Cyber deterrence dialog raises many questions

A conference hosted in April by the Armed Forces Communications Electronics Association International in Omaha, Neb., provided a forum for military and private-sector cybersecurity experts to discuss the challenges of cyber deterrence.

Alarmists say it louder than military officers who prefer to whisper softly, but many cyber world thinkers agree that the United States is vulnerable to a cyber attack.

“Our sovereignty is at risk,” said O. Sami Saydjari, founder and president of Cyber Defense Agency, a strategic security consulting company. Saydjari, whom some say leans toward the alarmist side of the spectrum, spoke last month at an Omaha, Neb., conference on cybersecurity sponsored by Armed Forces Communications Electronics Association International. China and Russia “have launched a couple of cyber Sputniks. The capabilities that they are demonstrating are significant and perhaps better than ours,” he warned.

Not far from downtown Omaha is Offutt Air Force Base, where the U.S. Strategic Command (STRATCOM) is located. One of the command’s jobs is shaping a strategy that prevents such a cyber attack from happening. Parsing conflicts in terms of deterrence – making the price of an attack so believably high to potential attackers that their cost-benefit ratio is negative – comes naturally to STRATCOM. It commanded America’s land-based strategic bomber aircraft and land-based intercontinental ballistic missile nuclear arsenal for the duration of the Cold War.

Back then the rules coalesced into fairly clear lines. Now the command is faced with an array of questions for which there are no easy answers.

“Can we determine first of all that we are being attacked?” asked Air Force Brig. Gen Susan Helms, STRATCOM’s director of plans and policy. “How will we differentiate between that, and let’s say, a system failure?”

Other questions include: How can anyone be sure where the attack is coming from? It’s difficult in the cyber world to attribute where an attack originates from with certainty. Also, might third party countries be stirring up apparent attacks in an effort to channel a U.S. response toward an apparent aggressor? Then there are questions about the nature of American response – do cyber attacks require a cyber response, or should the president order a live weapon reply? At what point does the threat of a kinetic attack become unbelievable? Might that leave a gap in a potential adversary exploit, frustrating U.S. resolution until there’s nothing left?

Some states — notably, China — believe in exploiting military reliance on information technology as a combat tactic – might others exploit a U.S. readiness to perceive a Chinese attack even should none exist? (STRATCOM, in conjunction with Pacific Command, will attempt to hold direct talks with the Chinese military over cybersecurity issues, according to its commander, Air Force Gen. Kevin Chilton.)

“Does it matter if it’s an attack on the economy, where there’s little physical damage, there’s just disruption?” asked a STRATCOM official who requested to remain anonymous. However, it’s difficult to make definitive statements in things cyber-related. An attack shutting down a power plant in western Nebraska for a few hours could be a nuisance.

The same attack in New York City would be many times costlier and potentially lethal.

Not every intrusion into U.S. military networks is necessarily an act of war, cautioned the STRATCOM official. “You will hear people new to this discussion a lot using the word ‘attack’ interchangeable with ‘espionage,’” he said.

Espionage generally is a crime punishable by jail – but in the cyber world couldn’t intensive spying be an enabler of physical combat? When do “normal” cyber operations conducted in peace-time cross the line – and where is the line?

“It’s not going to be the same for cyber as we’ve seen with the nuclear approach to deterrence,” Helms said.