No cyber defeatism in the United States

Many Europeans who during the Cold War never lost any sleep over the fact that the maintenance of peace and security in their continent was contingent on a system of deterrence in the domains of air, land, sea and outer space, seem to lose heart when that system needs to be extended to the fifth domain of cyberspace. Cyberspace is a daunting domain. What makes cyber attacks particularly uncanny is that in so many cases the attacker remains unknown. Writing in the Financial Times of May 10, Edward Luce summarized the problem as follows: ‘The doctrine of mutually assured destruction has scant relevance to cyber warfare. Deterrence works when the culprit can be identified.’ He called the post-Cold War world we live in: ‘a far cry from what we once so cheerfully anticipated.’

As an example of a very different frame of mind I would like to draw attention to the Drell Lecture delivered at Stanford University on April 23 by U.S. Secretary of Defense Ash Carter on ‘the future of technology, innovation, and cyber security.’ Two excerpts from that lecture follow below, but I recommend reading the whole transcript of the lecture by using the link:

Why this visit to Stanford University and Silicon Valley?

[….] our reliance on technology has led to real vulnerabilities that our adversaries are eager to exploit. And this brings me to my question for today: how do we mitigate that risk – the risk that comes with such technology while simultaneously unleashing its promise?

Sometimes the bonds between the academy, industry, and defense were particularly close…like during World War II, when the Manhattan Project and the MIT Radiation Laboratory and others brought together the brightest minds, and the best of industry cranked out the ships, planes, and tanks – at what are now astonishing to us numbers. And another was during the Cold War, when a cross-section of military, academic, and private-sector experts paved the way to a future of precision-guided munitions, battle networks, and stealth. [….] Through successes and strains, our ties have broadly endured…but I believe we must renew the bonds of trust and rebuild the bridge between the Pentagon and Silicon Valley.

The cyber threat. Becoming better at locating the attacker. U.S. has a preference for deterrence but is willing to use cyber options itself. 

This is one of the world’s most complex challenges today, which is why the Department of Defense has three missions in the cyber domain. The first is defending our own networks and weapons, because they’re critical to what we do every day…and they’re no good if they’ve been hacked. Second, we help defend the nation against cyberattacks from abroad – especially if they would cause loss of life, property destruction, or significant foreign policy and economic consequences. And our third mission is to provide offensive cyber options that, if directed by the President, can augment our other military systems.

In some ways, what we’re doing about this threat is similar to what we do about more conventional threats. We like to deter malicious action before it happens, and we like to be able to defend against incoming attacks – as well as pinpoint where an attack came from. We’ve gotten better at that because of strong partnerships across the government, and because of private-sector security researchers like FireEye, Crowdstrike, HP – when they out a group of malicious cyber attackers, we take notice and share that information.

Still, adversaries should know that our preference for deterrence and our defensive posture don’t diminish our willingness to use cyber options if necessary. And when we do take action – defensive or otherwise, conventionally or in cyberspace – we operate under rules of engagement that comply with international and domestic law.