The Significance of Panetta’s Cyber Speech and the Persistent Difficulty of Deterring Cyberattacks

Secretary of Defense Leon Panetta’s speech last week on cyber is more significant than has been reported.  Most of the coverage focused on Panetta’s grave warnings about cyber threats facing the nation, but the speech’s real significance, I think, concerns DOD’s evolving deterrence posture.  (The speech has other significant elements, but I focus here on deterrence.) Panetta had two main messages related to deterrence.  First, because the USG’s attribution skills have improved, “[p]otential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America.”  Second, “If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens,” then on the orders of the President, DOD can “conduct effective operations to counter threats to our national interests in cyberspace.”  (This second point echoes earlier USG statements, including one made earlier this month by DRNSA Keith Alexander, who said, somewhat less cautiously than Panetta, that DOD must be able to “stop [an attack] before it happens. . . . Part of our defense has to consider offensive measures like that to stop it from happening.”) Here is what I think is significant about Panetta’s speech. First, DOD has previously said that it is trying to improve is attribution capabilities, and in conversation officials have noted some success.  Panetta goes further, saying concretely and definitively that DOD has “made significant advances in solving” the attribution problem, presumably through a combination of tracing back the source of a cyber attack and identifying the attacker through “behavior-based algorithms” and human and electronic intelligence.  Panetta does not tell us how good or fast DOD is at attribution, and he may to some unknown degree be puffing.  Nonetheless, this is a potentially big deal for cyber deterrence. Second, Panetta was more aggressive than DOD has been in the past about the trigger for a self-defensive cyberattack by the United States.  Previously, DOD has stated that adversaries would face a “grave risk” if they launched a “crippling” or “significant” cyberattack on the homeland.  Panetta’s speech changes this posture in two ways.  He is less definitive about the high threshold of a “significant” or “crippling” attack as a trigger for a USG response, and indeed implies that the threshold is (or can be) lower.  And more importantly, he makes plain that the DOD has the capabilities and desire to engage in a preemptive attacks against imminent cyber threats.  This possibility has been hinted at before (most recently, in Alexander’s comment above and in Harold Koh's  NSA Cyber Command legal conference speech last month).  But Panetta was more definitive about DOD’s capacity and desire to engage in such attacks. (Herb Lin, chief scientist at the National Research Council’s Computer Science and Telecommunications Board, noted to me that Panetta referred to the need to “take action” with “effective operations” against imminent cyberthreats, and pointedly did not state that such actions or operations would necessarily involve cyber means or cyber targets.  This is consistent with DOD’s prior claims that it would use “cyber and/or kinetic capabilities” to redress large-scale cyberattacks.)  Panetta was ambiguous, however, about whether DOD currently has the authorities to engage in such preemptive attacks (by cyber means or other means) in the face of cyber threats.  He said that “we need to have the option to take action against those who would attack us to defend this nation when directed by the president” (emphasis added), and he emphasized DOD capabilities while several times calling for more DOD authorities. I have previously criticized DOD’s announced deterrence policy, so I should say that Panetta’s speech takes steps in the right direction.  Panetta noted improvement in attribution (which is potentially huge), he warned that the USG would hold attackers responsible, he appeared to eliminate unjustifiably super-high thresholds for a self-defensive responses to cyberattacks, and he noted DOD’s capacity and need for preemptive attacks in the face of imminent cyberattacks. That said, Panetta made these points in an after-dinner speech, not an official declaratory policy.   And many questions remain, such as:  How much better (in terms of speed and accuracy) is our attribution capacity?  How do adversaries know whether the USG’s supposed attribution advances are not a bluff?  What exactly is the threshold for a self-defensive offensive operation in response to a cyber attack?  What counts as an imminent threat of cyberattack that would warrant a preemptive attack by the USG?  The effectiveness of any deterrence posture depends on the answers to these (and related) questions, and (very importantly) on our adversaries’ beliefs about the answers to these questions.  Ambiguity about the answers might over-deter (as vague criminal law often does), but it might also under-deter (because the adversary misperceives where the red lines are). The effectiveness of deterrence also depends, crucially, on the credibility of our threat to attack in the face of actual or imminent attacks.  Several obstacles prevent our threats from being entirely credible.   Panetta’s speech and other DOD pronouncements, as well as news reports, indicate that DOD does not think it has adequate legal authorities to engage in offensive operations related to defense, and that USG lawyers are currently putting up affirmative obstacles to such operations.  To the extent that the USG is and appears to be legally constrained from acting as it says it needs to, its threats to act are not credible. In addition, even if our attribution skills are fast and accurate (which they won’t always be), any responsive cyberattack that has public effects must be accompanied by public evidence that the attack was warranted – something very hard to do when attribution is based on sophisticated and fragile intelligence tools.  To the extent the USG cannot prove attribution publicly, its threats of a cyberattack are diminished.  This point implies that self-defensive cyberattacks are (all things equal) more likely to be unattributable than attributable.  But that conclusion in turn presents two problems.  First, how to convince the adversary that we have hit it in response to a cyberattack when we cannot take public credit for the attack? (This is potentially difficult, not impossible; Iran certainly suspected the USG even before the public revelations about Stuxnet/Olympic Games.)*  Second, an unattributable self-defensive cyberattack is more likely in response to a relative small actual or threatened cyberattack on the nation.  If we suffer a crippling blow, we will need to respond with large public fire, in cyber or kinetic space, or both.  The worry is that the difficulties of public proof of attribution will slow the needed public response, or weaken it, or make it seem less legitimate ex post – all of which weakens the credibility of a responsive attack ex ante, and thus weakens deterrence. Finally, some thoughts about Stuxnet/Olympic Games, the cyber operation(s) against the Iranian nuclear facilities.  While many in the USG are no doubt genuinely angry that the USG hand in Stuxnet was revealed, this revelation probably has the happy effect of enhancing U.S. cyber deterrence.  For it demonstrates that the USG has sophisticated cyberweapons that – despite legal and other obstacles – it is willing to deploy, even in a preemptive fashion.  For many reasons that I lack time explain (having to do with the nature of the Iranian threat, which did not present an attribution problem, and the nature of the cyber attack on the Iranian facilities), I think the legal and policy hurdles to the Iranian operation were less significant than ones that would arise with a self-defensive USG attack in response to an actual or threatened cyberattack.  Nonetheless, the Stuxnet/Olympic Games revelations probably enhance U.S. cyber deterrence overall.  (And no, the Iranian cyberattacks in the news yesterday, which reportedly inflicted “modest damage,” do not by themselves belie this claim.) * Herb Lin describes one way that the USG might “sign a cyberattack” and thereby convince the adversary that we have hit it in response to a cyberattack even though we cannot take public credit:

Step 1 – Digitally sign the code under a certificate that is publicly known to be associated with the US government (e.g., ugov.gov, the CIA domain name).  The result is a long number (call it X). Step 2 – encrypt X using a symmetric cipher and the key Y.  The result is another long number Z. Step 3 – append Z to the cyberattack code (at the end).  (You can do it anywhere, but say append for simplicity.) When you want to tell Iran that the US was behind it, do the following. Step A – tell Iran where to find Z in the code. Step B – give Iran the key Y. Step C – Iran decrypts Z to yield X, which is the signature of the code. After Step C, Iran has the code, a signature derived from the code in its possession, and because of Step 1 above, the public key of the U.S.  At this point, the problem is the same as signing any kind of code (e.g., knowing that Microsoft was indeed the provider of the update you downloaded last week), and can tell if the code did or did not come from the U.S. This process does not work if the certificate belonging to the U.S. has been compromised by another party.  But presumably we keep control of our certificates.