The United States’ Feckless Cyber Deterrence Policy

David Sanger has a very damning story on the USG’s struggles to figure out how to respond to the OPM hack. It has decided it has to do something, Sanger tells us, but it cannot decide what to do, or whether to do it publicly or privately, and it worries about sparking escalation that would worsen the situation. President Obama doesn’t like his options and has asked for more.

Wow. This is not a new problem. The government has been dealing with and complaining about foreign government exploitation of its networks for a very long time, long before the Obama administration. Since 2009 the Obama administration has said it has been putting in place a new cyberseurity strategy to deal with intrusions of its networks. Hundreds and probably thousands of conferences and meetings have been held, inside and outside the government, on how to defend and deter intrusions in USG systems. And yet, just as the USG seemed entirely befuddled about how to respond to the first major attack on private networks, it seems entirely befuddled about what to do about the intrusions into its networks. And to make matters worse, its befuddlement is playing out on the pages of the NYT for the world to see. A nation cannot establish any form of deterrence when the world sees that it is undecided about what to do. Any retaliation now, after all the public uncertainty about how to proceed, will hardly establish a credible deterrence policy; and the fact that the USG is considering "symbolic" responses shows just how unserious it is about deterrence. The failure to have a credible deterrence policy has repercussions far beyond the Chinese to other State and non-State parties.

The government’s inability to mount a credible deterrence strategy in the face of at least fifteen years of growing network intrusions makes pretty clear that deterrence through retaliation in this context cannot work. The problems are well known. Even if the USG can attribute with certainty (and justify the attribution publicly), and even if it can control the consequences of retaliation, how can it justify retaliation against China when it is well known that we penetrate its government networks? Indeed, DNI James Clapper and Former NSA Director Hayden basically admitted that what China to OPM did was fair game. (Clapper said “you have to kind of salute the Chinese for what they did” and Hayden said the “records are a legitimate foreign intelligence target” and he would have done the same to China if he could.) And then there is the problem that because of our firms as so dependent on Chinese markets, we have more to lose than gain (or at least a whole lot to lose) from escalation.

These and other considerations make me think that Deputy Secretary of Defense Lynn was right when he said in 2010 (after criticizing deterrence through retaliation): “Deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation,” which means that “challenge is to make the defenses effective enough to deny an adversary the benefit of an attack despite the strength of offensive tools in cyberspace.” And yet as the OPM hack reveals, the USG has not taken serious steps to meet this challenge either.