'Cyber Cold War' rhetoric raises alarms
Calls from Capitol Hill for "mutually assured destruction" over alleged Russian hacking are raising questions about whether cyber deterrence is even possible.
When Congress blew back into town this month, so did a lot of bluster over alleged Russian-backed hacking of the Democratic National Committee and U.S. elections infrastructure.
In particular, House Homeland Security Committee Chairman Michael McCaul (R-Texas) raised the specter of a cyber Cold War with Russia and mutually assured cyber destruction.
But that rhetoric isn't sitting well with cyber experts.
"It's nuts, and it's woefully uninformed about the cybersecurity world," said Andrew Plato, cybersecurity expert and president of intelligence firm Anitian. "It's Cold War thinking trying to be applied to Information Age structures, and it isn't going to work.
Plato said Cold War doctrine made sense because of the physicality of the threats and capabilities at the time. But the volatility of the cyber world and the ability of hackers to pop up and disappear quickly mean that you can't point weapons at a physical location and expect to intimidate hackers.
"The etherealness of the world we live in doesn't allow you to have some sort of massive response because you're responding to nothing," he said.
Plato argued that the U.S. could spend months or years developing cyber weapons, but it can be impossible to predict how useful or intimidating they might be.
"That moment finally arrives and they pull those weapons out to use them and half of them just don't work," he said. "Or the weapon they have works but it doesn't do what you want it to because the entire environment has changed from when you developed that."
A 'cyber Hiroshima'
Melissa Hathaway, senior adviser for the Cyber Security Project at Harvard University's Kennedy School of Government, said the Cold War rhetoric is born out of frustration with the growing number of attacks and a sense of embarrassment over the fragility of America's cyber infrastructure.
She said the conversation needs to move from Cold War doctrine to "what are we going to do to protect our data, to protect our critical infrastructure, to protect our country?"
That conversation requires taking responsibility, understanding what is happening, and rebuilding the partnership between the executive and legislative branches, she added.
"I think the core to any policy or strategy has to begin with and end with resilience," Hathaway said. "The more fragile we are to an individual or a nation-state causing harm to something that we consider critical to our national or economic security, then we're in trouble, so we have to invest in resilience."
Even though the state of cyberwarfare has advanced to the point where physical damage is a potential outcome, "we're not at that Cold War level of completely wiping out you or me," said Joshua Toman, an adjunct professor at Charlotte School of Law and a cyber strategy expert. "I think that we are seeing that we could be at a significant place where one state could have an enormous impact on another nation-state."
He added that a "cyber Hiroshima" is a more realistic scenario that should be framing the debate. Hathaway said having an offensive cyber weapon could provide some measure of deterrence but only if there is a credible threat of its deployment. And she warned that hacking back or an offensive attack could lead to unintended consequences.
"I don't think that we've really thought through the different paths of escalation and de-escalation and the different sets of moves that could lead to a lot of miscalculations," she said.
Toman agreed. "The short answer for deterrence is, 'Well, they did this, we know who it is, we're going to go back after them,'" he said. "At what point then does that lead to the constant escalation?"
The White House issued a cyber deterrence policy last year, but Hathaway said the policy is not so much a strategy as a loosely aggregated list of capabilities or possible responses.
Still, she argued that having a rigid deterrent doctrine could make it harder to respond.
"Some argue that an effective deterrence is entanglement -- that if you both have just as much to lose then you will not engage in the actual activity," Hathaway said.
She added that if the U.S. is more resilient than its adversaries, that ability to survive and respond will deter attacks -- essentially the equivalent of a second-strike capability under Cold War doctrine.
Hathaway said the U.S. has the most infected cyber infrastructure in the world, and the growing number of cyberattacks on U.S. assets is a sign of the country's failure to shut down malicious botnets, command and control nets, and ransomware. She said a focus on cleaning up America's infrastructure along the lines of the effort to fix the Year 2000 computer bug would go a long way toward deterring cybercrime.
Why advertise deterrence?
Plato said that even if you have a strong deterrent capability, you don't necessarily want to advertise it.
"The cybersecurity world is where your best deterrent is really a very strong defense -- and a defense that isn't always obvious," he said. "You tend to get measured by how quickly and adeptly you respond to an incident or a situation.… The deterrence becomes this agility, this ability to react to things and muster resources quickly and deploy them quickly."
He said that rather than focus on building some sort of "giant Death Star cybersecurity weapon, let's build a team of brilliant people. Let's motivate them and let's put those people out there because that's going to be the defense."
Another topic of debate among policymakers is whether the U.S. needs new laws of war or other legal tools to combat and deter cybercrime. Experts told FCW that existing legal frameworks are sufficient.
Toman said the U.S. should instead consider non-lethal deterrent measures such as seizing assets or "tasing" the computers of hackers -- options that could be permissible under current law.
Experts also agreed that it's essential for the U.S. to work with foreign governments to establish international legal structures so that hackers and cybercriminals can't hide in places the U.S. can't reach.
"The focus needs to be on cooperation so that instead of it being the United States goes in and does rendition and pulls out a hacker, we're working to get those countries to engage in it themselves," Toman said.
Ultimately, policymakers need to provide more guidance to government and industry, he added. Better guidance and policy conversations would foster stronger cooperation between the two sectors and lead to greater deterrence.
"Each situation is going to have to be judged on its own, but do we have clear-cut reasons or guidance as to 'in this situation, we will do it'?" Toman said. "That to me is the better question. There should be certain situations where we say, 'When this happens, we're doing this. We're going to give ourselves that authority.'"