September 23, 2011
Deterring attackers in cyberspace
By Retired Lt. Gen. Harry Raduege
Is America at war in cyberspace? In the face of increasingly brazen cyber attacks against our country, the Obama administration established the first military command devoted to cyberspace, U.S. Cyber Command, in 2010. And the Pentagon has issued a new declaratory policy in which the United States announced that it reserves the right to respond to cyberattacks with conventional weapons. It sounds a lot like war. But is it?
Today, America is most certainly engaged in what amounts to a cyber "cold war." We face a daily barrage of low-level "tactical" strikes in which foreign adversaries attack our computer networks, often using proxies in cyberspace — much as the United States and the Soviet Union engaged in low-level combat using proxies in Africa and Latin America during the Cold War of the 20th century. In some cases, these attacks escalate into what our military calls operational-level engagements — decisive attacks or incidents that gain front-page attention in the news (such as the Stuxnet virus that attacked Iran's nuclear program) but do not significantly alter the daily lives of Americans.
The real danger is the prospect that an enemy could one day launch a strategic-level attack in cyberspace — one that causes large-scale death, destruction, damage, disruption or devastating economic loss for our country. A sophisticated cyberattack targeting our power grid, telecommunications, banking or transportation systems that could one day cause damage was once the province of conventional weapons. Such a strategic attack could prompt the president to order retaliatory action — turning today's cyber "cold war" into a hot war.
Such a strategic attack in cyberspace has not yet occurred — and preventing one should be the top priority of our nation's cyberdefense policy. We can do so the same way we ensured that the Soviet Union never used its massive nuclear arsenal to cause catastrophic damage to our country: by establishing an effective framework for deterrence.
During the Cold War, the U.S. built a "strategic triad" of land, sea and airborne nuclear weapons that deterred a Soviet attack using weapons of mass destruction. In the digital age, we need a cybersecurity triad to deter attacks on our information networks using weapons of mass disruption.
The first leg of this new triad is resilience. During the Cold War, our adversaries knew that a nuclear first strike was futile, because if they hit our land-based missiles, we still had missiles at sea and in the air with which to retaliate. We must build similar resilience into our information systems so adversaries know they cannot cripple the U.S. economy or military. If our networks are resilient and terrorists or other adversaries find they can cause no devastating negative impact, that is a deterrent in itself.
The second leg of the new cybersecurity triad is recognition. One of the reasons cyberattacks are so attractive today is that it is extremely difficult to identify the ultimate source of the attack. We need to improve our ability to trace cyberattacks and identify the culprits. If foreign enemies can attack our information networks without fingerprints, they can attack without consequences, and that means they cannot be deterred.
The third leg is retaliation. Our enemies must know that America can launch counterstrikes in cyberspace that can cripple their information networks if they dare to threaten ours. Unfortunately, as Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, recently explained, we are currently devoting nearly 90 percent of our attention toward building better firewalls and only 10 percent on retaliatory capabilities. Gen. Cartwright said a better strategy would be the reverse.
Moreover, our enemies must understand that America cannot limit its response to cyberspace. Cyberspace is a domain, just like land, sea, air and space. Today, if the United States is attacked at sea, our military does not limit itself to retaliating at sea. We reserve the right to reply in other domains. The same is now true of an attack in cyberspace. If we can trace the source of a cyberattack to a cave in the Hindu Kush mountains, America's response could come in the form of a hellfire missile.
At the start of the nuclear age, the United States developed the doctrine and capabilities that successfully deterred the USSR from using its nuclear arsenal against us. Now, at the start of the cyberspace age, we must develop the doctrine and capabilities to deter would-be attackers from wreaking destruction or disruption on our country from cyberspace.
Raduege is a retired lieutenant general of the Air Force and former co-chairman of the Commission on Cyber Security for the 44th Presidency. He is currently a senior counselor of The Cohen Group and chairman of the Deloitte Center for Cyber Innovation.