It Takes More than Offensive Capability to Have an Effective Cyberdeterrence Posture Dr Martin C Libicki Testimony before the House Committee on Armed Services Cyber Warfare in the 21st Century Threats Challenges and Opportunities 01 March 2017 The views expressed here are those of the author alone They do not represent the estimates or policies of the U S Navy or any other organization of the U S government Good morning Chairman Thornberry Ranking Member Smith and distinguished members of the committee My name is Martin Libicki I hold the Maryellen and Richard Keyser Chair of Cybersecurity Studies at the U S Naval Academy and am also adjunct management scientist at the non-partisan non-profit RAND Corporation The following represents my own viewpoint and not the viewpoint of the U S Naval Academy the Federal Government or the RAND Corporation I thank you for the opportunity to testify today about some issues associated with deterrence of cyberattacks Two years ago the Commander of the US Cyber Command argued in Congressional testimony that he needed a greater ability to conduct offensive cyber operations stating that its purpose was to be able to deter cyberattacks on the United States 1 Clearly greater capability would not hurt - but would it help much must less suffice to achieve deterrence A successful posture of deterrence - that is the use of threats to compel others to restrain themselves - has many prerequisites Four of them merit note First the United States has to be able to attribute cyberattacks in order to punish the correct party and convince others that the United States is acting justifiably Second the United States needs to communicate its thresholds - that is what actions will lead to reprisals Third U S promises to retaliate need credibility - so that others believe that punishment will in fact follow crossing such thresholds Fourth the United States needs the capability to carry out reprisals There are also other considerations but they are not prerequisites as such One is that carrying out reprisals affects the broader relationship between the United States and the attacking country there may be larger issues in the ongoing relationship which may modulate or exacerbate the reprisal - which in turn affects the credibility and even legitimacy of the 1 How do we increase our capacity on the offensive side to get to that point of deterrence Ellen Nakashima Cyber chief Efforts to deter attacks against the U S are not working Washington Post March 19 2015 http www washingtonpost com world national-security head-of-cyber-command-us-may-need-to-boostoffensive-cyber-powers 2015 03 19 1ad79a34-ce4e-11e4-a2a7-9517a3a70506_story html threat For instance however annoying the Iranian DDOS attacks on U S banks were in late 2012 efforts to halt Iran's nuclear program clearly had higher priority thus had reprisals been on the table their impact on such efforts had to be taken into account Two is the extent to which the attacker feels justified in its original cyberattack which may have been prompted by something perceived in its past This in turn will color its view of how legitimate the U S reprisal is - which in turn may influence the likelihood of its making counter-reprisals Returning to the prerequisites the U S capability to retaliate in cyberspace is least in doubt amongst the four even if United States need not respond in kind Admiral Rogers' argument assumed that we needed to be able to do so Any country credited with Stuxnet and the ability to penetrate systems using techniques described by Ed Snowden has demonstrated a very impressive capability Whether or not the credit is deserved2 is secondary As long as other countries believe we can do magic what we can actually do matters less for deterrence purposes That noted however countries vary in their susceptibility to reprisals in cyberspace North Korea is a good example because a combination of its economic primitiveness and paranoia about the outside world means that computers and connectivity are far less important to the national well-being than it is in other countries Note that susceptibility consideration had only a modest effect on the efficacy of the nuclear deterrent Furthermore while the U S attention to the laws of armed conflict specifically jus in bello is laudable the effect of following them is to take certain targets off the list Such prohibitions are larger if people are worried that cyberattacks on some targets may yield unacceptable collateral damage Lastly for those who believe that reprisals delayed are reprisals denied note that even a very capable United States is limited in its ability to respond from a cyberattack from a country that it did not previously consider a threat and thus whose systems it did not scope in advance Otherwise U S capability is more than sufficient for purposes of reprisals The other three prerequisites are what hobble the ability to develop a coherent deterrence policy Attribution to be fair has improved considerably over the past ten years There are several reasons why Roughly a decade ago difficulties in attribution were recognized as an important barrier to establishing a deterrence posture Considerable time and attention was therefore invested in improving the intelligence and science behind attribution by late 2012 the Secretary of Defense was able to claim that two-thirds of all incidents could be traced back Furthermore several private cybersecurity companies - starting most publicly with Mandiant3 in early 2013 - started making their own attribution claims this allowed the U S Government to make a case against other countries without having to reveal its own sources and methods 2 In the last year Israel has publicly declared that it and the United States together authored Stuxnet Deterring Terror English Translation of the Official Strategy of the Israel Defense Forces Belfer Center Special Report of August 2016 http www belfercenter org publication israeli-defense-forces-defense-doctrine-englishtranslation p 48 3 Mandiant APT1 Exposing One of China's Cyber Espionage Units sintelreport mandiant com Mandiant_APT1_Report pdf March 2013 even if some government officials believe private attribution claims force their hands when the evidence is less-than-overwhelming or decisions on reprisals need time to make correctly Although the consonance between what the intelligence community knew and what the private cybersecurity claimed is less than perfect the two efforts remain quite complementary It is quite plausible that China's perception that the U S ability to attribute acts of economic cyberespionage to the Chinese was good enough sufficed to inhibit further economic espionage from that country after the Xi-Obama agreement to foreswear such activity Nevertheless a few cautions are in order First the ability to attribute and the ability to evade attribution are a measurecountermeasure game Until the consequences of being caught are severe enough it may simply not pay for hackers to hide their origins as opposed to their tracks very well Yet if the point of having a deterrence policy is to inhibit cyberattacks then presumably consequences have to be severe If the prospects of reprisals are daunting enough hackers can be expected to take pains to keep from getting caught carrying out cyberattacks Hence countermeasures to attribution can be expected Another way of putting it is that attribution will be good until it becomes useful at which point it will cease being good Second the U S Government has made less progress in explaining why it believes its attribution is correct After the Sony attack the FBI's publicly released statement on North Korean attribution devoted just 140 words to justifying its conclusion 4 The public justification of Russian attribution for the DNC hack is even more problematic The two public documents released on the matter - one by DHS5 and the other by the DNI6 - were generally deemed far from satisfactory Granted it may not be obvious why the United States has to convince others that it is right about attribution by this argument as long as the attacker knows that it could get caught and punished for what it did - and knows it did - then the opinion of third parties is irrelevant But is it To skeptics U S retaliation against a country that could be innocent may strike them not as punishment but aggression Worse if potential attackers come to believe that innocence is no guarantee against reprisals what is the point of being innocent The accused country could easily maintain its innocence and having done so credibly for lack of a good case against it could justify its responding to retaliation as if it were responding to unprovoked aggression Thus what started as an attempt to make other countries conform to standards of responsible behavior becomes an exchange of tit for tat where no one can easily claim the high ground 4 FBI Update on Sony Investigation December 17 2014 http www fbi gov news pressrel pressreleases update-on-sony-investigation 5 NCCIC FBI GRIZZLY STEPPE - Russian Malicious Cyber Activity December 29 2016 https www uscert gov sites default files publications JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229 pdf 6 Office of the Director of National Intelligence Background to Assessing Russian Activities and Intentions in Recent US Elections The Analytic Process and Cyber Incident Attribution January 6 2017 https www dni gov files documents ICA_2017_01 pdf Credibility also remains an issue when it comes to cyber deterrence Put simply the United States has yet to retaliate to any cyberattack with any truly serious consequences of the sort that the rest of the world can see The U S retaliation against North Korea involved sanctions on a handful of individuals The only quasi-serious response-like event was a DDOS attack on North Korea's thin Internet connection to the rest of the world - and the United States if anything distanced itself from taking credit for that act 7 There are reports that the United States carried out reprisals against North Korea that did not make the news although I have no way of evaluating that claim suffice it to say that hidden reprisals lack effectiveness in persuading other countries of the folly of carrying out cyberattacks on the United States The United States also retaliated against Russia for the DNC hack by increasing some sanctions and throwing some Russian diplomats out of the country there may have also been reprisals not visible to the public Since the Russians probably believe that their contribution to defeating a presidential candidate they disliked exceeded the pain of having to replace a few diplomats it is difficult to see how the consideration of future such punishment would deter them Does anyone think the Russians will hereafter refrain from injecting itself into other countries' elections And what does it say for the credibility of the U S Government when representatives of an incoming administration delegitimize the reprisals levied by an outgoing administration After two weak public responses the credibility of U S reprisals cannot be ranked very high Perhaps the failure to respond with anything harsher may have been wise given the relatively limited harm associated with both the Sony hack and the DNC hack - and the possibility that a major confrontation would have raised much higher levels of risk But it would now take a serious response to raise the credibility of a possible U S response off the floor where it now sits - and several serious responses to convert the possibility into a likelihood These hypothetical responses to as-yet-potential cyberattacks would carry their own risks Put another way if the United States wanted to achieve credibility for a cyberspace deterrence policy the costs of doing so would not be small at this point That leaves thresholds which I want to focus on in part because it seems to get the least attention Here is the relevant question what cyberattacks merit cranking up the machinery of U S retaliation for The term machinery is deliberately meant the decision on whether and how to retaliate would certainly involve the President and the National Security Council and would have to be followed up by policy adjustments throughout the bureaucracies to reconcile retaliation with whatever else is taking place vis-a-vis the attacking country Retaliation after 7 See Nicole Perlroth and David Sanger North Korea Loses Its Link to the Internet December 22 2014 https www nytimes com 2014 12 23 world asia attack-is-suspected-as-north-korean-internet-collapses html But two weeks later sanctions were described as a first response suggesting that the DDOS attack was not a U S response BBC Sony cyber-attack North Korea faces new US sanctions January 3 2015 http www bbc com news world-us-canada-30661973 all is an unfriendly act By contrast foreign individuals can be indicted in U S court - as multiple cybercriminals are - based on decisions taken at the level of a U S district attorney and without much reference to the U S relationship with the country of their origin Although the indictment of five members of China's PLA and seven Iranian nationals doubtless required greater coordination these moves were at least announced by someone no higher than an Assistant Attorney General The need for a threshold is obvious Objectionable acts in cyberspace range greatly from a network hiccup to a major catastrophe Not all of them merit Presidential attention By contrast in the nuclear realm even the detonation of the smallest nuclear weapons on say U S soil was always going to be an enormous deal Finding a tractable and defensible threshold is alas a problem not easily solved Let's consider some candidates that have been bruited about Perhaps something is actionable if it violates the U S Computer Fraud and Abuse Act Three problems arise First using a national law as a red line sets a precedent that can be easily abused by countries whose laws criminalize behavior that is acceptable even normal in the United States e g posting on the Internet material critical of the government In other words if we use our domestic laws as a basis for international reprisals what keeps others from using their domestic laws in the same way Second the CFAA is being violated literally millions of times - notably every time a computer is infected as part of an effort to build a botnet or every time some teenager wants to go exploring in someone else's machine Third such a law makes cyberespionage generally actionable when the United States relies on such techniques to protect itself from terrorists and hostile countries Another good reason not to establish a threshold that makes all cyber-espionage actionable is that penetrations can often go undetected for months or years and sometimes forever - whereas the effects of cyberattack in terms of the disruption of operations or the corruption of information is harder to hide The less likely a violation is to be caught the more problematic it is to punish violations that are Another alternative threshold is to use some metric of size to determine whether something is actionable As one Assistant Secretary of Defense has argued the United States cares primarily about the top two percent of all cyberattacks 8 The problem with that formulation is that the criterion for membership in the set of cyberattacks has no obvious lower bound Two percent of something unmeasurable is itself unmeasurable Insofar as the effects of cyberattack can almost always be measured in terms of dollars an economic threshold might make sense - until it comes time to measure impacts If Sony's statement to the SEC is indicative the attack from North Korea cost only $35 million in the financial quarter that took place plus the quarter afterwards Yet there are reasons to believe that many intangible costs e g to the reputation of Sony's executives the hassle of shifting communications from e-mail 8 David Sanger Pentagon Announces New Strategy for Cyberwarfare New York Times April 23 2015 http www nytimes com 2015 04 24 us politics pentagon-announces-new-cyberwarfare-strategy to phones anxiety among employees were not well captured by that metric Furthermore the Administration defended its decision to respond to the Sony attacks and the DNC attacks not by using economic criteria but because such cyberattacks violated transcendent values That is the attack on Sony contravened its freedom of speech while the attack on the DNC contravened U S political sovereignty Meanwhile there was no U S response to the Iranian attack on Las Vegas Sands Corporation which wreaked damage approximately as large as those suffered by Sony Another criterion for judging a cyberattack actionable is if it hurts some part of the U S critical infrastructure One would think such a threshold had sufficient clarity since the key elements of that infrastructure had been publicly enumerated by DHS admittedly in response to physical terrorism which generates a somewhat different list than a focus on cyberspace would But following the attacks on Sony and the DNC some have tried to stretch the definition to include such attacks There were desultory attempts to note that technically Sony Entertainment was part of the U S critical infrastructure but they were not taken seriously 9 The DNC hack however did persuade the Government to declare the U S election system to be critical infrastructure and properly so Perhaps a criterion is needed that offers a parallel with physical attack Perhaps then something is actionable if it violates the Laws of Armed Conflict specifically jus ad bellum LOAC has the benefit of being established international law But the various laws of armed conflict having been established for physical combat focuses on destruction and injury They do not cover economic loss from hostile activity perhaps because one country can make many types of decisions that cost other countries money without using force at all In the decadeslong history of cyberwar physical destruction has occurred twice Stuxnet and a putative Russian cyberattack on a German blast furnace in many other cases information was altered that resulted in making machines unusable until reformatted but that is not physical destruction 10 No one has yet been harmed as a direct consequence of a cyberattack Instead the effects of cyberattacks are usually felt in terms of lost time hence productivity e g when systems are down or when the data they hold has to be recovered It is unclear whether an attack that say bankrupts a trading house would be actionable by such criteria - and a willingness to declare it so after the fact is not a basis for deterrence To complicate matters further the reliance on precedents such as LOAC fosters the notion that cyberattack like physical attack is actionable while cyber-espionage like pre-cyber espionage is acceptable behavior for countries But accepting all cyberespionage as acceptable state behavior is not U S policy The United States successfully pressed China to stop its economically-motivated cyberespionage - and by so doing established a norm that was 9 Kim Zetter Hacker Lexicon What Counts as a Nation's Critical Infrastructure February 16 2016 https www wired com 2016 02 hacker-lexicon-what-counts-as-a-nations-critical-infrastructure 10 Kim Zetter A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever January 8 2015 http www wired com 2015 01 german-steel-mill-hack-destruction adopted by the G20 11 which given the G20's membership thereby makes it close to a universal norm If the information taken from OPM had been sold into the black market - the possibility of which was implied by OPMs offering credit-monitoring services to potential victims - then it is quite plausible that the United States would have strongly objected that the acceptability of cyber-espionage did not imply the acceptability of every use of what was taken Fortunately there is scant evidence that such information was transferred to criminals Lastly it helps to remember that the DNC hack was actually cyberespionage - the results of which would not have led to a U S response if the Russians had kept what they took to themselves rather than use it to influence the outcome of a Presidential election These three examples may not be the only occasions where cyberespionage rises to the point where it is as obnoxious as cyberattack It is characteristic of cyberspace operations that it is very difficult to distinguish between cyberespionage against a system and the preparations made for a cyberattack on such systems In some cases the motivation for cyberespionage is so plausible that countries caught penetrating systems with valuable information can be assumed to have done so out of interest in the information it held than in taking down the system that holds it But it may be hard to give others the benefit of the doubt when they are caught carrying out cyberespionage against certain elements of a country's critical infrastructure - notably the machine control systems associated with transportation energy production and distribution or manufacturing in general - because the information such systems contain is of modest value while the potential for mischief is substantial Here too certain types of cyberespionage may be plausibly deemed actionable if detected characterized and attributed In the face of these many issues ensuring that countries do not convince themselves that there is a threshold below which that they can operate with impunity entails deliberately maintaining a threshold so low that the United States can afford to be indifferent to cyberattacks that fall beneath that level This is hardly a panacea First it forces inordinate attention to above-threshold even if low-level attacks because the failure to respond to them erodes credibility associated with a U S promise to respond although for some observers the failure to respond will only erode their belief that the stated threshold is the real one Second if there is no difference between the responses to low-level and high-level attacks potential attackers may reason that if they are going to get caught and punished again no sure prospect they might as well try to achieve a greater rather than a lesser effect Third too low a threshold coupled with a fixed minimum cost associated with cranking up the retaliation machinery may strike others as disproportional expensive and even arbitrary A broader issue in all this is whether any country even the world's most powerful can arbitrarily establish redlines as opposed to first achieving some consensus on norms and then 11 For a copy of the communique and a discussion thereof see Cody Poplin Cyber Sections of the Latest G20 Leaders' Communique November 17 2015 https www lawfareblog com cyber-sections-latest-g20-leaderscommunique using the violation of such norms as a basis for deterrence To be fair redlines are not the worst option at least they have the advantage of needing to be declared beforehand One of the problems with responding to the DNC hack - apart from its inherently political nature - was that few anticipated that the United States would need to declare against other countries hacking political organizations extracting their contents of their e-mail and posting them online To react to injury solely after the fact assumes that a reasonable presumption could have been made by the attacker that something so injurious could not go unanswered Such thinking is far from easy even in the physical domain where precedents to almost every conceivable action abound In the cyber domain such precedents are absent and the best one can resort to are inexact analogies between something that has merited objection in the past and some objectionable act in the present Deterrence after all only works when the potential attacker knows in advance where the redlines are at least approximately A country's willingness to respond based on post facto redlines presupposes the willingness of others to give the aggrieved country a wide berth Redlines have had their place in U S history the Monroe Doctrine which stated the U S intolerance for any establishment of new colonies in the Americas could not possibly have been a norm It was geographically delimited to one hemisphere and the prevailing norm in those days actually allowed colonization in general Russia's concern over activities in its near abroad or China's concern over activities within its self-defined first island chain to use less justifiable examples are also geographically defined But cyberspace as oft observed does not have the same geography and to an important extent has no geography at all Thus redlines cannot be stated in geophysical terms very easily - and thus also a major justification for redlines in order to defend the physical basis for a country's sovereignty does not apply Redlines and norms differ in several key respects A country can establish redlines without having to abide by them when a country establishes exclusion zones for others it hardly signals its intention to exclude itself But a norm implies mutual constraint Every UN member by dint of its membership has pledged adherence to norms against carrying out an armed attack on others Clearly redlines are less constraining than norms - but that may be exactly why arbitrary redlines sit poorly with long-standing U S ideals At issue is how rules should govern the world Until the mid-20th century international relations could be said to be taken from Thucydides' Melian Dialogue the strong do as they will and the weak suffer what they must Redlines bespeak a world in which strong countries - and the United States is the strongest - can set the rules that they can compel others to live by even if they have no intention of living by such rules themselves But U S leadership in the post-war era allowed a different notion to take root International stability and world peace result when everyone follows the rules just as domestic stability and safety follow when everyone obeys the law To achieve legitimacy that meant that the United States and its friends had to obey the same laws And much of the history of the Cold War was an attempt - one that was largely successful - to define these laws and use the muscle of the United States and its allies to see that such laws were largely obeyed The end of the Cold War made that task easier and spread the rule of law wider but the effort remains non-trivial This theoretical difference has a practical consideration Reconsider the OPM hack Should the United States have responded The attack transferred information of great value to China It embarrassed the U S Government U S officials were angry at the Chinese and there is evidence that Chinese officials were at least somewhat abashed at having been associated with the hack they subsequently announced an arrest for having carried out the hack12 But the DNI and a former CIA director admitted that what the Chinese did was something that the United States would have done if it could have and it may well have done similar things 13 The United States could easily declare that it would regard a repeat as having crossed a red line it might even be able to enforce its dictum But if the United States would not foreswear doing likewise it could not argue that a repeat would have violated a norm One of the reasons that the United States could persuade China to abjure economic cyber-espionage is that it could make a reasonable case that this was behavior that the United States would not conduct - and indeed had not conducted or at least no one has proved the contrary By the same token one of the difficulties of dealing with Russia's politically-motivated cyberespionage-cum-doxing was the lack of a norm that made it easy to argue that such activity was out of bounds Because countries even the United States seek to influence the elections of other countries all the time mere unwarranted influence is a poor guide to norms-writing - but a norm condemning the use of cyberespionage coupled with doxing for political ends would be more precise and consistent with U S behavior A norms-based deterrence posture has its issues One is determining how much of a consensus is required to establish a norm One advantage of working from the UN charter is that UN membership is universal - but the conversion from the words of the charter into the new fields of cyberspace is hardly obvious The European Convention on Cybercrime aka the Budapest Convention counts almost every advanced country as a signatory but Russia for one is not a signatory Treating say the Russian's providing sanctuary for major cybercriminals as an actionable violation of universal norms is an iffy proposition Conversely waiting until North Korea signs up to norms before deeming them universal means waiting indefinitely A 12 Ellen Nakashima Chinese government has arrested hackers it says breached OPM database Washington Post December 2 2015 https www washingtonpost com world national-security chinese-government-has-arrestedhackers-suspected-of-breaching-opm-database 2015 12 02 0295b918-990c-11e5-8917653b65c809eb_story html 13 Don't blame the Chinese for the OPM hack former NSA and CIA Director Michael Hayden said arguing that he would not have thought twice about seizing similar information from China if he had the chance Matthew Ferraro On the OPM Hack Don't Let China Off the Hook The Diplomat July 14 2015 Director of National Intelligence James Clapper echoed the sentiment saying at a conference you have to kind of salute the Chinese for what they did If we had the opportunity to do that to them I don't think we'd hesitate for a minute Jim Sciutto Director of National Intelligence blames China for OPM hack June 25 2015 http www cnn com 2015 06 25 politics james-clapper-china-opm-hacking best guess is that a norm can be deemed universal if it wins adherence from either Russia or China The other issue is holding others to norms A country that has declared a redline has put the onus on itself - and only itself - to respond to a redline's violation Responding to a norms violation however is a collective responsibility - which is both good and bad good because many countries joint together in responding and bad because each country can shift the responsibility to the other In the past it has fallen to the United States to enforce norms of international behavior picking up other countries as active allies or passive supporters as their politics dictated But it is fair to note that despite the lip service that the United States pays to its mutual-defense alliances it is more likely to react to a cyberattack on itself than to an ally The best indicator comes from comparing its response to the Sony attack to its nonresponse to a longer series of more damaging incursions into South Korean systems Conclusions Using the threat reprisals to dissuade cyberattacks introduces multiple issues that need far more careful attention than they have received to date The notion that building an offensive capability second to none suffices for deterrence is simplistic to say the least Granted weak countries cannot deter and in there is a basis for Admiral Rogers's argument But the United States is by no means weak especially in cyberspace If the U S deterrence policy has problems they are not ones of weakness but wisdom notably in determining where to draw the line between cyberattacks that are actionable at the national level and those that can either be ignored or responded to via judicial processes In the interim we should understand that there are certain potential cyberattacks - e g one that plunges the country into a blackout - that clearly cannot go unanswered while there are other ones that are simply too trivial to bother with It is the in-between that is the problem As a general rule it would seem appropriate for the United States develop its thresholds by working towards a regime of norms with which the difference between the actions of foreign governments that are acceptable and those that are unacceptable and actionable can be made consistent I appreciate the opportunity to discuss this important topic and I look forward to your questions                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu