Main Image Credit: Members of the Vermont Army National Guard Computer Network Defense Team during the 2014 Cyber Shield Exercise. Courtesy of US Army/Wikimedia.
Despite what you may have heard, the latest information dump from WikiLeaks is not the most important development in cyber security.
For those following ongoing debates on the challenges for cyber security in the aftermath of the US elections, much attention has been focused on the recent set of revelations from WikiLeaks.
Sensationalised coverage focused on the way the CIA had allegedly developed techniques whereby encrypted messaging apps such as WhatsApp could be hacked to reveal their content, or on allegations that the intelligence agencies could monitor you and your activities through your TV set or even fridge freezer.
WikiLeaks also highlighted the supposed use of ‘false flag’ operations, leading some to suggest that efforts to destabilise the US presidential election through the hacking of emails and the spreading of disinformation might actually have been the work of American intelligence agencies themselves.
While much of this has been debunked, it also somewhat overshadowed the release a few days earlier of a much more significant report. Although less sensationalist than WikiLeaks, the US DoD Defense Science Board (DSB) Task Force on Cyber Deterrence report is arguably one of the most significant documents on the subject in the past few years.
While the key elements of the document are in its recommendations on how the US needs to improve its deterrent posture to cyber attacks, it is in its assessment of the underlying threat that the report is surprisingly revelatory.
The challenge of deterring malicious actors in cyberspace has been puzzling policymakers since long before the study was initiated two years ago.
Whether it was to be deterrence through the threat of punishment or through making targets too difficult to attack, the uniqueness of cyberspace and its associated capabilities has meant that there are few lessons or comparisons which could be drawn from the approach to nuclear deterrence during a previous era.
For, while the destructive power of nuclear weapons has been demonstrated, the power of cyber capabilities has not, other than the sort of local and time-limited impact caused by attacks such as the one perpetrated on a German steel mill in 2014 and on the broadcaster TV5Monde in France a few months later.
Furthermore, the sensitivity of the tools and techniques used to deliver effects in and through cyberspace – and in particular how access to networks is obtained – means that it is impossible to demonstrate weapons capabilities.
This has led to a focus on deterrence through other means, such as punishment through sanctions or the threat of conventional military action. This is the context in which the DSB Task Force of academics and practitioners sought to develop new insights and policy recommendations.
China and Russia the Biggest Threat
The report is clearly focused on the strategic and operational levels and builds its recommendations on a robust and honest assessment of the threat landscape. Its focus is primarily on the threat from state actors and identifies China and Russia as providing the highest level of threat to US critical infrastructure.
This assertion is, in itself, not surprising, but the seriousness with which the report describes the two countries is striking: both are deemed to hold the US infrastructure at risk in ways that threaten to place the US in an ‘untenable strategic position’.
The report suggests that it will be at least ten years before the US's ability to defend its infrastructure will catch up with the offensive cyber capabilities of these potential adversaries, and that the US military’s dependence on information technology provides a ‘massive attack surface’.
Beyond these major states, the report also highlights the ability of regional powers – specifically Iran and North Korea – and non-state groups to develop or purchase offensive cyber capabilities that could cause significant disruption.
Although the report’s language eschews the hyperbole of ‘cybergeddon’, it is nevertheless stark in the way it emphasises US vulnerability in cyberspace, and hence the importance of developing a more robust deterrence posture.
Take Three Steps
The report recommends that the US takes three main steps to enhance its strategic position. First, it needs to plan and conduct deterrence campaigns tailored to the actor and the specific threat through the full spectrum of conflict from peacetime to general war. This is clearly a substantial task in comparison to the approach required for nuclear deterrence.
Second, the report highlights the need to ensure the cyber resilience of key US strike systems, from cyber through nuclear to conventional. This is essential to ensure that the US retains a credible ability to threaten to impose unacceptable costs in response to the full range of cyber attacks, and particularly those by major powers.
Last, the experts note the need for the DoD to focus on boosting key capabilities that support the deterrence effort, including enhancing the ability to attribute attacks, leading on innovation in cyber security technology and improving the cyber resilience of the whole US Joint Force.
Clearly, if these recommendations are to be taken forward, there will need to be a significant redistribution of resources and a reconsideration of investment decisions.
So, while WikiLeaks’ revelations provide some interesting insights into the vulnerabilities of current technology, the DSB report gives much more substantial food for thought.
Its public recognition of the vulnerability of the US to a major cyber attack for at least another decade is significant in its honesty, and the report provides the impetus for new approaches in policy and practice in establishing cyber deterrence.
Still, if the US is vulnerable, what is the position in the UK? The UK National Cyber Security Strategy includes ‘deter’ as one of the three D’s of its plan to confront threats in cyberspace, along with ‘defend’ and ‘develop’. However, it lacks the clarity of the DSB Report as to the nature of the challenge provided by contemporary threats and the response required.
Yet there is little doubt that this will be occupying minds at the new National Cyber Security Centre and in the National Security Council more broadly.