The National Security Agency detailed “a significant amount of people and resources” to the Federal investigation of the data breach at the Office of Personnel Management, NSA Director Admiral Michael Rogers acknowledged Tuesday at a public forum in Washington, D.C. The response, however, was largely an effort to help OPM understand how the breach happened and what could be done to plug the holes.
But a new approach is taking shape that Rogers and other senior cybersecurity policymakers describe as a nascent cyber deterrence strategy – a fundamental military concept that has been used for decades to prevent the use of nuclear weapons, but that has failed to take shape in the cyber realm. Thanks to the increasing volume and severity of state-sponsored attacks targeting U.S. companies, Federal agencies and critical infrastructures a rough outline of a U.S. cyber deterrence policy and a set of basic international norms of behavior in cyberspace is now taking shape.
“I believe in the long run, we’ve got to get the foundational concepts of deterrence and norms of behavior,” Rogers said, speaking Tuesday at a Wilson Center forum. “We’ve got to get there in cyber. Right now, I believe most nation states, groups and individuals have come to the conclusion that in the current framework there’s little price to pay for the behaviors they are choosing to engage in. And in the long run, I don’t think that’s the best place for the United States to be and…I don’t think that’s in the best interest of the world,” Rogers said.
Rogers acknowledged that a debate is currently underway throughout official policy circles in the Obama administration regarding what types of cyber attacks might elicit an official response from the government. The debate took center stage in the aftermath of the devastating data breach at OPM, which compromised more than 21.5 million government security clearance files and was attributed to Chinese hackers. And while the administration is reportedly working on a sanctions response to the OPM breach, it has chosen not to publicly blame China. This is in stark contrast to its response to the North Korean hack of Sony Entertainment and it highlights the difficulties surrounding development of a comprehensive deterrence strategy.
But the focus on deterrence in the latest cyber strategy released in April by Defense Secretary Ash Carter was a deliberate effort by the administration to put nation states and cybercriminals on notice, according to Rogers.
“We felt that to help deter behaviors we need to talk about the department’s intent to generate a spectrum of capability from the defensive to the offensive and that was foundational to this idea of deterrence,” Rogers said. “One of the questions we’re trying to work through from a policy perspective is ‘what is the trigger that elicits a response?’ Is it impact as defined by some dollar value? Is it impact as defined by the idea of value? Is the criteria you want to use some level of loss of life, harm or injury?”
In the Sony attack, for example, it was determined that the incident was an attack against freedom of speech – “a fundamental right for us as a nation,” Rogers said. “This is an ongoing topic of debate. It’s of significance. We all realize that this is not some minor occurrence. Every one of us in the government who’s part of these discussions clearly understands that.”
For Rogers, there are two principal ways to deter aggression in cyberspace. “The first is to convince the opponent that despite their best efforts they won’t succeed, they will fail.That’s the defensive part,” he said. “The second idea of deterrence, and that’s the one that gets the most attention, is that you convince an opponent that even if they were to succeed at achieving the objective, the costs that they would pay far outweighs any value that would be generated and therefore it’s in their best interest not to do it.”
But what about deterring and responding to attacks perpetrated by non-state actors? That’s where policymakers have hit a roadblock in the development of a clear framework for deterrence. While most nation states are reluctant to destroy the international structure to achieve short-term goals, that is not necessarily a view shared by non-state actors, such as terrorist organizations, Rogers acknowledged.
Criminals and terrorist groups, such as ISIL, “would destroy the very structure that we and many nations around the world are interested in perpetuating – this idea of freedom, of choice. I think that’s a challenge that we’re going to have to work our way through,” Rogers said. “I don’t have an easy answer for that one. Every group, every individual values something. There’s a way that we can highlight [to these groups] that which you value is threatened if you pursue destabilizing courses of action,” he said.
“So OPM is just one part of a broader dialogue for us,” Rogers said, responding to questions about the administration’s decision not to publicly respond to the data breach. “Clearly, we’re in the very early stages of this and we are still working our way through it. And it is not a one-size fits all.”