Cyber Defense Review

Ambiguous Deterrence

By Dr. Aaron Brantly | January 23, 2016

The ratification of a pledge for joint defense in case of a major cyber-attack at the 2014 NATO Summit is a major step forward.Under this pledge a significant cyberattack on any NATO nation would be constitutive of anattack on all of them. While it is hoped that the vague framing and uncertain capabilities of each NATO member will facilitate deterrence through ambiguity, it should be noted that deterrence only works when that ambiguity is backed up by a command structure capable of a timely and organized response.

As President Obama and other NATO leaders are redefining and reinvigorating strategy for the alliance it should be noted that the problem lies less in an ability to pledge for mutual defense than it does in the ability to organize and provide for that same defense. As recently as February 2013 the Government Accountability Office released a report on National Strategy, Roles, and Responsibilities and found that many of the major problems faced with regards to cybersecurity for the United States have less to do with capabilities and more to do with responsibilities. Large-scale cyberattacks such as Estonia 2007 or Georgia 2008 cross civil-military/private-public boundaries. Although policy-makers, think tanks, and academics have been working furiously to establish policy and write strategy documents, the fact remains that the United States remains woefully unable to respond to a significant cyberattack largely due to a failure to assign responsibilities and jurisdiction.

The ramifications associated with failure to assign responsibilities and jurisdictions are public knowledge and have been demonstrated in a wide variety of simulations. The Bipartisan Policy Center conducted a major cyber incident simulation in 2010 called Cyber Shockwave. Two of categories of findings in their follow up report dealt with significant problems associated with governmental organization and legal authorities and the third was international policy coordination. A 2011 report by DHS following Cyber Storm III, a simulation designed to test the effectiveness of the National Cyber Incident Response Plan, noted in one of its key findings: “Although public–private interaction around cyber response is continually evolving and improving, it can be complicated by the lack of timely and meaningful shared situational awareness; uncertainties regarding roles and responsibilities; and legal, customer, and/or security concerns.” As the United States and NATO pledge mutual defense, they are further expanding the problem of responsibilities and jurisdiction to an international institution with its own organizational and jurisdictional shortcomings.

The claim made by statesmen including NATO Secretary General Anders Rasmussen, that ambiguity of response facilitates deterrence is accurate, particularly when examining the use of nuclear weapons. However, that ambiguity falls back upon a rigid command and control system that enables a rapid response to hostile actions. If nuclear command and control functioned as it does for our cyber forces and nuclear warheads were headed across the Atlantic or Pacific towards major U.S. cities, our ability (or lack there of) to respond would make the concept of mutually assured destruction laughable. Our ability to adequately respond to an attack would be measured not in minutes or hours, but in days, weeks, and likely even months. At present, only long after the United States and her allies are left smoldering in the wake of a major cyberattack are we capable of even deciding who had the responsibility to respond.

Pledging mutual security in the face of an increasingly serious threat is admirable. Yet it is equally important to provide the structural aspects that underpin that security both at the national and international level for all NATO members. Currently the United States and her NATO allies lack a well-developed understanding of who has responsibility for what, when at the national and international level. And until those responsibilities and jurisdictional boundaries are formally defined the notion of ambiguity fostering cyber deterrence is largely an empty threat. It is imperative that Secretary General Jens Stoltenberg, who took office on October 1, 2014, facilitate policy discussions between NATO member states in the coming years that consider those aspects that facilitate meaningful deterrence in cyberspace.