An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

The Cyber Defense Review

Ambiguous Deterrence

By Dr. Aaron Brantly | January 23, 2016

The ratification of a pledge for joint defense in case of a major cyber-attack at the 2014 NATO Summit is a major step forward.Under this pledge a significant cyberattack on any NATO nation would be constitutive of anattack on all of them. While it is hoped that the vague framing and uncertain capabilities of each NATO member will facilitate deterrence through ambiguity, it should be noted that deterrence only works when that ambiguity is backed up by a command structure capable of a timely and organized response.

As President Obama and other NATO leaders are redefining and reinvigorating strategy for the alliance it should be noted that the problem lies less in an ability to pledge for mutual defense than it does in the ability to organize and provide for that same defense. As recently as February 2013 the Government Accountability Office released a report on National Strategy, Roles, and Responsibilities and found that many of the major problems faced with regards to cybersecurity for the United States have less to do with capabilities and more to do with responsibilities. Large-scale cyberattacks such as Estonia 2007 or Georgia 2008 cross civil-military/private-public boundaries. Although policy-makers, think tanks, and academics have been working furiously to establish policy and write strategy documents, the fact remains that the United States remains woefully unable to respond to a significant cyberattack largely due to a failure to assign responsibilities and jurisdiction.

The ramifications associated with failure to assign responsibilities and jurisdictions are public knowledge and have been demonstrated in a wide variety of simulations. The Bipartisan Policy Center conducted a major cyber incident simulation in 2010 called Cyber Shockwave. Two of categories of findings in their follow up report dealt with significant problems associated with governmental organization and legal authorities and the third was international policy coordination. A 2011 report by DHS following Cyber Storm III, a simulation designed to test the effectiveness of the National Cyber Incident Response Plan, noted in one of its key findings: “Although public–private interaction around cyber response is continually evolving and improving, it can be complicated by the lack of timely and meaningful shared situational awareness; uncertainties regarding roles and responsibilities; and legal, customer, and/or security concerns.” As the United States and NATO pledge mutual defense, they are further expanding the problem of responsibilities and jurisdiction to an international institution with its own organizational and jurisdictional shortcomings.

The claim made by statesmen including NATO Secretary General Anders Rasmussen, that ambiguity of response facilitates deterrence is accurate, particularly when examining the use of nuclear weapons. However, that ambiguity falls back upon a rigid command and control system that enables a rapid response to hostile actions. If nuclear command and control functioned as it does for our cyber forces and nuclear warheads were headed across the Atlantic or Pacific towards major U.S. cities, our ability (or lack there of) to respond would make the concept of mutually assured destruction laughable. Our ability to adequately respond to an attack would be measured not in minutes or hours, but in days, weeks, and likely even months. At present, only long after the United States and her allies are left smoldering in the wake of a major cyberattack are we capable of even deciding who had the responsibility to respond.

Pledging mutual security in the face of an increasingly serious threat is admirable. Yet it is equally important to provide the structural aspects that underpin that security both at the national and international level for all NATO members. Currently the United States and her NATO allies lack a well-developed understanding of who has responsibility for what, when at the national and international level. And until those responsibilities and jurisdictional boundaries are formally defined the notion of ambiguity fostering cyber deterrence is largely an empty threat. It is imperative that Secretary General Jens Stoltenberg, who took office on October 1, 2014, facilitate policy discussions between NATO member states in the coming years that consider those aspects that facilitate meaningful deterrence in cyberspace.



US Army Comments Policy
If you wish to comment, use the text box below. Army reserves the right to modify this policy at any time.

This is a moderated forum. That means all comments will be reviewed before posting. In addition, we expect that participants will treat each other, as well as our agency and our employees, with respect. We will not post comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to other or similar content. We will not post comments that are spam, are clearly "off topic", promote services or products, infringe copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will also not be posted. The Army and the Army alone will make a determination as to which comments will be posted. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of the Army, DoD, the United States, or its officers or employees concerning the significance, priority, or importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying Army endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behaviour or sexual assault will be reported to appropriate authorities including OSI. This forum is not:

  • This forum is not to be used to report criminal activity. If you have information for law enforcement, please contact OSI or your local police agency.
  • Do not submit unsolicited proposals, or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
  • This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

Army does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. Army may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. Army does not endorse, support or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on our website.

Members of the media are asked to send questions to the public affairs through their normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted. We recognize that the Web is a 24/7 medium, and your comments are welcome at any time. However, given the need to manage federal resources, moderating and posting of comments will occur during regular business hours Monday through Friday. Comments submitted after hours or on weekends will be read and posted as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic." This means that comments will be posted only as it relates to the topic that is being discussed within the blog post. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the Army or the Federal Government.

To protect your own privacy and the privacy of others, please do not include personally identifiable information, such as name, Social Security number, DoD ID number, OSI Case number, phone numbers or email addresses in the body of your comment. If you do voluntarily include personally identifiable information in your comment, such as your name, that comment may or may not be posted on the page. If your comment is posted, your name will not be redacted or removed. In no circumstances will comments be posted that contain Social Security numbers, DoD ID numbers, OSI case numbers, addresses, email address or phone numbers. The default for the posting of comments is "anonymous", but if you opt not to, any information, including your login name, may be displayed on our site.

Thank you for taking the time to read this comment policy. We encourage your participation in our discussion and look forward to an active exchange of ideas.