To prevent automated spam submissions leave this field empty.
Kathleen A. Doty, University of Georgia School of Law, moderated this terrific panel. Jonathan E. Davis, Office of the Legal Adviser, U.S. Department of State, kicked things off by asking what we mean by cyber deterrence, and who are we deterring?
While nuclear deterrence is obviously designed to deter nuclear-capable states from conducting nuclear strikes, the activity a cyber deterrence strategy seeks to discourage ranges from cyber crime to cyber attacks. Additionally, such disconcerting conduct emanates from a variety of actors who need to be deterred, including non-state actors, individuals, and States. This spectrum of malicious cyber activity and the range of actors challenge effective deterrence strategy, which consists of influencing an adversary not to do X because the adversary realizes that the benefits of doing X are outweighed by the resultant costs.
Davis outlined four criteria of a successful deterrence strategy, including a threshold for action, which need not be a bright-line; attribution; responsive capability; and credibility. He highlighted that deterrence typically benefits from transparency, but due to concerns regarding tactics, techniques, and procedures, States are often not as public as they need to be to strengthen cyber deterrence. Davis also noted that cyber deterrence may not work to deter certain non-state actors such as terrorists, given their motivation and perverse cost-benefit analyses, but this weakness isn’t unique to cyberspace.
Davis provided the international law backdrop to cyber deterrence, highlighting that most States accept that acts in cyberspace may be considered a use of force or armed attack under UN Charter Article 2(4) and 51, respectively. (He used these interchangeably, pursuant to US interpretation.) These are well-recognized thresholds in the international law community. Most States use a similar effects-based, consequentialist approach to determine how they are tripped in the cyber realm. He highlighted that it’s less clear what States consider an armed attack/use of force that does not result in physical consequences. Would sustained cyber measures that shut down a national stock exchange equal a use of force/armed attack? To deter actors from getting close to the line, States don’t reveal their definitions, which furthers ambiguity.
Davis explained that the attribution problem has been overstated and it doesn’t pose an insurmountable hurdle to deterrence. He claimed that it’s highly likely that a powerful victim can use cyber indicators to identify cyber attackers. With respect to the availability of response options, States are, of course, not required to use physical force in response, but they can — limited by necessity and proportionality. That is, international law allows for adequate responses for the most significant and serious cyber attacks. Pivoting, Davis noted that cyber deterrence struggles with those actions below the level of self-defense triggering uses of force/armed attacks; that is, how to deter the daily malicious cyber conduct that isn’t an armed attack. In aggregate, such daily acts may prove costly and destabilizing over time. International law plays a real role in shaping responsive options, such as the doctrine of counter-measures, though this doctrine has limited viability due to its many constraints, which he then addressed.
Gary Brown, United States Marine Corps University, described deterrence as States’ effective ability and willingness to respond to cyber attacks, and the public knowledge of the same. He noted that the US struggles the most with his third prong; if we don’t communicate our strategy, deterrence is weakened. Brown explained various recent US attempts at making “declaratory policies” in an effort to communicate US strategy. He characterized the US 2011 international strategy for cyber-space as fairly vague, and noted the US statement in 2015 that it would act to “defend our interests in a manner of our choice.” He found that both leave wide swaths of “strategic ambiguity.” He noted the US has little to say regarding its willingness to use its cyber capabilities in response to a cyber attack, versus its willingness to use other tools, such as diplomatic statements, economic sanctions, etc.
Brown proceeded to highlight the difference between trying to deter non-state actors versus States: it is particularly challenging in cyberspace because the methods to wage war are no long monopolized by States. Since anyone can build a cyber capability with a credit card, non-state actors are a huge concern. He noted that generally speaking, countermeasures can only be used against States, which is a problem. In other words, if the US sees offensive cyber activity, it needs to try to tie it to a State, but the relationship between non-state actors and States can be tenuous and not necessarily rise to the level of State responsibility. He contrasted the US indictments against PLA officers in China, where the link to the State seems clearer, with the situation in Russia, where some Russian criminal cyber actors have “interesting” links to the Russian government. Is Russian encouragement, for example, a sufficient nexus to the State to trigger State responsibility, when international law typically looks to “effective control?” The answer is likely no. He mentioned a few actions to deter such non-state actors, such as retorsion measures and hack backs, though the latter generally violate US law.
Tara McGraw Swaminatha, DLA Piper LLP, who now represents large corporations who have suffered cyber attacks, highlighted that the targets of cyber attacks are different than those in the kinetic world. Specifically, she stated that it’s the responsibility of the government (law enforcement) to prevent and respond to physical attacks—but regarding cyber attacks, the private sector has been asked to help build defenses. She thinks the category of critical infrastructure must be expanded to include, for example, large databases of health information, most of which are held by private sector companies. She noted the competing interests in the private sector, including the need to protect against malicious activity and the need to ensure companies aren’t conduits for such activity versus concerns about legal exposure to class actions, reputational costs, etc. She noted that there is a negative unemployment rate in the cyber security world. Every company wants appropriate risk management but there is insufficient talent. She called for more partnership among the government, private, and academic sectors to develop this expertise.
McGraw Swaminatha related that at a 2015 DOJ roundtable, the assistant Attorney General intimated the government couldn’t track and deter cyber attacks against the private sector because so much of the evidence remains in the hands of industry. McGraw Swaminatha claimed that the reverse is actually true. For example, without subpoena power, industry can’t track IP addresses. She noted that companies who are afraid of legal exposure due to sharing data with the government are starting to move past that to share more. She also called for exploration of the elusive chat rooms called the dark web. She explained that while DOJ has immunity when impersonating hackers on-line for investigative purposes, private sector investigative security personnel are technically breaking the law via solicitation crimes, etc., if they engage in similar activity, so they are understandably leery about navigating this territory proactively. She also noted that the government has attempted to improve private sector security by: (1) requiring any technology provider with contracts with the government, via NIS 853, to comply with cyber security requirements; she noted the impossibility of 100% compliance as well as the huge expense and that lack of compliance could lead to criminal liability under the False Claims Act; and (2) there’s been a significant uptick in regulatory investigations following data breaches. She noted that this has had a chilling effect because once companies reveal breaches to the FTC, vulnerabilities become discoverable by plaintiffs in class actions. She emphasized that such counter-productive barriers need to be broken down so these communities can work together more effectively.
The panel concluded with a lively dialogue with the audience based on questions ranging from state sovereignty to whether enhanced State due diligence requirements could help deal with cyber attacks emanating from non-state actors.
Rachel E. VanLandingham, Associate Professor of Law, Southwestern Law School.