As we have done STH reader feedback sessions, we found that many of our US readers work in the infrastructure and government spaces. We have many other readers in the security field. As a result, we read an interesting report on the state of critical infrastructure cyber security that did not get much press. The Defense Science Board (DSB) published its report on Cyber Deterrence recently, which was presented to the Senate Armed Services Committee in a hearing on Cyber Strategy and Policy.
The newly released report builds on a 2013 DSB study on the resilience of DoD’s systems, in which its authors essentially concluded the Department of Defense cannot adequately defend its systems against the offensive capabilities of the highest-level threat actors, and therefore, must rely on deterrence, among other things, to prevent major cyber attacks and costly cyber intrusions.
Just in the short number of years since, the United States has experienced a number of cyber attacks and costly cyber intrusions. However, it is essential to understand that cyber attacks on the United States to date do not represent the “high end” threats that could be conducted by U.S. adversaries today – let alone the much more daunting threats of cyber attacks and costly cyber intrusions that the Nation will face in coming years as adversary capabilities continue to grow rapidly.
The Cyber Deterrence report underscores that while the United States gains tremendous economic, social, and military advantages from cyberspace, our pursuit of these advantages has created extensive dependencies on highly vulnerable information technologies and industrial control systems. As a result, U.S. national security is at unacceptable and growing risk.
Specifically, the study’s authors determined the United States faces three distinct sets of cyber deterrence challenges.
- First, major powers (e.g., Russia and China) have a significant and growing ability to hold U.S. critical infrastructure at risk via cyber attack, and an increasing potential to also use cyber to thwart U.S. military responses to any such attacks. This emerging situation threatens to place the United States in an untenable strategic position. Although progress is being made to reduce the pervasive cyber vulnerabilities of U.S. critical infrastructure, the unfortunate reality is that, for at least the next decade, the offensive cyber capabilities of our most capable adversaries are likely to far exceed the United States’ ability to defend key critical infrastructures. The U.S. military itself has a deep and extensive dependence on information technology as well, creating a massive attack surface.
- Second, regional powers (such as Iran and North Korea) have a growing potential to use indigenous or purchased cyber tools to conduct catastrophic attacks on U.S. critical infrastructure. The U.S. Government must work with the private sector to intensify efforts to defend and boost the cyber resilience of U.S. critical infrastructure in order to avoid allowing extensive vulnerability to these nations. It is no more palatable to allow the United States to be held hostage to catastrophic attack via cyber weapons by such actors than via nuclear weapons.
- Third, a range of state and non-state actors have the capacity for persistent cyber attacks and costly cyber intrusions against the United States, which individually may be inconsequential (or be only one element of a broader campaign) but which cumulatively subject the Nation to a “death by 1,000 hacks.”
To address these challenges, the report’s authors propose, as urgent priorities, three broad sets of initiatives to bolster deterrence of the most important cyber threats and related challenges to the United States and DoD.
- Plan and Conduct Tailored Deterrence Campaigns: The U.S. cyber deterrence posture must be “tailored” to cope with the range of potential attacks that could be conducted by each potential adversary. And it must do so in contexts ranging from peacetime to “gray zone” conflicts to crisis to war. Clearly, for U.S. cyber deterrence (as with deterrence more broadly), one size will not fit all.
- Create a Cyber-Resilient “Thin Line” of Key U.S. Strike Systems: The DoD must devote urgent and sustained attention to boosting the cyber resilience of select U.S. strike systems (cyber, nuclear, non-nuclear) and supporting critical infrastructure in order to ensure that the United States can credibly threaten to impose unacceptable costs in response to even the most sophisticated large-scale cyber attacks. In effect, DoD must create a second-strike cyber resilient “Thin Line” element of U.S. military forces to underwrite deterrence of major attacks by major powers.
- Enhance Foundational Capabilities: In addition to the measures outlined above, the Department of Defense and the broader U.S. Government must pursue several different types of capabilities, such as enhancing cyber attribution, the broad cyber resilience of the joint force, and innovative technologies that can enhance the cyber security of the most vital U.S. critical infrastructure.
You can find this report at the following link.
For the enterprising readers at STH there are a few key takeaways. First, this is going to be an area of intense IT spending in the years to come. With investment, there are opportunities both at the government and large business level for growth. The other key takeaway is that this is a US government report. It is more than likely that other governments will see a similar need to spend more on cyber deterrence capabilities.