The nominee to head the Pentagon’s new CyberCommand testified in front of Congress late last week that employing Cold War strategies to cyberwarfare challenges may not work for the United States..
A newly published research paper by a University of Cincinnati professor and colleagues goes a step further and concludes more directly that deterrence can not serve as the primary national cybersecurity strategy.
In testimony on April 15th before the U.S. Congress, Lt. General Keith A. Alexander offered his view that a Cold War approach of nuclear deterrence as a strategy for securing the United States might not translate effectively into the new realm of cyberwarfare, an area where the U.S. is just beginning to think about broader strategic approaches.
That same subject area is addressed in a new article in the Journal of Homeland Security and Emergency Management by UC Professor of Political Science Richard Harknett and co-authors John Callaghan and Rudi Kauffman. They say that to deal with cyberaggression, a more traditional model of warfighting will have to become the focus if cyberspace is to become more secure and safe.
In their article, “Leaving Deterrence Behind: War-Fighting and National Cybersecurity,” Harknett and his co-authors argue that “the inherent characteristics of cyberspace require adoption of a full war-fighting posture that moves out of the fifty-plus year comfort zone of deterrence as the dominant strategic anchor… We must organize thinking about managing cyber-leveraged war so that damage is contained and reduced. Counter-intuitively, these futuristic threats require us to adopt the historical posture of traditional warfare.”
By traditional warfare, the authors mean the traditional offense-defense framework that has defined war strategy throughout much of history. While a deterrence posture works in a nuclear context when the alternative for both sides is mutually-assured destruction, several factors unique to cyberwarfare make applying the deterrence model an awkward fit.
For one thing, cyberwarfare is an offense-dominated enterprise. Attacks can be carried out cheaply and in ways that make determining responsibility a slow process and difficult to establish. Deterrence is also undercut by the possibility of attackers using previously unknown approaches that greatly diminish their susceptibility to responses.