In May of last year, the US Government published its International Strategy for Cyberspace.
The publication made some waves in the international community because in this document the US stated that military reprisals to cyber attacks were now officially on the table.
More specifically, the US government stated that it 'encouraged responsible behavior and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors and reserving the right to defend these national security and vital national assets as necessary and appropriate' [emphasis mine].
This declaration of intent came after an ever-increasing number of (detected) attacks on USG networks and systems.
The development of cyber capabilities by governments worldwide is also likely to have influenced the situation.
Whatever the underlying political reasons for publishing such a loaded statement, the publication is clearly intended to deter would-be attackers and, as such, is more or less aligned with one of the RAND Corporation's Monograph studies during Project Air Force on CyberDeterrence and Cyberwar (freely available PDF).
In this lengthy publication by the hand of Martin C. Libicki, the subject of CyberDeterrence is extensively studied and described. He approaches the subject from so many angles that it would make you smile if you didn't have to read it all to get to the end.
One especially important aspect of this discussion is the much-debated problem of attribution. Since retaliation and the threat thereof are a large part of deterrence, knowing who to strike is of paramount concern. Libicki describes various scenarios, such as striking back at the wrong target or not striking at all, and how every scenario has its own consequences.
Suffice it to say that if you, as an attacker, hide your tracks well enough (don't forget the cyber intelligence aspect!), you won't have many problems with retaliatory strikes. If you manage to implicate an innocent third party instead, you may even turn that into a distinct advantage. Considering that retaliation may now include kinetic attacks (bullets to bytes), it can be safely said that they have upped the proverbial ante.
You might be wondering what the point is of declaring retaliatory (potentially kinetic) attacks when every player in this field knows what the score is: No attribution - No problem. So why make a public statement about how you're going to strike back if everyone knows it's highly unlikely?
Well, Libicki covers that too by describing the effects of not striking back, striking back silently, striking back publicly as well as not striking back publicly. I won't copy/paste his work here, but reading between the lines I found that even though such a public statement is mostly a bluff, it is somewhat of a deterrent and it wins out over the downsides.
Besides, and here is the succinct point of it all, declaring that you may use kinetic military options as a retaliatory measure doesn't mean you are immediately obliged to actually do so.
In December of last year, the Dutch government was advised by the Advisory Council on International Affairs (AIV) (Dutch) to make a similar statement with regard to cyber attacks. If the Dutch government decides to take up the advice, the Netherlands will be in the same boat as the US when it comes to cyberdeterrence strategy.
It doesn't worry me. I feel that making such a statement to the world has more upsides than downsides and it shows backbone. When I, along with friend and fellow NCDI council member Niels Groeneveld, was asked to provide input to some of the questions the AIV was looking to answer, I found the discussion so interesting that I wrote several articles about it.
See the "Questions from .GOV" series (part 1) (part 2) (part 3). I was happy to see that some of my input had been used, but it also more-or-less automatically disqualifies me from judging this advice. So I ask you: How do you feel?
About the author: Don Eijndhoven has a BA in Informatics (System & Network Engineering) with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands and is currently pursuing an MBA at Nyenrode Business University. Among a long list of professional certifications he obtained are the titles CISSP, CEH, MCITPro and MCSE. He has over a decade of professional experience in designing and securing IT infrastructures. He is the Founder and CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he is a public speaker, occasionally works for CSFI and blogs for several tech-focused websites about the state of Cyber Security. He is a founding member of the Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine, and the founder of the Dutch Cyber Warfare Community group on LinkedIn.
Cross-posted from ArgentConsulting.nl