Tuesday, April 28, 2009

Secrecy and Cyber Deterrence

On Monday, April 27, 2009, the New York Times published the first article in a series on the "growing use of computing power as a weapon." While I applaud the Times for reporting on this important issue, I was disturbed by the backwards thinking of policy makers revealed by the article.

Specifically, the article the touches on the problem of defining a cyber deterrence strategy. This is a topic in which I am extremely interested in and have previously written about here and here. The article states,

But Mr. Obama is expected to say little or nothing about the nation’s offensive capabilities, on which the military and the nation’s intelligence agencies have been spending billions. In interviews over the past several months, a range of military and intelligence officials, as well as outside experts, have described a huge increase in the sophistication of American cyberwarfare capabilities.

Because so many aspects of the American effort to develop cyberweapons and define their proper use remain classified, many of those officials declined to speak on the record. The White House declined several requests for interviews or to say whether Mr. Obama as a matter of policy supports or opposes the use of American cyberweapons.
While I understand the need for secrecy in matters of national security, I am deeply troubled that the culture of secrecy surrounding cyber warfare will negatively impact the United State's ability to create a credible cyber deterrent.

Deterrence involves convincing an adversary not to initiate a particular action or actions due to the credible prospect that he will not succeed in achieving his objectives and/or he will be subjected to a punishing response such that the costs incurred will far outweigh the benefits that might be gained.

It will be very difficult for the US to convince an adversary that it faces a credible prospect of punishment if our adversaries do not understand our offensive cyber power. I do not believe we need to publicly inventory our cyber weapons arsenal, but it would behoove us to publicly demonstrate our offensive capabilities. Public demonstrations like the Aurora Generator Test are good examples of how we can demonstrate our offensive capabilities to our adversaries.

A policy of publicly demonstrating offensive capabilities is nothing new. During the Cold War, the US military repeatedly tested nuclear weapons and conducted large-scale conventional military exercises. The US used these tests and exercises in part to demonstrate its offensive prowess so that its adversaries, including the Soviet Union, would understand the United State's ability to cause harm. Cyber is just a new domain of warfare and I see no reason to treat it any differently than we have previously treated warfare in the past. As such, it makes sense to publicly demonstrate our offensive capabilities. This will increase our deterrent capacity and help stave off future cyber wars. Excessive secrecy only makes cyber deterrence harder to achieve.


Sarah said...

One post in response to weekly readings -

The selected reading from Daniel Solove’s "The Digital Person: Technology And Privacy In The Information Age" was particularly interesting in its discussion of the digital dossier, or a collection of detailed data about an individual which is becoming increasingly more problematic in our current technological era. This topic was particularly striking to me because of the fact that a digital dossier contains extremely personal information, but we oftentimes do not even know that it exists, nor do we have a large amount of power in regulating its information or accessibility if we do discover its existence.

Though these digital dossiers are usually created in order to make predictions about an individual as a consumer, and individuals sometimes disregard the danger of such collection as irrelevant due to its content (where we shop online, what items we buy, etc.), I believe that digital dossiers represent a trend in targeted marketing that we must all be aware of. Digital dossiers, as well as private-sector databases that seek to profit off of targeted analysis of our information, exacerbate privacy arms in the process. For instance, alongside increased accessibility comes the threat of secondary use. Though this “consumer information” may appear irrelevant and harmless, it is the matter of privacy which is being attacked. Each individual has a right to the protection of information which he/she deems necessary of that protection. However, with digital dossiers that leave individuals virtually powerless to the knowledge or control of their information, individuals are unable to protect themselves from threats such as secondary use. In other words, information that may appear irrelevant to the company collecting the data might actually be extremely personal and private to the individual, and therefore, the individual's sense of privacy is under attack.

Solove's book presents the notion that privacy does not have to do solely with our bank account number or a country’s power grid. Rather, privacy rights and laws have a responsibility to address the issue of digital dossiers in order to provide for the protection of an individual’s everyday information, so that each person not only has their information protected, but that they live in an environment in which they feel safe, sheltered and in control of their lives and the information that defines them.

Jeffrey Michael Comfort said...

I would agree that a veil of complete secrecy is not the best way to create any amount of deterrence. I also agree that a full disclosure is just as bad a policy as it would allow our enemies to know how bets to counter our capabilities. Where I would disagree is in that war has changed distinctly since the times of nuclear bomb tests and routine war games. The threat then was from a large and known enemy, the USSR and its allies. These countries could be impressed or scared into submission, so to speak, by examples of our military power and prowess. The most threatening enemy we face today is less concerned with the response it will garner and more concerned with simply causing mass destruction and terror. While revealing our offensive cyber capabilities might spook Russia or China, I believe they are far less threatening to our national security than terrorist organizations. These groups are far harder to target and would not be as impressed by a show of force on the part of the US. So, I would suggest that we tip our hand a bit and show the world just how dangerous we are, but I’d rather err on the side of caution. It seems smarter to keep our capabilities under wraps so that they cannot be easily countered.