Deterrence by Denial: The Missing Element of U.S. Cyber Strategy

By Robert Morgus, John Costello, Charles Garzoni, Michael Garcia
Wednesday, March 11, 2020, 1:59 PM

Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.

As laid out by Benjamin Jensen in a prior post, the layered cyber deterrence called for by the Cyberspace Solarium Commission relies on the three layers—shaping behavior, denying benefits and imposing costs—all working in concert to dissuade aggressive action from adversaries. Deterrence by denial, what Joseph Nye calls denial by defense, is an effort to make it more difficult for an adversary to achieve an objective or to increase the cost of an adversary’s actions. To be effective, deterrence by denial must make the cost of aggression “unprofitable by rendering the target harder to take, harder to keep, or both.” As the nation grows ever more reliant on a functioning cyber ecosystem, it is paramount to deny adversaries the ability to degrade these elements of national power or disrupt them in a time of crisis. Yet a strategy of deterrence by denial, or a prioritization of defense and resilience in cyberspace, has been a key element missing from U.S. cybersecurity strategies to date.

In the 1950s, as the Soviet Union developed nuclear weapons at scale, the United States faced the challenge of deterring the use of those weapons. The U.S. opted to focus its deterrent efforts on ensuring that adversaries clearly understood our posture and the threat of massive cost imposition. Protected by geography and psychology, the U.S. has never had to seriously consider defense and resilience as part of its national security strategy.

Cyber, however, presents a number of novel challenges. There is no mutual assurance of destruction. Oceans do not provide the U.S. with protection. There is more ambiguity and more uncertainty. In the 1970s, when the nuclear nonproliferation treaty went into force, only five countries had nuclear weapons. Today that number is higher, with up to nine states in possession of nuclear weapons, but even that number pales in comparison to the number of actors with cyber capabilities, including criminals and other actors that are less likely to be deterred through cost imposition. In cyberspace, actors are obfuscated and the lines are unclear.

Thus, rather than relying primarily on psychology and cost imposition to deter adversaries, a strategy to secure the U.S. in cyberspace must prioritize defense, denying adversaries the opportunity to attack us (and the benefit of doing so) in this evolving domain. The incongruity of nuclear and conventional deterrence dynamics when applied to cyberspace has created an overwhelming focus on deterring adversaries by demonstrating a strong military offense in cyberspace or imposing costs and consequences on adversary action after the fact. Neither of these measures has stemmed the tide of threat and, indeed, may have exacerbated it—emboldening our adversaries and diverting resources or limiting security and resilience efforts that may have had a more substantial impact on adversaries’ cost calculus. This focus fails to address the core and persistent vulnerability at the heart of the problem—the pervasive insecurity of cyberspace and the systems, assets and functions that underpin key pillars of national power.

Deterrence by denial for cyberspace must emphasize the importance of building defensive capacity and resilience to withstand attacks, while focusing efforts squarely on safeguarding and preserving the national assets that form the basis for national power, or systemically important critical infrastructure. These are entities whose disruption would cause cascading failures and place continuity of the military, economy, government and society at risk and would render the U.S. impotent in a time of crisis. With this context, a strategy for cyber deterrence by denial must acknowledge and embody three key principles.

First, the strategy must be built on the foundational principle that resilience, rather than strict prevention alone, is crucial to denying adversaries benefits. A strategy for deterrence by denial must be built around this concept of resilience, or the capacity to withstand and quickly recover from attacks. This necessitates identifying the assets, functions and entities at highest risk of targeting and disruption, and ensuring they maintain continuity and resilience in peacetime and in crisis. Ensuring the continuity of these functions is critical in denying adversaries both the benefits of disruption and confidence that their operations can be relied on to achieve consequences that could compel, deter, restrain or otherwise shape the U.S. in crisis.

Building resilience will fundamentally revolve around identifying and mitigating risk and ensuring capacity to aid in response and recovery. The U.S. government currently lacks the resourcing to conduct robust, national-level assessments of risk and interdependencies that could inform risk reduction efforts. That is why we recommend the codification of sector risk management agencies and the creation of a five-year national risk management cycle to inform a comprehensive national risk management strategy. Similarly, while the U.S. government has plans of action for crises that might disrupt the continuity of government and operations, we lack requisite planning to withstand crises that would disrupt our economy. To address this gap, the U.S. government must undertake planning for continuity of the economy.

Second, the strategy must recognize and reflect that cyberspace is different from conventional domains of conflict and competition. In cyber conflict and competition, the cyber ecosystem is the battlefield. Unlike other domains—land, sea, air and space—it is entirely humanmade and is therefore ripe for manipulation in ways that other domains are not. Cyber deterrence by denial should therefore focus on building the ecosystem in a way that would drive up the literal cost of doing business for those who would do us harm. A strategy for deterring by denial must shape the battlespace by reducing vulnerabilities that our adversaries exploit that are inherent in the technology, people and process that make up this ecosystem.

For nearly as long as cyberspace has existed, its construction has largely been driven by market forces. In many cases, these market forces have delivered positive outcomes. Bad cyber hygiene, if exposed by a data breach, has resulted in dips in stock prices. The constant barrage of cyberattacks has led to the creation of entirely new industries to manage and mitigate incidents and spurred internet service providers to improve their security offerings. In other areas, the market forces have largely failed to deliver adequate security in products and encourage better security behavior from firms.

Finally, the strategy must embody the notion that in cyberspace, building better national cyber defense—deterring our adversaries by denying benefit—is largely a private-sector activity and the government must focus on areas where it holds comparative advantage and can play a supporting role. The private sector does not just own the vast majority of critical infrastructure; it is responsible for the majority of the key decisions and actions to prepare for, respond to and recover from cyber incidents—both in what the private sector owns and in the products and services it provides that constitute the cyber ecosystem itself. National defense means something very different in this context, where the government primarily plays a supporting role in security and defense and is not the main actor.

There are two private-sector constituencies that merit particular attention to ensure that security can scale. The first is those who provide the information and communications technology infrastructure, including internet service providers, data hosts and others. These entities are uniquely positioned to implement security measures that scale across the ecosystem. The second major constituency is what we call the systemically important critical infrastructure providers. These are the entities that own and operate assets on which the rest of the economy, government and society more broadly rely. These entities will be targeted by nation-states often, and, despite the entities’ best efforts, they will be compromised. It is in the United States’s interest to encourage, incentivize, and at times require the private sector to build capacity and resilience so that both can work together to protect against the most significant threats. The failure or disruption of these entities becomes a problem for the rest of the nation, so their safety must be the highest priority.

We have a good foundation for defense and resilience, but we need to update for the 21st century. The Cyberspace Solarium Commission set out to build a defensive strategy embodying the principles we described here. With our recommendations, the United States can ensure better systemic defense and resilience across our national cyber ecosystem and increase the operating costs of our adversaries, while also denying or diminishing the benefits of successful attacks.