Published July 25, 2019
Strategic Cyber Deterrence: The Active Cyber Defense Option by Scott Jasper. Rowman & Littlefield, 2017, 254 pp.
Scott Jasper, CAPT, USN (ret.) is a faculty member in the National Security Affairs Department of the Naval Postgraduate School in Monterey, California. He designs and delivers resident and mobile courses on cyber security and defense capability development. Additionally, he has edited three books and has contributed articles to several national security and intelligence publications including Strategic Studies Quarterly.
Strategic Cyber Deterrence is a thoroughly researched monograph that outlines the concept of active cyber defense and its relevance with regard to modern deterrence theory. While the concept itself is not new in military cyber defense circles, Jasper’s determination that active cyber defense has legitimate applications in protecting private enterprise is a compelling and potentially controversial proposal that has the ability to revolutionize network security practices.
Jasper begins by exploring what he describes as the daunting and critical question of “whether traditional deterrence strategies are sufficient to deter malicious actors in cyberspace.” Jasper uses DOD Joint Publication 3-0, Joint Operations, as the foundation for defining deterrence and determines that “for a deterrence strategy to be effective, it must be based on capability (possessing the means to influence behavior), credibility (instilling believability that counteractions may actively be deployed), and communication (sending the right message to the desired audience).” Using these criteria, deterrence by retaliation, denial, and entanglement are weighed, measured, and ultimately found wanting with regard to cyberspace. Jasper posits that the wide array of actors in cyberspace complicates the easy one-size-fits-all IT solutions currently employed across most of government and industry because “deterrence has to work in the minds of each attacker under different circumstances.”
While Jasper’s analysis of deterrent strategies as individual elements rather than as a cohesive approach highlights the piecemeal nature of contemporary network security, his simplification is unnecessary in building the case for an active defense option because the difficulty with cyber deterrence is not in the approaches, but in the variety of actors and lack of redundant or mutually reinforcing capabilities. In the face of this difficulty, the author proposes an alternative strategy of active cyber defense to deter the myriad of state, non-state, and criminal actors who carry out malicious cyber activity. This strategy, he states, “reinforces both deterrence by denial and deterrence by retaliation. It combines internal systemic resilience to malicious cyber activity after an intrusion with tailored disruption capacities to thwart malicious actor objectives.”
This leads to possibly the most compelling argument made in the book: that private industry needs to be legally authorized and technologically prepared to embrace all three deterrent strategies through active cyber defense measures. Most controversial among Jasper’s proposals for private industry is the establishment of cyber privateers licensed by the government to provide a civilian “hack-back” capability for industry similar to that practiced by the DOD’s Response Action (RA) teams working defensive cyber operations. These teams would be hired by companies not only to identify who was responsible for a network intrusion but also to potentially seek out and destroy intruders on their own networks.
Key to addressing the idea of active cyber defense is that such a prospect is both “technically capable and legally viable” within private industry. This is no small feat when it comes to addressing the myriad of difficulties springing forth from this policy. What is needed to create such a system is for companies and governments to be more transparent in sharing details on attack signatures, for Congress to rewrite legal statutes to authorize private companies to engage in hack-back activity, and for nation-states to develop better capabilities to determine attribution. Doing so will establish clear lines of demarcation between state-sponsored or licensed hacking, criminal hacking, and the unintended collateral damage that hack-backs might incur.
To this end, Jasper closes out his advocacy of active cyber defense by proposing a short list of policies and priorities that can be used to guide and shape this initial discussion in both the legal and technical domains. While the discussion ahead is difficult and its bounds are ill-defined, the seemingly endless list of high-level network intrusions and digital security compromises chronicled throughout Jasper’s book makes it clear that existing cyber practices are ineffective and must evolve to meet current needs. Jasper does not propose that active cyber defense will end cybered conflict or stop all cyber attacks, but the combination of measures proposed by Jasper as part of active cyber defense offers an enticing starting point for this vital discussion.
Strategic Cyber Deterrence is not a book meant for those who already engage in cybered conflict; to them, this book is already industry best practice and not the least bit revolutionary. This book is intended to inform lawmakers and network managers about the scope and scale of the threat and how that threat, varied as it might be, can be deterred by active cyber defense practices. I also highly recommend this book for anyone outside the cyber defense industry who wants to understand and speak intelligently on why the DOD uses the set of security practices it does and why those practices may or may not be suitable for those operating outside the scope of a Title 10, Title 50, or Title 18 authority. This book is ultimately a timely and relevant piece that offers itself as being at the forefront of cyber defense and will likely serve as a reference point for years to come.
Capt Sean E. Thompson, USAF