Cyber ‘Deterrence’: A Brexit Analogy

Read the original article: Cyber ‘Deterrence’: A Brexit Analogy


“Brexit means Brexit” started out its life in the U.K. as a spectacularly successful political slogan four and a half years ago. It sounded authoritative and purposeful, yet at the same time unobjectionable. It was enough to convince British supporters of leaving the European Union that a new Prime Minister, Theresa May, who had supported staying in the bloc, would deliver what they wanted. More importantly, it was enough to reassure a shocked nation that the uncharted journey ahead was in safe hands.

Its genius as a slogan was its undoing as a governing philosophy. As a slogan it worked because no one really understood what it meant, and therefore anyone could interpret it as they chose. In government, that malleability could not and did not hold. Moreover, as a slogan it made Brexit sound simple. The governing reality was that the process of leaving the European Union was extraordinarily complicated and involved extremely difficult choices.

The slogan of Western cyber policy, that “we will impose costs to deter our adversaries” (or variants of these words), is at least as old as “Brexit means Brexit.” As head of the U.K.’s cyber security efforts from 2014 to 2020, I heard it many times. I heard it when standing alongside Philip Hammond, one of May’s most senior Ministers, when the U.K.’s National Cyber Security Strategy was launched, just a few months after the Brexit referendum in December 2016. A year later, Boris Johnson, then British foreign secretary, flew to Moscow with a heavily briefed public warning to his Russian counterpart that the U.K. would seek to impose costs on Russian cyber activity. Johnson resigned (over Brexit) shortly afterwards, to be replaced by Jeremy Hunt. They may have differed over Brexit, but Hunt’s cyber deterrence rhetoric was from the same script. In 2019, in a speech in Glasgow, he said that “the British government’s starting point is that we must impose a price on malicious cyber activity.” Johnson is now of course back, as Prime Minister, reunited with the permanent slogan of British cyber policy.

The cyber slogan serves the same function as its Brexit counterpart. It conveys purpose and authority without saying anything in detail. But so far it has proved equally unsuccessful: Whatever other improvements have been made in Western cyber security in the past few years, and there have been many, deterring hostile state attackers has not been one of them. “Imposing costs” has become the “Brexit means Brexit” of the cyber domain: a catchy, useful political slogan devoid of meaning, substance and, consequently, impact.

So it is striking that the phrase made a reappearance in President-elect Biden’s otherwise very impressive Dec. 17 statement on the “Solar Winds” operation. Biden’s statement talks of prioritizing cybersecurity in light of the massive campaign of digital espionage carried out by the Russian intelligence services. Biden’s statement is hugely welcomed by anyone who cares about the security of Western cyberspace. It shows that the Biden team, unlike the outgoing administration, understands the significance of what happened as a result of the operation. Its pledge to make cybersecurity “a top priority” is borne out by those who’ve been in contact with senior members of the incoming administration.

Towards the end of the statement, however, the president-elect reverts to the well-worn cyber slogan. He states that the new administration will seek “to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place” and that “we will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks” (note the remarkable resemblance to the statement by the then British foreign secretary in 2019). Given the unhappy record of successful delivery on such statements, the audience is entitled to wonder what that might actually mean.

First, let’s look at what those phrases are often thought to be, but in reality can rarely, if ever, be: direct retaliation and escalation in cyberspace. Like “Brexit means Brexit,” “imposing costs” can mean what you want it to mean. So for many, it’s taken to mean that the U.S. (and allies) will now unleash hitherto locked-away offensive cyber capabilities that have previously been voluntarily foregone, and take the cyber fight to the adversary. (Biden, in presaging his ‘imposing costs’ remark with “a good defense is not enough,” gives cause to speculate that this is what he might be hinting at. In the same way, in the U.K. back in 2017, Johnson was clear to Lavrov that he was talking about like-for-like retaliation as a response to Russian cyber activity. To be fair, Hunt, in 2019, spoke of a broader range of responses than just offensive cyber.)

This interpretation of imposing costs is attractive not least because, thanks to the sometimes necessary secrecy surrounding cyber operations, the government doesn’t have to prove that it’s responded effectively. It just has to hint that it has responded in kind, or is planning to, and answer no further questions. Such sentiments are often accompanied by the language of war, equating cyber intrusions with military strikes. According to this way of thinking, the aggrieved Western country is going to sort out the problem of Russian state hacking by whacking them on some sort of secret, invisible digital battlefield.

This approach is deeply flawed in both principle and practice. Part of the problem arises from the conflation of two related but distinct concepts: that of cyber security on the one hand, and cyber power on the other. There are links between the two, of course. But they are two different things, serving two quite distinct purposes.

Cybersecurity is, well, cybersecurity. It is about the security of the digital homeland: of the networks and devices and digital services and capabilities on which our societies depend. It’s about the protection of everything online from consumers to corporations to personal data to state secrets. Cyber power, on the other hand, is the protection of national security from any type of threat where the use of cyber capabilities might be appropriate to further that goal, as well as the projection of state power for any relevant policy goal through cyber capabilities. Therefore, cybersecurity is not a subset of ‘cyber power’, and the aim of ‘cyber power’ is not cybersecurity. To say otherwise is to adopt the ‘boxing ring’ mentality of cyberspace

[…]

