Our Cyberwar Strategy: Play for the Tie?

Deputy Secretary Lynn has given a speech unveiling the unclassified parts of the Pentagon’s cyberwar strategy.  All of the “pillars” and practically all the unclassified content of the cyberwar strategy are defensive.  Here’s the theme: 

“Our strategy’s overriding emphasis is on denying the benefit of an attack.  Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way.  If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place.”

 This is not completely comforting.  It’s like hearing that our nuclear war strategy is to build more fallout shelters. 

The network defenses we have today, and even the ones we hope to have tomorrow, will not deter adversaries or deny them the benefits of an attack.  The DIB Cyber Pilot, for example, is an classified version of technology the private sector has been using for nearly ten years. It’s a good thing, but it hasn’t exactly stopped hackers cold.

Defensive research is also a good idea, although neither of the ideas flagged in the speech — self-healing networks and methods for processing encrypted data — are likely to change the enormous advantage currently held by attackers in cyberspace.

So this is at best a partial strategy.  The Pentagon deserves credit for taking on the issue and doing the planning.  But the plan as described fails to engage on the hard issues, such as offense and attribution and, well, winning. 

I hope that the actual classified version doesn’t suffer from the same diplomatic and political correctness.