Inside Cybersecurity

April 19, 2024

Daily News

Analyst criticizes Obama administration's cyber deterrence report

By Christopher J. Castelli / December 17, 2015

The Obama administration's report to Congress on cyber deterrence policy comes across as a “laundry list, not a strategy document,” according to Jim Lewis of the Center for Strategic and International Studies.

The 19-page report, obtained by Inside Cybersecurity, was submitted to Capitol Hill in recent days – more than a year after the statutory deadline – by the Defense Department, after the White House ultimately delegated the authority for the report to DOD on Dec. 2. It acknowledges the need for a “declaratory policy” that discourages other governments from targeting the United States in cyberspace – but it stops short of articulating such a policy.

“Ambiguity probably hurts more than it helps – opponents see it as bluffing or are confused,” Lewis told Inside Cybersecurity via email Wednesday.

The report calls for “a nuanced and graduated declaratory policy and strategic communications” approach that highlights the U.S. government's commitment to using its capabilities to defend against cyber attacks.

These efforts should remain “ambiguous on thresholds for response and consequences to discourage preemption or malicious cyber activities just below the threshold for response,” the administration writes.

“I still don't see a clear, unambiguous declaratory policy,” Lewis said. “Declaratory policy doesn’t work like a business contract, with lots of caveats and conditions.”

Lawmakers have urged the administration to talk more publicly about U.S. capabilities for offensive cyber operations to deter potential adversaries.

A congressional source described the report as underwhelming. The report makes only a few references to U.S. offensive cyber capabilities and “goes to great pains” to state that the use of such capabilities “will be the absolute very last resort with all sorts of qualifiers,” the source said.

“Building better defenses to deter only works if you actually build them, and if opponents know that you've built them,” Lewis said. “That's not the case for either.”

“The key problem for the U.S. is convincing other people that our threats are credible,” he continued. “The same is true for our defenses.”

The administration's report “falls into the category of 'checking the box,'” Lewis said.

– Christopher J. Castelli (ccastelli@iwpnews.com)