Search GSSD

Deterring Cyberattacks: How to Reduce Vulnerability

In her article, Susan Hennessey outlines the shortcomings of current U.S. cybersecurity policies. Through the study of the U.S. 2016 Election, the 2014 Sony Hack and OPM hack, she analysed efforts by the Obama Administration to bolster its cyber-defenses but in same time its reluctance to retaliate due to the fear of sparking escalatory cycles. Susan Hennessey clearly explains why we should define less ambiguous norms and unacceptable behaviours, stating that it would help deter cyberattacks -something the U.S. has failed to do so far. She first outlines the terms of engagement, going through the concept of deterrence, the problems with detecting cyberattacks and the difficulty in accessing whether or not this attack meets the retaliation threshold. In her article, goes through the two major cyberattack cases in 2014 and outlines the notable shortcomings in U.S. cyber-deterrence policy. For example, the Policy did not extend to private networks (e.g. private networks) because officials did not anticipate an attack on the country’s values. She explains that attacks on government networks have failed to elicit a strong response, which allowed Russia to navigate the current policy shortcomings. After these attacks, an updated cyber-strategy policy was implemented but it narrowly defined thresholds for retaliation in cyberspace and focused on physical threats governmental infrastructure, economic security, and military command and control -not private networks or setting norms. She then explains how the U.S. reactions to these events enabled Russia to precisely interfere with our elections, which they have repeatedly done to other countries: just like in the SONY hack, they targeted private networks as they had noted that the leaked e-mails of Sony executives were deemed an embarrassment rather than a form of information warfare and targeted only non-governmental networks. Finally, Hennessey outlines the notable failures of our current policy, its consequences and the next steps that need to be taken. She explains that officials should be more consistent and proactive in publicly attributing attacks and should cease to be inhibited by the fear of sparking escalatory cycles. Up to now, we have used ambiguity in our cyber-strategy as a deterrent but experience has showed this to be ineffective. She finished by asserting that “Cyber-deterrence policy must reflect the reality that failing to respond in the face of an attack is itself a choice with consequences.”
Susan Hennessey
Foreign Affairs
Domains-Issue Area: 
Industry Focus: 
Internet & Cyberspace
United States of America
Case Studies