The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence--Paul Rosenzweig
Pages 245-270

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 245...
... But equally clear from this anecdote are the challenges we face from the lack of any effective, purpose-built, standing organizations or processes within the U.S. government for developing policy or making decisions about cyber attacks and cyber defense.
From page 246...
... More prosaically, despite the proliferation of boards and commissions we simply have not paid enough sustained attention to the problem: organizational structures for the United States government to support our cyber deterrence activities have developed organically, over the past 20 years, through episodic and often reactive attention, rather than the product of a concerted policy-making process. Then, too, by virtue of the nature of the cyber intrusions we have experienced, our organizational efforts have focused systematically on defensive measures rather than offensive ones.
From page 247...
... to identify certain subcategories of potential cyber deterrence activities for purposes of assessing the utility of current structures and processes. Within the area of denial, one can identify at least three distinct types of activity: • Cyber defense -- Classic activities of cybersecurity involving the detection and prevention of cyber intrusions or attacks.
From page 248...
... See Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, at 32 (GAO-05-434 May 2005)
From page 249...
... have aspects of cyber defense or resilience to them, but more appropriately are characterized as policies of cyber assurance, cyber attack or non-cyber response. As with any taxonomy, the categorization of policies is indefinite at the margins and of utility only insofar as it aids analysis.
From page 250...
... Indeed, as observers have noted, there is a disconnect between our counter-intelligence, which is often aware of risks to our cyber supply chain, and our procurement processes, which cannot have access to classified information regarding supply chain threats. Setting aside intelligence concerns, the prospect of creating a "black list" of unacceptable products for purchase is fraught with problematic issues regarding liability 18 Cyber Space Policy Review at 8.
From page 251...
... government that provide a means of addressing supply chain security issues -- and neither is particularly adept or well suited to the task. One is the Committee on Foreign Investment in the United States (CFIUS)
From page 252...
... 30Aisenberg, "Information Technology Supply Chain," at 10. 31 TRADOC PAM 525-7-8, Cyberspace Operations Concept Capabilities Plan (Feb.
From page 253...
... To cite the most obvious example, as the Cyber Space Policy Review, the National Cybersecurity Strategy and the recent CSIS study on Securing Cyberspace all recognize, the internet is a uniquely borderless domain.37 Thus any effective deterrent strategy will necessarily require a governmental organization and process that enables international engagement. While one could, in theory, imagine a situation in which all of our cyber responses were enabled by military-to-military interactions the prospects for such a scenario are dim.
From page 254...
... cyber deterrence policy lie not in these difficulties, for they are more technological than organizational. They will likely not be resolved by a decision on how the government and private sector are organized.
From page 255...
... Indeed, to summarize the problem, a government operated system will raise the specter of "Big Brother" and engender significant opposition from privacy advocates, while a privately operated system has proven impossible to develop naturally, lacks transparency, and has less ready access to NSA-generated threat signature information. If we do not solve the dilemma of enabling public-private cooperation we are unlikely to get cyber defense and cyber resilience right.
From page 256...
... As Martin Libicki pointed out in a recent RAND study, a cyber response is unlikely to be able to disable a cyber attacker completely. As a consequence, for deterrence policy, "[m]
From page 257...
... Indeed, given the reality of asymmetric cyber reliance by our adversaries, the implication is that our response to a cyber attack should not be confined to a cyber response. While it is likely (indeed, almost certain)
From page 258...
... It may often be the case that a like-for-like cyber response will be deemed to have the maximum deterrent effect while achieving proportionality; • kinetic military attacks -- And, finally, there is no reason to suppose that a cyber attack with kinetic or near-kinetic effects on American targets must, necessarily, be responded to with an equivalent cyber response. It is at least plausible to consider the possibility that a traditional kinetic response will be the more proportionate and responsible one.
From page 259...
... It is significantly more difficult for the inspection processes of the purchaser to provide for hardware or software assurance than it is for those of the manufacturer. 56 53A Collective Security Approach to Protecting the Global Critical Infrastructure at 13 n.14 (ITU Workshop on Creating Trust in Critical Network Infrastructures, Document CNI/09, May 2002)
From page 260...
... E The "Right" of Self-Defense The failure to develop structures that effectively protect the private sector from cyber intrusion creates a challenge for private sector actors who are obliged to defend their own networks: Consider the cyber deterrence problem from the perspective of the private sector actor whose systems are subject to an attack.
From page 261...
... As the GAO reported earlier this year, though several coordinating groups exist at the White House, agencies continue to have "overlapping and uncoordinated responsibilities for cybersecurity activities."64 To the extent the lack of coordination is discussed publicly, the perception is that there is an ongoing fight for control of the domestic cybersecurity effort pitting the National Security Agency against the Department of Homeland Security. The perception of, at best, a lack of coordination and, at worst, continuing conflict over control of the cyber defense mission is only exacerbated by acts which at least facially suggest a continuing dissonance.
From page 262...
... Thus, it matters significantly which agency is assigned as the lead for protecting civilian networks. As Rod Beckstrom (former Director of the DHS National Cybersecurity Center)
From page 263...
... The outcome of this battle matters, profoundly. Authority follows responsibility, and who the Federal government charges with principal responsibility for cyber defense and resilience will determine whether our cyber response is primarily influenced by concerns grounded in intelligence or in network security.
From page 264...
... It will require a strong commitment from the White House and a significant increase in the power of the cyber coordinator, and, no doubt, will necessitate legislative changes from Congress. To achieve a fully integrated cyber response, it would be necessary to give the coordinator authority to: • Create a unified cyber security budget account within the President's annual budget submission and work with OMB and the NSC to set budget priorities with that account; • Lead and coordinate the development of cyber security policy (including through chairmanship of the policy planning group described below, if that is created)
From page 265...
... That sort of organizational structure and planning process does not do justice to the panoply of cyber attack and non-cyber response options. For purposes of a comprehensive cyber deterrence policy apparatus, the President should charter an NSC-led committee (notionally called the "Cyber Defense Options Group")
From page 266...
... But the reality is that we have yet to find a structure that enables strategic information sharing between the private sector and the federal government in an appropriate way.78 Frequent reliance on cooperative councils, like the ISACs, has produced little more than the repetitive refrain that government can't share intelligence with the private sector and the private sector sees little to gain by sharing with the government. Perhaps the time has come to consider a different organizational structure for cyber defense, for which the author offers this novel idea:79 We might think about whether or not we should formalize the public-private partnership necessary for cyber defense by creating a Congressionally-chartered, non-profit corporation (akin to the American Red Cross and the Millennium Challenge Corporation)
From page 267...
... At a minimum, one expects that the CAC will serve as a centralized information sharing system for threat information, much as the ISAC does now, but with a greater capacity to marry that information to government-derived data and, potentially, with the capacity to anonymize and re-distribute threat information more successfully than ISACs currently do. Indeed, the expectation is that, because of its particular authorities, the CAC will be able to achieve greater sharing than under current structures.
From page 268...
... 83 Address Service and Non-Ownership vulnerabilities Finally, we need to give more concerted attention to the problems posed by the insecurity of our supply chain. Our current system (which, in a very limited way, reviews threats to our supply chain in some situations where a foreign entity takes corporate control of a critical systems manufacturer)
From page 269...
... Whatever the policy chosen, clearer lines of authority within the Federal government and a more coherent structure of public-private interaction are necessary to allow for effective action. In sum that structure must: • Provide for greater and more effective control of the Federal effort; • Assure political control of any cyber response; • Provide a means that will effectively allow for a public-private collaboration; and • Find some means of providing for supply chain security.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.