

U.S. Navy Vice Admiral Michael Rogers (R) and U.S. Air Force General Paul Selva chat before giving testimonies at the Senate Armed Services Committee confirmation hearing on Capitol Hill in Washington March 11, 2014. REUTERS/Gary Cameron

As Adam Segal pointed out Tuesday, Vice Admiral Michael Rogers, the Obama administration’s nominee for head of Cyber Command, seems to have told the Senate that the Edward Snowden revelations have helped U.S. deterrence policy. What’s going on?

Part of the answer is that the U.S. has changed how it thinks about deterrence in cyberspace. As discussed in this earlier post, the U.S. has previously thought that traditional forms of deterrence will not work in cyberspace. The best way to deter hostile actors is to credibly threaten to punish them if they attack you. If the punishment is sufficiently painful, and the likelihood that it will be delivered is sufficiently high, your adversary will calculate that the costs of the attack will outweigh the benefits. This arguably worked well during the Cold War. However, Pentagon policy makers concluded a few years ago that it wouldn’t work against cyberattacks. The big problem in cyberspace is that it’s easy for attackers in cyberspace to conceal their true identity, making it hard for the U.S., or anyone else, to retaliate effectively. If you aren’t sure who attacked you, it’s hard to punish them, and if punishment is unlikely, standard deterrence isn’t going to work.

It may still be possible to deter attackers without retaliation, by ramping up defenses so high that attacks are very unlikely to succeed. However, as my colleague Charlie Glaser points out (PDF), this won’t deter attackers if attacks are cheap. A 1 in 1,000 chance of penetrating your adversary’s defenses may be attractive odds if you are able to afford to attack again and again and again.

Rogers’s testimony suggests that the U.S. is changing its mind about the severity of these problems. While he acknowledges that it is still difficult to attribute attacks to their perpetrators, he seems to think that it’s slowly getting easier, and that smoking gun proof isn’t always necessary to retaliate against attack.

Attribution has improved, but is still not timely in many circumstances. We must employ several approaches to this challenge. A healthy, engaged partnership with the Intelligence Community is vital to continued improvement in attribution. Second, is development of defensive options which do not require full attribution to meet the requirements of law and international agreements.

This also explains why Rogers is much more open to talking about the U.S.’s cyberattack capabilities than other US officials have been in the past. As long as the U.S. believed that deterrence was infeasible, it had no incentive to talk about its own cyberattack capabilities. At best, such talk would be useless. At worst, it might give other states more reason to beef up their own defensive and offensive capabilities. Now, the U.S. thinks that things are different.

the development of both offensive and defensive capabilities can serve to deter an adversary from cyber attack. Strong capabilities can deter an attack by preventing an adversary from achieving his objectives and demonstrating the ability to impose costs on the adversary.

The U.S. still doesn’t want to talk about the specifics of its cyber-offensive capabilities, since this might give its adversaries clues that they could use to defend against them. But it does want adversaries and potential adversaries to know that it has these capabilities and that they are extensive. This (together with more traditional forms of military force) will help deter them from attacking, and perhaps convince them to engage in norm-building that might lead to some new version of detente.

But this still doesn’t explain why Snowden‘s revelations have been helpful to deterrence. After all, Rogers himself can talk about the U.S,’s cybersecurity policies. Why might the inadvertent leaking of information be helpful for the U.S. in deterring its enemies and, in Rogers’s words, engaging:

both the American public and our international partners in discussion of the balance of offense and defense, the nature of cyber warfare, norms of accepted and unacceptable behavior in cyberspace, and so forth.

One plausible way of thinking about this question can be found in political science arguments about democracy and war. Kenneth Schultz argues that democratic states will be more credible in international crises because of the role of opposition parties. Simplifying Schultz’s argument drastically, if the government threatens war, its potential adversary might think that it is just bluffing. However, if the main opposition party supports the government’s tactic, then the adversary will be less likely to think that it’s a bluff, since the opposition party will probably reap big political benefits if the government’s threats don’t work out. The opposition party will appear more credible to the adversary than the government since, unlike the government, it will not win any benefits from head faking the adversary into backing down.

The relationship between the U.S. government and Snowden isn’t entirely dissimilar. Now that the U.S. government thinks that deterrence is feasible, it faces a dilemma. It would like to get everyone to believe that it has strength and depth in cyber-offense, so that it can deter others from attacking it. Yet (as Rogers says in his testimony), the U.S. doesn’t want to provide any detail about its capabilities. If you have some idea of what a country’s cyber weapons look like, you can defend yourself much better against them. Because the U.S. can only talk in vague generalities about its capabilities, other states might think that it is deliberately inflating them for show. The U.S. is obviously technically sophisticated and spends a lot of money on cybersecurity. Even so, opponents might underestimate it.

Here, Snowden’s revelations may provide a much more credible signal about the strength of the U.S. cybersecurity apparatus than anything that the government itself could say. Clearly, Snowden did not leak his information in order to puff up the reputation of the U.S. cybersecurity apparatus. His leaks have provoked fury among senior government officials. Equally, the material published to date has not been nearly as harmful to the U.S. government as it could have been. It has suggested that the U.S. and its close allies have strong and sophisticated capabilities, while providing only limited information on how those capacities are used against states like China and Russia. And these suggestions are taken seriously by other states. Snowden’s disagreements with the U.S. government makes him a much more credible messenger about the extent of U.S. cyber capabilities than any U.S. official. He doesn’t have the same incentives to bluff, exaggerate or misrepresent. Paradoxically, Snowden’s public conflict with the burgeoning U.S. cybersecurity state makes him a far better spokesman for the deterrent capabilities of that state than any US official could be.

Over time, the political dynamic that Snowden has set in motion may also make it easier for the U.S. credibly to bargain with other states. The more that the U.S. cyber state is responsive to democratic authority, the more likely other states will be to believe commitments made by those democratic authorities about how offensive cyber capabilities will, or will not be, deployed. It may be too much to expect President Obama to pin the Presidential Medal of Freedom on Snowden’s chest anytime soon, but as Rogers’s written testimony implicitly suggests, he may have done the U.S .(and the process of norm building in cybersecurity) a quite considerable service.

Previous posts in this series

The political science of cybersecurity I – why people fight so hard over cybersecurity.

The political science of cybersecurity II: Why cryptography is so important.

The political science of cybersecurity III – How international relations theory shapes U.S. cybersecurity doctrine.