This panel was convened at 11:00 a.m., on Thursday, March 31, 2016, by its moderator, Kathleen A. Doty of the Dean Rusk International Law Center at the University of Georgia School of Law, who introduced the panelists: Jonathan E. Davis of the Office of the Legal Adviser, United States Department of State; Gary Brown of United States Marine Corps University; and Tara McGraw Swaminatha of DLA Piper LLP. *
INTRODUCTORY REMARKS BY KATHLEEN A. DOTY ‡
Deterrence has long been at the heart of the U.S. security strategy. While deterrence typically is considered in the context of nuclear weapons, the rise of computer network exploitation and cyber attacks against the United States has driven policymakers to incorporate the concept into discussion of cybersecurity. This is most recently reflected in the 2015 Department of Defense Cyber Strategy, (1) which emphasizes the criticality of developing a comprehensive cyber deterrence policy in the face of escalating cyber threats.
Developing and implementing such a policy comes with great challenges. As it is commonly understood in the nuclear framework, deterrence does not neatly transfer to the world of cyber. Cyber attacks may be committed by both state and nonstate actors, and attribution for attacks can be daunting on account of ever-changing technology. The attacks themselves may take a myriad of forms and warrant a corresponding range of state responses. Moreover, the role that the private sector can or should play in deterring cyber attacks remains unclear, despite the general interplay of government and the private sector in the area of cybersecurity.
To explore such questions, the American Society of International Law Nonproliferation, Arms Control, and Disarmament Interest Group convened this panel, featuring three experts who represented a range of perspectives. Jonathan Davis, from the State Department's Office of the Legal Adviser, focused his remarks on state actors. In particular, Davis considered: the form a deterrence strategy in the cyber context might take; the circumstances under which such a cyber attack constitutes the use of force; and the availability of state responses, such as self-defense, countermeasures, and retorsion. Gary Brown, a professor of cybersecurity at the United States Marine Corps University and formerly the first Senior Legal Counsel for U.S. Cyber Command at Fort Meade, Maryland, focused on the differences between deterring state and nonstate actors. Brown highlighted both the desirability and the difficulty of attributing malicious cyber activity, committed by nonstate actors, to a state. Tara McGraw Swaminatha, Of Counsel at DLA Piper, emphasized the need for partnership between government and the private sector in all areas of cybersecurity. So as to afford greater protection, she argued, the concept of critical infrastructure should be expanded to include the mass quantities of personal data that are currently maintained by the private sector.
REMARKS BY JONATHAN E. DAVIS **
In thinking about how international law applies to states' cyber activities and the implications for cyber deterrence, it is helpful first to address two questions: who and what are we trying to deter? There is no single answer to these questions like there is in the case of strategic nuclear deterrence, where what states seek to deter is clear: a first nuclear strike by another state. In contrast, a cyber deterrence strategy could be intended to address a broad spectrum of actors and activities. Who we seek to deter could range from nonstate actors, like cyber criminals and terrorists, to state actors. And what we seek to deter could include: cybercrime (which is generally motivated by financial gain); cyber attacks designed to harass or create a nuisance for the victim for political or other noneconomic motives; cyber attacks designed to coerce the victim to act or not act in a certain way (e.g., the cyber attack against Sony Pictures Entertainment); (1) cyber espionage; cyber attacks that create financial and economic havoc but that cause no direct death, injury, or physical destruction (e.g., a cyber operation that shuts down a stock or commodity exchange); or cyber attacks that cause death, injury, or physical destruction.
In this discussion, it also is important to clarify what we mean by "deterrence." Simply put, deterrence is a strategy that seeks to influence an adversary not to do "X" by making the adversary believe the costs of doing "X" will outweigh any potential benefits. Successful deterrence strategies are generally understood to have four components. First, they must have a clear threshold. In other words, as just noted, what acts is the deterrence strategy trying to prevent? A threshold need not be a bright line that, for example, explains that when an actor does "X," the response will be military force. A threshold can be clear in the sense of articulating a line that triggers a particular response if crossed but nonetheless is strategically ambiguous as to what specific acts might cross that line--consider, for example, a state's assertion that it reserves the right to use all elements of national power, including military force, to respond to an armed attack.
Second, a successful deterrence strategy requires attribution--that is, one generally must be able to identify the actor to deter the acts in question. Third, a state must have the capability to respond to the acts it seeks to deter in an appropriate manner--that is, in a manner that would impose costs on the actor that would outweigh the act's benefits. Fourth, a deterrence strategy requires a credible threat of an appropriate response if the threshold is crossed. A potential "attacker" generally must believe that all four elements are present. If, for example, a state has the...