ARGUMENT: Cybersecurity as counterterrorism

Cybersecurity as Counterterrorism: Seeking a Better Debate

Published 20 May 2021

Earlier this month, a senior Justice Department official referred to ransomware as a potential “cyber weapon of mass destruction.” When hackers subsequently disabled the Colonial Pipeline, causing fuel shortages and disruptions along the East Coast, it seemed to validate this warning. Simon Handler, Emma Schroeder, and Trey Herr, however, write in War on the Rocks that it would be a mistake for the policy establishment to double down on an outdated view of cyber conflict rooted in Cold War analogies. To improve U.S. cybersecurity, policymakers should draw instead on more relevant strategic lessons from the study of terrorism and counterterrorism.

The tendency to draw simple comparisons between cyber and nuclear attacks has been repeatedly critiqued, but the residue of this thinking lingers. Debates over how to deter or punish cyber attacks still frame them as infrequent and catastrophic. In practice, though, cybersecurity looks more like counterterrorism than nuclear strategy — with frequent and repeated interactions between antagonists, a continual contest for information, and multi-party engagements amidst a sea of unaligned parties.

Therefore, they write, approaching cybersecurity with reference to counterterrorism strategy would offer benefits to policymakers, “particularly by highlighting the importance of ruthlessly prioritizing risk, winning the intelligence competition, privileging detection over reaction, and promoting strong private sector cooperation.”

They add:

Like cyber attacks, terrorist operations rarely resemble traditional military conflicts. Engagements are frequent and iterated rather than rare and catastrophic. Because terrorist organizations seek to cause fear and sow political discord, they can choose from a wide variety of targets. As a result, counterterrorism organizations are often forced to defend against attacks that are difficult to predict because they have a range of potential civilian targets.

Among the features and benefits of approaching cybersecurity in terms similar to counterterrorism:

·  Moving away from an all-or-nothing approach and recognizing that cybersecurity is also a domain in which myriad engagements occur daily and adversaries will eventually find ways to get in. This is the compelling insight behind the idea of “constant contact.”

·  A counterterror approach to cybersecurity emphasizes that “success” is about competing more effectively, not creating an absolute guarantee against loss.

·  Thinking of cybersecurity in terms of counterterrorism can also help draw attention to the fact that it is ultimately an intelligence contest. As in cybersecurity, “everything that is done in countering terrorism has to be based on intelligence,” often gathered from local sources who have intimate knowledge of the area and populations in which terrorist operatives hide.

·  Cybersecurity and counterterrorism also share an inevitable focus on private actors — as targets and victims, as influential intermediaries, and as bystanders. One of the ways the United States government should respond to the intelligence contest is by sharing information with selected private sector partners with an eye towards operational collaboration.

·  Instead of focusing too much on response and retaliation, policymakers should help build up private sector capacity to more rapidly detect and respond to enemy operations. 

Handler, Schroeder, and Herr conclude:

There will and should be a U.S. response to these campaigns. But Washington would be best served by ensuring that this response is pragmatic and preventive rather than punitive. Despite overwhelming investments in security and decades of political rhetoric, there are no impregnable cyber castles and no practical guarantees of perfect cybersecurity. The reality is an ugly and iterative contest between asymmetric players where the measurement of success looks more like a better batting average rather than a transition from war to peace. Progress is incremental and “winning” is marginal. These cyber realities match the operational and strategic realities of counterterrorism, defined by low-intensity conflict, dynamic intelligence contestation, and the centrality of private non-combatants. Recognizing and building upon the lessons of counterterrorism is essential, therefore, if America hopes to improve its average and get more marginal wins going forward.