Two special cases: space systems and cyber deterrence.
Two panels addressed special challenges: securing space systems against cyberattack, and building an effective regime of cyber deterrence.
Cyberspace and outer space.
Satellites form an increasingly important part of critical infrastructure, and, like other infrastructure sectors, they're receiving more attention from cyber operators. Victoria Samson (Washington Office Director, Secure World Foundation) pointed out that there are 1800 active satellites today. As many as 10,000 may be launched over the next ten years. Most of those new satellites will be commercial. Kevin McLaughlin (Founder and President, McLaughlin Global Associates) agreed, and noted that most terrestrial critical infrastructure is in private hands, and that commercial space might look there for security inspiration.
McLaughlin also observed that, on the Government side, the US nuclear posture is fed by space systems, and that the first threat those assets must be defended against—as a matter of national policy—is the cyber threat. George Gonzales (Chief, Operations Branch, Operations Support & Sustainment Division, MILSATCOM, US Air Force) explained why the cyber risk to space systems must be taken so seriously. There are low barriers to entry for any threat actor wishing to develop an effective ant-space cyber offensive capability. Those barriers are far lower than the barriers to entry for deploying kinetic anti-satellite systems. The ground systems that support the satellites, he thinks, are the most interesting aspect of the system of systems is the ground control system. They present adversaries with a promising attack surface, much more accessible than the systems in orbit.
International norms of conflict haven't yet been worked out for either space or cyber, Samson said. "The difficulty of attribution and the absence of norms make cyber weapons attractive to use, and they carry with them the risk of easy escalation."
Asked to comment on the direction technology should take as we work toward securing space systems, McLaughlin answered that "ground systems are just IT systems, but flight systems need more autonomy, more ability to reprogram." And Government and industry need to emphasize supply chain security. Samson argued that sharing threat intelligence was vital, and Gonzales concluded with a call for designed-in security and designed-in resilience.
Building cyber deterrence: views from the UK and the US.
A panel on the cyber deterrence strategies opened with moderator Brigadier General (retired) Gregory Touhill (former US CISO, currently President of Cyxtera Federal Group) asking a panel of experts from the UK and the US what lessons the history of nuclear deterrence might hold for cyber deterrence. In particular, might mutual assured destruction be a useful organizing concept for cyber deterrence?
Burke Edwin WIlson (US Deputy Assistant Secretary of Defense for Cyber Policy) thought the lessons were limited, and that facile attempts to draw them would be misleading. Cyber is more complex than nuclear deterrence. Cyber capabilities have a far lower price of entry than nuclear capabilities, and cyber simply shifts too rapidly for there to be any simple analogies between the two.
Mark Sayers (Deputy Director, National Cyber Security Strategy, UK Cabinet Office) thought that one encounters a great many different actors in cyberspace. They have many different motivations, and the operate against an expansive attack surface. Thus cyber deterrence requires both agility and nuance.Eric Welling (Deputy Assistant Director, Cyber Division, FBI) agreed that a deterrent response can't be "one-size fits all," but he did insist that obviously for deterrence to be credible, there must be some imposition of cost on an attacker.
Paul Maddinson (Counselor, British Embassy, Washington, DC) characterized this as a recognition that there's a place for restricted deterrence in cyber. Such restricted deterrence probably shouldn't include "hacking back." "There's more we could do," Maddinson said, and more partnership with the private sector is possible and desirable, "but we should be very cautious about hacking back." This is not only potentially very disruptive of the international order but attribution is also difficult, and risky. Welling agreed. "The private sector has an important role, and a seat at the table, but we don't support hacking back."
Touhill turned the discussion to information operations. "What about disinformation by Russia and Iran directed at disrupting elections? What are we missing? Or where are we succeeding ,in an under-appreciated way?" Welling thought we should remember that the present situation is the result of problems that have been in play for years. Maddinson noted the lack of effect Russian informaiton operations appeared to have on the last German elections: a hopeful sign, but the current state of affairs to unclear for more than very cautious optimism.
Sayers suggested that there might not be the right regulatory regimes in place. "And we need to ensure that our own government's communication machinery is in order." Wilson would bring the weight of the nation to defend elections, but he also commended critical thinking about the information we're presented with. He noted with regret that this seems not to be an American strength.
The panel's consensus is that deterrence is best conceived as a joint allied effort.