Nuclear deterrence was one of the most thoroughly studied doctrines of the 20th Century and went through decades of refinement. Policymakers today face an even more daunting challenge and far less time to perfect it, as they seek to craft cyber deterrence policy. Unlike the nuclear arms race, cyber policy inevitably will have to deter both state actors and aggressive nonstate actors, while coordinating efforts between the public and private sectors.
The 2018 National Defense Authorization Act — differing versions of which have passed each chamber—finally takes the important step of pushing for a real cyber-deterrence policy. The House version of the bill includes a provision, Section 1658, that calls on the Defense Department to establish a definition of deterrence for cyber operations. An amendment to the Senate version sponsored by Sen. John McCain, R-Ariz., similarly calls upon the DOD to report on the various approaches to cyber deterrence in Section 1630A.
As the bill moves to a conference committee, the DOD would be far better served by following the Senate language to develop a cyber-deterrence policy.
The House version is not without some positive attributes. Once the Pentagon develops a definition of deterrence, it would be used "in the context of cyber operations of the Department of Defense," meaning it would be actionable almost immediately.
But the House bill's problems are two-fold. The bill would require the secretary of defense to assess how the definition of deterrence "affects the overall cyber strategy of the Department." This leaves unclear whether the definition will be developed in conjunction with, or separate from, the establishment of a cybersecurity strategy. Without clarity about the importance of cyber deterrence, it's far too likely to continue to be an afterthought of the strategy: the mandate is too broad to lead to concrete cyber strategy action.
Second, the House version does not include provisions that would lead to a well-constructed definition of deterrence. Deterrence is complicated. It's rooted in theory; varies depending on who and what can be deterred; and relies on making choices about what capabilities the government is willing to reveal in order to show an adversary that it won't be beneficial to attack. Without sufficient resources dedicated to getting all those considerations right, the final definition is unlikely to be sufficiently robust to be useful.
In contrast, the Senate version speaks much more directly to the challenges of developing good cyber-deterrence policy. It requires the secretary to analyze the relative strengths and weaknesses of competing cyber-deterrence theories, drawing upon experts not only within the DOD but in industry and academia, as well. It thus sets up the secretary to bring the best people to the table. It even specifies that the Pentagon's report includes a discussion of alternative views and potential dissent, a necessary element to capture the complexities of deterrence.
The Senate version isn't perfect either. It only requires a report and thus fails to require the results be incorporated immediately into the overall cyber strategy. However, on the whole, it better sets up DOD to integrate cyber deterrence into a comprehensive cyber strategy.
Congress, in conjunction with DOD, is finally pushing for the United States to assume a place of leadership on cybersecurity. A good cyber-deterrence policy is essential to develop that leadership. While the Senate language may be flawed, it would lead to much better policy.
Megan Reiss (@MegReiss) is a contributor to the Washington Examiner's Beltway Confidential blog. She is the senior national security fellow with the R Street Institute.
If you would like to write an op-ed for the Washington Examiner, please read our guidelines on submissions here.