What Passes for Deterrence

Sean Lyngaas has an interesting story on the deterrence strategy posed by the White House, "White House sends cyber deterrence policy to Congress"  https://fcw.com/articles/2015/12/17/lyngaas-congress-cyber-deterrence.aspx

This must have been greeted on the Hill with quite a bit of skepticism.  

I can't remember a less inspiring set of ideals being expressed as a 

policy.  It looks for all the world like wishful thinking, not a strategy.  

The article goes on to say this:" The administration is particularly concerned about cyberthreats that "could cause wide-scale disruption, destruction, loss of life and significant economic consequences for the United States," the report states.

The document is meant as a roadmap around which federal agencies will align their efforts. It reaffirms the administration's efforts to bolster deterrence through more resilient network defense; the imposition of costs, such as sanctions, on hackers; and the establishment of international norms in cyberspace."  

What the Administration has missed here is that hacking, on the level the Russia, Iran and China have shown, is state-sponsored.  Neither one of them give a hoot about international norms, since both have already undone all there ever were.  The Internet used to be a safe place to go before they started supporting people who try to undermine our basic industries and use the information they steal to compete directly with us.  They are not going to stop, or even think about stopping, until we actually do something to deter them.  The Chinese haven't even blinked since Xi was over here promising less hacking of our business interests.  He has a good thing going and is not going to give it up until he has consequences for continuing.  This kind of wishy-washy diplomatic language applied to a deterrence strategy is more likely to encourage him to continue than stop. 

Let us start with a simple strategy of deterrence:  reciprocity.  What you do to us, we do to you.  That will be the international norm for behavior. 

 You may deny all you want, but we know what you do and we can prove it to our government officials.  If the Russians hack the Ukraine government, we will help the Ukraine government hack Russia.  If he Chinese hack an industry here, we will help that industry hack back.  There is no need to help individual companies at a strategic level. Industries that steal need to feel the sanctions, so far non existent.  When the national policy is to talk loudly about sanctions, but do none, credibility suffers.  

So, the two words that make a policy are credibility and reciprocity, neither of which are found in this new policy.