Measuring Policy Effectiveness of Cyber Deterrence and Defensibility

Speaker: Jason Healey (Columbia University’s School of International and Public Affairs)

Date: 28 March 2024

Speaker Session Summary

Cyber deterrence differs significantly from conventional deterrence, particularly nuclear deterrence. Mr. Healey discusses strengths, weaknesses, and new ways of measuring success in the cyber realm in his recently published paper “Measuring Policy Effectiveness of Cyber Deterrence and Defensibility.” He highlighted prolonged efforts by the Department of Defense to develop proactive cyber deterrence strategies. He referenced the Defense Science Board’s 1996 findings, stressing the importance of an active defense approach, rather than merely possessing cyber capabilities in reserve, opposite to nuclear deterrence where possessing a formidable arsenal is deemed sufficient. 

Presently, available data do not offer definitive conclusions regarding the effectiveness of cyber deterrence operations. Nonetheless, even loose correlations between actions and the frequency and severity of cyber-attacks are beneficial. A report by Mandiant, previously known as FireEye, provided data regarding the reduction of cyber-attacks’ frequency and severity. Notably, its data showed a decline in cyber-attacks from China, correlating with US diplomatic efforts, particularly the threat of US sanctions and presidential meetings between Obama and Xi. This correlation is worth exploring further, especially because the NSA was able to confirm this decrease in malicious cyber activity. 

Mr. Healey underscored various opportunities and obstacles encountered by analysts researching cyber deterrence. Opportunities include access to multiple databases and mandatory reporting of cyber incidents by the US government through the Cybersecurity and Infrastructure Security Agency (CISA). Conversely, obstacles include the proprietary nature of many existing databases held by vendors and the classified nature of US government data. Mr. Healey proposed the necessity for a novel approach to measure the success of cyber deterrence, emphasizing that the current measuring system is far too rigid.  

Speaker Session Recording

Briefing Materials

Biography: Jason Healey is a Senior Research Scholar at Columbia University’s School for International and Public Affairs, specializing in cyber risk and conflict, and a part-time Senior Strategist at the National Risk Management Center at the US Cybersecurity and Infrastructure Security Agency. He has taught and mentored hundreds of students who have pursued careers at the White House, in the finance sector, civil society, and various other fields. Before joining Columbia University, he served as the founding director of the Cyber Statecraft Initiative at the Atlantic Council, where he established the global “Cyber 9/12” student cyber-policy competition. He edited the first history of conflict in cyberspace, titled “A Fierce Domain: Cyber Conflict, 1986 to 2012.” Jason is a frequent keynote speaker on cyber risk and conflict, recognized as a “top-rated” speaker for the RSA Conference and recipient of the inaugural “Best of Briefing Award” at Black Hat.

Jason Healey played pivotal roles as a founding member of both the Office of the National Cyber Director at the White House (2022) and the world’s first cyber command, the Joint Task Force for Computer Network Defense, established in 1998. In these positions, he contributed as an early pioneer of cyber threat intelligence. During a previous tenure in the White House, he served as a director for cyber policy, leading efforts to secure US cyberspace and critical infrastructure. He established Goldman Sachs’ initial cyber incident response capability and subsequently oversaw the bank’s crisis management and business continuity operations in Asia. He also served as the vice chair of the Financial Services Information Sharing and Analysis Center (FS-ISAC). Additionally, Jason Healey sits on the review boards of the DEF CON and Black Hat hacker conferences, contributed to the Defense Science Board task force on cyber deterrence, and previously served as president and founding board member of the Cyber Conflict Studies Association. He commenced his career as a US Air Force intelligence officer, holding positions at the Pentagon and the National Security Agency.