Title: A Theory of Cyber Deterrence

From Nuclear to Cyber: Deterrence for a Modern World

In deterrence theory, the objective is to eliminate attacks by making costs and consequences outweigh benefits. There are two parts to implementing this strategy. The first is to have a strong defense; if a country’s defense is sufficient to make an attack exceedingly difficult, an attacker might choose to stand down. In the cyber realm, this goal is a practical solution to the majority of attacks. The second part is focused on retaliation. If some successful attackers face severe retribution following their actions, other aspirants may choose not to attack at all.

Lacking from traditional deterrence theory is the problem of identifying the source of an attack. In the cyber realm, this challenge looms large as an obstacle to intelligent retaliation, since the nature of the digital domain lends itself to anonymity. Therefore, this introduces a third component of cyber deterrence: attribution.

This suggests a three-pronged approach, with an understanding that responses will vary between state and non-state actors. In order to limit the scope of our analysis, we will focus on countries such as the U.S. where power relative to one’s opponent is not a serious concern. The prongs of the approach are as follows:

• Defense – A powerful cyber defense is the first step in protecting against the vast majority of aggressors and dissuading some from attacking at all.
• Attribution – The ability to attribute an attack to a specific source is important for maintaining credibility and ensuring legitimacy at home and abroad.
• Retaliation – The willingness and capability to retaliate against any (but not necessarily every) attack from any source under any circumstances must be assured.

Defense

In order to build a theoretical framework for an effective defense in the cyber realm, one must first appreciate its characteristics. Franklin D. Kramer, former Assistant Secretary of Defense and editor and joint author of Cyberpower and national security,  provides some useful insight by suggesting that cyber is similar to land in three important respects: players are numerous, barriers to entry are minimal, and there is ample opportunity for concealment.[v] Unlike land, however, there can be significant geographic separation between aggressors and their targets in the cyber realm. This, combined with the perception of concealment (a result of the difficulty of attribution), may diminish fear of retaliation in the cyber domain. For instance, an armed assailant attacking a federal building faces almost certain punishment and high risk of death. A college student sipping coffee in an internet café in Moscow while infiltrating the computer network of that same building is less concerned about the immediate consequences of his actions.

No country on earth could possibly muster the resources to attribute and retaliate against thousands of attacks per day.[vi] Therefore, the first component of deterrence theory must be a strong defense; a robust combination of hardware and software components intended to make unauthorized access nearly impossible. This will serve two purposes. First, it will completely prevent most intruders from gaining entry into the system. Second, it may keep potential intruders from even trying, due to the very low probability of successfully breaking into the system relative to the very high costs to of doing so.[vii] This form of defense must block or dissuade the majority of aspiring attackers, so that the remaining ones can be dealt with through retaliatory methods.

This has clear implications for a US policy of cyber deterrence. A strong defense must leverage a combination of physical infrastructure and human capital. The need for physical security is obvious; beneath the virtual world of the internet is a vast network of glass tubes, copper wires, routers, switches, firewalls, and satellites. This physical infrastructure must be protected as part of any strategic defense.

In the balance between efficiency and security, mission-critical systems must lean heavily towards the latter. Kramer discusses the need for “high-end” and “low-end” systems, which could be dealt with differently when considering security needs.[viii] The same should be required through regulation of any non-profit or private organizations working with or retaining confidential information. This need is accentuated by the identity of the U.S. government; its iconic status as the most powerful organization in the world makes it the crown jewel of hackers worldwide.

Redundancy is imperative. The US should ensure that no single point of failure exists on any piece of hardware or software where a loss of functionality would have serious national security implications.[ix] Backups should be automated and maintained in order to protect against corruption and loss. Redundancy and disaster recovery add enormous complexity and significant costs to the maintenance of any system, but like an insurance policy, their absence is devastating during a crisis.

Human capital is no less critical. Complex systems diminish in value without the personnel and knowledge to monitor, maintain, and improve them. The backups and redundancy discussed above require talented and knowledgeable staff to manage, as do the periodic updates required by all code-based technology. Furthermore, no system that allows entry to required personnel can be flawlessly secured, which necessitates constant evolution through reassessment and enhancement.

Defense concerns cannot be limited to the public sector. Some might argue the U.S. government does not have an obligation to protect private companies, or that this is outside the scope of a cyber deterrence framework. But this view is mistaken. U.S. led multi-national companies work across the globe, and even if this were not the case, cyber attacks are unhindered by state borders. Furthermore, U.S. interests are harmed by intellectual property theft and U.S. citizens are directly hurt when their information is stolen from company databases. For these reasons, a comprehensive cyber-deterrence policy needs to take private companies into consideration.

The lack of direct government control makes the complexity of cyber protection for private companies greater. Although the government could create regulations defining requirements for an effective cyber defense, this would stifle innovation and development while failing to keep up with evolving security needs. Alternatively, the government could provide cyber security infrastructure and software to companies, but this would be outrageously expensive, complex, and wasteful. The most reasonable option is to let private companies secure themselves, but step in if a breach occurs to provide attribution and retaliation services.

This may sound untenable, but is no different than the physical domain of security. Companies take steps to defend themselves with locked doors, gates, and alarm systems. In the event that these systems fail, and theft, property damage, or violence occurs, some form of government agency (local police, FBI, or other) is expected to take the next steps to bring the perpetrators to task and ensure justice is done. While the policing method would be similarly structured, the virtual nature of the cyber domain would be better served by a highly talented and centralized team rather than a local police force.

These aforementioned measures, which included physical security, redundancy, human capital for the public sector, and expectations of a reasonable degree of security for private sector systems, are the first step of a US cyber deterrence strategy. Their theoretical importance lies in reducing the number of high-risk attacks to a minimum, thus paving the way for successful attribution and retaliation against the most malicious of assailants. Though this is a critical first step, some aggressors will penetrate the defenses. For these cases, a second element of cyber-deterrence theory is required.

Attribution

The problem of attribution is universally acknowledged in the context of cyber deterrence.[x] The massive number of users and relatively anonymous nature of the cyber domain makes attribution far more difficult than it is for nuclear deterrence.[xi] Governments can launder their actions through individual users or groups, achieving their objectives while maintaining plausible deniability. Individuals can also launch formidable attacks on governments or private companies with relatively minimal financial support, making it infeasible to assume government complicity based solely on the success or scale of an attack. Malicious individuals can also achieve concealment by breaking into the computers of the technologically vulnerable and directing their attacks from there.

This does not mean that attribution is impossible. Goodman points out that when Estonian websites were damaged in 2007 through[tooltip title=”” content=”A denial of service attack is a cyber attack whereby servers are bombarded with more requests for information than they can handle, thus rending the server essentially unusable.” type=”info” ] denial of service attacks[/tooltip], and when Georgia had their network assaulted in 2008, both countries were able to attribute the attacks to Russian hackers with a high degree of certainty. More recently the New York Times, with the help of hired cyber experts, was able to attribute stolen passwords and other illegal online activity to the work of Chinese hackers.[xii] These examples demonstrate that the challenges of attribution are not insurmountable in the real world.[xiii]Indeed many attacks have been traced to their sources, even if some attackers have escaped prosecution. It is not unrealistic to think that greater investment in personnel and technology could improve the success rate.

Furthermore, despite the challenges faced by attribution efforts, they remain a critical part of cyber deterrence theory. Attribution helps guarantee that retaliation efforts will bear fruit, since they will eliminate the true threat rather than a scapegoat. Successful attribution also builds legitimacy and credibility at home and in the eyes of the international community.

Credibility and legitimacy are poignant within the context of US strategy. Congress would be extremely hesitant to impose harsh economic sanctions on a Chinese government that appeared circumstantially to be responsible for an attack. If there was undeniable forensic evidence, however, that hesitation would be reduced. If the evidence pointed to a terrorist cell in Shanghai rather than the Chinese government, the response would be different, and a dangerous diplomatic spat could be avoided. If, however, the government were proven responsible, then other actions could be pursued.

The U.S. should take leadership in establishing norms for collaboration on cyber attribution efforts in regards to crime. This necessitates proactive behavior; the sooner the U.S. defines illegal cyber behavior in the international community, the more likely it is those norms will become globally recognized. Even if disagreement arises over time, these norms will be difficult to overturn once they are firmly entrenched in the international system.

One final note on attribution is that countries should take responsibility for attributing major attacks on domestic companies. This may be costly, but far less so than sending the message that attacks on companies will go unpunished. If countries fail to do this, companies will likely take matters into their own hands as cyber crimes increase in frequency and their cost grows unacceptably high. The U.S. and other large countries would come to regret the chaos encouraged by lawlessness in the cyber domain if they fail to act in support of their corporations’ interests. Additionally, the U.S. and other countries will benefit from economies of scale by building their ability to attribute not only government attacks but private sector attacks as well.

None of the above guarantees the ability to attribute every cyber attack to a specific person or entity, but it does accentuate the importance of attribution efforts. Though not absolutely necessary for every attack, frequent attribution paves the path for the final pillar of cyber deterrence theory.

Retaliation

No deterrence theory could succeed without retaliation. In the absence of retaliation, there is no incentive for opponents to refrain from attacking. Morgan says to maximize the effectiveness of retaliation, it should fall in the intersection of three criteria: unacceptable to one’s opponents, feasible, and acceptable to the retaliating party and the international community.[xiv]

For dealing with attributed non-state actors, appropriate punishment presents some difficulty due to lack of established international law. As discussed above, the U.S. should work to proactively define illegal behavior for exactly this reason. Though challenges arise with enforcement and the judicial process, setting a precedent at least sends a clear message of actions that are deemed inappropriate and what retaliatory action may be taken.

Despite the legal concerns, it is vital to retaliate against non-state actors. The large number of daily cyber attacks speaks to an absence of fear of retaliation. If these attacks are to be reduced, aspiring cyber criminals need to observe punishments being administered to those who break rules. This retaliation would not need to be in kind; once illegal activity has been defined, then arrest and imprisonment are on the table as appropriate responses.

States pose a different challenge when dealing with retaliation, both due to the magnitude of the potential consequences and the complexity of inter-state relations. In retaliating against attributed state actors, as with individuals, states need not constrain themselves to responding only in kind to cyber attacks. In order to maximize the effectiveness of deterrence, states should demonstrate credible willingness to respond through a variety of measures, including economic sanctions, seizure of state resources, diplomatic and political maneuvers, or even military attack.

Retaliations against states need not be proportional to the offense, but should reflect geopolitical realities. Leaders need the leeway to exercise judgment when deciding what measures best deter future attacks. The measures pursued must be strong enough to arouse fear in other aspiring assailants, but should also attempt to maintain legitimacy or rally support for future retaliations.

Most challenging is when an attack cannot be attributed to a specific source. Morgan argues that in classic deterrence theory, attribution is unnecessary, and that states can be held accountable for any attack that comes from within its borders.[xv] But he goes on to note this might only be acceptable for severe attacks. Goodman seconds this opinion, stating that attribution can be unnecessary if culpability can be shifted to a state[xvi].

This option may sometimes be necessary, but does not represent a consistent guideline for action; the decision to punish a state for attacks would certainly depend upon the geopolitical, economic, and diplomatic circumstances.[xvii] Countries should also be reluctant to establish a norm of blaming states for citizens’ actions in the realm of cyber security for fear that these norms might work against them in the future. The characteristics of cyber security lend themselves to a lack of control, so if the U.S. were to blame China for independently operating hackers, it might later need to accept responsibility and prosecute Google or another company for defying local laws in a foreign country.

The underlying message is that U.S. policy-makers should not feel obligated to follow a particular course of action after an attack occurs. Retaliation can vary according to the source, the magnitude, and the political environment.  Nevertheless, the U.S. should establish precedent by retaliating against attacks in consistent ways, thus showing the world the consequences of a given action. As Kugler rightly argues, these precedents need to be built prior to a crisis situation to avoid ad-hoc behavior when responding to attacks. For this reason, he argues for a “strong declaratory policy” to broadcast punishments for given situations to maximize impact on aspiring assailants.[xviii]

Conclusion

Deterrence is not the final solution to crime, espionage, and attacks in the cyber realm. Cyber deterrence differs from the nuclear variety in many key ways, and as such is highly unlikely to eliminate the occurrence of all attacks no matter how effective the implementation. Nevertheless, deterrence can play a critical role in reducing the total number of attacks to a manageable level at a relatively low cost. This should free up resources to pursue and prosecute the attacks that do slip through.

For deterrence to be effective, it is imperative to utilize a framework of defense, attribution, and retaliation. Without an effective defense, the number of successful attacks would be far too great to source and pursue. Attribution techniques, though not an absolute necessity in every circumstance, will need to identify the source of attacks often enough to convince aspiring attackers that the odds are against them escaping unscathed. Retaliation is crucial for demonstrating that breaking the law or attacking a nation will not go unpunished.

Given the vast amount of cyber attacks the U.S. endures on a daily basis, a policy of cyber deterrence should be aggressively pursued. The defensive mechanisms of redundancy and data protection as well as the necessary investment in education and training may be expensive, but these costs will yield large dividends as the cyber realm becomes increasingly important. The U.S. has always been a country of innovators and entrepreneurs and there is no reason for the U.S. to not be the dominant cyber power in the world for decades to come, with cyber deterrence policy as a foundation of that power.

Image Credit: Jamie Zawinski, Wikimedia Commons

This is an archived article. While every effort is made to conserve hyperlinks and information, GJIA’s archived content sources online content between 2011 – 2019 which may no longer be accessible or correct.