Cyberdeterrence is – in addition to being an annoying neologism – one of those esoteric subjects that a surprisingly large number of people have been trying to get their head around for years. Deterrence as effect and strategy has been hampered by the lack of a big ‘cyber’ stick – no Apaches, no nuclear warhead – and no clear idea about the legality of offensive or retaliatory computer network operations (CNO), the collateral effects these might have, problems of attribution, and how to have a declaratory policy given these issues and many more.
Rather than bore readers more interested in kinetic operations with further details of the inner workings of this field, I’ll just give a flavour of the discussion, based on two pieces I saw yesterday.
My Forbes colleague Richard Stiennon wrote a piece for The Firewall yesterday in which he had the following to say about cyberdeterrence:
I suggest that rather than focus on creating a balance of mutual assured destruction such as existed during the protracted Cold War, a more appropriate response to cyber threats is to increase the costs for the attackers by improving defenses.
Students of nuclear strategy will immediately recognise this form of ‘deterrence by denial’. Specifically, this is ‘pre-event’ deterrence by denial, in which the marginal cost of maintaining a defensive measure is less than the marginal cost of investing in offensive measures sufficient to provide a successful attack. That’s a wordy way of saying that if your defences are good, adversaries will eventually give up trying to attack as they can’t afford the arms race to achieve success.
However, this is precisely the approach a new paper claims cannot work. In Leaving Deterrence Behind: War-Fighting and National Cybersecurity, Richard Harknett and colleagues argue that adversaries do not give up:
Relying on deterrence by denial … must be distinguished from temporary deflection of attacks through superior defense. An attacker that is continually probing, but does not launch a full attack because they cannot get around a strong defense, is not an attacker being deterred; it is an attacker being frustrated and contained (defended).
This is because, the authors assert, cyberspace is an ‘offense-dominated security environment’, and they apply offence-defence theory (à la Stephen Biddle) to show this. They conclude that even robust defences
will be undermined eventually as the offense-dominant nature of the environment will allow the attacker to innovate technically, tactically and operationally with some prospective success.
Attempts at deterrence, such as are hinted at in the US Cyberspace Policy Review (2009) [pdf], should therefore be abandoned. They counsel the following:
The inherent characteristics of cyberspace require adoption of a full war-fighting posture that moves out of the fifty-plus year comfort zone of deterrence as the dominant strategic anchor. We must organise thinking about managing cyber-leveraged war so that damage is contained and reduced. Counter-intuitively, these futuristic threats require us to adopt the historical posture of traditional warfare. This does not mean we must accept a perpetual state of war in cyberspace. Importantly, as the ubiquity of cyber grows societally across the globe, effective norms against cyberaggression will become increasingly important in reining in unacceptable forms of behavior in this new realm of human interaction. But, in facing down threats to national security, the United States must organize itself around the reality of war preparation and fighting, rather than the hope of avoidance, as the principle upon which cybersecurity will be advanced.
This is a rather bleak assessment that will find favour with those, like John Arquilla, who favour a war footing for cyber operations, particularly against terrorists. It also reflects a particular sector of US national security thinking that makes claims to be realist but has so far failed to actually make a solid claim to reality. I don’t doubt the logic of the authors but I do get slightly uneasy when I see the ‘teenagers in their basement’ trope wheeled out in support of these arguments. In this case, the insurgent drone intercepts are also mentioned as examples of the threat environment, a situation that would have been avoided by better defensive measures, i.e. encryption of video feeds from UAVs.
That said, Harknett – who knows his onions – and his co-authors (see also their earlier stab at this issue) have made a bold move. I’m not sure that the Obama administration would be very vocal about this strategic shift were they to adopt it, although it would only require, as Harknett et al point out, the dropping of a single word from the 2009 policy review. I’m also not sure that this wouldn’t be throwing the baby out with the digital bathwater.
Other authors, like Richard Stiennon and John Robb, suggest that all options remain on the table. Others, like James Lewis, point out that the pre-eminent cyber-offensive power, the US, currently derives little deterrent effect from those capabilities, which is problematic for a no-holds-barred strategy. For some, state-level deterrence is a function of existing kinetic capabilities – you hack us, we bomb you. That’s fine for all-out cyber attacks, goes the riposte to that view, but what of espionage, etc.? Also, some of the activities listed under Harknett’s ‘cyberaggression spectrum’ are addressed by a range of civil legal and non-legislative measures, although these deterrence regimes are usually not very effective [pdf].
What is clear is that Cold War nuclear-strategic thought cannot simply be applied to deterrence in information environments. This much is recognised by all parties to this debate, save for a few remaining crusty generals. I suspect, in time, that the US military will be accorded pretty much whatever freedom they wish to operate in cyberspace, against a range of military and non-military ‘threats’. I can only imagine what that will look like in policy terms. It may be as straightforward as dropping the ‘D-word’ and letting the lawyers sort out the rest.





{ 5 comments }
Sadly I’m forced to agree. Though I would prefer to avoid ‘cyber’ races and think that the matter is hardly capable of doomsday predictions, I also don’t think that this is an area where one can remain ‘safe’ via defenses.
It is indeed a very tricky area to resolve, let alone in any politically ‘safe’ way. As if on cue, we get this news story a few hours ago: Military asserts right to return cyber attacks.
Right on cue indeed. I like Alexander’s emphasis on ‘firing back’ – at what I’m not exactly sure. As you well know, an ‘elite’ US military cyber team can hit a stationary target (the CIA-Saudi honeypot website), but not without disrupting 300 servers in 3 countries. What will they fire back at in the majority of cases where there is no target?
Tim – you may also find this new publication interesting; the EastWest Institute on ‘Global Cyber Deterrence’ – http://www.ewi.info/global-cyber-deterrence
Dave,
Thanks for the EWI link – I’ll check out the report as soon as I can. I was invited to their upcoming conference in Dallas but unfortunately couldn’t make it.
You identify one of the key problems in this field: attribution. It crops up as a problem everywhere you look. John Arquilla outlines his solution to this in a recent article for Foreign Policy: smaller, distributed units, out there in the networks, swarming adversaries, etc. Worth a read but see a response to this from Chris Albon at Current Intelligence.
Tim,
Thanks for this article (and for the hat tip on your blog re. EWI). I happened to have read it previously, but it was well worth another look. I agree with much of what he has to say re. the direction of needed change.
I hear similar establishment arguments for retaining first-tier capabilities here in the UK (i.e. carriers w/ F-35s, continuous at-sea deterrent, etc). But, as Arquilla points out, isn’t the very definition of first-tier gradually shifting? The capabilities that once seemed essential are now looking more like financial millstones.
As Albon points out, there is a casualty cost for the change to networked swarms, a cost that Americans would be unwilling to pay (at least until a carrier is lost with all hands). However, there are other political barriers to overcome first, namely the diverse and highly-entrenched interests that perpetuate the current system. These barriers cut across the private and public sector, and though Secretary Gates has challenged them, any change remains extremely slow. Huge political battles must be fought before networked swarms can exist in large numbers (or suffer high casualties).
But back to cyber! Though networked swarms may drive improvement in US cybersecurity, wouldn’t they be only slightly less vulnerable when attacked by hostile and likely much more agile swarms? And how would they swarm adversaries in cyberspace without a McConnell-style ‘reengineer the internet’ initiative, to which other countries may raise ever-so-slight objections?
As you noted, this is a battle that remains offence-dominated. Perhaps what is needed is a kind of de-perimeterisation (a la Jericho Forum) that acknowledges the impossibility of always protecting everything, while building a high wall around the truly critical bits of value (source code, intel, command and control, etc)? Perhaps networked swarms could be a step in that direction, making an organisation more agile and flexible. The problem, of course, is that regardless of how many swarms we release, for the foreseeable future rigid hierarchies will remain in situ. There will always be a military command or corporate HQ to target at will – hence the need to roll the barriers back to these tall towers, and focus on them.