Cyberdeterrence is – in addition to being an annoying neologism – one of those esoteric subjects that a surprisingly large number of people have been trying to get their head around for years. Deterrence as effect and strategy has been hampered by the lack of a big ‘cyber’ stick – no Apaches, no nuclear warhead – and no clear idea about the legality of offensive or retaliatory computer network operations (CNO), the collateral effects these might have, problems of attribution, and how to have a declaratory policy given these issues and many more.
Rather than bore readers more interested in kinetic operations with further details of the inner workings of this field, I’ll just give a flavour of the discussion given two pieces I saw yesterday.
My Forbes colleague Richard Stiennon wrote a piece for The Firewall yesterday in which he had the following to say about cyberdeterrence:
I suggest that rather than focus on creating a balance of mutual assured destruction such as existed during the protracted Cold War, a more appropriate response to cyber threats is to increase the costs for the attackers by improving defenses.
Students of nuclear strategy will immediately recognise this form of ‘deterrence by denial’. Specifically, this is ‘pre-event’ deterrence by denial, in which the marginal cost of maintaining a defensive measure is less than the marginal cost of investing in offensive measures sufficient to provide a successful attack. That’s a wordy way of saying that if your defences are good, adversaries will eventually give up trying to attack as they can’t afford the arms race to achieve success.
However, this is precisely the approach a new paper claims cannot work. In Leaving Deterrence Behind: War-Fighting and National Cybersecurity, Richard Harknett and colleagues argue that adversaries do not give up:
Relying on deterrence by denial … must be distinguished from temporary deflection of attacks through superior defense. An attacker that is continually probing, but does not launch a full attack because they cannot get around a strong defense, is not an attacker being deterred; it is an attacker being frustrated and contained (defended).
This is because, the authors assert, cyberspace is an ‘offense-dominated security environment’, and they apply offence-defence theory (à la Stephen Biddle) to show this. They conclude that even robust defences
will be undermined eventually as the offense-dominant nature of the environment will allow the attacker to innovate technically, tactically and operationally with some prospective success.
Attempts at deterrence, such as are hinted at in the US Cyberspace Policy Review (2009) [pdf], should therefore be abandoned. They counsel the following:
The inherent characteristics of cyberspace require adoption of a full war-fighting posture that moves out of the fifty-plus year comfort zone of deterrence as the dominant strategic anchor. We must organise thinking about managing cyber-leveraged war so that damage is contained and reduced. Counter-intuitively, these futuristic threats require us to adopt the historical posture of traditional warfare. This does not mean we must accept a perpetual state of war in cyberspace. Importantly, as the ubiquity of cyber grows societally across the globe, effective norms against cyberaggression will become increasingly important in reining in unacceptable forms of behavior in this new realm of human interaction. But, in facing down threats to national security, the United States must organize itself around the reality of war preparation and fighting, rather than the hope of avoidance, as the principle upon which cybersecurity will be advanced.
This is a rather bleak assessment that will find favour with those, like John Arquilla, who favour a war footing for cyber operations, particularly against terrorists. It also reflects a particular sector of US national security thinking that makes claims to be realist but has so far failed to actually make a solid claim to reality. I don’t doubt the logic of the authors but I do get slightly uneasy when I see the ‘teenagers in their basement’ trope wheeled out in support of these arguments. In this case, the insurgent drone intercepts are also mentioned as examples of the threat environment, a situation that would have been avoided by better defensive measures, i.e. encryption of video feeds from UAVs.
That said, Harknett – who knows his onions – and his co-authors (see also their earlier stab at this issue) have made a bold move. I’m not sure that the Obama administration would be very vocal about this strategic shift were they to adopt it, although it would only require, as Harknett et al point out, the dropping of a single word from the 2009 policy review. I’m also not sure that this wouldn’t be throwing the baby out with the digital bathwater.
Other authors, like Richard Stiennon and John Robb, suggest that all options remain on the table. Others, like James Lewis, point out that the pre-eminent cyber-offensive power, the US, currently derives little deterrent effect from those capabilities, which is problematic for a no-holds-barred strategy. For some, state-level deterrence is a function of existing kinetic capabilities – you hack us, we bomb you. That’s fine for all-out cyber attacks but what of espionage, etc, goes the riposte to that view. Also, some of the activities listed under Harknett’s ‘cyberaggression spectrum’ are addressed by a range of civil legal and non-legislative measures, although these deterrence regimes are usually not very effective [pdf].
What is clear is that Cold War nuclear-strategic thought cannot simply be applied to deterrence in information environments. This much is recognised by all parties to this debate, save for a few remaining crusty generals. I suspect, in time, that the US military will be accorded pretty much whatever freedom they wish to operate in cyberspace, against a range of military and non-military ‘threats’. I can only imagine what that will look like in policy terms. It may be as straightforward as dropping the ‘D-word’ and letting the lawyers sort out the rest.