cyber deterrence is bad strategy and merely provides a false sense of security. The U.S. needs to focus on cyber defense, not deterrence.
Recent events have led U.S. leaders to posit that we have entered a period of cyber war. The May 2017 “WannaCry” ransomware attacks certainly support the notion that cyber security is a big problem with big consequences. What is the right strategy for cyber security? Hearkening back to successful strategies in other areas (especially nuclear weapons), congressional leadership has called for the Executive Branch to develop cyber deterrence policies. However, deterrence requires more certainty about who the enemy is than the cyber domain currently offers. It also necessitates better U.S. offensive cyber capabilities, and a resolution to use these weapons in response to a cyber-attack. Given these shortcomings, cyber deterrence is bad strategy and merely provides a false sense of security. The U.S. needs to focus on cyber defense, not deterrence.
Why is deterrence a bad cyber strategy? Uncertainty is a core characteristic of the cyber domain, and it undermines basic requirements for successful deterrence. Best exemplified in nuclear strategy, deterrence requires three conditions: both parties must know when they are under attack; they must know who is attacking; and they must pose a clear and credible threat of retaliation which is quick, accurate, and proportionate. In the cyber domain, these conditions are difficult (if not impossible) to establish.
First, clear and immediate recognition of cyber-attack is undermined by the design and purpose of such attacks. The U.S. National Counterintelligence Executive defines cyber-attack as, “An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.” Consider the variety of operations that fall under that definition. Cyber-attacks range from espionage, to theft, to sabotage. They may be highly-visible or perpetually stealthy, or remain latent until triggered. Their effects may be evident as soon as an attack begins, or only discovered after the operation has concluded (if ever). Indeed, many cyber exploits remain concealed as long as possible in order to maximize their disruptive effects.
A second problem with cyber deterrence is that cyber-attacks are notoriously difficult to attribute to a specific actor. Like a high school teacher trying to figure out which student made a rude noise when his back was to the class, the victim of a cyber-attack finds himself looking at a variety of suspicious actors, all of them saying variations of, “Who, me?” The difficulty in attributing cyber-attacks to states arises from the same cyber characteristics that challenge recognition that attacks are occurring in the first place. Although the internet has a geography (switches, modems, and servers must be located somewhere), sophisticated exploits can use poorly-secured devices located anywhere on earth, turning computers or other gadgets into “zombies” that actually execute the attack and mask the true culprit.
As hard as it is to establish attribution for a cyber-attack, it may be even harder to dispense appropriate punitive measures. This is the final problem with cyber deterrence: a credible, timely, and proportional response is extremely difficult to make. Cyber deterrence requires offensive capabilities and a willingness to respond in kind. Offensive cyber weapons have immense potential, promising precision and lightspeed delivery. Why not employ more of them? First, the precision of offensive cyber is not as assured as it seems. Cyber weapons are proving difficult to control. It is also a struggle to predict the results of a cyber-attack. This fundamental lack of understanding dramatically increases the uncertainty and thereby the risk posed by employing cyber weapons. Cyber weapons pose additional challenges below the strategic level, as the inherent ambiguities of cyber weapons also complicate operational planning. From an operational planning standpoint, offensive cyber operations are a wild card. It is difficult to determine, let alone predict, the impact of cyber weapons. Traditional battle damage assessment and prediction techniques depend on physical observations. In the cyber domain, observables can be masked and manipulated by the adversary so that they deliberately mislead. As difficult as it is to predict tangible results from cyber weapons—it is even harder to control their spread. In summary, cyber offense is too volatile to be a basis of U.S. cyber strategy, and cyber deterrence as a whole is ill-advised.
In addition to the three problems with cyber deterrence mentioned above, another factor argues against an offense-focused cyber strategy: cyber weapons are instantly proliferated after use. The United States was unable to contain the spread of nuclear weapons after their development. Imagine how hard it would be to control nuclear proliferation if an expended nuclear bomb could be instantaneously reconstructed and turned back on its original creator. This is the case with cyber weaponry. Once deployed, cyber weapons become open-source. Furthermore, cyber weapons do not expire after their first use, and can be repackaged and manipulated more easily than conventional munitions. They may then pose a threat not only to the originator of the weapon, but also to allies and others, as seen in the “WannaCry” attack that used leaked U.S. cyber exploits.
The wider proliferation of advanced cyber weapons threatens to destabilize the cyber domain as a global common and delegitimize U.S. efforts to lead the international community. The U.S. may lose the moral and political legitimacy necessary to be a global leader in this area if it remains active in using, and thereby proliferating, cyber weapons. While there is certainly a use for cyber weapons and offensive cyber operations, it is not consequence-free. The deployment and proliferation of sophisticated cyber weapons also increases the cost of cyber defense. This is not an argument against the development of offensive cyber weapons. Such tools remain crucial to aggressive statecraft and military operations. However, cyber deterrence based on them cannot be the foundation for a stable cyber security strategy.
Some estimates hold that by 2018, the costs of cyber-attacks will exceed the initial benefit of starting or expanding a business in cyberspace. Cybercrime (and fighting it) is already an expensive proposition. Lloyds of London estimates that the cost of cybercrime was $400 billion in 2015, and projects that cost will grow rapidly, with some estimates placing it at $2 trillion by 2019. The proliferation of advanced, state-developed cyber weapons will only increase this cost further – potentially stifling global economic progress.
the U.S. should apply its technical prowess and global leadership to increase cyber defense capabilities and seek to secure the cyber global common.
If neither deterrence nor offensive cyber operations is the solution to cyber security, what is? The strategist Clausewitz wrote that a strategy based upon defense can be a much “stronger form of carrying on war.” Though he could not have foreseen the technological context of the 21st century, this statement may apply even more to cyberspace than to other domains. Instead of cyber deterrence, the U.S. should apply its technical prowess and global leadership to increase cyber defense capabilities and seek to secure the cyber global common through renewed national and international initiatives to govern and normalize cyberspace.
Man created the Internet, and by extension cyberspace. It is therefore a controllable environment, especially when one considers its origins as a U.S. private/public partnership. The cyber domain was created in October 1969 with the Advanced Research Projects Agency Network (ARPANET). To speed its development, its designers opened the network up to public research and development. The networks that succeeded it retained its open development mindset. This openness remains a choice. Individuals and organizations have powerful means to ensure greater security through more tightly-controlled system development and networks.
Alternative hardware and software development architectures may provide additional means to limit the development of malicious code. Martin C. Libicki of the RAND Corporation notes that entire operating systems, such as the Apple iOS, have been developed in a more closed, centrally managed environment to limit exposure. The U.S. government has recognized this issue since its development of the 2000 National Security Strategy and as such has developed initiatives such as Einstein III: a whole of government approach to protecting the government’s internet domain.
The Joint Staff identifies three layers of cyberspace. The first layer is physical; it is the hardware, the computers, the servers, and the wiring of cyberspace. The second layer is logical; it is the programming and the software of cyberspace. The third layer is the cyber persona; it is the interaction of people and organizations over networks. Cybercriminals and cyberwarriors can exploit each of these three layers: wires can be cut, malicious code can exploit software, and social engineering can convince unwitting victims to lower their guard.
The good news is that the defender controls the physical design of networks, the logical environment, their “persona” in cyberspace, and user interface. This control provides a means for greater security. Through supply chain discipline, physical disconnection from larger networks (air gapping where/when productive), firewalling, virtual private networks, and increased information security practices at the user level, critical cyber infrastructure can be shielded from the battlefield. Additionally, organizations may want to consider employing a more controlled development and user environment. Yet, if defenders can shape their environment to their distinct advantage, why does cybercrime persist, and what is the threat of cyber war?
Cyber security is not uniformly embraced and practiced by governments, corporations, and/or individuals; this is apparent in the Mirai Botnet mass cyber-attack. On October 21, 2016, an unknown actor perpetrated a massive distributed denial of service (“DDoS”) attack against the U.S. Internet infrastructure company Dyn. The attack exploited a near-complete lack of security measures present on Internet of Things devices and used them as zombie computers to flood Twitter, Netflix, Amazon, and Spotify with bogus traffic. The attack severely slowed internet access for Americans east of the Mississippi River.
New vulnerabilities and threats evolve every day, and not all individuals and organizations have the means, attention, or wherewithal to keep pace with potential aggressors. Simply put: civilians have trouble defending themselves on the cyber domain and therefore rely on governments to provide security. This is not unique to cyber as governments defend civilians in all other domains. The government, through U.S. Cyber Command, the National Security Agency, and Department of Homeland Security needs to strengthen bonds with private industry to develop and promulgate greater security techniques, technologies, and standards (such as Einstein III) to the whole of government and critical sectors of the national and international economy.
Defending the U.S. public and private sectors is not enough. Since 1998, the U.S. has acknowledged that cybercrime is “not hampered by international boundaries,” and as such it would be inconsistent (and implausible) to attempt only to secure domestic cyberspace. The U.S. played a central role in the creation of cyberspace and now must usher in greater efforts to secure this global common. Leadership means endorsing international initiatives where appropriate and forming partnerships with other consequential powers to ostracize cybercriminals, promote cyber security, and establish controls for offensive cyber operations.
Deterrence would be an adequate policy if the U.S. could miraculously make the domain more transparent and reduce the risks of proliferation, but cyberspace is not a realm of magic and miracle. Should the U.S. further weaponize cyberspace, other states will likely follow it as they seek to preserve their ability to deter potential U.S. aggression. The national – and global – good depends upon a stable and secure cyberspace. Cyber deterrence will not get us there. It will only increase the number and sophistication of cyber weapons. Cyberspace is manmade and therefore can be controlled by man. The domain can be made more defensible through choice, discipline, and collaboration at the individual, national, and international level.
Joe Brooks is a civilian employee of the Department of Defense, and a member of the U.S. Army War College class of 2017. The views in this article are the author’s and do not necessarily reflect those of the U.S. Army or U.S. Government.
Photo Credit: Kjell Lindgren/NASA