Many cyber security experts and national security policy makers assume that it is impossible to achieve a comprehensive cyber deterrence strategy. Deterrence involves convincing an adversary not to initiate a particular action or actions due to the credible prospect that he will not succeed in achieving his objectives and/or he will be subjected to a punishing response such that the costs incurred will far outweigh the benefits that might be gained.
One reason that cyber deterrence is viewed as impossible because unlike the Cold War there is not one monolithic adversary to deter. During the Cold War the United States only had to worry about deterring nation-states and primarily achieved this goal via the threat of a nuclear retaliation. In today’s cyber threat environment there are a number of adversaries including:
- patriotic hackers and;
- cyber criminals.
Each of these adversaries has different interests and objectives. Further, some of these adversaries, like terrorists, believe they have nothing to lose and therefore are not threatened by the use of force – digital or physical.
Accordingly, cyber security experts and policy makers believe it is difficult to develop a deterrent strategy to address all of these adversaries. While it is certainly more difficult to develop individual deterrence strategies for the above adversaries rather than the one deterrent strategy needed to counter the Soviet Union during the Cold War, it is by no means impossible. A closer examination of the various adversaries capabilities and intentions reveals the United States can easily develop a credible cyber deterrent strategy for its adversary.
Deterring nation-states is relatively straightforward. The United States still possesses its nuclear deterrent used to counter the Soviet Union during the Cold War. This deterrent capability can still be used to deter nation-state adversaries from launching devastating cyber attacks on critical infrastructure targets.
Deterring terrorists, patriotic hackers, and cyber criminals is a more difficult challenge. Currently, terrorist groups have demonstrated intent but not the capability to launch crippling cyber attacks against critical infrastructure targets. Therefore, in order to successfully deter terrorist from pursuing cyber warfare the United States should focus on improving its cyber security and resiliency. Improved defense may convince terrorist groups that the execution of a successful cyber attack is well beyond its capabilities.
Additionally, improved resiliency may convince terrorist groups that even if successful a cyber attack may not have the desired crippling effect. Improved resiliency, via the use of redundant systems, can be designed to prevent devastating and cascading failures in critical systems. A terrorist group may be less likely to waste precious resources attacking a target they perceive to be invulnerable to attack.
Patriotic hackers have demonstrated the capability and intent to launch successful cyber attacks against critical infrastructure targets. For example, Chinese patriotic hackers are believed to be responsible for an ongoing series of cyber espionage attacks against various targets within the Defense Industrial Base sector. According to media reports, untold amounts of valuable intellectual property and military logistics data were lost in these attacks. Given the patriotic hackers de facto connection to a nation-state it is reasonable to treat this adversary as an extension of its patron nation-state.
The United States should carefully articulate its belief that attacks carried out by patriotic hackers will be treated as attacks sponsored by the hacker’s patron nation-state. As such, the United States should threaten the patron nation-state with retaliation in an effort to deter attacks launched by patriotic hackers. Ideally, nation-states will find this threat credible and seek to control and limit attacks emanating from patriotic hackers within their borders.
Cyber criminals have also demonstrated the capability and intent to launch cyber attacks against critical infrastructure targets. Cyber criminals have launched successful attacks against various targets in the financial sector. Additionally, CIA analyst Tom Donohoe publicly stated that presumed cyber criminals caused blackouts overseas. Donohoe said,
We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities.We do not know who executed these attacks or why, but all involved intrusions through the Internet.
Cyber criminals appear to be the most difficult adversary to deter due to their perceived capability to overcome advanced defenses as well as the inability to tie them directly to a patron nation-state. While difficult, the United States can deter cyber criminals by improving its attribution capabilities. Improved technical attribution coupled with effective intelligence gathering and increased information sharing by international law enforcement partners will enable the United States to more accurately identify the sources of a cyber attack. Once identified the United States should use traditional law enforcement strategies to pursue and arrest cyber criminals. Improved attribution and an effective response from law enforcement will likely discourage cyber criminals from launching high profile attacks on critical infrastructure targets like the power grid.
Developing a comprehensive cyber deterrence will by no means be easy to achieve and will take lots of patient work. Just because our Cold War deterrent strategy is no longer applicable and a replacement is not immediately obvious it does not mean we should conclude that cyber deterrence is impossible. After World War II and the introduction of nuclear weapons, policy makers took time to develop the sustainable framework of mutually assured destruction. This strategy was not immediately obvious at the dawn of the Cold War and we should therefore not expect that a cyber deterrent strategy would also be immediately obvious.