Discouraging Deterrence

25 Nov 2009

Current discussions of cyber warfare and security parallel those of nuclear strategy in the 1950s, making the notion of cyber deterrence attractive. But applying this nuclear formula to the cyber realm is deeply flawed and largely unworkable – with improvements in cybersecurity ultimately requiring more broadly focused and balanced strategic calculations.

Cyber conflict has become part of warfare. Advanced militaries now have the capability to launch cyber attacks not only against data and networks, but also against critical infrastructures that depend on computer networks. These attacks could be a network penetration for intelligence gathering or for the disruption of data, but they could also be an attempt to damage or destroy networked infrastructure. Several countries now have these capabilities and there have probably been a few surreptitious tests.

The problem for countries with advanced militaries is that while they have offensive cyber capabilities, so do their opponents, against whom they must defend. In the nuclear era, a strong offensive capability could serve a defensive purpose, by threatening retaliation and thus deterring an opponent from attacking. Applying this deterrent formula to cyber conflict seems logical, but the notion of cyber deterrence is deeply flawed.

The discussion of cyber warfare and security is in some ways similar to the discussion of nuclear strategy in the 1950s. Like nuclear-tipped missiles, cyber attacks are rapid, cross borders easily, and can serve both tactical and strategic purposes. These parallels are one reason the notion of deterrence is attractive. We do not, however, want to overstate the analogy, as it exaggerates the destructive capacity of cyber weapons and it understates the uncertainties for both attack and defense in cyberspace. Nuclear weapons use was reserved for extreme situations. In contrast, cyber attack (at low levels) is a daily occurrence and no nation will renounce its use. More importantly, key uncertainties in attribution and in the scope of collateral damage make deterrence unworkable.

In cyberspace, we cannot be confident of our ability to determine an attacker’s identity. Identity is easily concealed in cyberspace – we still do not know who was responsible for some major incidents such as the harassment of US and Korean networks in July, and sophisticated attackers are skilled not only at hiding their identity but also making it look as if someone else was responsible. Attackers can never be sure that they will escape detection, but the odds are in their favor. Similarly, the scope of collateral damage is difficult to predict, including both unintended effects on the target and damage to third party networks connected to or dependent upon the target network. Connectivity in cyberspace does not equate to geographic proximity. For example, an attack on an opponent’s network might accidentally degrade a neutral nation’s satellite or telecommunications services.

Uncertainty and confusion have always been part of warfare, but the fog of war is especially thick in cyberspace. The implications of uncertainty are most pronounced for deterrence. Deterrence depends on the threat of retaliation to change the opponent’s calculus of the benefits and costs of an attack. But it is hard to convincingly threaten an unknown attacker.

Changing context

The context for deterrence has also changed. There was symmetry in vulnerabilities in the Cold War – each side could threaten the other's military or civilian targets in order to coerce it to decide against attack. That symmetry no longer exists. The US and other western nations are more dependent on digital networks than some potential opponents, and this asymmetric vulnerability means that even in an equal 'exchange' of cyber attacks, one side will lose more than the other. More importantly, an anonymous attacker may not lose anything at all since his identity is unknown and retaliation is impossible.

Deterrence in the Cold War was buttressed by 'signaling' (nonverbal warnings created by movements in forces or readiness in posture), by statements about intentions, and by implicit or explicit understandings among potential opponents that defined the environment for conflict. There were tacit understandings on 'redlines' and thresholds, which are lacking for cyber conflict. It is not even clear if nations share a common lexicon of terms for cyber warfare. Clear attribution and common understandings allowed for both credible threats and for 'signaling' an opponent; their absence makes cyber conflict more difficult to prevent or manage.

Deterrence strategies in the Cold War professed to accept a large degree of collateral damage as a necessary risk for threatening nuclear retaliation. Strikes would have harmed civilian populations in both NATO and Bloc countries. But the collateral damage from nuclear weapons was in some ways easier to predict than the effect of cyber attack – the blast and radiation effect is limited to an area around impact; in cyberspace, by contrast, collateral damage may not be contiguous with a target or even located in the target country. Uncertainty about collateral damage will affect decisions by political leaders, who may be unwilling to incur the risk of a cyber attack that could widen or escalate a conflict, or create unfavorable political consequences.

While the military and intelligence forces of nations are the most dangerous opponents in cyberspace, the low cost of acquiring attack capabilities means that some less sophisticated forms of cyber attack are available to non-state actors. Politically or religiously motivated opponents are much less likely than government leaders to be deterred by the threat of retaliatory attack. They have no capital city or infrastructure to threaten, and their willingness to accept risk will be much greater than most nation-states. Non-state actors do not face the same political constraints that apply to state actions in cyberspace. Some potential opponents may even welcome retaliation, as it could provide justification and expand support for their cause.

The best evidence of the weakness of deterrence in cyberspace comes from the US, which has some of the most advanced cyber offensive capabilities in the world but obtains no deterrent effect from them. Nuclear weapons deterred a potential aggressor. Cyber weapons do not. This is the result of the uncertainty that reduces the credibility of a deterrent threat against an opponent in cyberspace. It may also point to the existence of implicit thresholds for cyber conflict – if attackers limit their actions to espionage, which is generally not regarded as an act of war, there is little chance that the victim will undertake retaliatory attacks.

Deterrence by threatening retaliatory attack does not increase security in cyberspace. While there are good reasons for countries to develop offensive capabilities, we should not expect to get deterrent benefit or greater security from this. Given the limits of deterrence, the nuclear age formula is not appropriate. There was no effective defense against an Intercontinental Ballistic Missile (ICBM). By contrast, cyber conflict could benefit from greater attention to defense. In addition, national defenses would be strengthened by multilateral understandings on acceptable behavior in cyberspace – an explicit norm or obligation that established state responsibility for the private actions of its citizens. Such an obligation, for example, would remove Russia’s ability to plausibly deny its involvement in attacks on Estonia. Just as nations feel a degree of constraint from norms and agreements on nonproliferation, establishing explicit international norms for behavior in cyberspace would affect political decisions on the potential risk and cost of cyber attack. The implicit norms for cyber conflict that currently exist offer an avenue for future agreement on the scope and nature of cyber warfare. Increased attention to defense and resiliency could change an attacker’s decisions in ways that are not achievable by threatening reprisal or retaliation, by decreasing the chances for successful attack and increasing the costs of detection.

Broad improvement in cybersecurity internationally will require nations to undertake a larger strategic calculation to determine the balance among offensive, defensive and multilateral efforts that best reduce the risk and increase the cost of cyber attack. Most nations have not yet done this. The notion of cyber deterrence is appealing because it is unilateral, and it justifies building offensive capabilities. Real security may require exactly the opposite approach – multilateral agreements and emphasis on defense.
