Beset by disruptive digital attacks, espionage, and cyber-enabled influence campaigns intended to sway public opinion, the United States and its allies are looking for ways to stop the onslaught of computer breaches into their systems. Many nations’ security services are bolstering their offensive military cyber capabilities and response frameworks to deter adversaries from intruding into their networks. The Cipher Brief’s Levi Maxey spoke with Jason Healey, a Senior Research Scholar at Columbia University and a Visiting Scholar at the Hoover Institution at Stanford University, about what cyber deterrence means, and why it can backfire.
The Cipher Brief: What is cyber deterrence, and does this strategy seem to be working?
Jason Healey: Every year it seems like cyber attacks have been getting worst than the previous year. The U.S. has blown through what we would have thought were red lines where 10 or 20 years ago, we would have said it will not ever get that bad – nations surely wouldn’t go and do this because other nations would not allow it. And yet, year after year, it is getting worse and worse. This is the case, not just for criminals, but also rising powers – trouble-making powers like North Korea or Iran – as well as the most powerful adversaries America faces in cyberspace, China and Russia.
Generally people say that we can either deter them through resilience and strong defenses – being able to take the punches – or we need to think about deterring them from taking action to begin with. If you look at the canonical Pentagon mission – the things that the Pentagon is there for – they intend to deter conflict from happening, and if deterrence doesn’t work, then to prevail. And since the Department of Defense doesn’t want to be in a warfighting atmosphere where they are trying to fight to prevail, the only option left in their menu is really to just deter. So I find difficulty with a significant portion of that basic premise of how most people in the military are approaching the problem of cyber deterrence in the first place.
To start with, deterrence is already working. It is working fantastically, but only in a limited manner, which is, as far as we can tell, nobody has yet died from a cyber attack. There hasn’t been any really major property damage either. There hasn’t been anything remotely close to that line where the kinds of damage are what you think about from a military attack. Attacks like Stuxnet and NotPetya are close. But that tells us something really interesting about deterrence, which is that even if we have been worried about a digital Pearl Harbor for 26 years, nations are generally unwilling to use cyber operations to have Pearl Harbor-type effects – to kill people or really destroy things. Nations are showing restraint beyond that threshold. Now beneath that threshold, that’s where nations are not showing restraint – espionage and the stuff that people in the military will call “death by a thousand cuts.” But to me, we have got to start the conversation by saying deterrence is working.
When we say every year is worse than the last, that’s true. But every year is getting closer and closer to that threshold beyond which is real death or destruction. Deterrence is one way you might say, let’s not go past that line. But it is not the only obvious way, and in fact to me its not even the preferred way. We could say, lets have restraint and do whatever we can to pour concrete and rebar into preserving that threshold, and that leads you to a larger set of things like norms rather than really deterrence.
A lot of times, what I find when I hear people at the Department of Defense and in Congress talking about deterrence, they are not talking about that restraint or making sure no one goes past that line of death and destruction. Instead they actually mean supremacy. When we talk about nuclear deterrence during the Cold War, we are saying that everyone knows that we don’t want a nuclear war, but if there is one, we want to prevail. We bounce back and forth on that second point, but generally we wanted stability – let’s make sure that nobody is going to use nukes against us.
That is not what they mean when you hear people talk about cyber deterrence today. They mean, we want the other guy to feel restrained in using his capabilities against us, but we are not really willing to give up very much in response. We don’t want our capabilities restrained. We want to be able to hold the other guys at risk for cyber attacks, but we don’t want them to be able to use cyber capabilities against us. The term for that in the military is not deterrence, it’s supremacy or superiority.
This gets to one of the big issues with deterrence. People often talk about deterrence as if we want to stop the adversary from starting something against us. For example, we wanted to deter Saddam Hussein from going into Kuwait or pushing further into Saudi Arabia, or we want to deter Kim Jung Un from launching missiles against us. That’s called pre-war deterrence. But what we are talking about in cyber conflict is intra-war or trans-war deterrence – we are already using these capabilities against one another all of the time. The U.S. is deep inside the Russian, Chinese, Iranian, and North Korean networks, and they are busy trying to get into American networks. So we are throwing these punches back and forth, and hoping nobody throws a punch that’s a lot harder than the punches that have gone back and forth already. That is a very different kind of deterrence.
TCB: How would that change depending on the adversary?
Healey: It is becoming pretty common now that people are saying this has to be tailored deterrence, or specifically targeting what those national leaders are holding at value. What we are looking at, however, is coercion, not deterrence. When we are talking about Chinese cyber espionage, for example, they were already spying on us all the time – indictments or threat of sanctions were not to deter them from doing it, they were already doing it. We wanted instead to coerce them to stop doing something that they already were doing. It is far more difficult to get someone to stop doing something to you that they are already doing.
If one main point is that deterrence is already kind of working, and the second is that what we are really talking about is supremacy, then the third point is talking about the dynamics. Often when talking about deterrence, what we really mean is that we want to hit them back. We want to raise the costs on them and frustrate their operations against us – which is really more fighting, but that is ok – or we want to hold their networks at risk or punch them back so they don’t conduct attacks against us.
But think about the dynamics here. A lot of my colleagues will say look at the Iranians and Shamoon, look at how awful that is, we need to deter Iran. But we need to stop and say, wait a minute, where did this start? If you are talking about deterrence you can’t start in mid-fight and you can’t only talk about the stuff that they did to us, because most of our adversaries are actually hitting back and not hitting first. Deterrence looks really differently when the other side already feels like they are the victim, and you sucker punched them first.
That is surely true when it comes to Iran, who was not paying any attention to offensive cyber or espionage. Their internet capabilities were focused internally looking at dissent until they got hit by Stuxnet. Then they said “oh, that is the way the game is played. All right, we understand now.” Then they were targeted with a wiper worm – which according to reports was by the Israelis – that hit their energy sector and wiped out drives and they had to take wells out of production. A couple months later, they hit back with Shamoon. So whenever I hear U.S. policymakers or generals say “we need to deter because of Shamoon,” I think no, that was the Iranians hitting back, or at least it looked like that was the Iranians hitting back.
So again, we are talking about deterring someone from doing something that was pretty symmetric, but we don’t want to give up the ability to hit other people. So I really caution folks when talking about deterrence not to just focus on what others are doing to us. Our government officials are really good at screaming about what others are doing to us, and classifying what we are doing for outbound fire. To me it is manipulation to classify how we have hit the other guy, and then because we are taking punches, they need larger budgets and they need looser rules of engagement. I am not comfortable with that.
TCB: Is deterrence strategy much more about escalation control than it is about actually stopping the activity?
Healey: It’s about escalation control, it’s about restraint, it’s about stability. For many reasons cyber conflict is the most escalatory kind of conflict we have ever come across. My colleague here at Stanford, Amy Zegart, says that each side is in a constant state of ambush against the others. We are in a constant state of ambush against the others. This is extremely escalatory and therefore if we are pushing deterrence then we are probably just continuing that cycle – something political scientists call a security dilemma. Instead, I prefer talking about restraint, because it means a lot of the same things as talking about deterrence but it doesn’t lead to us building more capability and more strength as the default answer, as does deterrence.
TCB: Could briefly talk about why cyber conflict is so escalatory? Is it because mere espionage can look a lot like preparing the battlefield?
Healey: Exactly. There is a concept from my colleague from Columbia University, Bob Jervis, who has written a lot about the security dilemma, which in political science is that if you deploy even a defensive capability, others might not understand that that is a defensive capability, so they build their own military capability, you see what they did, and you build your own. You end up in this spiral of escalation. Jervis wrote in the 1970s that this is doubly dangerous if you can’t distinguish offensive from defensive capabilities and the domain is offense dominant.
That is describing cyber conflict. These aren’t just tanks waiting behind some border, we are using these capabilities in a state of constant ambush against one another. It is hard to distinguish between offense and defense in cyberspace, and we are in an offensive operational environment – we are not just stockpiling these capabilities, we are using them all the time, often covertly in a non-attributable manner. The policymakers are relatively unfamiliar with these capabilities, and because they are unfamiliar, the capabilities might get misused and tend to cause fear, and when men are afraid we tend to get more aggressive. So there are ton of reasons why I suspect this is much more escalatory than we think.
But it is possible that more offensive capabilities might help on deterrence against specific people like Russian President Vladimir Putin. He knows what he is doing, this isn’t some kind of mistake for a tit-for-tat like it is for Iran. This is someone you need a brush-back against. If he is in our electrical system, then we are probably in his electrical system. That’s the kind of thing that he understands pretty well, and that’s a little bit different than it is, for example, with China or Iran.
We are also going to look across a much broader range of national security policy tools – certainly not just deterrence, and not just resilience, which is talked about a lot, but also norms, confidence-building measures, and looking at restraint. A lot of people who discuss deterrence ask, why would we ever restrain ourselves when the other guys aren’t? Well there are a lot of reasons we would want to restrain ourselves. We are all using this technology, and for us to build these capabilities means that we are generally – not entirely, but often – undermining U.S. technology that is used in U.S. critical infrastructure and by you and by me.