Disruptive and intrusive cyber activity pervades much of modern international relations. The trend towards the jockeying for global influence and geopolitical positioning through cyber means is only going to grow as more countries and non-state actors play out conflicts in the virtual domain.
The responsibility for defending U.S. interests from subversive influence in its domestic politics, theft of intellectual property, and mass disruption of its critical infrastructure rests on company executives, government bureaucrats, and military leaders. How are they seeking to address and prevent these perils of connectivity?
Some specialists talk of deterring cyber adversaries from attacking American networks in the first place. While many use the example of nuclear deterrence during the Cold War, as a practical matter, the two concepts are quite different. Nuclear deterrence is rather straightforward: avoiding nuclear confrontation by vowing nuclear retaliation to any nuclear attack. That’s the meaning of the doctrine known as “mutually assured destruction.”
The idea of cyber deterrence, on the other hand, is that the U.S. would signal that cyber attacks on American networks would result in the imposition of significant costs to the state sponsor, or criminal organization. The prospective attackers would then be expected to change their cost-benefit analysis. This anticipated recalculation is known as “deterrence by cost imposition.”
It bears some similarities to nuclear deterrence, but there are differences, among them, difficulties in fixing blame and in preventing a situation from escalating out of control.
“When we think about cyberspace…we do not have a consensus about what exactly we are trying to deter, and the means through which we could even try to deter are very diverse,” says Michael Sulmeyer, the Director of the Belfer Center’s Cyber Security Project at Harvard University. “We don’t have consensus about which means are appropriate to achieve what kind of goals.”
Another consideration is known as deterrence by denial. It involves a combination of cyber defenses and societal, economic, and military resilience to attacks, forcing potential adversaries to doubt that they will succeed at achieving their desired goals by means of a cyber attack. Theoretically, the overwhelming obstacles to success would dissuade them from taking the risk in the first place. Redundancies and analogue cutoffs can shield weapons systems and power grids, causing adversaries to question their ability to mount an effective cyber attack.
The strategy of cyber deterrence has made its way to the highest echelons of the U.S. government. On May 11, President Donald Trump issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. It called upon the national security team to submit a report by August 9 “on the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.”
The U.S. Department of Defense has taken the lead in developing a U.S. cyber deterrence strategy and the Defense Science Board issued a report in February. The “guiding principles” of the report demand “credible response options at varying levels of conflict,” describing the need to respond to cyber attacks through a toolkit of offensive cyber capabilities, diplomatic overtures, criminal indictments, and economic sanctions. The report covers military responses as well, the most drastic reserved for retaliation with “catastrophic destruction and loss of life.”
The U.S. could take tailored action to target the pressure points of what adversaries value. The U.S. would almost certainly respond differently to a North Korean cyber attack than one mounted by China. “For example, how confident are we that sanctioning North Koreans for hacking is interpreted by their leadership as a compelling cost?” Sulmeyer says. “It is not clear that such a signal is particularly meaningful to them.”
As cyber attacks proliferate – particularly blatant cyber operations such as Russian interference in last year’s presidential election – there is still a threshold nations have not surpassed. “It does seem right now that there is almost a tacit or implicit understanding that the threshold to be observed is to not threaten life and the physical destruction of property through cyber attacks,” says Sulmeyer.
Jason Healey, a senior research scholar at Columbia University and a visiting scholar at the Hoover Institution at Stanford University, suggests cyber attacks haven’t caused death and high ticket property damage because “deterrence is already working. It is working fantastically, but only in a limited manner.” While attacks like Russia’s campaign against Ukraine’s power grid causing blackouts quickly approach that threshold, they occur during active hostilities with Russia.
Perhaps more important is that, unlike nuclear deterrence, cyber deterrence is not really about deterrence or prevention at all. The fact is, the U.S. and adversary governments are already using cyber capabilities against each other all the time.
“The U.S. is deep inside the Russian, Chinese, Iranian, and North Korean networks,” says Healey, “and they are busy trying to get into American networks.”
During the Cold War, the U.S. showed restraint by not deploying nuclear weapons against the Soviets. But today, U.S. officials are unwilling to restrain the nation’s offensive cyber capabilities. “We want to be able to hold the other guys at risk for cyber attacks, but we don’t want them to be able to use cyber capabilities against us,” says Healey. “The term for that in the military is not deterrence, it’s supremacy or superiority.”
Deterring adversaries from mounting cyber attacks becomes more difficult when they feel they are simply responding to incursions by the United States. Perhaps the most obvious example is Iran, which did not conduct offensive cyber operations until it was hit with the Stuxnet worm, allegedly created by the U.S. National Security Agency. It caused physical damage to their nuclear centrifuges as part of a U.S. plan to halt their nuclear ambitions. A disc-wiping malware hit Iranian energy a few months later, causing the Iranians to respond by sending Shamoon malware into the energy sector of neighboring Gulf countries. If true, the U.S. cyber operations against North Korean missile systems – sabotaging their intercontinental ballistic missile tests – set an international precedent for other countries to do the same against the United States. Due to more tit-for-tat showdowns between cyber-capable nations, “we are in a constant state of ambush against the others,” says Healey.
Deterrence strategy often, though not always, means that nations develop offensive cyber capabilities in order to hold adversaries at risk. Many nations are standing up military cyber commands. The result is a cyber battlefield in which it’s difficult to distinguish defensive intelligence collection from preparations for an offensive attack. This security dilemma in cyberspace poses significant potential for escalation. A miscalculated deterrence strategy could backfire and trigger disproportional retaliation.
At a time when U.S. cyber diplomacy is being undercut, the nation’s cyber deterrence strategy must operate with restraint and with the development of international norms in mind. How nations use cyberspace today lays the foundation for the technology in the future.
“There are real threats right now in terms of intrusions and being held at risk, and deterrence is not going to be the be-all end-all,” says Sulmeyer. “It is comfortable as a strategic concept to a lot of people, but it has to be part – but only one part – of a package of policies and decisions that we make in the United States about how we are really going to keep the country safe.”
Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.