Friday, April 24, 2009

Achieving Cyber Deterrence

Many cyber security experts and national security policy makers assume that it is impossible to achieve a comprehensive cyber deterrence strategy. Deterrence involves convincing an adversary not to initiate a particular action or set of actions because of the credible prospect that he will not succeed in achieving his objectives, or that he will be subjected to a punishing response, or both, such that the costs incurred will far outweigh the benefits that might be gained.

One reason cyber deterrence is viewed as impossible is that, unlike during the Cold War, there is not one monolithic adversary to deter. During the Cold War the United States only had to worry about deterring nation-states, and it primarily achieved this goal via the threat of nuclear retaliation. In today's cyber threat environment there are a number of adversaries, including:
  • nation-states;
  • terrorists;
  • patriotic hackers; and
  • cyber criminals.
Each of these adversaries has different interests and objectives. Further, some of these adversaries, like terrorists, believe they have nothing to lose and therefore are not threatened by the use of force, digital or physical.

Accordingly, cyber security experts and policy makers believe it is difficult to develop a deterrent strategy that addresses all of these adversaries. While it is certainly more difficult to develop individual deterrence strategies for each of the adversaries above than it was to develop the single deterrent strategy needed to counter the Soviet Union during the Cold War, it is by no means impossible. A closer examination of each adversary's capabilities and intentions reveals that the United States can develop a credible cyber deterrent strategy tailored to each of them.

Deterring nation-states is relatively straightforward. The United States still possesses the nuclear deterrent it used to counter the Soviet Union during the Cold War. This deterrent capability can still be used to deter nation-state adversaries from launching devastating cyber attacks on critical infrastructure targets.

Deterring terrorists, patriotic hackers, and cyber criminals is a more difficult challenge. Currently, terrorist groups have demonstrated the intent but not the capability to launch crippling cyber attacks against critical infrastructure targets. Therefore, in order to deter terrorists from pursuing cyber warfare, the United States should focus on improving its cyber security and resiliency. Improved defense may convince terrorist groups that executing a successful cyber attack is well beyond their capabilities. Additionally, improved resiliency may convince terrorist groups that even a successful cyber attack may not have the desired crippling effect. Improved resiliency, via the use of redundant systems, can be designed to prevent devastating and cascading failures in critical systems. A terrorist group is less likely to waste precious resources attacking a target it perceives to be invulnerable.

Patriotic hackers have demonstrated both the capability and the intent to launch successful cyber attacks against critical infrastructure targets. For example, Chinese patriotic hackers are believed to be responsible for an ongoing series of cyber espionage attacks against various targets within the Defense Industrial Base sector. According to media reports, untold amounts of valuable intellectual property and military logistics data were lost in these attacks. Given the patriotic hackers' de facto connection to a nation-state, it is reasonable to treat this adversary as an extension of its patron nation-state. The United States should carefully articulate its position that attacks carried out by patriotic hackers will be treated as attacks sponsored by the hackers' patron nation-state. As such, the United States should threaten the patron nation-state with retaliation in an effort to deter attacks launched by patriotic hackers. Ideally, nation-states will find this threat credible and seek to control and limit attacks emanating from patriotic hackers within their borders.

Cyber criminals have also demonstrated the capability and intent to launch cyber attacks against critical infrastructure targets. Cyber criminals have launched successful attacks against various targets in the financial sector. Additionally, CIA analyst Tom Donahue publicly stated that intrusions accompanied by extortion demands, which suggests criminal motives, had caused blackouts overseas. Donahue said, "we have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

Cyber criminals appear to be the most difficult adversary to deter because of their perceived capability to overcome advanced defenses and because they cannot be tied directly to a patron nation-state. While difficult, the United States can deter cyber criminals by improving its attribution capabilities. Improved technical attribution, coupled with effective intelligence gathering and increased information sharing with international law enforcement partners, will enable the United States to more accurately identify the sources of a cyber attack. Once the attackers are identified, the United States should use traditional law enforcement strategies to pursue and arrest them. Improved attribution and an effective law enforcement response will likely discourage cyber criminals from launching high-profile attacks on critical infrastructure targets like the power grid.

Developing a comprehensive cyber deterrence strategy will by no means be easy and will take a great deal of patient work. Just because our Cold War deterrent strategy is no longer applicable and a replacement is not immediately obvious does not mean we should conclude that cyber deterrence is impossible. After World War II and the introduction of nuclear weapons, policy makers took time to develop the sustainable framework of mutually assured destruction. That strategy was not obvious at the dawn of the Cold War, and we should therefore not expect a cyber deterrent strategy to be immediately obvious either.


Jessie D said...

Despite the terrorist's classification as the one who would be the most difficult to actually deter in his movements, since he has "nothing to lose", I certainly agree with cyber security's effort to try and convince terrorists that their attacks will not give them the satisfaction that they may long for, since "even if successful a cyber attack may not have the desired crippling effect". Therefore, it is interesting to point out that although cyber security may not necessarily come in direct contact with the attacker, it can still psychologically influence his actions. It's also intriguing to see technology's effect on the law. For instance, it is mentioned that "traditional law enforcement strategies" should be implemented to punish cyber criminals. However, as times change and the world is exposed to a broader range of possible crimes that can take place, perhaps specific penalties should be allotted to those who execute cyber attacks. Those who are aware of the definite consequences that await them may rethink their planned attack. Although the establishment of prime cyber deterrence is definitely complex, and the factors involved in achieving deterrence are certainly not easy to attain either, including developing better attribution capabilities, cyber security is at least aware of the complex, yet achievable, task ahead. With much time and effort, and if cyber-attackers are completely prevented from obtaining certain knowledge and begin to feel somewhat threatened, their success will gradually diminish and deterrence will eventually be reached.

tom said...

When it comes to deterring a nation state like China and its reliance on "Patriotic Hackers," I think the response should not be a cyber response. If the Chinese or "Patriotic Hackers" take down a power grid in the United States we should not fear using our military to respond. I think a reasonable deterrent would be to alert all of our military forces, and make sure the Chinese see the forces on alert, in the region every time we are attacked by Chinese hackers. The idea of proportional responses is foolish, almost as foolish as not responding at all. When dealing with a nation state and "Patriotic Hackers" the United States must make it clear that any attack, even a cyber attack, will alert our military and could potentially warrant a devastating military response.

Johanna B. said...

I found Devost, Houghton and Pollard's paper "Information Terrorism: Can You Trust Your Toaster?" to be particularly interesting, specifically in their assertions about the definition of terrorism. Their assertion that terrorism is a political crime, and that our quickness to label any malicious computer use "terrorism" is not only inaccurate but reactionary, is spot on. I recall watching the beginning of 60 Minutes about a month ago and the use of similar scare tactics to worry viewers about the upcoming April Fool's Day virus attack, which was ultimately anti-climactic. While computer crime is not something to be taken lightly, the easy use of terms such as "cyberterrorism" and "information terrorism" to apply to cases of malicious computer use that do not, as Devost et al. write, attack a particular "government, ideology or policy" only serves to confuse the public about actual cases of information terrorism.

Hope said...

As far as terrorists go, I would have to say that despite Devost and Pollard's assurance (in their "Taking Cyberterrorism Seriously") that "It is unlikely that a terrorist organization like al Qaeda currently possesses the capability to launch a sustained cyberterrorism attack against critical infrastructures," it worries me that our response to a perceived threat does not seem to be that well-defined. Tom's idea to have a strong military response seems to have merit, but I would argue that there is still the question of accountability for a cyber attack, any cyber attack. As far as a measure to deter an attack goes, putting out that there would be a strong military response seems to be a good one. But what happens when there is an attack, and we can't figure out who, exactly, should receive our response? Additionally, if we did manage to ascertain accountability, wouldn't an instant military response discredit our nation even more if and/or when it turns out to be... misguided? Do we really want to start a literal flesh and blood war over what could amount to be just a... power outage? I would argue that proportional responses would be the better option, here.

lag63 said...

I have to disagree with Tom's suggestion that we should respond to patriotic hackers with military force. First problem: how is it possible to be one-hundred-percent sure that the alleged hackers have a "de facto connection to a nation-state"? The hacker might claim to be working for his or her government when in reality their crimes are the product of a different motive. Threatening a nation with military force is dangerous in itself, but threatening a government with military force in a situation where they might not be behind the crime is even worse. If the attacker is in actuality not affiliated with the nation-state, military force would not be effective because the attacker may or may not really care about the ultimate fate of the nation but only his or her own selfish goals. Relations between the two nations could be irreversibly damaged for no reason. Second, even if the connection between the hacker and the nation-state is verifiable, attribution is still a big downfall to deterring cybercrime. Threats to punish those found guilty of cybercrime are not very intimidating because the cyber attacker knows that in most cases it will be impossible to meet the burden of proof necessary to get a conviction. Military force could only be an effective deterrent to cybercrime if the attacker was without a doubt connected to the nation-state's government and it was possible to confidently identify the attacker; at this point, we do not live in this world.

K Garcia said...

Based on the article, America has a wide array of foreign threats ranging from general cyber attackers, to terrorists, to nation-states and patriotic hackers. The overlying issue is that it's impossible (or near impossible) to make a comprehensive deterrence policy that is going to end large scale cyber attacks on critical infrastructures. It's probably possible to reduce the number of these attacks with specialized deterrence tactics, but the reality is that the internet is just uncensored enough that there are always inlets viable for corruption. In the article, Prof. Moran mentioned in reference to nation states and patriotic hackers, "Ideally, nation-states will find this threat credible and seek to control and limit attacks emanating from patriotic hackers within their borders." A classic example of when this deterrence policy was practiced was in the Google censorship issue in China. Google threatened to completely withdraw from China, probably as a means to encourage the Chinese government to take initiative against the Chinese cyber attacks against the U.S. government. However, the government in China is far more extremist than America's, and the government failed to act against or take responsibility for the cyber attacks. This shows a lack of nation-state compliance and failed initiative on the American part. So truly, a fool proof deterrent practice has yet to be created, but hopefully further privacy advancements will be made.

Christopher Mika said...

I am currently taking a course on military strategy, and our last class covered strategic nuclear attacks. What interested me greatly is how my professor designed a potential nuclear attack from China. He assumed the use of around 350 nuclear devices, which is the current (and, in all likelihood, wildly inaccurate) US estimate of the extent of the Chinese nuclear arsenal. He and his colleagues were able to design it so that, even with this limited number of nukes, China could destroy half of our population.

The most intriguing part of their plan was the locations they chose for each nuke. While population densities were certainly one of their concerns, the designers also concentrated on major chokepoints in US infrastructure. Their targets ranged from important bridges, to railway stations, to highways, and even to important junctions in the electrical power grid.

Most often, the lethality of nukes is associated with or limited to the three killers: shock wave, immediate radiation, and fallout. Yet, what many people don't realize is that, without electrical power, our society would collapse. Indeed, one of the greatest killers in this nuclear plan of attack is starvation, as caused by a lack of electricity.

It just seems very interesting to me that one of the most likely cyber war attacks, attacking the power grid, is also one of the major strategic objectives of a nuclear war. Could mentally bridging this gap allow lawmakers and strategists to take cyber war more seriously?