Towards a Cyber Deterrent
Bob Gourley
bob.gourley@comcast.net
29 May 2008
The constant exploitation of computer systems attached to the net and the threat of devastating attacks against our critical infrastructures warrant a strategic approach to Cyber Security. Among the ideas being considered is the possible declaration of a national policy of “Cyber Deterrence.” The best way to improve the situation, this theory goes, is to stop the attackers from attacking in the first place.
What must the nation do to successfully declare and execute a deterrence strategy in this domain? Years of focused study on this question by strategic planners, economists, technologists, and academicians in the Cyber Conflict Studies Association (CCSA) have resulted in a framework for discourse on this topic.[1] The examination of cyber deterrence is far from over, but some initial conclusions can already be drawn, and recommendations for more study can be made.
In a national security context, deterrence is an influence strategy designed to prevent attack. It involves understanding adversaries and what motivates them, communicating to adversaries in a way that makes it perfectly clear what behaviors will put them at risk, and demonstrating an ability to respond. Six key challenges have been identified that must be addressed before a deterrence strategy can be put in place for cyber attacks. These challenges are:
· Attribution of Attack
· Knowing the enemy
· Proving we can know who is attacking without undermining how we know
· Deciding and articulating what behaviors to deter
· Establishing and articulating credible responses that are not escalatory
· Operating fast in an environment that impedes our ability to act
Challenge number one: Attribution of Attack.
The primary challenge is one of attribution of attack. You cannot deter unless you can punish, and you cannot effectively punish unless you have attribution. Although there are many aspects of attribution, the key challenges are technical ones. The current Internet allows anonymity, and this anonymity can be supplemented when an actor wants to remain undiscovered. Adversaries can spoof addresses, use anonymizer servers, and use open access to the net from a wide range of physical locations.
Challenge number two: Knowing the enemy.
We already know the many kinds of threat actors in cyberspace (Nation State, Terrorist Group, Organized Crime, Hackers, etc.), and we have a great deal of experience in defending against them and, unfortunately, suffering losses to them. This experience can help us with our calculations, and can help us articulate requirements to the intelligence community for additional support.
But a deterrence strategy requires even more knowledge. Deterrence requires an understanding of how adversaries view their security and how they assess risk. Deterrence also requires an understanding of how adversaries might assess their costs and benefits. Adversaries might not be concerned about our responses if they think they will be measured and proportional. Additionally, deterrence strategies will not work for all adversaries (they work only for rational actors, not for those who feel they have nothing to lose). Therefore, a key standing requirement for our intelligence community must be to always understand what our adversaries hold dear, since a deterrence strategy requires us to hold that at risk.
Challenge number three: Proving we can know who is attacking without undermining how we know.
Deterrence in the cyber domain is complicated by the number of participants in cyberspace. There are now over 1 billion PCs in the world. As of November 2007 there were 3.3 billion cell phone subscribers in the world (past the 50% of the population mark). Any of these PCs or cell phones can be used to participate in or trigger attacks. And in many cases these devices can be recruited to act in ways that the device owner cannot control. Even if we could know which devices are attacking, how do we know who controls the device? Which of the users of these 4.3 billion devices should we be tailoring our strategy for? This type of complexity is different from that addressed in Cold War deterrence models.
For our deterrent to be credible, not only must we have attribution (challenge number one), but we must reveal that we have the power to know who is attacking among all the users in the world using any of the 4.3 billion end devices connected to the Internet. But if we reveal to adversaries that we have that power, we give them knowledge they can use to create new means to deceive and hide attacks, giving them a way to get around the deterrent.
Challenge number four: Deciding what behaviors to deter and articulating them in ways that do not undermine the strategy.
In the Cold War, the primary objective of deterrence was deterrence of nuclear attack. In the cyber realm we need to make some choices. In general, the more we can deter the better. But if we decide to deter more than we can detect, attribute and really respond to, we might not be seen as credible, which undermines the deterrent effect. We should ask ourselves some questions: Do we seek to have a deterrent strategy that addresses low-level hacker activity or nation-state-sponsored attacks? Do we seek to deter cyber crime? Do we seek to deter cyber espionage?
Perhaps the bigger challenge is in deciding which behaviors will be articulated in our deterrent strategies. If we clearly articulate what falls inside the deterrent environment we are giving away what lies outside the deterrent environment. Adversaries will know what they can get away with and can get around the deterrent. If our cyber deterrent requires us to make an open declaration of what we hold dear and what we view as expendable we may be revealing too much about our nation’s strengths and weaknesses. If we decide on a more ambiguous articulation it may be so vague that it has no effect. Either extreme may undermine the effort.
Challenge number five: Devising and articulating credible responses that are not escalatory and that do not undermine the deterrent strategy.
To have an effective deterrent we must have a capability to respond. Our responses are by no means limited to responses in cyberspace. The range of responses can span the full spectrum of diplomatic, economic, legal and military responses to include the use of force if required.
Articulating what we will do when attacked in cyberspace raises several challenges, including challenges of proportionality (and those challenges are directly related to credibility). At a minimum, the punishment must outweigh the potential benefits of the attack. And in many cases the way to deter might be to hold an entire nation at risk. Here too we should ask ourselves some questions: Will we articulate a strategy that says cyber espionage will be met with destruction of a nation? That is probably not a credible threat, so it undermines the desired deterrent effect. Do we devise methods to corrupt information being stolen by cyber spies? That might pose a good deterrent, but challenges one and two above will need to be addressed for this to work. Will we articulate a strategy that says if the US power grid is attacked by a nation state we will destroy that nation state? That might be a somewhat more credible policy statement, but depending on the country in question it could lead to nuclear escalation. So even that policy statement might not be seen as credible. What adversary would think we would risk nuclear war to prevent cyber attacks?
There is another school of thought in the cyber studies community which posits that we should declare a strategy of deterrence that has more ambiguity, so we will keep our adversaries guessing about what our response may be. This approach might be of use in deterring cyber espionage, for example. In general, for a theory like that to work it should be backed up by a very strong defense and a well-functioning internal decision-making process, so our actions will not be escalatory by mistake.
Regardless of which school of thought is proven right over time, we must consider ways to communicate our deterrent to a wide range of actors in cyberspace.
Challenge number six: Operating fast in an environment that impedes our ability to act.
For deterrence to work, our adversaries must know that the punishment will come and that it will defeat them. Since attacks can hit us quickly and can do significant damage while underway, the response needs to be as swift as possible. Operating swiftly can also serve to maximize the deterrent effect against future attacks.
This means we must demonstrate a capability to quickly detect who is attacking, then rapidly determine the appropriate response, and then execute with the speed that we would if we were responding to a nuclear attack. We should have an ability to take away what an adversary cherishes most within minutes of detection of an attack on our systems. And as an aid to future deterrence and to continued international support, we will need to offer proof of how we knew what we knew. Additionally, for credibility purposes we must periodically demonstrate the entire mission thread, from detection of an attack to attribution of the attacker to swift punitive measures that overwhelm the attacker.
Wargaming and exercises in this domain consistently demonstrate the complexities in coordinating responses to cyber attacks.[2] Wargames and exercises also demonstrate that current processes require fast elevation into the most senior levels of the national decision-making structure, which slows rather than speeds the process. Slower decisions mean slower responses. This may very well be an issue that can be solved with more wargaming and more policy work, but for now it is a component of a challenge which must be addressed.
The domestic and international legal environment also has impedance effects that slow the ability to attribute who is attacking and slow responses. Slowing attribution undermines deterrence strategies. It may be that changes to domestic and international law can help speed the attribution of cyber attacks and help deter future attacks. But until that is addressed, the challenge remains one that today’s strategists must deal with.
Addressing the challenges:
These six challenges have been with us since the start of the Internet age. If there were simple solutions to any of them, they would have been solved by now. Addressing these challenges will likely require mobilizing the intellectual capital of a broad swath of experts in industry, academia and government. But meanwhile, the nation has responsibilities to our citizens that require defense. Until a deterrence strategy can be developed that is supportable, it is prudent to mount a more vigorous defense.
Mounting a more vigorous defense can help address the deterrence-related challenges articulated above. If we can make attacks against our enterprise more costly to attackers, then that can make deterrence easier. And if we can protect our most sensitive information from assault, then that can remove the temptation to attack. And if we can enhance our ability to know all adversaries in cyberspace, we can enhance our ability to create more workable solutions to deterrence strategies.
The good news is that new approaches to defense are possible, including significantly strengthened operating systems and new methods of enabling security across the entire technology stack. Identity management and access control can be improved. And the rapid and continuing enhancement of networking technologies will allow significantly enhanced abilities to secure Internet access points and even establish national boundaries in cyberspace if desired. More will need to be done to mount the best possible defense, including using the nation’s education system to ensure all citizens are able to defend their parts of cyberspace and cultivating a positive culture of cyber security in the nation. Treaties that delegitimize the state use of non-state bad actors in cyberspace may also need to be considered.
Intuitively, it seems that mounting a vigorous defense will lay a foundation for a future deterrence-based strategy. But this planning assumption is one of many which should be questioned in future research. Strengthening defense while continuing research is the mantra of the day when it comes to cyber defense, cyber deterrence and all other aspects of cyber conflict. Cross-functional, cross-discipline, public and private intellectual work remains before a solid foundation for success can be laid.
[1] For more on the CCSA and its Research Agenda see Dr. James Mulvenon’s “Toward a Cyberconflict Studies Research Agenda.” http://www.cyberconflict.org/pdf/IEEEarticlefinal.pdf
[2] As an exemplar report of a public cyber exercise see: www.dhs.gov/xlibrary/assets/prep_cyberstormreport_sep06.pdf