Dissuasion in Cyberspace: The Limitations of Classical Deterrence Theory

Dissuasion in Cyberspace:

The Limitations of Classical Deterrence Theory

Sarah M. Koch

            In 2011, a top federal laboratory in the United States was forced to disconnect from the Internet when administrators discovered that data was being siphoned from a server.[1] In 2014, two Chinese hacks into U.S. Office of Personnel Management databases compromised sensitive information on more than 22.1 million people. U.S. officials said it was “highly likely” that every security clearance application since 2000 had been exposed.[2] In the spring of 2017, a mysterious hacking group called the Shadow Brokers released alleged NSA tools. This trove included EternalBlue, which exploited a previously unknown Windows vulnerability. Hackers then used EternalBlue in two high-profile ransomware attacks only months later.[3]

Western society’s connectivity is accompanied by a new national security risk: cyberattacks. To a degree almost unimaginable a decade earlier, disruptive and destructive cyberattacks have become central to multi-domain warfare in interstate conflict. Our critical infrastructure, banking, and military systems rely on connectivity in cyberspace. Paradoxically, those who are at the forefront of these emerging technologies are also the most susceptible to attack.[4] For this reason, nations such as the United States face many peer or near-peer competitors in the domain of cyber warfare.[5] As cyberattacks by state and non-state actors continue to increase in frequency and severity, cyberattack prevention continues to become more central to national security policy. However, cyberattacks can rarely be deterred. Threat of punishment is the universal deterrence mechanism, but punishment will play a lesser role in the cyber domain. As Richard Clark and Robert Knake argue, “Of all the nuclear strategy concepts, deterrence theory is perhaps the least transferable to cyber war.”[6]

            Ultimately, cyber must be distinguished from both nuclear and conventional kinetic conflict.  The constant evolution, paradoxes, and indisputable uniqueness of cyber warfare leave strategists with an unclear picture as they pursue appropriate deterrence policies for cyberattacks. Policy experts have identified four potential mechanisms of deterrence and dissuasion in cyberspace: threat of punishment, denial by defense, entanglement, and normative taboos. However, for concept “purists,” only the first mechanism constitutes deterrence.[7]  In response, Martin Libicki constructed a ladder of appropriate retaliatory responses: diplomatic, economic, cyber, physical force, and nuclear force.[8] Under a strategy grounded in a multi-domain ladder of retaliation, nuclear weapons could serve as a retaliatory strike after devastating, non-nuclear attacks on American infrastructure.  In theory, such a strategy would create a deterrent dynamic for potentially crippling cyberattacks. In reality, its efficacy remains far from clear.

In order to retaliate, the victim, at a minimum, must establish the identity of its attacker. However, attribution after a cyberattack can be complex and is rarely immediate. The speed and sophisticated concealment of cyberattacks make the real-time identification of an attacker rare. Instead, the victim of an attack relies on digital forensics to construct the identity of its attacker. [9] Even when an attack is traced to a single computer, questions surrounding the identity of the attacker can remain. Eric Talbot Jensen illustrates this conundrum using an anecdote: a cyberattack is traced to a computer in the basement of a Chinese government building. This detective work leaves three possible culprits: a Chinese operative acting on behalf of the Chinese government, a rogue Chinese actor, or a third country attempting to implicate the Chinese.[10] According to a report by Cybereason Intelligence Group, both Russia and China have capitalized on this strategic ambiguity. Russia outsources its malicious cyber activities, and China allows entrepreneurial “hackers for hire” to operate as long as they do not create significant issues for the government.[11] These strategies allow the states to operate under a veil of plausible deniability, hampering forceful retaliation. However, this veil of anonymity is not the sole obstacle to effective cyber deterrence.

In addition to attribution, damage assessment is a critical component when weighing retaliatory measures.[12] International law does not require “a response in kind” to an attack, but a response claimed in self-defense is limited not only by an understanding of necessity, but also by the principle of proportionality.[13] Similar to attribution, the processes of damage assessment and determination of proportionality present many difficulties and complexities when applied to cyber warfare. Michael Schmitt argues: “although they [cyberattacks] are non-forceful [non-kinetic], their consequences can range from mere annoyance to death.”[14] Additionally, an act that, on the surface, appears to be a “mere annoyance,” may in fact have a greater impact. For example, Russian meddling in the 2016 U.S. elections could have a lasting impact on the stability of American society and the American political system.[15] Similarly, when Bashar al-Assad’s regime hacked the U.S. Associated Press twitter account and posted a false message that read: “Breaking: Two Explosions in the White House and Barack Obama is injured,” the New York Stock Exchange lost 200 billion dollars almost immediately.[16] Though the markets recovered quickly, cyber actions that resemble this example could erode public trust in security systems and the media. As Joseph Nye explains, “In the classic duality between war and peace,” many cyberattacks fall into a “gray zone.”[17]

When both the actor and impact have been identified, another question arises in the deterrence dilemma: what should be targeted in response and by what means?  Though the punishment mechanism for deterrence need not be limited to the cyber domain, an attack in kind would be the clearest response to a cyberattack and perhaps the easiest to justify on the international stage.[18] However, the debate over what constitutes an appropriate attack in kind highlights two additional characteristics that distinguish cyber from other domains of warfare: (1) the relationship between a society’s technological advancement and its corresponding vulnerability to attack and (2) the single-use nature of offensive cyber capabilities. Richard Clark and Robert Knake argue that deterrence, if the classical concept were applied, would be most effective against the U.S. due to its particular vulnerability to asymmetric attacks. Because the U.S. is more dependent on connectivity than its adversaries, it may be deterred from initiating cyber warfare for fear of retaliation against its own networks.[19] The U.S. takes a great risk when developing offensive technologies, for the possibility will always exist that new American technologies will one day be used against the U.S..[20]

Inversely, a less connected adversary may have far less to lose from an outbreak of cyber warfare. For example, President Obama promised a “proportional response” to North Korea’s hack of Sony Pictures in 2014. Only days later, North Korea experienced one of its worst network failures in years, a blackout of nearly 10 hours, and North Korea blamed the United States for the Internet outage.[21] However, if the United States were at fault, it is unclear whether or not this act was truly proportional to the original North Korean attack. According to the New York Times in 2014, the country had only 1,024 official Internet protocol [IP] addresses and a single upstream network connecting it to the rest of the Internet.[22]  Therefore, this attack likely caused limited interruption in North Korea. Similarly, the Trump administration accused Russia of targeted cyberattacks on the U.S. power grid in March 2018.[23] If Russia had indeed interrupted power in the U.S., and the U.S. were to react in kind, the physical effects in Russia would not be comparable. Purportedly, thirty-percent of applications to connect to the electrical grid in Russian cities are denied because the infrastructure has not been updated in decades, and, in some localities, orders for electricity are still placed by phone and tracked on paper maps.[24] As can be seen by these examples, attacks against a technologically inferior adversary may be largely symbolic. Cyber has become a weapon of choice for the outgunned, and it will remain a relatively low-cost and low-risk activity for weaker state and non-state actors.

Given this debate over the effectiveness of a retaliatory response against a less-connected opponent, strategists must weigh the necessity of “expending” an offensive cyber capability that likely will be limited to a single use. After a cyber weapon has been introduced to the public eye, it can be reverse engineered. Generally, this process then renders the development useless.[25] Not only will the exploited vulnerability be patched, but copycat technologies will also arise. This single-use quality clearly distinguishes cyber weapons from conventional weaponry. Designs for munitions, planes, and bombs are rarely scrapped after their first use. The Stuxnet virus, released in 2010, is a clear example of the limited lifespan of offensive cyber capabilities. The cyber worm affected over 60,000 computers, more than half of which were in Iran, and sabotaged the centrifuges used in the state’s nuclear program. It was labeled “one of the most sophisticated and unusual pieces of software ever created” at its time of release.[26] However, despite its sophistication, the virus was quickly disarmed. A few months after its release, its technical components had been identified.[27] By 2011, a plethora of effective antidotes were available and many variants of the malware appeared.[28] In general, a cyber capability that works one day may not work the next, even without its expenditure. If a target becomes aware of a vulnerability, that asset will receive additional protection.[29] Therefore, the secrecy of a state’s cyber weapons is paramount, increasing the futility of conventional deterrence strategies.  

Nonetheless, threat of punishment remains a bedrock of U.S. Cyber policy, albeit cloaked by contemporary buzzwords and catch-phrases. While the 2018 Cyber Strategy appeared to focus on active defense, or “defending forward” to “intercept and halt cyber threats” to American networks, later U.S. actions in Cyberspace indicated otherwise.[30] In June 2019, the United States escalated its incursions into the Russian electrical grid, introducing potentially crippling malware. According to a New York Times source, offensive action was “long overdue.” For years, Russia had been inserting malware into American infrastructure.[31] After this tit-for-tat, President Trump’s national security advisor warned: “[if you are] engaged in cyberoperations against us, you will pay a price.”[32] This pointed announcement caused any ambiguity to evaporate. The United States is operating in Cyberspace, the newest theatre of warfare, with a less than novel strategy: classical deterrence.

However, as this article has demonstrated, threat of punishment alone is an inviable strategy. Its utility is limited by ambiguous attribution, unclear measures of proportionality, and single-use weaponry.  Ultimately, classical deterrence, as previously defined in the context of nuclear and conventional weaponry, will play a diminished role in Cyberspace. Though research and technologies in this domain are constantly evolving, strategists, policy-makers, and military leaders must understand classical deterrence’s shortcomings in order to minimize their effect—or propose alternative solutions.