Cyber Insecurity: Give Deterrence a Break
by Thomas R. Johansmeyer
It’s time to give deterrence a break. We’ve made the concept carry us through the Cold War and another thirty years after that in the face of bipolar nuclear threats. After almost 80 years, we’ve seen what deterrence can do – and what it can’t. Despite the salient effort to make deterrence work for cyber, it’s clear that we’re faced with a “square peg/round hole” problem. Deterrence doesn’t fit for cyber, and no amount of forcing will change it.
The simplest reason why deterrence is destined to relative irrelevance in the cyber domain of warfare is really one of degree. Nuclear war is largely believed to be a no-win endeavor, whether you ask the White House or WOPR. Cyber, on the other hand, lacks the same effect, except perhaps in the domain of science fiction. There may be some conceivable scenarios in which cyber operations contribute to a no-win result, but that likely involves cyber as a conduit to a form of kinetic warfare with greater impact (such as nukes). Instead of thinking about cyber as a physical risk to be deterred, it may make more sense to contemplate it as an economic threat to be managed – significant, but manageable within appropriate context.
The limits of deterrence
Deterrence is largely believed to be one of the best ideas of its time, but that time was the 1950s. Televisions and newspapers were in black and white. The nuclear age had just begun, and deterrence provided a ready solution to that powerful and still little understood existential risk to humanity. Times have changed, though. Jim Lewis and Chris Painter savage deterrence in their podcast, Inside Cyber Diplomacy: “I love ideas from the 1950s … deterrence is the ‘Ozzie and Harriet’ of cyber security.” Colin Gray noted it was fertile ground for “pioneering study” during that same period.
Still, deterrence keeps coming up. NATO advocates for it. Smeets raves about it. Even the U.S. Air Force can handle a limited amount of it. Even with cyber deterrence seen as overrated, the international relations community clings to it like that special childhood teddy bear. Gray notes that deterrence is expensive and “difficult to achieve,” and it ultimately requires the agreement of the deterred. If I seek to deter you and you don’t agree to be deterred, then my efforts haven’t worked, and deterrence will have failed. It’s that simple.
The mutual agreement required seems to be most realistic in cases where the stakes are high enough to make agreement intuitively mutually beneficial and thus easier to attain. The virtually unwinnable nature of nuclear war fits that case, and not much else comes close. That’s why deterrence made sense during the Cold War. The potential carnage that could result from a nuclear strike – and, presumably, reciprocation – would outweigh any potential benefits. In a bipolar world, it was easy for both sides to agree to be deterred.
A study in contrasts
The magnitude of an attack’s impact clearly makes a difference. The time it takes to recover from a cyber attack is far less than from nuclear, or even conventional, weapons. Even major cyber attacks on critical national infrastructure have had a more profound psychological effect than a physical or even economic one, as illustrated by a comparison of events involving energy companies – one in the United States and the other in Ukraine.
In May 2021, Colonial Pipeline was impacted by ransomware. Concerns about fuel shortages and increasing prices abounded. Sentiment changed quickly, though. Colonial Pipeline was up and running in only five days, given the low level of physical impact. In fact, the price increases were less severe than reported. In the end, the insured loss from the attack was only around $10 million (according to PCS Global Cyber research), and the economic loss was not significantly higher than that. While the situation could have been worse, it’s hard to extrapolate your way to cybergeddon. To understand why the potential for cyber damage remains relatively low, it helps to look at what kinetic attacks can do.
The kinetic warfare in Ukraine, on the other hand, has been far more impactful. PCS is aware of four windfarms that have experienced damage from the conflict. Aggregate insured losses could be as high as $800 million, an amount that could continue to increase. It’s impossible to tell when Ukraine’s renewable energy capabilities will be restored, but the process is likely to take years. Unlike a cyber attack, which may have some physical damage implications but is largely a virtual endeavor, kinetic activity requires that parts be sourced and shipped and local repairs made – all of which starts with physical access to the damage site. The long time expected for repair, shortage of materials, and inability to start until the conflict cools off illustrate the difference in magnitude between cyber and kinetic attacks. Even the financial consequences could be more severe.
Deterrence, it seems, just isn’t worth it. Cyber attacks seem inevitable, and the decline of ransomware will likely only signal the rise of whatever threat type will come next. While it is important to protect systems and data – there’s no substitute for putting locks on your doors – having a plan for recovery after getting hit is also crucial. Preparation for rapid and disciplined recovery may be far more effective than deterrence.
The significant differences between the cyber attack on Colonial Pipeline and the kinetic activity affecting windfarms in Ukraine illustrate the difference in perspective necessary in understanding how to develop an appropriate strategy for defense, protection, and resilience in the cyber domain of operations. While there can be grave and tangible consequences from cyber attacks, there are clearly aspects that benefit from treatment from the perspective of economic security rather than military security. With that in mind, investing in the ability to recover could be as important as continually improving defenses.
Burton, Joe. 2018. Cyber Deterrence: A Comprehensive Approach? CCDCOE. April. https://ccdcoe.org/uploads/2018/10/BURTON_Cyber_Deterrence_paper_April2018.pdf [Accessed 2 July 2022].
Dean, Grace. 2021. Drivers face $3 gas prices after the Colonial Pipeline cyberattack, and some gas stations have run out completely. Business Insider. 11 May. https://www.businessinsider.com/gas-prices-colonial-pipeline-cyberattack-fuel-east-coast-2021-5 [Accessed 2 July 2022].
Freedman, Linn Foster. 2021. Colonial Pipeline Up and Running After Five Days of Grappling with Ransomware Attack. Data Privacy + Cybersecurity Insider. 13 May. https://www.dataprivacyandsecurityinsider.com/2021/05/colonial-pipeline-up-and-running-after-five-days-of-grappling-with-ransomware-attack/ [Accessed 2 July 2022].
Goodwin, Bill. 2014. Internet at risk of ‘cybergeddon’ says WEF. Computer Weekly. 17 January. https://www.computerweekly.com/news/2240212690/Internet-at-risk-of-cybergeddon-says-WEF [Accessed 2 July 2022].
Gray, Colin S. 2007. Deterrence in the 21st Century. Comparative Strategy. 3, pp. 255-261. https://www.tandfonline.com/doi/abs/10.1080/01495930008403211 [Accessed 2 July 2022].
Harding, Brian, CDR, USN. 2016. Cyber Deterrence: A Research Report Submitted to the Faculty In Partial Fulfillment of the Graduation Requirements. 11 February. Air War College. https://apps.dtic.mil/sti/pdfs/AD1037682.pdf [Accessed 2 July 2022].
Ignatiev, Stanislav. 2022. Destroyed by the War and on the Verge of Bankruptcy. What’s the Future of Green Energy in Ukraine? Kosatka Media. 12 April. https://kosatka.media/en/category/vozobnovlyaemaya-energia/news/zelenaya-energetika-v-ukraine-razrushena-voynoy-i-na-grani-bankrotstva-chto-dalshe [Accessed 2 July 2022].
Johansmeyer, Tom. 2022. Damage to Ukraine’s renewable energy sector could surpass $1 billion. Bulletin of the Atomic Scientists. 20 April. https://thebulletin.org/2022/04/damage-to-ukraines-renewable-energy-sector-could-surpass-1-billion/ [Accessed 2 July 2022].
Johnson, Robert III. 2019. 60 Percent Of Small Companies Close Within 6 Months Of Being Hacked. Cybercrime Magazine. 2 January. https://cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/ [Accessed 2 July 2022].
Lewis, James Andrew and Christopher Painter. 2021. 2021 in Review: All Things Cyber. Center for Strategic & International Studies. [No date given] https://www.csis.org/podcasts/inside-cyber-diplomacy/2021-review-all-things-cyber [Accessed 2 July 2022].
McKenzie, Timothy M. 2017. Is Cyber Deterrence Possible? Perspectives on Cyber Power: Air Force Research Institute Papers. January. https://media.defense.gov/2017/Nov/20/2001846608/-1/-1/0/CPP_0004_MCKENZIE_CYBER_DETERRENCE.PDF [Accessed 2 July 2022].
Niccum, Jon. 2021. Cyberattack on Colonial Pipeline Affected Gas Prices Far Less Than Initially Reported, Study Finds. The University of Kansas. 16 December. https://news.ku.edu/2021/12/16/cyberattack-colonial-pipeline-affected-gas-prices-far-less-initially-reported-study-finds [Accessed 2 July 2022].
Schulze, Matthias. 2019. Cyber Deterrence Is Overrated. Stiftung Wissenschaft und Politik. https://www.swp-berlin.org/10.18449/2019C34/ [Accessed 2 July 2022].
Smeets, Max S. and Stefano Soesanto. 2020. Cyber Deterrence Is Dead. Long Live Cyber Deterrence! Council on Foreign Relations. 18 February. https://www.cfr.org/blog/cyber-deterrence-dead-long-live-cyber-deterrence [Accessed 2 July 2022].
White House, The. 2022. Joint Statement of the Leaders of the Five Nuclear-Weapon States on Preventing Nuclear War and Avoiding Arms Races. The White House. 3 January. https://www.whitehouse.gov/briefing-room/statements-releases/2022/01/03/p5-statement-on-preventing-nuclear-war-and-avoiding-arms-races/ [Accessed 2 July 2022].
YouTube. 2007. That scene from War Games. 17 February. https://www.youtube.com/watch?v=NHWjlCaIrQo [Accessed 2 July 2022].