Cyber Attacks and Deterrence

The advent of nuclear weapons completely disrupted the historical logic of war. In 1946, American military strategist Bernard Brodie declared that the very existence of the bomb meant that the purpose of armies had shifted from winning wars to preventing them, by keeping the peace and deterring aggression.

Of course, cyber attacks per se do not compare to a nuclear bomb. The heat generated by a nuclear explosion is comparable to the temperature inside a star, and its blast can demolish reinforced concrete two miles away.

Nonetheless, cyber attacks, cyber terrorism, and cyber warfare do pose a potential threat to national security. Computer hacking is best understood as an extraordinary means to a wide variety of ends, many of which have political and military consequences, and some of which have national security ramifications.

For example, cyber attacks may be used to steal the technology required to build weapons of mass destruction, to render an adversary’s defenses inoperable during a conventional military strike, or to turn out the lights in an adversary’s homeland.

National security planners have therefore begun to consider whether a reactive, tactical cyber defense posture could be augmented by a proactive, strategic cyber defense policy that involves conventional military deterrence.

In May 2009, Air Force General Kevin Chilton, chief of U.S. Strategic Command, publicly warned prospective foes that retaliation for a cyber attack would not necessarily be limited to cyberspace.

There are two deterrence strategies available to nation-states: denial and punishment. Each strategy has three basic requirements: capability, communication, and credibility.

With deterrence by denial, an adversary is simply prevented from acquiring a threatening technology. This is the preferred option in the nuclear sphere; however, the problem with implementing this strategy in cyberspace is that hacker tools and techniques are not difficult to acquire, deploy, and hide. Malicious software is difficult even to define.

Deterrence by punishment tries to prevent future aggression by threatening painful and perhaps fatal retaliation. Given that cyber attack deterrence by denial may be a non-starter, this second strategy could become the default policy.

However, two key aspects of cyber attacks undermine the credibility of deterrence by punishment: attribution and asymmetry.

Malicious hackers often enjoy a formidable advantage: anonymity. Smart hackers hide within the maze-like architecture of the Internet and can route attacks through countries with which a target’s government has no law enforcement cooperation.

In terms of asymmetry, non-state actors may not possess any meaningful infrastructure against which a victim government could retaliate. One example is “Mafiaboy,” the 15-year-old kid who denied Internet service to some of the world’s biggest online companies, causing enormous financial damage.

By contrast, cyber defense is a tedious process, cyber investigations are typically inconclusive, and the dynamic nature of cyberspace means that defenders may never see the same attack twice. Often, national security decision-makers simply do not possess enough information on an adversary’s cyber operations to respond in a timely fashion.

Back to the Cold War. By 1968, Soviet mastery of nuclear technology meant that both parties to the conflict possessed the ultimate weapon and a second-strike capability. This was called Mutually Assured Destruction, or MAD.

Unless cyber defenders can solve the puzzle of cyber attack attribution and asymmetry, what numerous analysts have called the era of "Mutually Assured Disruption" in cyberspace will endure, and cyber attack deterrence will remain on ice.

— Kenneth Geers