The Nuclear Illusion: Deterrence in Cyberspace

Clément Briens
Published in Wonk Bridge
Jan 17, 2018

Should cyberwarfare doctrine be based on deterrence, as was previously seen in the nuclear age?


A decisive decade

The proliferation of nuclear weapons in the early 1950’s and 1960’s by other countries, and the subsequent loss of the nuclear monopoly of the United States, forced American policy-makers and military strategists alike to ask the same question: what now? What kind of strategy or policy should we adopt to face a nuclear Soviet Union? How should we retaliate in case of a Soviet first strike? Should we adopt an offensive or a defensive nuclear strategy?

The United States’ loss of the nuclear monopoly to the USSR in 1949 had significant implications in terms of balance of power and military doctrine, much like today’s proliferation of offensive cyber capabilities.

Such axiomatic questions are similar to the ones asked today concerning the proliferation of cyber weapons. Just as the 1950’s and 60’s were for nuclear strategy, this coming decade will be crucial in the formulation of national cyber strategies (as seen in the publication of recent papers such as the UK’s 2016 “National Cyber Security”, or the Pentagon’s 2015 “Cyber Strategy” paper).[1] [2] Public dialogue including states, tech giants, experts, and individuals is emerging. However, those who draw analogies with nuclear strategy make a common mistake: the portrayal of cyber warfare and hackers in popular culture and mainstream media has always been approximate at best, and their use of nuclear deterrence terms (Mutually Assured Destruction, escalation, coercive credibility and others) to describe cyber warfare is often misleading. It is indeed a grave mistake that ignores the core attributes of cyber war, which is instantaneous, mostly anonymous, and widely accessible. How do you deter an anonymous adversary that can strike you in milliseconds? Cyber warfare doctrine should be based on deterrence only to the extent that it relies on defensive deterrence rather than the offensive type of deterrence that reigned during the Cold War. We can and should be able to defend against cyber attacks (while we can barely defend against nuclear strikes) instead of seeking to outweigh others in terms of pure destructiveness.

Game time

To understand these significant differences, we can go back and examine the very core of deterrence theory to determine its applicability to cyber warfare. Paul Huth defined deterrence as:

“the use of threats by one party to convince another party to refrain from initiating some course of action”.[4]

From this definition, Huth identified the 4 key components of deterrence: military balance, signalling, reputation for resolve, and the interests at stake. The second of these, the power of “signalling”, is the first component that differs significantly in cyber war.

Nuclear states in the 50’s and 60’s made extensive use of signalling when publicly testing their devices, signalling their intent through media broadcasts and official statements. North Korea’s ongoing nuclear tests are the perfect example of signalling, as their missile tests are always accompanied by a wave of propaganda and media broadcasts to ensure the world is aware of their achievements:

North Korean anchor Ri Chun-Hee announcing the December nuclear missile launch on KCTV

Signalling is not a new tactic. The message of mega-weapon tests such as the Soviet Union’s 1961 Tsar Bomba test was already abundantly clear: our nuclear weapons will devastate you and we are not afraid to use them. We can borrow from game theory the notion of symmetry of information, or lack thereof, which we can also measure in terms of the transparency or opacity of information. In this case nuclear weapons transmit relatively transparent signals to opponents, who all understand the frightening implications of nuclear devastation.

Signalling does exist in cyberspace. For example, the alleged Russian hacking of Estonian banking and mobile systems in 2007 was seen by many experts as such.[5] However, the opacity of cyber weapons is what stops signalling from being truly effective in cyberspace, for three reasons.

Limited, secretive and anonymous use

The first reason signalling doesn’t work in cyberspace is that cyber weapons are only effective when they are used for the first time, which is why the most powerful cyber weapons are often “zero-day” exploits that opponents have never been able to analyse or create a viable defensive plan for. Once a weapon has been used, the defending party can analyse its signature, which helps it recognize the weapon instantly if it is used again and deal with it accordingly and rapidly. Victims are indeed increasingly resilient and are getting better at detecting intrusions, as demonstrated by Google’s victory in September in successfully eradicating Tizi spyware from Android devices.[6] Cyber weapons therefore have a very short lifespan in the grand scheme of things, as opposed to the half-century of nuclear tension during the Cold War, which limits the actual ability of states to effectively deter others with said cyberweapons.

This leads us to the second reason why signalling just doesn’t work as well in cyberspace: since zero-day exploits are one of the primary ways of catching your opponents off-guard and being able to cause them damage, the stockpiling of cyber weapons by groups is extremely secretive.[7] This secrecy is especially problematic for deterrence, as vulnerabilities are also subject to being stolen by other states or potential cyber terrorists alike; some suspect that the exploit used in WannaCry was stolen from the NSA.[8] This complicates the task of upholding cyber deterrence, as your opponent isn’t actually supposed to be aware of the existence of your cyber weapons: how can you threaten someone while keeping your offensive capabilities secret, and running the risk of having them stolen?

Thirdly, the problem of attribution means that groups will almost never be 100% certain of who attacked them in the first place, which complicates any form of effective retaliation or deterrence. While attribution is fairly easy in nuclear strategy, as the trajectory and estimated target point of missile launches can now be calculated “within minutes of launch”, in cyberspace it usually takes months of investigation for groups to be able to draw even initial conclusions, as seen in the recent White House declaration that attributed the WannaCry attacks that occurred last May to North Korea.[9] [10]

Cyber Tsar Bomba or Great Firewall?

The detonation of the world’s most powerful nuclear device ever tested, the Tsar Bomba. Should we really be looking for the cyber equivalent to the Soviet mega-weapon in order to deter?

Rather than trying to find the cyber equivalent to a Tsar Bomba, some try to look at deterrence in cyberspace by treating cyber warfare as a complement to kinetic conventional warfare, rather than as an independent phenomenon. This borrows from the principle of cyber equivalency: cyber-attacks will be treated as if they were kinetic attacks, and hence will be responded to with conventional means. Many states are now adopting this principle of equivalency into their policies, one example being a rumoured future EU proposal to officially adopt this stance.[11] However, while this is a good step to hold states accountable when attribution does work, it will not help deterrence, as demonstrated by the US’s failure to deter North Korean cyber and nuclear activities with conventional means.[12]

So what strategic alternatives do we have, other than deterrence from signalling and cyber-kinetic equivalence?

Clearly, upping the ante in an offensive cyber arms race through signalling would be ineffective, for the three reasons mentioned above. A first alternative to deterrence through signalling would be to develop coherent defensive strategies that would build up resilience to attacks. While a nuclear blast is assured to destroy everything in its radius, which makes resilience to the nuclear threat difficult, cyber-attacks on a state with a competent cyber defence mechanism can be contained and neutralized. Defining a defensive national strategy and putting it into execution should therefore be one of the top priorities for states.

Chinese cyber defence capabilities can be counted among the most advanced in the world, but should we follow their example?

In addition to its already top-notch offensive capabilities, China is already well ahead in terms of cyber defence; its rumoured ability to cut its intranet off from global networks is being dubbed the “Great Firewall of China”. Without having to resort to such drastic and privacy-invading measures, it is possible to build a coherent defensive mechanism. States’ main objectives should be to encourage cooperation between the private and public sectors in cyber security, to cooperate with other allied states to pool resources, and to stimulate innovation in cyber defence by training and recruiting imaginative youth. Only then will states be able to curb cyber-attacks and try to engage in viable deterrence strategies.

[1] https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021

[2] https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf

[3] Clarke, Richard A. 2011. Cyber War. HarperCollins.

[4] Huth, Paul K. 1999. “DETERRENCE AND INTERNATIONAL CONFLICT: Empirical Findings And Theoretical Debates”. Annual Review Of Political Science 2 (1): 25–48. doi:10.1146/annurev.polisci.2.1.25.

[5] Traynor, Ian. 2017. “Russia Accused Of Unleashing Cyberwar To Disable Estonia”. The Guardian. https://www.theguardian.com/world/2007/may/17/topstories3.russia.

[6] “Google Stops The Spread Of Tizi Android Malware In The Play Store”. 2017. Techrepublic. https://www.techrepublic.com/article/google-stops-the-spread-of-tizi-android-malware-in-the-play-store/.

[7] In this article, “groups” will be used to include states, private security firms, private tech companies, hacking groups, and individuals.

[8] “Microsoft Hits Out At US Government ‘Stockpiling’ Of Cyber Weapons”. 2017. Ft.Com. https://www.ft.com/content/5540194a-38fe-11e7-821a-6027b8a20f23.

[9] Barbara Starr, CNN Pentagon Correspondent. 2017. “How The US Would Detect And Attempt To Shoot Down A North Korean Missile”. CNN. http://edition.cnn.com/2017/08/10/politics/how-us-detect-shoot-down-north-korea-missile/index.html.

[10] Eli Watkins, CNN. 2017. “WH Blames North Korea For ‘Wannacry’ Cyberattack”. CNN. http://edition.cnn.com/2017/12/18/politics/white-house-tom-bossert-north-korea-wannacry/index.html.

[11] “EU’S Updated Cyber Strategy To Define ‘Act Of War,’ Offer Response Framework | Insidecybersecurity.Com”. 2017. Insidecybersecurity.Com. https://insidecybersecurity.com/daily-news/eu%E2%80%99s-updated-cyber-strategy-define-%E2%80%98act-war%E2%80%99-offer-response-framework.

[12] “North Korea Has Already Deterred America”. 2017. Theweek.Com. http://theweek.com/articles/742634/north-korea-already-deterred-america.
