Fundamentally, deterrence is about convincing an adversary that the costs of an attack outweigh the benefits. One of the problems in cyber deterrence policy has been a reliance on ideas that were formulated in the very different security environment of the Cold War.
Cold War concepts rely on deterrence by punishment (striking back at an adversary with retaliatory attacks) and deterrence by denial (denying your adversary the ability of a first strike, for example by having too many hidden nuclear missiles sites). While these binary models may have applied in the context of two nuclear superpowers locked in a decades-long geopolitical conflict, they don’t translate easily to a global network of interconnected computers
The first problem is attribution. If you can’t identify the actor responsible for a cyberattack, how can you punish them? Retaliatory cyberattacks can also cause collateral damage. They drag in third parties who may come to the assistance of the adversary, escalate cyber conflict and legitimise the use of cyber capabilities for political and strategic gain. The prospect of using military force to punish cyberattackers is also viewed as disproportionate as a response to most malicious cyber activity.
Deterrence by denial is a similarly problematic framework. The “attack surface” the internet presents is staggeringly large. The number of internet-connected services is set to reach 75 billion by 2025. It is unrealistic to expect that we can ensure that all those devices are secure and cannot be used as back doors into other computer systems.
Before leaving office, the Obama administration assigned US$19 billion for research on cybersecurity.
One of the priorities of this funding was to ensure further improvements to attribution technologies and processes. This could make a big difference to the effectiveness of cyber deterrence, especially when combined with clearer communication by policymakers about the evidence they have about the source of attacks. Cutting through some of the smoke and mirrors put in place around the Putin government’s cyber operations should be a high priority.
Another radical proposal is to change how the internet operates so that it becomes an identified and attributed network where logging in involves providing specific personal identification. This has been given serious attention in the US national security community.
It has obvious implications for maintaining the internet as a free and open global resource. But the internet will have to keep evolving to deal with the growing impact of cyberattacks. Building a more secure domain for some internet traffic is worth considering.
Changing how we think about attacks
New technology may help enhance cyber deterrence, but we will need to change our thinking too. During the Cold War, deterrence was absolute. Even one attack could have proven devastating. In contrast, deterrence in cyberspace will be cumulative. As the scholar Uri Tor has argued, cyber deterrence is about how to “postpone, limit, and shape a series of ongoing conflicts with a variety of state and sub-state actors”. It is not about preventing all attacks at all times.
The role of laws and norms in deterring malicious cyber activity should be given greater attention. Some countries don’t even have current laws that make hacking a criminal offence. This could be solved by more states signing up to the Budapest Convention on cybercrime, which requires the adoption of laws on cybercrime and enables collaborative policing to deal with cyber attackers.
New proposals coming out of the Tallinn Manual 2.0 process suggest the emergence of deterrence mechanisms through international law. This includes holding states to legal account when hackers are operating with impunity from within their territory or being directed by the state. In this scenario, a form of self-deterrence may emerge when governments realise that hackers pose risks to the states themselves.
Cyber resilience involves having back ups for computer networks and the societal services they provide. A cyberattack would have minimal impact if systems are in place to replace an internet service as quickly as it is taken down.
Cyber resilience holds particular promise for critical infrastructure providers in the transport, health and energy sectors. These organisations will never have the authority to deter cyberattacks through retaliatory cyber countermeasures but need to find ways to obscure the cyber targets on their backs.
Similarly, given recent efforts to subvert democracy through cyber operations, the resilience concept will have particular appeal to the electoral governance sector. Building resilience in our elections systems (including election advertising on social media) is a priority for democratic countries, especially in light of the recent scandals around Cambridge Analytica’s misuse of Facebook data during the US election
Joe Burton, Senior Lecturer, New Zealand Institute for Security and Crime Science, University of Waikato
This article was originally published on The Conversation. Read the original article.