Can cyberwarfare be deterred?
The relationship among variables in cyberdeterrence is a dynamic one that will be affected by technology and learning, with innovation occurring at a faster pace
Fear of a “cyber Pearl Harbor” first appeared in the 1990s, and for the past two decades policymakers have worried that hackers could blow up oil pipelines, contaminate the water supply, open floodgates and send aircraft on collision courses by hacking air traffic control systems. In 2012, the then United States secretary of defence, Leon Panetta, warned that hackers could “shut down the power grid across large parts of the country”.
None of these catastrophic scenarios has occurred, but they certainly cannot be ruled out. At a more modest level, hackers were able to destroy a blast furnace at a German steel plant last year. So the security question is straightforward: Can such destructive actions be deterred?
It is sometimes said that deterrence is not an effective strategy in cyberspace, because of the difficulties in attributing the source of an attack and because of the large and diverse number of state and non-state actors involved. Attribution is, indeed, a serious problem. Nuclear attribution is not perfect, but there are only nine states with nuclear weapons; the isotopic identifiers of their nuclear materials are relatively well known; and non-state actors face high entry barriers.
None of this is true in cyberspace where a weapon can consist of a few lines of code that can be invented by any number of state or non-state actors. A sophisticated attacker can hide the point of origin behind the false flags of several remote servers. While forensics can handle many “hops” among servers, it often takes time. For example, an attack in 2014, in which 76 million client addresses were stolen from JPMorgan Chase, was widely attributed to Russia. By 2015, however, the United States Department of Justice identified the perpetrators as a sophisticated criminal gang led by two Israelis and an American citizen living in Moscow and Tel Aviv.
Attribution, however, is a matter of degree. Despite the dangers of false flags and the difficulty of obtaining prompt, high-quality attribution that would stand up in a court of law, there is often enough attribution to enable deterrence.
For example, in the 2014 attack on Sony Pictures, the US initially tried to avoid full disclosure of the means by which it attributed the attack to North Korea, and encountered widespread scepticism as a result. Within weeks, a press leak revealed that the US had access to North Korean networks.
Prompt, high-quality attribution is often difficult and costly, but not impossible. Not only are governments improving their capabilities, but many private-sector companies are entering the game, and their participation reduces the costs to governments of having to disclose sensitive sources. Many situations are matters of degree, and as technology improves the forensics of attribution, the strength of deterrence may increase.
Moreover, analysts should not limit themselves to the classic instruments of punishment and denial as they assess cyberdeterrence. Attention should also be paid to deterrence by economic entanglement and by norms. Economic entanglement can alter the cost-benefit calculation of a major state like China, where the blowback effects of an attack on, say, the US power grid could hurt the Chinese economy. Entanglement probably has little effect on a state like North Korea, which is weakly linked to the global economy. It is not clear how much entanglement affects non-state actors. Some may be like parasites that suffer if they kill their host, but others may be indifferent to such effects.
Uncertainty about effects
As for norms, major states have agreed that cyberwar will be limited by the law of armed conflict, which requires discrimination between military and civilian targets and proportionality in terms of consequences. It has been suggested that one reason why cyberweapons have not been used more in war thus far stems precisely from uncertainty about the effects on civilian targets and unpredictable consequences. Such norms may have deterred the use of cyberweapons in US actions against Iraqi and Libyan air defences. And the use of cyber instruments in Russia’s “hybrid” wars in Georgia and Ukraine has been limited.
The relationship among the variables in cyberdeterrence is a dynamic one that will be affected by technology and learning, with innovation occurring at a faster pace than was true of nuclear weapons. For example, better attribution forensics may enhance the role of punishment; and better defences through encryption may increase deterrence by denial. As a result, the current advantage of offence over defence may change over time.
Unlike the nuclear age, when it comes to deterrence in the cyber era, one size does not fit all. Or are we prisoners of an overly simple image of the past? While the US never agreed to a formal norm of “no first use of nuclear weapons”, eventually, such a taboo evolved, at least among the major states. Deterrence in the cyber era may not be what it used to be, but maybe it never was.
Joseph S. Nye is a professor at Harvard and the author of Is the American Century Over?
gulfnews.com