The Challenges of Deterring Cyber-Attacks

By Joshua Tromp

Small Wars Journal

Recent history is full of events demonstrating the serious effects of cyber-attacks and the prominent role they play in global events.  Incidents such as the 2010 Stuxnet attack on an Iranian uranium enrichment facility, the 2008 Russian cyber-attack on the country of Georgia, the 2014 attack on Sony Pictures Entertainment, and the 2015 discovery of a substantial compromise of the United States Office of Personnel Management are just a few recent examples of the significant and dangerous role cyber operations play in world conflicts.  The United States possesses the most powerful and technologically advanced military forces in the world and has successfully deterred most conventional attacks against its homeland.  Yet the Sony and OPM incidents show that the U.S. has proven seemingly unable to deter cyber-attacks and remains notably vulnerable in cyberspace.  Traditional models of deterrence such as Mutually Assured Destruction (MAD) have worked well with nuclear weapons, but applying these traditional models to cyber-attacks becomes challenging when one considers the difficulty of attribution and the limitations of operating within the confines of the international Law of Armed Conflict (LOAC).

This research examines the unique new cyber battle space and explains why it poses a significant threat to the U.S.  It studies attribution and how difficulties in this area create significant issues for deterrence of cyber-attacks.   LOAC is explored with consideration of how these international laws apply to operations in the cyber domain.  Finally, the research will show that if the U.S. continues to apply LOAC to cyber conflicts and remains unable to definitively attribute attacks, it will be unable to deter future cyber-attacks.

Cyber weapons are very different from traditional weapons used by nation states because their possession is not limited to just nations.  Nuclear weapons, for example, are typically only in the hands of other countries, and even this is limited to very few countries subject to heavy regulation and monitoring.  More than 140 countries, however, are reported to have or to be developing cyber weapons, and more than 30 countries are actually creating units in their military devoted strictly to cyber operations (Jenson 2012, 4).  In addition to nation states, terrorist organizations and even “hacktivist” organizations possess very capable offensive cyber capabilities (Rosenzweig 2013, Chapter 5).  Former U.S. CYBERCOM Commander, General Keith Alexander, included this concern in a statement to Congress, saying “in 2010 we saw cyber capabilities in use that could damage or disrupt digitally controlled systems and networked devices, and in some cases we are not sure whether these capabilities are under the control of a foreign government” (Alexander 2012).  This ability of hundreds of state actors and many non-state actors to operate nefariously in cyberspace significantly impacts deterrence in a way that was not an issue with the nuclear threat (Jenson 2012, 4).  Rather than deter attacks from just a few well-known attackers, the U.S. must now deter hundreds of attackers, each with differing abilities and motivations.

Not only must the U.S. deter a broader spectrum of threat actors, it must also deter a wider variety of threats than it does with nuclear deterrence.  The reality with nuclear war is that any nuclear attack is considered catastrophic, thereby limiting the number of necessary planned responses.  A cyber operation may consist of anything from a small penetration to test a system’s security, the defacing of a website, the crippling of a weapon system, or the stealing of sensitive plans for the development of a new capability, to an attack causing actual physical damage such as Stuxnet.  This breadth of potential attacks means deterrence strategy for cyber-attacks must be much broader than for nuclear attacks.  It must account for a wider assortment of potential attackers and potential types of attacks.
