Creating Safe Cyberspace: Strategies for Deterring Cyberattacks

Thousands, perhaps even millions, of successful cyberattacks occur each year across governmental and commercial sectors in the U.S., and attempts at cyber infiltration and hacking recorded by state and local governments often exceed a million cases each day. A growing reliance on the Internet creates a greater level of cyber vulnerability and a new threat to U.S. homeland security. Cyberattacks in the form of espionage can disrupt military operations, financial systems, and energy access.

For example, in response to Sony’s portrayal of an assassination attempt on Kim Jong-un in its 2014 comedy The Interview, North Korea allegedly hacked the computer network at Sony Pictures Entertainment and exploited the information they obtained. Currently, U.S. intelligence agencies are investigating the Russia-WikiLeaks relationship, as U.S. intelligence claims that Russia meddled in the 2016 U.S. presidential elections by helping WikiLeaks to hack and leak a series of Democratic National Committee emails. As illustrated by these intrusions, cyberattacks often have political connotations.

Despite the wide range of targets and massive political repercussions, few means exist for deterring such threats. The classic theory of deterrence, as Thomas Schelling asserts in The Strategy of Conflict (1960) and Arms and Influence (1966), is to prevent potential attackers from initiating threats by creating the perception that massive retaliatory measures will follow. Deterrence ensures that the costs of initiating an attack will outweigh its expected benefits. This mechanism is often used in negotiations regarding weapons of mass destruction, such as nuclear weapons, but it rarely surfaces in the context of cybersecurity. Cyber threats triggered by lines of code seldom reveal the origin of an attack, and knowing the locus of that code does not provide concrete clues as to the attackers’ physical location.

Thus, the conventional meaning of deterrence is too narrow, since retaliation in cyberspace is difficult due to the problem of attribution. In light of the difficulty of formulating effective cyber dissuasion strategies, political scholar and former diplomat Joseph Nye notes in a recent paper that cyber deterrence need not be confined to in-kind or in-domain responses; rather, the means of cyber deterrence can take various forms (i.e., diplomatic, informational, military, and economic) as long as they do not infringe upon international law. To illustrate this point, he lays out four strategies for deterrence in cyberspace.

Threat of Punishment. Cyber deterrence based on the threat of retaliation is unlikely to be effective, even when accounting for the plethora of possible retaliatory instruments outside the cyber domain. The ambiguity of attribution is too great a barrier. Whereas conventional strike systems like ballistic missiles can be easily traced to their source, computer code and malware cannot. Although governments and private actors have been developing their ability to discover attackers in response to growing cyber threats, this has only helped in detecting a very small portion of cyberattack originators.

Denial. Cyber defenses often appear to be incomplete as offense overtakes defense. However, cyber defenses can work effectively if they have high levels of resilience, such as the ability to reinstate lost information. High resilience reduces the perpetrators’ incentive to attack, because doing so would be futile. Similarly, other techniques for reducing expected benefits, increasing costs, and raising risks can sway potential attackers’ cost-benefit analysis for a cyberattack. That said, the Internet of Things immensely expands the surface to be defended, blurring the foundation on which resilience is to be built.

Entanglement. Entanglement refers to the interconnectedness and interdependency that make cyberattacks and destruction on the victim’s side incur large costs for the attackers as well. If considerable benefits exist due to the relationships between the entities, a potential attacker may not want to lose those benefits by initiating threats. For example, China would not initiate a cyberattack that imposes serious costs on the U.S. economy because doing so would incur significant costs for China as well, due to the economic interdependence between the two countries.

Norms. Developing normative taboos can deter cyber threats because they impose costs on attackers related to loss of reputation when some degree of attribution is available. However, weapons used in cyberattacks often consist of computer programs that can be used for good or ill. Thus, it is ineffective to blame the design of computer code or the possession of particular programs for a cyberattack. One approach is to build normative consensus that prohibits the use of cyber instruments against certain types of targets, such as civilians and civilian facilities. This approach to the use of norms is being supported by multilateral institutions; for example, in 2015, the United Nations Group of Governmental Experts (UNGGE) focused on dealing with cyberattacks against certain civilian targets, rather than developing a ban on particular software.

These strategies may deter some actors or actions, but not others. For example, entanglement and normative taboos are unlikely to impose serious economic blowback or reputational costs to North Korea because it is weakly connected to the international economic system. However, when properly used, entanglement and norms—or a combination thereof—can affect perceptions of the costs and benefits of cyberattacks. The Budapest Convention on Cybercrime promotes the idea that all states have a common interest in addressing malicious behaviors in cyberspace by improving collaborative capacity-building techniques and reconciling national laws. As states’ economies become more interdependent via the Internet and collectively begin to recognize the importance of formulating practical international cyber security laws, such approaches will continue to gain significance.

Article source: Joseph Nye. “Deterrence and Dissuasion in Cyberspace.” International Security 41(3). (2017): 44-71.

Featured photo: cc/(cybrain, photo ID: 599903446, from iStock by Getty Images)