Assessing Deterrence Options for Cyber Weapons
Elizabeth E. Wanic
Computer Science Department
U.S. Naval Postgraduate School, Monterey, California, US
lizwanic@gmail.com
Neil C. Rowe
Computer Science Department
U.S. Naval Postgraduate School, Monterey, California, US
ncrowe@nps.edu
Abstract—With the increasing frequency of cyberattacks due to nation-states, there has been growing discussion on how they can be deterred since the U.S. has been ineffective at deterring many Russian and Chinese cyber operations. This paper examines deterrence analysis and discusses its applicability in cyberspace. It describes differences between cyber weapons and conventional weapons and outlines the implications these differences can have on the effectiveness of cyber weapons as a deterrent. Motivations and expected outcomes of the cyber operations taken by the U.S. and its adversaries, including Russia, China, Iran, and North Korea, are highlighted. Possible deterrence enablers are discussed such as stockpiling cyber weapons, indicting individuals, imposing sanctions, improving defenses, demonstrating capabilities, using deceptive bait, counterattacking, and creating international agreements. The effectiveness of these actions in deterring adversaries from deploying their cyber capabilities is evaluated and recommendations are made.[1]
Keywords—cyber operations, deterrence, cyberspace, cyberattack, nation-state, stockpile, deception, indictment, sanction, counterattack, cyber defense
As in other domains, nations seek to prevent adversaries from taking advantage of them in cyberspace, and seek to stop cyber actions that would harm their interests. Deterrence strategies seem to be partly effective as we have not seen full-scale cyber warfare. For now, nations seem to be content with performing or condoning actions below the threshold of armed attack that do not invite escalatory retaliation [1]. However, if a Chinese cyberattack shut down the power of a United States military facility, they would expect the U.S. to respond. Several incidents could have provoked retaliation but did not. An example is the Stuxnet attack against the Iranian Natanz nuclear enrichment facility, which has subsequently been attributed to the United States and Israel [2]. However, at the time it was discovered in 2010, attribution of cyberattacks was very difficult; and if Iran was not sure who to blame, against whom would they retaliate?
Recent years have seen an increase in the types of offensive cyber activity short of cyber-warfare. Perhaps potential attackers have concluded that lesser actions such as hacking private companies and email servers better serve their goals than outright cyber warfare. If so, then deterrence efforts should be rethought to cover these lesser attacks as well. Developing effective policies requires examination of attacker objectives and the means by which they intend to achieve them, along with an updating of an overall strategy.
Deterrence can be defined as discouraging adversaries from taking an undesirable action against one’s interests. It can be achieved through the threat of consequences or by fostering the perception that it will take too great an effort to achieve success. Deterrence as a concept was discussed most thoroughly for nuclear weapons during the Cold War [3].
Employing the threat of consequences to deter adversary actions is termed deterrence by punishment [4]. This type of deterrence aims to cause an opposing force to believe that if they were to take certain actions, a counter-strike with severe negative effects would be forthcoming. An example of deterrence by punishment was the buildup of armaments and military capabilities by the United States and Soviet Union during the Cold War. Consequences can involve military action, sanctions, or loss of political standing. Retaliation may not necessarily be in kind, as for example a military action could result from a perceived political injury. Those with more to lose in the political arena may be more affected by political retaliation, while those with less military power might feel more threatened by an adversary that could devastate them militarily. Rogue states can be more difficult to deter with sanctions or political pressure.
There is an analogy in deterring crime by the threat of punishment. Convicted criminals are subject to monetary fines, prison or jail time, and in some cases, capital punishment. However, most evidence shows the deterrent effect is not strong, and increases in punishments do not correlate with decreases in crime [5]. Nonetheless, deterrence by threat of punishment could be more effective against nation-states. As nations and their governments are aggregations of different psychologies, they tend to be more rational than individuals, who often act in more selfish or irrational ways [6].
Another deterrence method is deterrence by denial, fortifying your assets to a degree that an adversary must expend an unacceptable amount of energy, time, or resources to achieve their aims [4]. Deterrence by denial does not require that the adversary be convinced of their ultimate defeat were they to enter into a contest.
There has been much debate on how to model the behavior of decision makers within the framework of deterrence theory as well as on the effectiveness of deterrence policies. A basic model for deterrence looks at the assumption of costs and risks in relation to the anticipated benefits, stating that if C + R > B, where C represents the costs, R the risks and B the benefits of taking a certain action, then the attacking force can be deterred [7]. An attacker uses these estimates to determine whether it is worthwhile to attack, while the deterrer uses them to assess whether their deterrent strategy is adequate.
A further refinement is to include the likelihood of the expected retaliation. Then an attacker will not take an action if p(C + R) > (1-p)(B), where p denotes the probability of retaliation as estimated by the attacker, and C, R, and B are defined as above. The attacker and deterrer may hold different estimates of p, and the deterrer can try to raise the attacker's perceived estimate of p [7]. This kind of deterrence only works if the attacker believes that the threat of retaliation is real and that the defender has the will to act. Merely having a large stockpile of weapons or superior capabilities is not enough. In fact, it has been noted that states with superior capabilities less often initiate conflict than states or other entities with inferior capabilities [8]. Another important issue is that overall capabilities and strength are less important than the perceived ability to secure success in one's attack before retaliation can begin.
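The retaliation-probability condition above can be rearranged to show the threshold the deterrer must push the attacker's perceived p past. This derivation is added here for illustration and is not part of the original paper; it uses the paper's symbols C, R, B and p, and assumes C, R and B are positive.

$$
\begin{aligned}
p(C + R) &> (1 - p)\,B \\
p(C + R) + pB &> B \\
p\,(B + C + R) &> B \\
p &> p^{*} \quad\text{where}\quad p^{*} = \frac{B}{B + C + R}
\end{aligned}
$$

Since $0 < B < B + C + R$, the threshold $p^{*}$ always lies strictly between 0 and 1, so the attacker is deterred only when the perceived probability of retaliation exceeds $p^{*}$. The deterrer has two levers: raising the attacker's estimate of $p$ (credible threats, announced attribution), or raising $C$ and $R$ (defenses that make the attack costlier), which lowers $p^{*}$. For example, if the attacker expects the benefit to be twice the combined cost and risk, $B = 2(C + R)$, then $p^{*} = 2/3$: retaliation must be judged more likely than not by a wide margin before the attack is called off.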
These simple models lack other factors which must be considered to understand a country or leader's choice of actions, such as trade, alliances, and the local military balance [9]. Furthermore, decision makers do not necessarily reason rationally from objectively calculated outcomes; perception can prove more important than reality, and even a rational actor may make an irrational choice if there appears to be no good alternative. Deterrence is never guaranteed. The policy itself could have been ill-conceived or an optimal policy could have been frustrated by an unknowable event [10]. Despite the imperfect application of deterrence theory in real scenarios, deterrence as a concept continues to play an important role in international relations and defense strategies.
An additional problem with applying such traditional modeling to cyber weapons is that their effects are highly varied. Cyber weapons can shut down an industrial-control system, capture keystrokes, turn on or off power, increase the speed of an autonomous vehicle, or manipulate, erase, or create data. Furthermore, while indiscriminate death and destruction can result from deployment of nuclear weapons, cyber weapons can be engineered not to cause this level of physical damage. Therefore, many of their uses will not be judged to justify retaliation, and a threat of destructive counterattack will not be credible.
Cyber weapons also differ from other weapons in that damage assessment is difficult [11]. For example, if a cyber munition is intended to shut off power to a military installation and nothing is reported, the target could be concealing what happened or the weapon may not have worked. Furthermore, if it is observed that the power at a target has indeed gone down, the weapon may have succeeded but it could also be the result of routine maintenance. A cyber weapon whose effect on its intended target is unclear has a weakened deterrent effect against future attacks. Furthermore, as cyber weapons often exploit specific vulnerabilities, a demonstration of a cyber weapon to prove its capability exposes at least some information about those vulnerabilities and provides clues to patching them. The weapon then loses much of its effectiveness as a deterrent.
Attribution provides another difference between cyber weapons and conventional or nuclear weapons. If the latter types were delivered by aircraft, the source of the weapons could be inferred with high certainty from knowledge of the aircraft and their routes. Attribution of cyber weapons is less certain. Many methods are necessary, some of which can take a long time. Stealth and deception with cyber weapons add additional complexity that does not exist for nuclear weapons. Moreover, cyber weapons can be easily sold or donated, further complicating the meaning of attribution.
At present, deterrence efforts against Russian actions in cyberspace do not appear to be succeeding. In June of 2013, the U.S. and Russia agreed to cooperate on matters related to malicious actors or malware inside their territories in an effort to combat malicious cyber activity [12]. Such an agreement supported collaboration and information sharing on joint threats while also attempting to hold the Russian government responsible for actions originating in their country. However, as Russia has continued to launch increasingly damaging cyberattacks against the U.S. and its allies since this agreement, the secondary aim has not been achieved. Russia continues to be undeterred in their denial-of-service attacks against the Ukraine, and as the indictment of the Russians for the 2016 U.S. elections hacking shows, their efforts against the U.S. have intensified as well [13].
While the Chinese do not seem to be deterred in their actions against weaker states, they have tended to avoid attacks against stronger powers in favor of infiltration of networks and theft of intellectual property. In 2015, an agreement was made between China and the U.S. to cooperate on key issues including theft and economic cyber threats. The agreement omitted mention of other types of malicious cyber activity such as infiltrating government databases or military installations, despite its being reached only months after the hack of the U.S. Government Office of Personnel Management which was later attributed to China, in which personal data of over 20 million government employees and contractors was stolen [14]. As many of the Chinese actions against the U.S. are only cyber espionage, such as the OPM hack and thefts of plans for military equipment [15], they often fall outside the scope of military deterrence efforts. Nonetheless, Chinese economic espionage exploits can hurt national security interests, and directed efforts are required to prevent and discourage them.
The North Koreans have been quite active in their cyber actions against both the U.S. and South Korea, as well as causing other damage worldwide, and deterrence against them does not seem to be working. Responses have mostly been just identifying them as the perpetrator of the attacks, which has done little to curb the behavior. Other attacks attributed to North Korea, such as the theft of $81 million from Bangladesh’s account with the New York Federal Reserve Bank in 2016 and game exploits in South Korea appear to be financially motivated [16]. Despite being one of the most heavily sanctioned and impoverished nations, North Korea does not seem to be deterred in their cyber exploits, much as they have been undeterred in nuclear weapons development.
The international community has managed to deter Iran to some extent in their aims to develop nuclear weapons through sanctions and inspections. However, with the withdrawal of the U.S. from the nuclear deal earlier this year, Iran may increase their cyber activity, particularly against the U.S. in retaliation for what they feel is unfair treatment [17, 18]. At this point, Iran has demonstrated their capabilities against a number of nations so deterrence against them has not been strong.
In 2017 the U.S. Defense Science Board Task Force on Cyber Deterrence issued a report detailing its recommendations for strengthening cyber deterrence and outlining major cyber threats, including those from state and non-state actors [19]. The report noted that the threat of cyberattacks was increasing faster than vulnerabilities could be identified and patched, and that deterrence must play a major role in the protection of the U.S. and its allies in this sphere. The importance of resiliency for critical infrastructure and military systems, along with the need to adjust deterrence efforts to particular adversary tactics and to improve attribution capabilities, were also addressed.
Most U.S. Cyber Command efforts have been concentrated on defensive programs, but recently it has obtained more authority to conduct offensive operations [20]. This may be a reaction to the perceived failure of other methods of deterring adversaries. The U.S. has come under attack domestically for its inability to deter major cyberattacks, including the 2016 elections hacking by Russia. Some have speculated that the U.S. was deterred from action in response to these hacks for fear of escalation or worries about superior Russian capabilities [21]. Similar deterrence appears to impede U.S. efforts to retaliate against China.
For conventional and nuclear weapons, countries try to deter by building arsenals of munitions, with the downside that this can lead to an arms race. Deterrence requires a credible threat of serious retaliation. With cyber weapons however, any nation can claim to possess cyber weapons and to be building an arsenal. Such an accumulation would be less visible than with other kinds of weapons and could be falsely claimed. Deception can be used to reinforce an impression of cyber weapons capabilities. For example, leaking documents about false capabilities can create the impression that they are ready for use, and hinting at missions that have been achieved in press conferences and interviews can promote one’s capabilities.
But until the weapon is used, no one can know for certain whether or not it exists or is effective, and a threat is not very credible. A false capability could be simulated in a controlled setting where the results shown are not actually those of the cyber weapon being tested. Such an event requires some degree of secrecy which can be hard to maintain. In addition, any demonstration of a weapon, even a false one, gives away some of its secrets, as will be discussed in Section E.
Cyberattacks usually violate criminal laws. Many cyberattacks from nation-states are more like crime than combat. Looking into ways to fight cybercrime can provide additional tools to deter these types of actions. Past cases of crime can be examined to determine what has been effective in curbing it and to what extent, and recommendations could be made where crossover successes of these strategies can be envisioned. Profiling cyber criminals and noting their signatures, or maintaining repositories of malicious code indexed by country of origin, could potentially be helpful. For instance, North Korean malware has distinctive characteristics that make it often easy to recognize.
The U.S. has issued indictments for several perpetrators of attacks against government and financial institutions done on behalf of nation-states including Iran and Russia. The U.S. has also indicted Chinese nationals, both in 2014 and 2017, for cases of hacking related to economic espionage [22]. No one named in these indictments has been extradited, though a Chinese hacker was arrested in August 2017 in Los Angeles on charges of using the same malware as the perpetrators of the personnel-database attack two years before [23]. The Russian indictment may have been a warning to others considering future attacks [13]. However, when perpetrators of cyberattacks are acting on behalf of their governments, it seems likely that they would be afforded protections at home, and, while an indicted individual might risk arrest or extradition while traveling to a country that has an agreement with the U.S., many actors cannot choose their involvement or travel freely. Therefore, indictments serve only as a weak deterrent.
Sanctions can be an effective deterrent as exemplified by the Iraqi dismantling of its chemical weapons program in the mid-1990s [24]. On the other hand, sanctions against North Korea to deter its development of nuclear weapons have been unsuccessful. It is possible to impose sanctions on a nation after their use of cyber weapons or sponsorship of cyberattacks. However, many nations that have sponsored cyberattacks, including Russia, North Korea and Iran, are already subject to sanctions for other reasons. Additionally, sanctions are usually targeted against narrow categories of products, but it would be infeasible to sanction the purchase of computer equipment or software.
Deterrence by denial can be effective when the conducting of cyberattacks is clearly costly compared to the likely benefit. Increasing one’s defenses is unlikely to deter the adversary from all cyberattacks, since a major gain from an attack is always possible due to unexpected vulnerabilities. However, there are significant labor costs associated with attempting difficult attacks like infiltrating a network or reverse-engineering a SCADA protocol for a utility system, and this can provide a deterrent. While there have been many successful cyberattacks against U.S. businesses, including Equifax, Anthem, Target and Chase Bank, there have been substantially fewer against military entities [25]. This may suggest that the barrier to success is higher for military targets and some attackers have been deterred.
Of course, making one’s networks difficult to infiltrate and protecting one’s systems provides the additional benefit of keeping information and structures safe. Furthermore, intercepting malware from attacks through good defensive monitoring and honeypots can help to understand the adversary’s aims and capabilities. Thus, cyber defense is well justified even though it does not always deter.
Cyber weapons whose capabilities can be convincingly exhibited can have a stronger deterrent effect than those whose capabilities cannot be shown. Just as militaries stage demonstrations to show off new equipment and display novel weapons capabilities, a nation-state can do the same with its cyber weapons. Such a performance could be designed not to give away too many secrets if only the effects of a cyber weapon are shown. An example was operation Aurora which demonstrated the exploitation of a cyber vulnerability to destroy a power generator at Idaho National Labs [26]. Capabilities are more credibly demonstrated through offensive cyber operations. However, these risk providing detailed attack knowledge to the adversary who can use digital forensics to analyze the attacks in detail. Furthermore, many legal considerations affect any offensive action.
Deception can also compromise opponents in other ways. For example, repeated theft of intellectual property and trade secrets from governments and businesses by countries like China makes it possible to provide them with bait in the form of false documents [27]. The documents could provide designs that will ultimately not work or have software or hardware backdoors (clandestine access portals) in them. Strategically placing these documents on networks of espionage interest could slow down or compromise an adversary’s advancement efforts and could provide a way to shut down malicious systems later if desired. An adversary who is the victim of these efforts might be deterred from stealing more such documents that they suspect are untrustworthy.
Deterrence can also be achieved through the threat of automated counterattack. For example, a defender’s sites could be designed so that if they are attacked or intellectual property is exfiltrated, they would automatically insert malware into the data returned. The malware could be designed to harm the attacker’s systems, warn them, or gain access to the systems. An adversary who knows a defender has such capabilities could be deterred from attacking. However, an innocent third party whose systems were used without their knowledge to launch the attack could end up the victim of such retaliation.
Offensive cyber operations may serve as deterrents by forcing adversaries to use resources for defense, thereby leaving fewer resources available for conducting offensive operations. Such actions can also demonstrate capabilities that increase deterrence credibility [19].
Offensive cyber operations can have narrow aims, as with Stuxnet or the Trans-Siberian Pipeline operations [2, 28]. They can dismantle or degrade the capabilities of certain known actors and groups. Deterrence effects are enhanced by using reliable cyber weapons and announcing the conditions for their use.
The threatened response to a cyberattack could include the use of conventional or nuclear weapons. They should not be the first choice, but such retaliation methods should be considered in cases of very serious attacks. They would most likely be seen as escalatory due to the overt destructiveness of such weapons, but such a response would ensure the adversary knows their actions are unacceptable and increases the weight of their decision to continue them. However, such a response has yet to be seen from the United States, so it has not provided a credible deterrent to attacks on the U.S.
International norms for acceptable actions in cyberspace can contribute to deterrence. As with other weapons, states can agree on which types of cyber weapons are acceptable for use and which should be banned. Since different cyber weapons can achieve the same end, it is best to categorize them by the expected results.
The United Nations Group of Governmental Experts reports from 2013 and 2015 concluded that existing international law, including the UN Charter, applies to cyberspace and recommended the prohibition of state-sponsored attacks on critical infrastructure. NATO has published the Tallinn Manuals which outline the applicability of international law to cyber warfare and peacetime operations [29]. These publications seek to create a common understanding of permissible actions in cyberspace, although they are not a legally binding treaty on cyber munitions. But they have some deterrent effect as they are often a de facto standard. Further efforts by the international community to create a consensus on cyber actions will add to the deterrent effectiveness of such agreements.
Cyber deterrence is becoming more possible. A past reason for the inability to respond swiftly to cyberattacks was the difficulty of determining definitively who perpetrated the attack. Today’s attribution methods are more varied and more reliable, increasingly permitting rapid targeted retaliation to a cyberattack [30]. Publicly announcing that a cyberattack has been attributed to a state-sponsored activity alerts the offenders and others to the victim state’s attribution capabilities and can serve to prevent a subsequent response from being seen as arbitrary or escalatory. This allows a state to use a wider variety of capabilities to respond to cyberattacks, which can aid in deterring future attacks.
However, stockpiling of cyber weapons is not as much a deterrent as stockpiling of conventional and nuclear weapons. It is difficult to convince adversaries that you actually have the cyber weapons without compromising their effectiveness in a demonstration, and it is difficult to convince adversaries that you have the will to use them when provocations, especially cyber ones, rarely rise to the level that would justify an armed response.
International agreements can be a more effective deterrent. While the international community has considered issues of security in cyberspace, more work is needed to seek agreement on acceptable cyber actions and to formulate a unified response to certain actions. Sanctions, announcing attribution, and even offensive operations work better with at least partial international cooperation. By discussing the critical issues and designating certain cyber actions as unacceptable, nations can operate from an agreed understanding. They then can work together to hold rogue states to account through the abovementioned methods as well as through conventional means such as diplomacy.
Deterrence of other forms of cyber threats such as misinformation campaigns should be considered as well. Many of the most harmful cyber threats that we are seeing today are extended and complex propaganda campaigns aimed at undermining state authority and causing civic unrest. Such strategies are employed by both Russia and North Korea as part of their military doctrines. Research should be conducted to find methods to help government and private-sector entities monitor news stories and social-media posts associated with these campaigns, along with ways to help citizens inoculate themselves against these efforts.
Cyber espionage, cybercrime, and cyberattacks are all related today, and governments need an integrated response to them. Network infiltration can result in information being gleaned for espionage purposes, theft of intellectual property or access to critical infrastructure, so deterrence planning should use a broad strategy. This includes prevention of attacks on private-sector entities that could compromise national security. When private-sector issues create public risk, a government must take strong action. Work to improve cooperation and information sharing between the many government agencies dealing with cyberattacks can also help to provide a more comprehensive deterrence strategy.
Dorothy Denning and Ryan Maness contributed to these ideas.
[19] Defense Science Board of the U.S. Department of Defense, Task Force on Cyber Deterrence, February 2017. Retrieved from https://www.acq.osd.mil/dsb/reports/2010s/dsb-cyberdeterrencereport_02-28-17_final.pdf, November 28, 2018.
[1] This paper appeared in the Intl. Conf. on Computational Science and Computational Intelligence, December 2018, Las Vegas, NV, USA. This work was sponsored in part by the U.S. National Science Foundation under grant 1318126.