Deterring cyber attacks: Old problems, new solutions
This article was first posted to The Conversation.
As the investigation into Russia’s interference in the U.S. election deepens, it is becoming obvious that the events in 2016 are just the tip of an iceberg.
Ever since the Russian cyber assault on Estonia in 2007, policymakers and cyber security scholars have debated how best to deter cyber attacks that cross international borders. Yet both state and non-state actors continue using the internet for malicious purposes with an unacceptable level of impunity.
The growing global market in cyber crime is projected to hit U.S. $6 trillion by 2021. Curtailing the risk requires new approaches.
Fundamentally, deterrence is about convincing an adversary that the costs of an attack outweigh the benefits. One of the problems in cyber deterrence policy has been a reliance on ideas that were formulated in the very different security environment of the Cold War.
Cold War concepts rely on deterrence by punishment (striking back at an adversary with retaliatory attacks) and deterrence by denial (denying your adversary the ability of a first strike, for example by having too many hidden nuclear missiles sites). While these binary models may have applied in the context of two nuclear superpowers locked in a decades-long geopolitical conflict, they don’t translate easily to a global network of interconnected computers.
The first problem is attribution. If you can’t identify the actor responsible for a cyber attack, how can you punish them? Retaliatory cyber attacks can also cause collateral damage. They drag in third parties who may come to the assistance of the adversary, escalate cyber conflict and legitimize the use of cyber capabilities for political and strategic gain. The prospect of using military force to punish cyber attackers is also viewed as disproportionate as a response to most malicious cyber activity.
Deterrence by denial is a similarly problematic framework. The “attack surface” the internet presents is staggeringly large. The number of internet-connected services is set to reach 75 billion by 2025. It is unrealistic to expect that we can ensure that all those devices are secure and cannot be used as back doors into other computer systems.
Before leaving office, the Obama administration assigned $19 billion for research on cybersecurity.
One of the priorities of this funding was to ensure further improvements to attribution technologies and processes. This could make a big difference to the effectiveness of cyber deterrence, especially when combined with clearer communication by policymakers about the evidence they have about the source of attacks. Cutting through some of the smoke and mirrors put in place around the Putin government’s cyber operations should be a high priority.
Another radical proposal is to change how the internet operates so that it becomes an identified and attributed network where logging in involves providing specific personal identification. This has been given serious attention in the U.S. national security community.
It has obvious implications for maintaining the internet as a free and open global resource. But the internet will have to keep evolving to deal with the growing impact of cyber attacks. Building a more secure domain for some internet traffic is worth considering.
Changing how we think about attacks
New technology may help enhance cyber deterrence, but we will need to change our thinking too. During the Cold War, deterrence was absolute. Even one attack could have proven devastating. In contrast, deterrence in cyberspace will be cumulative. As the scholar Uri Tor has argued, cyber deterrence is about how to “postpone, limit, and shape a series of ongoing conflicts with a variety of state and sub-state actors.” It is not about preventing all attacks at all times.
The role of laws and norms in deterring malicious cyber activity should be given greater attention. Some countries don’t even have current laws that make hacking a criminal offence. This could be solved by more states signing up to the Budapest Convention on cyber crime, which requires the adoption of laws on cyber crime and enables collaborative policing to deal with cyber attackers.
New proposals coming out of the Tallinn Manual 2.0 process suggest the emergence of deterrence mechanisms through international law. This includes holding states to legal account when hackers are operating with impunity from within their territory or being directed by the state. In this scenario, a form of self-deterrence may emerge when governments realize that hackers pose risks to the states themselves.
Cyber resilience involves having backups for computer networks and the societal services they provide. A cyber attack would have minimal impact if systems are in place to replace an internet service as quickly as it is taken down.
Cyber resilience holds particular promise for critical infrastructure providers in the transport, health and energy sectors. These organizations will never have the authority to deter cyber attacks through retaliatory cyber countermeasures, but need to find ways to obscure the cyber targets on their backs.
Similarly, given recent efforts to subvert democracy through cyber operations, the resilience concept will have particular appeal to the electoral governance sector. Building resilience in our elections systems (including election advertising on social media) is a priority for democratic countries, especially in light of the recent scandals around Cambridge Analytica’s misuse of Facebook data during the U.S. election.