Deterrence in Cyber? Possible but Different
Happy new year? Germans kicked off their new year with a widespread dissemination of hacked data belonging to celebrities and prominent political figures including chancellor Angela Merkel. The stolen personal information, spreading via Twitter, included photos, chat logs, cellphone numbers, home addresses, emails, and more. The level of frequency and sophistication of cyber-attacks, from alleged Russian subversion of the US 2016 presidential campaign, to Wannacry or Petya, is growing and has an increasing impact on politics, societies and economies. Despite a growing amount of academic and practitioner’s attention, the question remains to how these kinds of activities can effectively be deterred.
Deterrence. Can it still work?
Incepting an idea is powerful. Since the end of the Second World War, in the midst of the Cold War dynamics and beyond the fall of the Soviet Empire, deterrence was seen as an appropriate strategy to prevent adversaries from taking specific actions, because the potential attacker’s would be discouraged by the other’s defense, and would be restrained by the fear of retaliation. Security was incepted and resting in the minds of the potential opponent. But does deterrence can still handle the nuances of the cyber space and the digital age?
At least, three aspects challenge the deterrence strategy.
- First of all, times are changing. Neither the bipolar international system of the Cold War nor a pure American dominance does exist anymore. It has been replaced by a diversity of actors and threats involved. Today, more than 30 nation-states have cyber-attack capabilities. Sophisticated digital toolkits are spreading like wildfire ranging from several nation-state with their excellent cyber capabilities like China or Russia to non-state… Klick um zu Tweeten The European Network and Information Security Agency (ENISA) identifies six threat agents, namely corporations, cybercriminals, employees, hacktivists, nation states and terrorists, while the NATO CCD-COE study adds state-sponsored agents as a seventh actor. They all have the ability to wage campaigns to seriously damage or disrupt critical infrastructure, cripple businesses, or attack devices used every day, without ever physically crossing a nations border. In fact, these cyberattacks offer potential adversaries’ low cost and almost complete deniability.
- Secondly, these state and non-state actors in cyberspace provide an asymmetric environment with unique characteristics, where concepts such as geography and sovereignty, military sphere and civilian sphere become blurry.
- Finally, given a diverse landscape of (potential) adversaries and a very complex threat assessment, classical deterrence requirements such as defined interests and drawn redlines are under constant scrutiny. How to proceed against private agents but presumably state-sponsored? This leads to shifts in security fundamentals. In fact, deterrence seeks at its core to preserve the „status quo“ by persuading adversaries not to do something. However, in a cyber age insidious state or non-state actors continue to leverage all facets of the cyberspace in dynamic, proactive fashion to achieve a fundamental shift in global power toward their advantage.
Research scholars appear divided on if the deterrence still applies in cyberspace. Joseph Nye recently specified four key mechanisms for cyber deterrence: denial, punishment, entanglement, and norms. Others do not see in deterrence a credible strategy anymore, because cyber is an entirely new strategic environment, one which has important distinctions from the traditional domains of land, sea, air, and space. But how can democracies operate in such environment and respond accordingly?
Holistic Approach: Keep Initiative
Given the disparate actor and threat environment, where private and public spheres mingle, sovereignty and domains become blurry, democracies have to innovated their strategic thinking when it comes to cyber deterrence and think bigger. A more holistic approach is needed, which recognizes cyberspace as a strategic environment with distinct dynamics. Three dimensions come to mind.
At the core lays the gap between policy and technology. Cyberspace is an operational environment of constant action, permanent contact and ongoing contests with adversaries. Klick um zu Tweeten While every new version of software or hardware can shift tactical capabilities, the interconnectedness of the cyberspace demands persistence – the gaining and retention of initiative. In such a dynamic thinking Democracies need agile policies which allow for offensive and defensive measures as well as anticipating and integrating the technological change coming. Defending forward with persistence and active engagement will guide a deterrence by retaliation, which holds adversaries accountable and impacts their risk calculus.
Moreover, a comprehensive approach of cyber security emphasizing resilience will include private and public actors in unique way. In most democracies the private sector owns infrastructure and data, has the biggest cross-national interdependence and is conceptional better equipped for the cyber age. Building resilience and focusing on the cyber ecosystem is part of a deterrence by denial, which includes capacity building, shared incident reporting and response, expanding quantity and quality of digitally literate people, technological research and development. Hence, collaboration has to be expanded and partnerships with the private sector strengthened.
Finally, weak cross-national cooperation and diverging legislation stacks the deck in favor of attackers. In Europe, more than one third of the cybersecurity strategies of the countries are older than four years, but 17 of 29 strategies believe in international cooperation. Hence, democracies have to promote democratic norms, creating an international framework for stability by defining clear global rules on acceptable practices and appropriate responses after attacks like criminal prosecution, economical sanctions or active retaliation. Though, there will be no easy blueprint. In their race for digital supremacy China and the U.S. will provide alter-native narratives on liberal norms, standards and protocols as preferred by Europe or other countries in Asia. If Europe does not define its future role as a colony in the American tech empire than it has to become a more serious security and defense actor. Klick um zu Tweeten Europe has to actively engage countries like Australia, India and other countries across Asia to shape progress in the international cyber agenda.
Old habits die hard, and outdated thinking harder still. Deterrence in a cyber age means an operational environment and strategy of constant action, permanent contact and ongoing contests with adversaries. Hence, the global digital ecosystem demands not just a pure military response. Recent attacks like in Germany proved a more holistic, even international, approach is needed including a range of political, social, economic, technological and legal responses. Security is achieved through imposed norms, clear expectations of state behavior, cooperation with non-state-actors, on an international level, but also a cyber initiative mindset. Deterrence, yes but different.
Der Artikel erscheint in den Proceedings zu einer Cybersecurity-Konferenz in Canberra, Sommer 2018.