Cyberdeterrence, and Cyberwar

Transcription

1 Cyberdeterrence, and Cyberwar

2 Prologue In the 1950s, defense against nuclear weapons was next to impossible Hence deterrence theory and its accoutrements Second-strike Extended deterrence Counterforce v. countervalue Today cyberwar appears to be a salient threat With everything being digitized, dedicated hackers could bring everything to a halt in theory Cyberdefense is expensive and leaky So why not protect this country against the new threat by threatening retaliation, as we did for the nuclear threat? A /2010

3 Purpose Discuss cyberdeterrence and whether it makes sense That is, about decisions made by states not colonels Is offense the best defense? Is directed against states (especially if responding in kind) Tease out some of the salient characteristics of cyberwar -- which may result from: The failure of deterrence to forestall attack Escalation of tit-for-tat carried out in the name of deterrence Examine some dynamics of cyber-escalation Akin, in some ways to intra-war deterrence A /2010

4 What Cyberwar Is A /2010

5 What Cyberwar Is The use of information (messages) A /2010

6 What Cyberwar Is The use of information (messages) to harm target information systems A /2010

7 What Cyberwar Is The use of information (messages) to harm target information systems making them fail A /2010

8 What Cyberwar Is The use of information (messages) to harm target information systems or corrupting their contents making them fail A /2010

9 What Cyberwar Is The use of information (messages) to harm target information systems or corrupting their contents making them fail Information attacking information by attacking information systems A /2010

10 What Cyberwar Is t Cyber-espionage (despite similar methods) Far different treatment by international norms Electronic warfare (despite similar modalities) Directed energy (microwave) attacks on systems Psychological operations (even though cyberwar may produce strong psychological effects) Web site whack-a-mole And it goes well beyond flooding/ddos attacks Which only affect public-facing web sites And which many firms can offer protection against A /2010

11 What Cyberwar Cannot Usually Do Create direct permanent effect (usually) It does not break anything directly Systems can usually be restored What about Stuxnet? Preceded by 2007 Aurora experiment Iranians had little experience with normal operations Their devices have no stand-off safety guards or monitoring capablity Be used repeatably Cyberspace is made by its defenders Hackers can only follow paths that already exist Attacks expose holes, which can get patched Which is why Stuxnet I does not imply Stuxnet II The bag of tricks is depletable A /2010

12 Counterforce/Pre-emption Does t Apply in Cyberspace Because command-and-control can be simultaneously hosted in redundant servers, killing any one server may be pointless Of the prerequisites to cyber-attacks a computer, a network connection, hackers, know-how, intelligence only computers can (conceivably) be destroyed by a cyberattack Although defenders need to understand cyber-attacks quickly to minimize or reverse their damage, striking back quickly usually confers little protection A /2010

13 Outline Cyberwar and cyberdeterrence issues A cyberdeterrence decision cycle Controlling Cyber-escalation Conclusions A /2010

14 Generally Cyberattacks Have Two Motives Coercion To demonstrate capability and will But two caveats: It may induce more anger than fear It may escalate a local conflict into a strategic one Pre-emption If a physical attack is going to follow, it must come quickly Unless it is a feint or a test A /2010

15 Attribution Is Imperative Good attribution supports retaliation in three ways Avoids punishing the innocent Makes the case to the rest of the world (and potential attackers) Links action to reaction (retaliation) in the minds of attackers Proof beyond a shadow of a doubt is unnecessary What the accused state did is less important than what it can prevent (hackers need not work for states) but since cyberattacks rarely kill anyone, thresholds for punishment must be developed, communicated, and measured believably A /2010

16 But Attribution Is Hard Cyberattack Lacks obviousness of kinetic attack Leaves no physical evidence (e.g. DNA) States rarely suffer from being linked to a cyberattack (but would take more pains to hide if they did) Finding the machine does not show who did it could come from anywhere Attacker might be known.. If he boasts about it (e.g., to coerce) If he uses a known modus operandi If he makes a mistake Through human intelligence, video, etc. But will this happen often enough to be a basis for deterrence policy? A /2010

17 Predicting Battle Damage Is Also Hard Prediction timeframe Far in advance In the near term All the time Prediction difficult because: Systems change with every software update What can be observed about systems may say little about how the respond to attack: May have war reserve modes May have processes that kick in only when systems go awry Damage roughly proportional to downtime or persistence of corruption, but even system administrators don t know how fast they can reverse effects A /2010

18 Predicting Battle Damage Is Also Hard Prediction timeframe Far in advance In the near term All the time Prediction difficult because: Systems change with every software update What can be observed about systems may say little about how the respond to attack: May have war reserve modes May have processes that kick in only when systems go awry Damage roughly proportional to downtime or persistence of corruption, but even system administrators don t know how fast they can reverse effects A /2010

19 Predicting Battle Damage Is Also Hard Prediction timeframe Far in advance In the near term All the time Prediction difficult because: Systems change with every software update What can be observed about systems may say little about how they respond to attack: May have crisis reserve modes May have processes that kick in only when systems threaten to go awry Damage roughly proportional to downtime or persistence of corruption, but even system administrators don t know how fast they can reverse effects A /2010

20 Predicting Battle Damage Is Also Hard Prediction timeframe Far in advance In the near term All the time Prediction difficult because: Systems change with every software update What can be observed about systems may say little about how they respond to attack: May have crisis reserve modes May have processes that kick in only when systems threaten to go awry Damage roughly proportional to downtime or persistence of corruption, but even system administrators don t know how fast they can reverse effects A /2010

21 Cyberwar May Be Hard to Control Escalation into violence is always a risk A tit-for-tat may activate third-party hackers Cyberwar termination how do we know they stopped? is very difficult because of the attribution problem, particularly if third-party hackers are activated yet, to complain of being attacked in cyberspace is tantamount to admitting that you have been conned, something states may be reluctant to publicize, hence respond to A /2010

22 Outline Cyberwar and cyberdeterrence issues A cyberdeterrence decision cycle Controlling Cyber-escalation Conclusions A /2010

23 What Would a Decision Tree Look Like? Something s happening A /2010

24 First Determine What Something s happening The result of hacking? A /2010

25 Then Try to Figure Out Whether War or Crime Something s happening The result of hacking? Would a state do this? A /2010

26 Then Try to Figure Out Whether War or Crime Something s happening The result of hacking? Would a state do this? But call the FBI A /2010

27 Make Your Best Guess on Who Did It Something s happening The result of hacking? Would a state do this? Attack can be attributed? A /2010

28 Weigh Public Reaction Something s happening The result of hacking? Would a state do this? Attack can be attributed? Effects obvious to public? Maybe retaliate sub rosa A /2010

29 and Public Relations Something s happening The result of hacking? Would a state do this? Attack can be attributed? Effects obvious to public? Maybe retaliate sub rosa or tell the public A /2010

30 ...and Whether You Go Public with What you Know Something s happening The result of hacking? Would a state do this? Attack can be attributed? Effects obvious to public? Can target make attribution public? Maybe retaliate sub rosa Maybe retaliate sub rosa A /2010

31 Determine Whether You Can Retaliate Something s happening The result of hacking? Would a state do this? Attack can be attributed? Effects obvious to public? Can target make attribution public? Have a way to retaliate? Maybe retaliate sub rosa Maybe retaliate sub rosa A /2010

32 and Whether Retaliation Is Worth It Something s happening The result of hacking? Would a state do this? Attack can be attributed? Effects obvious to public? Can target make attribution public? Have a way to retaliate? Maybe retaliate sub rosa Maybe retaliate sub rosa Retaliation do more good than harm? A /2010

33 Contemplate the Pressures on Target of Retaliation Something s happening The result of hacking? Would a state do this? Attack can be attributed? Effects obvious to public? Can target make attribution public? Have a way to retaliate? Maybe retaliate sub rosa Maybe retaliate sub rosa Retaliation do more good than harm? Can attacker allay its public ire enough to counter-retaliate? Maybe retaliate sub rosa A /2010

34 and Hope for the Best Something s happening The result of hacking? Would a state do this? Attack can be attributed? Effects obvious to public? Can target make attribution public? Have a way to retaliate? Maybe retaliate sub rosa Maybe retaliate sub rosa Retaliation do more good than harm? Can attacker allay its public ire enough to counter-retaliate? YES Maybe retaliate sub rosa So, the target state hits back and that settles things or not

35 Outline Cyberwar and cyberdeterrence issues A cyberdeterrence decision cycle Controlling Cyber-escalation Conclusions A /2010

36 Fundamental Features of Escalation Control Attribution is often uncertain Attackers can be combatant states or third party states, nonstate actors, criminal organizations, or individuals So is predicting or even assessing battle damage Overall, because Intentions are poor predictors of actual effects and Perceptions may not match actual effects Perceptions can be two stages removed from intentions But perceptions are what breed pressure to respond Escalation in cyberspace looks different if Cyber operations are carried out against military targets Cyber operations go beyond targets for kinetic attack, or Cyber operations take place in what is otherwise peacetime A /2010

37 Escalation in Cyberspace Beyond Kinetic War Can Follow Many Paths Escalation that Raises Regime Security Issues Anti- Great Firewall Surveillance Systems Police Systems Escalation From Military to Dual-Use to Civilian Attacks on States to Attacks on their Allies Dual-use Facilities Critical Infrastructure In-theater systems of great power friends Health/safety systems All military systems of great power friends To Strategic Systems Out of theater Homeland based Strategic systems A /2010

38 Trying to Escalate is not the Same as Succeeding Others will see only (what they perceive as) effects and not the effort There is no way to tell how many man-years are being thrown at a task or whether anything is being kept in reserve (cf., U.S. escalation in Vietnam measured in troop deployments) There are also few good reasons not to allocate at the outset all cyberwarriors (already on the payroll) to a specific conflict The intent to escalate may not match the actual degree of escalation much less the perceived degree of escalation Kinetic Escalation Options/Outcomes Cyber Escalation Options/Outcomes Don t thing happens Don t thing happens Something is perceived to happen Do thing much happens (rare) Something happens Do thing happens; invisible failure thing happens; visible failure Something happens A /2010

39 But Escalation Can Also Be Accidental or Inadvertent Them Attacks that Imperil Safety Attacks on Civilian Infrastructure Attacks on Military Support They hack the FAA They hack one of our coal-fired power plants They hack Guam s port We hack into their 911 systems. We hack their hydropower dam We hack a civilian port in their country We hack their afloat naval supply facility Attacks on Personal Safety Attacks on Industrial Safety Attacks on the Homeland Attacks in the Field US Or maybe the induced malfunction in the naval supply facility broke the port management software. Unintended escalation is a greater risk when combatants fail to communicate thresholds or define them differently A /2010

40 Adversaries Can Interpret U.S. Escalation Decisions in Many Ways If we escalate in cyberspace, they might conclude, alternatively: We can escalate (if our attacks succeed and impress) We are willing to take risks but not casualties We believe cyberattacks on non-military targets are legitimate We know they have escalated and would risk mutual escalation to get them to stop (if they thought we were responding to their escalation) We are trigger-happy even though our detection mechanisms are weak (if they thought we were responding to something that did not occur or was not their fault) If we do not escalate or even respond, they might conclude: We do not have the capability to escalate We do not know it was they who attacked us or even whether the effects were those intended We do know but are showing restraint A /2010

41 Threatening Escalation to Control Escalation is Tricky Our threat to escalate may inhibit their escalation or make them stop, but only if They believe we have the means They believe we have the will (even in the face of potential counterresponse) Their escalation has no compelling military rationale They do not fear losing too much face by complying They feel that our declared red lines are well-defined, straightforward to monitor and fair (v. one-sided, arbitrary, unfounded in customary law, or self-serving), and They believe that if they do not cross the line neither will we A /2010

42 Outline Cyberwar and cyberdeterrence issues A cyberdeterrence decision cycle Controlling Cyber-escalation Conclusions A /2010

43 Conclusions Cyberwar is not just war carried on in another dimension (same for cyberdeterrence) In many cases, key questions are different In other cases, key answers are different Although cyberwar may share some facets of other types of warfare (e.g., electronic, terrorism), it merits consideration from first principles Compared to retaliation, defense, although expensive, is less problematic and risky Even if we do not forswear retaliation as a policy, we should think carefully before embracing it A /2010

44