Journal of Homeland Security and Emergency Management Volume 7, Issue 1
2010
Article 22
Leaving Deterrence Behind: War-Fighting and National Cybersecurity
Richard J. Harknett (University of Cincinnati), John P. Callaghan (University of Cincinnati), and Rudi Kauffman (Bluffton University)
Copyright © 2010 Berkeley Electronic Press. All rights reserved.
Leaving Deterrence Behind: War-Fighting and National Cybersecurity∗ Richard J. Harknett, John P. Callaghan, and Rudi Kauffman
Abstract
How should the United States organize itself to deal with the threat of cyberaggression? The initial effort of the Obama Administration, released in May 2009, focuses attention on the organizational and bureaucratic decision-making infrastructure necessary for cybersecurity and provides some general guidelines about goals and means. It does not address the more fundamental question of strategic approach. This article suggests the time has come to resolve the core issue of what organizing principle should drive national cybersecurity policy. Specifically, we argue that an offense-defense strategic framework must be adopted to think about and organize against cyber threats in the 21st century. This means that the United States must set aside deterrence, the dominant strategic anchor of the past fifty-plus years, and adopt a full war-fighting posture. What has worked in the nuclear realm, and remains relevant for homeland security against WMD terrorism, will not work in cyberspace.
Keywords: cyberaggression, deterrence, Obama Administration
∗ The authors thank the Charles Phelps Taft Research Center at the University of Cincinnati for its support.
Harknett et al.: War-Fighting and National Cybersecurity
"…the architecture of the Nation's digital infrastructure, based largely upon the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations" (Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure 2009, i).
INTRODUCTION

How should the United States organize itself to deal with the threat of cyberaggression?1 The initial effort of the Obama Administration, released in May 2009, focuses attention on the organizational and bureaucratic decision-making infrastructure necessary for cybersecurity and provides some general guidelines about goals and means. It does not address the more fundamental question of strategic approach, which remains under development. The issue of strategy is critical to resolve, however, since ultimately the U.S. national cybersecurity infrastructure must align around a core organizing principle. Over the past two decades, the question of what that strategic framework should be has received less attention than it deserves, in part because the challenges of cybersecurity have continued to evolve rapidly.2 This article suggests the time has come to resolve the fundamental question of what organizing principle should drive national cybersecurity policy. The implication of our core conclusion is significant and its implementation will be difficult. Major reconsideration of how we conceive of cybersecurity, and of the relationship of government to national cyberdefense, is necessary. Understanding the fundamental nature of cyberspace as a strategic military environment is critical for organizing national security infrastructure and developing national policy that will lead to the strategic outcome of a more secure cyberworld.

For most of human history, security planning centered on the ebb and flow of offensive and defensive capabilities. Offense seeks to use force to gain control over assets or to compel loss of control; defense seeks to use force to retain control over assets and limit damage (Adams 2003-04, 53). Once conflict is commenced, victory is ultimately determined by superior technology, ability, and execution that either overcomes the defensive measures or blunts the offensive thrusts. The recognition that war is possible and that one had to be prepared to fight (to engage in the sustained infliction and blunting of damage) was a fairly unassailable organizing principle for nearly two millennia. The detonation of the atomic bombs ushered in a new era of security theorizing and strategizing around the concept of deterrence, which seeks to prepare to use force in order to demonstrate the capacity to inflict punishment if an attack occurs (Adams 2003-04, 53). "Throughout the cold war," as Lawrence Freedman notes, "the concept of deterrence was central to all strategic discourse" (2004, 1). We tend to overlook, however, that the notion that military forces needed to be organized around the ultimate objective of war avoidance, rather than war-fighting, represented a radical departure in strategic thinking from most of warfare's history (Freedman 2004, 16).

Counter-intuitively, we argue that an offense-defense strategic framework must be adopted, once again, in order to think about and organize against threats in cyberspace. The dominant technology of the day, and the manner in which it can be effectively employed, structures the strategic military environment and dictates the approach that must dominate. We argue that cyberspace is an environment of offense dominance in which deterrence is easily overwhelmed. Anchoring national security around the goal of avoiding war is therefore a recipe for defeat. When it comes to cyber, this means that the United States must set aside deterrence as the overarching concept. This raises the challenge of applying in one area of threat management (cyber) a different framework than is applied elsewhere: deterrence should remain the dominant strategic approach for conventional and nuclear threat environments.

1 We use the term cyberaggression to capture the range of activities associated with disruptive computer hacking, cybercrime, cyberespionage, cyberconflict, and cyberwar, recognizing that each of those terms provides greater precision for a specific realm of aggression.
2 Acts of cyberaggression are reported regularly throughout the world. They range from minor nuisances to substantial, ongoing attacks on national and even international infrastructure. The three-week cyber attack on Estonia beginning on April 27, 2007, compelled NATO leaders to begin to address the need for a systematic plan to deal with cyberaggression (Bruno 2008; Wilson 2007, CRS-7-8). In April 2009, U.S. Defense Secretary Robert Gates said the U.S. government is under cyber attack "virtually all the time, every day" ("Gates: Cyber Attack A Constant Threat," 2009). Most recently, insurgents in Iraq used off-the-shelf technology to intercept signals from U.S. drones (Gorman, Dreazen, and Cole 2009). These, and the many other similar examples, suggest that cyberaggression is an ever-present aspect of the current defense environment and that strategies must be developed to deal with it accordingly.

Published by The Berkeley Electronic Press, 2010
JHSEM: Vol. 7 [2010], No. 1, Article 22
The complications arising from maintaining parallel security approaches, as well as the obvious potential for these security realms to blur into each other, will require dedicated analysis. In this article, we attempt to establish why cyberdeterrence needs to be set aside as the organizing strategic approach and to lay out the implications of adopting an alternative offense-defense framework. The first section provides background on recent cybersecurity policy and establishes two points for discussion: first, that more precision is needed when assessing national cyber policy (one cannot determine appropriate policy responses if one does not accurately define the threat to which one is responding); second, that current policy is problematic in its strategic orientation. The second section provides a framework for assessing cyberaggression. The third section explains the inadequacy of deterrence as the strategic response to cyberaggression. The final section introduces an offense-defense framework and highlights how this perspective provides an appropriate basis for developing a resilient and effective national cybersecurity policy.

CYBERSECURITY STRATEGY IN THE BUSH ADMINISTRATION

The Bush Administration completed its National Strategy to Secure Cyberspace in 2003. That specific strategy was implemented in the broader context of two follow-on official documents: the National Strategy for Homeland Security (updated in 2007) and the overarching strategic-level U.S. National Security Strategy (2002/2006). The National Strategy to Secure Cyberspace (NSSC) set deterrence of cyber attack as an explicit objective, stating in several instances that "deter(ring)" cyber threats was a goal of the United States. The document presented a retaliatory posture, stating, "When a nation, terrorist group, or other adversary attacks the United States through cyberspace, the U.S. response need not be limited to criminal prosecution. The United States reserves the right to respond in an appropriate manner" (2003, 50). In order to raise the potential costs associated with cyber attacks, the NSSC explicitly framed them in the broader context of military response. This represented an expanded understanding beyond that of criminal activity (both for profit and for nuisance) handled through the judicial system.3 Nevertheless, the strategic objective of deterrence was hedged throughout the document, which noted that the "strategy cannot be to eliminate all vulnerabilities, or to deter all threats" (2003, 28). Despite this acknowledged limitation, the default toward trying to achieve deterrence remained in the NSSC as well as in the subsequent National Strategy for Homeland Security (NSHS) and the overarching National Security Strategy (NSS). Both of these broader policy documents treated deterrence as both an important underlying strategic framework and a vital strategic outcome. They were light on cyber issues, addressing the term in the context of the full spectrum of new threats for which the United States had to prepare.

http://www.bepress.com/jhsem/vol7/iss1/22
Cyber threats were classified as "disruptive challenges from state and non-state actors who employ technologies and capabilities (such as biotechnology, cyber and space operations, or directed-energy weapons) in new ways to counter military advantages the United States currently enjoys" (NSS 2006, 43-44).4 The NSHS noted that terrorists, foreign governments, and criminals were likely to exploit the cyber realm (2007, 28). An emphasis on terrorism influenced the discussions of deterrence in both broader documents. The NSHS adopted a strategy of "deterrence through denial" (2007, 26), stating "as a protective function, this concept of 'deterrence through denial' requires additional actions, including increased defensive postures at potential sites of attack" (2007, 25-26). The policy noted that "actors can be deterred and dissuaded from conducting attacks if they perceive that they are not likely to achieve their objectives or that the costs of their efforts are too high" (2007, 25). In addition, other sections of the document suggested an understanding of the need to credibly signal possible responses; the door was left open to retaliation-based deterrence alongside denial efforts. For example, the strategy assumed that "terrorist actors also can be deterred or dissuaded from conducting attacks if they fear potential consequences for their actions" (emphasis added, 2007, 26). The document admitted that not all acts would be deterred, but reserved the right to respond with all "instruments of national power" (2007, 27). In its entirety, the National Strategy for Homeland Security meaningfully acknowledged deterrence (alluding both to deterrence effects and to deterrence as strategy), particularly as it relates to terrorism, and lent some weight to protection of the cyber realm.

In summary, U.S. cyber doctrine under the Bush Administration recognized a range of threats across the realm of cyberspace. All three associated policy documents mentioned efforts to deter these threats, fluctuating between techniques to achieve deterrence effects through denial measures and references to a dedicated cyberdeterrence strategy. In this sense, U.S. official policy took a middle-ground approach. It recognized the need to signal credible resolve and to respond appropriately to adversary cyber activities in order to limit, if not deter, them, but acknowledged that cyberspace was a difficult deterrence environment. The shortfalls of a deterrence approach were assumed in Bush doctrine, but a direct setting aside of deterrence as an explicit strategic objective was not broached.

THE OBAMA ADMINISTRATION APPROACH TO CYBERSECURITY

The Bush approach to cybersecurity was put under review at the beginning of 2009. The incoming Obama Administration immediately prioritized cybersecurity, promising a review and a new direction for the United States within six months. The administration released its Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure (CPR) in late May 2009. The review was clearly preparatory to a forthcoming national cybersecurity strategy.

3 Clinton-era National Security Strategy documents also discussed deterrence, the emergence of transnational threats, and the potential of cyber attackers, stating, "for these actors to be deterred, they must believe that any type of attack against the United States or its citizens will be attributed to them and that we will respond effectively and decisively to protect our national interests and ensure that justice is done" (A National Security Strategy for a New Century 1998, 12).
4 The sole-superpower status of the United States has led to a focus in security circles on the notion of asymmetric threats: that is, the notion that opponents cannot take on the United States directly militarily and thus will seek capacities that present asymmetric problems. Cyber represents one such possibility.
The review document focused on restructuring the bureaucracy and was more an outline of the steps that needed to be taken in order to develop an effective strategic/doctrinal document, in essence a plan on how to plan (CPR 2009, iii). Even so, at this early stage of administration thinking the document provided insight into a likely approach. The Obama CPR begins by broadly defining cybersecurity policy as:

strategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure [emphasis added] (CPR 2009, 2).
This is the only mention of "deterrence" in the entire seventy-six page document. In this context, it is difficult to determine precisely what is meant by its inclusion, whether it refers to a committed deterrence strategy or simply to deterrence effects achieved through denial capabilities. While the CPR does not offer a definitive indication of a forthcoming major strategic shift, it does lay more emphasis on exploring legal approaches to cybersecurity, and ties this legal approach into a consideration of coordinated international norms. The CPR states, "International norms are critical to establishing a secure and thriving digital infrastructure. The United States needs to develop a strategy designed to shape the international environment and bring like-minded nations together on a host of issues, including acceptable norms regarding territorial jurisdiction, sovereign responsibility, and use of force" (2009, iii-iv).5 It goes on to say "differing national and regional laws and practices – such as laws concerning the investigation and prosecution of cybercrime; data preservation, protection, and privacy; and approaches for network defense and response to cyber attacks – present serious challenges to achieving a safe, secure, and resilient digital environment" (2009, iii-iv). The document appears to commit primarily to a defensive approach to cybersecurity. It states, "The United States needs a comprehensive framework to ensure a coordinated response by the Federal, State, local, and tribal governments, the private sector, and international allies to significant incidents. Implementation of this framework will require developing reporting thresholds, adaptable response and recovery plans, and the necessary coordination, information sharing and incident reporting mechanisms needed for those plans to succeed" (2009, iv-v).
In short, throughout the document legal terminology and organizational solutions are common, but specific strategic/military concepts are limited. The major task ahead is to fill in the operational and strategic orientation that will be necessary for national cybersecurity. The CPR of the Obama Administration seems to recognize the offense-dominant nature of cyberspace and suggests a defensive, legal, and norm-based approach to cybersecurity. As written, the Cyberspace Policy Review does not suggest an inclination toward a dedicated cyberdeterrence strategy, but it does not explicitly reject one.
5 Eleven years ago the Clinton Administration's National Security Strategy stated almost exactly the same goal: "No area of criminal activity has greater international implications than high technology crime because of the global nature of information networks. Computer hackers and other cyber-criminals are not hampered by international boundaries, since information and transactions involving funds or property can be transmitted quickly and covertly via telephone and information systems. Law enforcement faces difficult challenges in this area, many of which are impossible to address without international consensus and cooperation. We seek to develop and implement new agreements with other nations to address high technology crime, particularly cyber-crime" (NSSNC 1998, 17-18).
DEFINING THE THREAT: CYBERAGGRESSION

This article contends that an explicit move away from deterrence as an organizing construct is in order and should be the doctrinal shift adopted in the new national cybersecurity policy of the United States. However, before one can address strategy, clarity concerning threat assessment is necessary, and in the realm of cyber such definitional precision is still a work in progress.6 How does one categorize the distributed denial of service (DDoS) attacks that took place in July 2009 against U.S. and South Korean assets? Was it nuisance hacking, an organized crime syndicate revealing its capabilities to other prospective targets to lay the grounds for extortion, a country engaged in espionage and reconnaissance to test American and Korean countermeasures, or a 'shot-across-the-bow' warning from a country seeking to establish credible capacity to engage in cyberwar? What is most challenging here is that the attack code itself could belong to any of these categories, and thus the technical aspects of the attack reveal very little. They do not reveal the source and, importantly, they do not reveal the intent. The U.S. national security (and judicial) system is organized around responding to sources and intent (which agency leads a response depends on who the aggressor is and what the intention was). This poses an inherent problem in cyberspace and, therefore, a distinct set of threat definition and response structures must be considered. We suggest that the term cyberaggression be used as the broadest category to encompass all unacceptable coercive activity in cyberspace, and that sub-categories then be established that form a continuum of cyberaggression from the individual level to the national/international level. Each sub-category may itself contain activity with a range of severity.7 To this end, the authors propose a three-tiered consideration of cyberaggression.
Implicit in this categorization is that not every cyber threat reaches the level of national security concern, but given the unique, ubiquitous and dual-use nature of digital and computer technology, a national cybersecurity strategy must comprehensively consider the interconnectivity across the continuum of cyberaggression. Another important feature of the following classification is that it is organized around outcomes, rather than sources. In the conventional military realm, it took the capacity of a nation itself to threaten the security of another country. Cyberspace opens the possibility that such a capacity can be held by a relatively small group. Given the nature of the technology, identifying the source of serious attacks will remain difficult. This limitation is important, because in terms of security responses the United States currently organizes itself around identifying the source of an attack. Which agency leads the response to aggression (from local law enforcement to the FBI to the CIA and DOD) currently depends on who the aggressor is. This response structure needs to be re-thought in cyberspace and will require important adjustments in U.S. legal and bureaucratic standards (Harknett 2000b). Disruptive hacking of military networks by teenagers in their basements is a national security concern because it is directed at national security assets, and it should be handled differently than the same individuals directing the same disruptive code at classmates they do not like at school. In the former case, the intent is not individual harm but disruption of national security assets, and it should involve much more serious sanctions and responses. U.S. information warfare operators defending national security assets need to protect those assets regardless of whether the attack is launched by the Chinese People's Liberation Army's cyber units, Russian nationalists acting as third-party mercenaries, or an exceptionally intelligent sixteen-year-old like Jonathan James.8 Therefore, a focus on outcomes rather than source is critical for developing a stronger threat assessment framework.

The first tier of cyberaggression – cybercrime – encompasses those attacks directed at individuals or organizations that involve disruption or minor destruction of data for the purposes of individual harm or financial profit. These actions do not rise to the level of a national security concern and will remain the province of law enforcement and legal response structures.9 In the context of national response, they do not warrant a national cyberdeterrence strategy. In fact, at the higher end of criminal activity (major fraud), there is a self-deterring dynamic in place that keeps it below a national security concern: criminals who seek profit need the system from which they extract profit to function well enough to keep generating profit, so cybercrime will tend to avoid major disruption or destruction of digital environments as an objective.

6 See Arquilla and Ronfeldt (1993) for a foundational discussion of cyber-related terminology.
7 For example, under cybercrime one would include everything from cyberbullying, which many schools around the country have established policies to curtail and for which legal/criminal sanctions are in their nascent stage of development, to major identity theft scams that are creating losses from fraud in the billions of dollars.
The second tier is cyberespionage and reconnaissance. These actions remain manipulations of digital environments rather than systemic assaults on infrastructure or networks. The goal here is either to gather information through infiltration (success depends on little disruption and no destruction of assets, since remaining undetected over a long time is the ideal condition for maximum extraction of information) or to gather information through probing attacks that reveal how a particular system would respond. While probing actions might place stress on networks, they are by their nature meant to remain limited actions that leave networks functioning (and thus observable in their response). This tier of cyberaggression is directed at business activity as much as at national security assets, with corporate espionage an increasing problem.10 As it relates to national assets, such activity does present national security challenges. While dealing with the cyber version of spying presents new challenges, counterintelligence activities are adapting. For deterrence, diplomatic and economic threats have traditionally been used to manage the extremes of these cases, with minimal success, as is apparent from the fact that spying is a consistent human activity. Since we currently do not apply deterrent threats to conventional spying, there is little incentive to apply them to the cyber realm. Probing does raise a more nuanced problem, but states have used this technique, even during the cold war, to test opponents' capabilities as well as their commitments (when thresholds have not been clear). During this period, states relied on diplomatic and economic means, as well as the threat of escalation, to contain probes when their occurrence continued to mount.11 The key is establishing when such action crosses the threshold from probe to act of war.

The final tier, therefore, involves the highest end of cyberaggression – acts of war. Here, we suggest a new term to provide greater precision to the analysis of national cybersecurity policy. Most of the literature uses the term cyberwar to capture this tier; however, ambiguity remains about the range of activities that the term covers.12 The more encompassing term is cyber-leveraged war (this phrase places the emphasis on war, rather than cyber, which in an outcome-based schematic provides more clarity). Take for example an attack that uses computer hacking to disrupt the supervisory control and data acquisition (SCADA) system of an electrical plant, leading to the physical shutdown of power grids and the destruction of transformers.

8 Jonathan James hacked into DoD and NASA computers in 1999 and was sentenced to sixteen months in juvenile detention in September 2000. One of the more famous hackers of all time, he was the first juvenile to be sentenced for his offense (Stout 2000).
9 Immediate response to cyberaggression will remain with the owners of the network servers under attack. The issue here from a deterrence perspective is, in the aftermath of an attack, what response can be threatened prospectively so as to dissuade an attack in the first place, and who will be responsible for carrying out the threatened response.
Such an attack uses a digital weapon to bring about the collapse of the electrical grid, but the outcome is no different than if a conventional bomb had kinetically destroyed the transformer station.13 A national cybersecurity policy must deal not only with purely digital attacks on computer networks, but also with attacks that lead to disruption or destruction of physical infrastructure. The term cyber-leveraged war enables us to capture both contexts. An attack that destroys financial institutions' records on a major scale in the expectation of creating a banking panic is an act of war, whether it was achieved digitally or through conventional bombing.14 This third tier – cyber-leveraged war – encompasses aggression meant to bring about systemic disruption or destruction of cyber-related infrastructure critical to a nation's economic, political, and societal functioning. The critical question is whether the default strategy of the last 60 years – deterrence – remains relevant at this tier.15

10 "It's not just specifics like R&D results that are prized, but information on financial stability and funding, strategic plans and on corporate capability and performance" ("Foreign Government inspire Cyber Attacks on Corporate Targets," 2009).
11 Emphasizing the threat of escalation is sometimes referred to as deterrence within crisis. The key dynamic here is establishing thresholds during a crisis that dissuade the opponent from moving beyond the initial hostile act. The Berlin Crises of 1958-61 are classic examples.
12 Arquilla and Ronfeldt (1993) defined netwar as "information-related conflict at a grand level between nations or societies. It means trying to disrupt, damage, or modify what a target population knows or thinks about itself and the world around it." Cyberwar referred to "conducting, and preparing to conduct, military operations according to information-related principles." The key distinction was that cyberwar connoted action against government and military targets, while netwar connoted actions against the larger (civilian) society. Our definition attempts to further the evolution and precision of the terminology provided by Arquilla and Ronfeldt given the changes in the cyber realm over the past two decades. See also Kinley (2008) and Yurcik (2000) for discussion of cyberaggression as an act of war.
13 Such a scenario was demonstrated in 2007, when a U.S. government test destroyed a generator using a cyber attack; the test was publicly reported in September of that year (Meserve 2007; Bruno 2008).
THE REQUIREMENTS OF CYBERDETERRENCE

"Deterrence is concerned with deliberate attempts to manipulate the behavior of others through conditional threats"; in essence, it is a "coercive strategy" (Freedman 2004, 6). As such, deterrence entails signaling the intent and capability to inflict damage once enemy behavior crosses a particular threshold. The contingent nature of deterrence is critical: the infliction of costs by a deterrer on a would-be attacker must be contingent on the attacker actually taking actions that have been proscribed as unacceptable. When you deter, you are attempting to influence future behavior with the promise of related future responses (Harknett 1996). Deterrence theory hinges on the principle of retaliation in kind, where the cost inflicted by the response will at least match the cost inflicted by the attack. "Reliance on deterrence assumed that the threat of force could contain hostile behavior of others" (Freedman 2004, 2). In contrast to the military history of offense and defense, which measures success by active war-fighting, deterrence success is measured by the absence of conflict itself. During the last half of the 20th century, war avoidance as a strategic outcome became the assumed default, because all sides in the cold war came to recognize the incontestability of nuclear weapons (Freedman 2004; Harknett 2000a). Implementing a dedicated deterrence strategy against cyberaggression entails establishing a credible commitment to respond to attacks. The credibility of deterrence depends on the capability to detect an attack, determine its source, and inflict appropriate cost in response. Importantly, the political will to carry out the promised retaliation must be signaled clearly in advance of any aggression. Cyberspace raises significant challenges for all of these necessary components of successful deterrence.
14 For definitional precision, cyberwar should be considered a sub-set of cyber-leveraged war identifying acts of war that involve only digital/computer-based destruction or disruption.
15 One element missing from most debate that is common to all three tiers is individual norms concerning security and how an individual's lack of security should be considered a national security concern. The July 2009 DDoS attacks leveraged, by some reports, 50,000 compromised computers that were infiltrated and used to launch the attack program (Markoff 2009b). In this sense, the lack of individual concern for computer safety (use of robust passwords, firewalls and updated security software) amounts to a significant capacity for cyberaggression. Serious effort must be dedicated to developing a civic sense of duty regarding personal computing to close this vulnerability gap. See Harknett and Stever (2009).
Published by The Berkeley Electronic Press, 2010
JHSEM: Vol. 7 [2010], No. 1, Article 22
TECHNOLOGICAL CAPABILITIES
In traditional military contexts, surprise attack has typically been sought to gain advantage on the battlefield. Once the attack is launched, however, surprise is lost and the battle ensues. In cyberspace, aggression against networks at the Tier 1 and Tier 2 levels is not easily detected and can be concealed for significant periods of time. There are over 3 million unauthorized attempts to access Department of Defense computers per day; U.S. government systems are the most targeted for cyberaggression in the world, and experts agree that only a small fraction of attacks are detected and/or reported (Dobitz et al. 2008, 7; Rollins and Wilson 2007, CRS-17).16 The "Moonlight Maze" (1998) and "Titan Rain" (2003) operations went undetected for many months, if not years (Rollins and Wilson 2007, CRS-17; Dobitz et al. 2008, 11).17 The nature of cyber-leveraged war is such that, as in traditional war, surprise can be attained (and is highly likely), but the disruption and destruction of assets in Tier 3 cyberaggression will make the situation rather obvious. The more unique feature in these instances, however, is that while the United States may know it is under attack, the identity of the attacker will likely not be readily apparent. Under current conditions, attackers in cyberspace have the upper hand in their ability to conceal their identities. In July 2009, attacks on U.S. and South Korean government websites were widely reported in the media, and while early speculation suggested North Korea was behind the attacks, this could not be verified publicly (Markoff 2009b; Kim 2009).18 The sheer volume of identity theft scams and spam on the internet attests to the underlying problem of source identification.19 The more confident a potential attacker is of remaining anonymous, the weaker deterrence becomes, so the technical ability to achieve source attribution is an essential requirement for deterrence credibility.
However, even if attribution is possible, an attacker must be convinced that the deterrer can inflict retribution, and this presents another significant problem for cyberdeterrence. Part of the measure of deterrence credibility is the appropriate linkage between the act that one wishes to deter and the retaliatory response associated with the prospective challenge. When implementing a dedicated deterrence strategy, the deterring state must choose a level of adversarial aggression that it finds unacceptable and signal to the adversary that any violation of the chosen threshold will result in retaliation. The mechanisms of signaling and the perceptions of capabilities associated with carrying out the threatened retaliation are of fundamental importance. Current articulated U.S. cyberdeterrence policy fails to deal with this calibration of deterrence adequately, primarily because the nature of cyberspace makes credibility nearly impossible to sustain.
16 A 2005 computer security report by IBM noted 237 million security attacks worldwide in the first half of that year, with the U.S. government leading with 54 million attacks reported. As noted, most attacks go undetected or unreported, and the number of instances has likely increased over the past several years.
17 The "Moonlight Maze" operation likely began in the spring of 1998 and, although details remain classified, the source was likely Russian. "Titan Rain" is suspected to have originated in China; it has received significant media attention, albeit years after the fact (see for example The Washington Post on August 25, 2005; TIME on August 29, 2005; The Guardian on September 5, 2007; and Forbes on February 24, 2008). These events attest to the challenge of detecting and attributing near-constant cyberaggressions.
18 North Korea's responsibility was leaked by South Korean officials in October 2009, but not confirmed by either the South Korean or U.S. government.
19 The number of identity theft victims rose 22 percent in 2008 to a record 9.9 million, which represents one in 23 U.S. adults. Losses totaled some $45 billion (Stempel 2009).
http://www.bepress.com/jhsem/vol7/iss1/22
THE INHERENT WEAKNESS OF CYBERDETERRENCE
Current U.S. doctrine for securing cyberspace states:
The Nation will seek to prevent, deter, and significantly reduce cyber attacks by ensuring the identification of actual or attempted perpetrators followed by an appropriate government response [emphasis added] (NSSC 2003, 29).
The security challenge in cyberspace is that the range of possible forms of attacks – the technology and sources behind them – evolves at an unprecedented rate. If one accepts "Moore's Law" – which suggests computational power doubles approximately every two years – the range of unanticipated innovation is extraordinary and the possible becomes probable rather quickly.20 Few anticipated the rapid development of wireless communication at speeds comparable to networked computing just a few years ago, and now investments in hard-wired data ports made within the last five years seem antiquated. Establishing a clear deterrent response to specified types of attacks leaves open the possibility that a specific type of challenge will not have been considered and, therefore, the challengers will not consider themselves susceptible to deterrent response.21 Since it is very difficult to anticipate forms of cyberaggression, current U.S. policy attempts to avoid this problem through the catch-all threat of “appropriate government response.” As a communication strategy, ambiguity can undermine deterrence in many ways. If the category of attack to be responded to is too broad and, therefore, attacks occur and little cost is exacted in response, potential attackers will find the deterrent threat hollow. The fact that thousands of minor attacks occur each day on U.S. government systems suggests that perpetrators are hardly concerned about repercussions.22 What are the costs associated with appropriate responses? Even if the United States identifies attackers, will they be deterred by such ambiguity? In the cold war, a delicate balance was struck between the awesome threat of nuclear use and the enunciated policy of when the nuclear threshold would be crossed. There was a desire to avoid absolute demarcation of what circumstances would lead to the nuclear launch order so as not to encourage the Soviet Union to consider attacks just short of the nuclear threshold. The ambiguity of the escalation ladder, however, was offset through deployment of nuclear weapons to the tactical level (so as to pose the problem to the Soviets that most aggression on their part would lead to nuclear use) and through the inherent capability credibility of the technology itself. Brinkmanship (aggression just short of casus belli) is very dangerous in a nuclear environment, because if you mismanage crisis dynamics the costs would be catastrophic. The undermining nature of ambiguous deterrent threats in cyberspace cannot be overcome in a similar fashion. Therefore, there is an incentive to bolster deterrence through clear articulation of what actions are unacceptable to the point that they will involve significant U.S. government retaliatory response; that is, communicate clear signals of intent. There is a structural dilemma (what might be termed "the Acheson Dilemma") here, however: clear articulation of response linked to specific challenges establishes what falls outside of the deterrent environment.23 However, broad catch-all commitments on what will be responded to will undermine deterrence credibility when sanctions do not occur.
20 Moore's Law, described by Intel founder Gordon Moore in a 1965 article, suggests the number of microprocessors on every circuit would double every two years. This prescription, which has remained generally on target since 1965, has come to represent in popular parlance the rate of technological change and the ratio of computing power per unit (Markoff 2009a).
21 Two classic examples of this type of deterrent failure are the 1950 North Korean attack on South Korea and the 1990 Iraq attack on Kuwait. In these instances, articulated U.S. policy may have led Kim Yong Il and Saddam Hussein to calculate they were not in a deterrence environment.
While this dilemma exists for all deterrence environments, it is particularly acute in the cyber realm given the uncertainty that exists about possible sources, the technology itself, and, therefore, what is in the realm of the "possible" for attackers. So programs launched to hack into Defense Department systems impact national security because the system under attack is directly related to national security; however, the same essential technique might be directed at a business and would be classified and handled clearly as a criminal act. Are the former attacks to be included in the list of actions for which the United States will respond with force because of the system under attack? If that is perceived as disproportionate (it is treated as mere crime elsewhere) it becomes unrealistic to make such retaliatory threats, and yet to make such threats and not follow through will undermine deterrence. Following this logic through, however, leaving such attacks off the list of what will be deterred robustly simply invites attack. This challenge is compounded by a related second conundrum – the Menu Dilemma – that is again exacerbated by the features of cyberspace. Simply put, the deterring state has an incentive to rely on a range of deterrent responses so as to enhance the ability to respond to various sorts of attacks (anticipated and unanticipated). Ideally, the United States wants to deter as much cyberaggression as possible and, therefore, has an incentive to calibrate appropriate responses to specific actions to enhance deterring such actions. So, criminal acts are conceived as more credibly deterred through legal mechanisms than military ones, while acts of war are subject to military response. However, this flexibility in response provides the challengers the opportunity to manipulate their attack to a level of maximum advantage-minimal cost; in essence, to select from a menu of attack options. In its current form, U.S. cyberdeterrence strategy rests on the ambiguous doctrine that cyber attacks will elicit “appropriate government response” (NSSC 2003, 17). In practice, the range of response includes:
• Monetary fines
• Incarceration
• Diplomatic isolation
• Economic sanctions
• Direct cyber counteraction
• Kinetic military response (conventional or special-ops)
Since deterrence credibility requires clear signaling of costs associated with unacceptable actions, cyberdeterrence faces a problem of complexity and application. A challenger can adjust attacks to the threshold of response they may find (from a cost infliction standpoint) acceptable. Cyberaggression of the first and second tier nature (cybercrime and cyberespionage) elicits responses in which cost infliction can be perceived as distant and manipulable.
22 One way to begin to reduce this slightly would be a national effort to publicize criminal prosecutions of cybercrime and cyber attacks on government systems, thus establishing a norm of unacceptability and some expectation of cost. Interestingly, most private sector entities have defaulted to very low profile responses in order to reduce attention to cyber vulnerabilities. The business response to cyberfraud has been to build it into their business models and, of course, the market has responded with a new line of business ventures to protect against identity theft.
23 U.S. Secretary of State Dean Acheson made a speech in 1949, in part to articulate clearly U.S. vital interests abroad. It was understood to signal an umbrella of protected states that the United States would not allow to fall into communist hands. Acheson did not mention Korea. When South Korea was attacked in June 1950, the question arose as to whether the previous omission of Korea led communist planners to be more aggressive on the expectation that the United States would not respond.
Fines and incarceration can be contested and potentially avoided through courts (even if you are caught overseas and extradited) and diplomatic isolation and sanctions have notoriously been weak as deterrents. Direct cybercounteraction can inflict damage to a challenger’s digital capacities, but two factors – offensive advantage and blowback (discussed below) – tend to undermine the cost infliction credibility here as well. So, most cyber attacks may be calibrated to fall just short of the threshold related to kinetic military responses. While the introduction of more clarity about the type of deterrent responses reduces ambiguity undermining deterrence, the strategy can also suffer from challengers having enough information about deterrent capabilities to design around them. The problem is that none of the range of “appropriate government responses” in cyberspace benefit from the capability credibility associated with nuclear deterrents. Judicial responses through to and including conventional military responses are all open to some manipulation in which the challenger may convince themselves that the promised deterrent costs threatened in response can be contested and reduced to an acceptable level.
The apparent solution to both of these problems is to set the response threshold at a very low level and punish everyone harshly who crosses the threshold;24 however, such an approach leads to a significant self-limiting problem that again suffers from a credibility problem – the Decision Dilemma. Are decisionmakers willing to kill people who disrupt or destroy data? Acts of war have tended to allow for such a response. In the continuum of cyberaggression, the range of possible attacks that can undermine critical national infrastructures is significant and growing. It is important to note that attacks may have both immediate and lingering effects. Purposeful interruption of an electrical grid25 will not only cause immediate hardship, but will have economic repercussions as people respond with new approaches to securing electricity. But is that direct interruption of electrical service through disruption of SCADA systems of sufficient provocation that the United States will launch a cruise missile attack on the organization or state that was behind the attack?26 A robust national deterrence strategy directed at cyber-leveraged war ultimately moves decision-making out of the military operational realm into the political strategic environment with all that that entails. The credibility of deterrence at this stage depends not only on the capability to detect attack, determine its source and inflict appropriate cost, but also on the political will to carry out the promised retaliation. The point here is that reliance on kinetic military operations as an ultimate deterrent in cyberspace may be less credible than one tends to think because it remains contestable at both the cost infliction level and at the level of political will. The response may be disproportionate, inadequate or may not come at all.27 This holds for all deterrence, but the ambiguity associated with cyber attacks raises the decision dilemma further. 
You cannot sustain a deterrence strategy of bluff and thus you can only attempt to deter those things to which you are willing to respond. It is unclear as to what norm can be applied in relation to digital attacks of disruption and destruction of data and use of force responses. Decisionmakers will struggle with this formula.
24 Here, we leave aside the real problem of whether the source of the attack can be identified.
25 Societal reaction to a purposeful attack on infrastructure is likely to be different from interruptions caused by natural forces. The psychological fear of the next attack will impact individual behavior more significantly than concern over the chance of a future wind storm damaging the same electrical lines.
26 One might consider a digital retaliation meant to destroy the attacker’s digital infrastructure. Whether this would be sufficient cost infliction is open to debate given the low entry cost for offensive action. Additionally, the technique of using botnets, essentially co-opted personal computers as the “army” engaged in the attack, raises the unacceptable prospect of damaging our own populace’s computing infrastructure.
27 One reason put forth for the need for the United States to achieve a recognizable level of success in both Iraq and Afghanistan is to avoid undermining the deterrence credibility of our military forces. If challengers conclude that they can fight and outlast the United States, deterrent threats that promise the United States will respond militarily to attacks on its interests will be severely undercut for motivated challengers.
FACING THE REALITY OF CYBERAGGRESSION
Success in avoiding nuclear war has encouraged strategists to extend the notion of deterrence to all realms of conflict, and reference to it is pervasive in U.S. security documents. Military and academic theorists continue to assume its utility as an organizing construct. As one comprehensive evaluation notes, “deterrence should and will remain a core concept in our twenty-first century national security policy, because the prevention of war is preferable to the waging of it” (Chilton and Weaver 2009, 31). What is problematic about this default orientation is that most current literature acknowledges the challenges of cyberspace that we have delineated above as they relate to deterrence, and yet does not argue that cybersecurity needs to fundamentally rest on a different security framework. For example, Martin Libicki offers intriguing analysis that ultimately hedges, stating: “Granted, it is both extreme and unnecessary to foreswear deterrence (that is, to repeat, deterrence through punishment in kind) altogether, if only to have a credible response when some state openly challenges the United States in that realm” (2009, 176-177). However, the author asserts that before contemplating deterrence as its primary response to the threat of state-sponsored cyber attacks, the United States may first want to exhaust other approaches, such as diplomatic, economic, and prosecutorial means (Libicki 2009, 176-77). The problem here is to distinguish between organizing frameworks and security effects. National security policy should arrange security capabilities around strategies that will produce the most security possible in any realm of conflict. The credible threat (having the operational means) of preventive offense, preemptive strike, retaliatory response, or resilient defense can, each in its own way, give pause to potential challengers – that is, each can produce deterrent residuals.
However, the essential question of this article is whether the United States should anchor its cybersecurity capabilities around the framework of deterrence, which presumes that the main strategic objective of war avoidance is achievable in a sustained manner. The empirical record to date regarding cyberaggression does not support the basic assumption that avoidance of cyberaggression is sustainable. Leaving aside lower tiers of cyberaggression, while the prevention of cyber-leveraged war may be preferable, it is not sustainable. Basing U.S. national security strategy on a framework fundamentally geared toward prevention will prove disastrous, when the strategic environment requires an attack posture of mitigating damage (defense) and undermining the attack capacity of opponents (offense). We cannot squeeze security threats to fit our conceptual preferences; our security strategies must face the reality of the threats themselves. Again, while there is recognition of the challenges of cyberspace among analysts, setting aside deterrence as an organizing structure has been rejected. Two re-adjustments to traditional deterrence approaches have been offered to deal with emerging 21st century threats, but, according to our analysis, neither can overcome the distinctive nature of cyberthreats.
In 2003-04, U.S. Strategic Command initiated a review of the relevance of deterrence.28 The review ultimately offered the notion of tailored deterrence as a response to the extensive list of threats the United States faces. Re-affirming the applicability of tailored deterrence, Kevin Chilton and Greg Weaver recently stated “effectively influencing a competitor’s decision calculus requires continuous, proactive activities in the form of deterrence campaigns tailored to specific competitors. Competitors have different identities, interests, perceptions, and decision-making processes and we may seek to deter each competitor from taking specific actions under varied circumstances” (2009, 34). It is extremely difficult to tailor response against attacks from sources not easily identified. The National Strategy for Securing Cyberspace itself noted, “the speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult, a task which often occurs only after the fact, if at all” (2003, viii). The attribution problem undermines tailored deterrence significantly. Tailored deterrence rests on just the opposite evaluative model suggested as essential for cybersecurity earlier in this article. Given the difficulty of attribution, security responses must be based on outcomes to be avoided (or contained) and not the traditional focus, which assumes that type of response depends on who attacks. The deterrent credibility of tailored responses is also undermined by the very contestable nature of the potential deterrent responses themselves. In order to enhance the credibility of a cyberdeterrence approach, the United States would have to convince prospective challengers that the specific tailored response will inflict unacceptable costs (Rattray 2001, 475). However, revealing cyber tactics and capabilities in advance will provide challengers with enough information to design around the tailored threat. 
A structural dilemma thus exists: tailored credibility suffers if the challenger is unconvinced that unacceptable costs can be inflicted; but the actions taken to convince will provide a pathway to avoid or mitigate the deterrent costs and, therefore, the deterrent threat will fail.29 The second refinement that has been offered to retain deterrence as the relevant security framework is found in the current National Strategy for Homeland Security, which calls for “the concept of deterrence by denial” (2007, 25). This approach suggests that if defensive measures can be taken that raise the hurdles of attack sufficiently so that the likelihood of success is quite low, a challenger will be disinclined to attack in the first place. A strong defense does not simply mitigate costs if an attack occurs, but it can dissuade attacks from beginning.30
28 See Strategic Deterrence Joint Operating Concept (2004).
29 Chilton and Weaver (2009) acknowledge this condition as a difficult decision trade-off; however, it is much more fundamental and problematic because it is a structural condition of relying on contestable deterrent threats. For more on contestability and deterrence, see Harknett (1994).
30 One should note that offensive attack may be motivated to achieve a gain, but also to avoid a loss. Thus, effective deterrence must calibrate not only how much cost an attacker will bear to achieve an expected benefit, but also how unacceptable the current status quo is to a prospective attacker. The costs from denial must outweigh costs associated with maintaining an unacceptable status quo.
Deterrence by denial may work in a very specific strategic environment; namely, where the marginal cost of increasing defensive measures is lower than the marginal cost required of increasing offensive measures to achieve success on the attack. This cost measure includes the totality of time, energy, and finances needed to bring about technical, tactical, and operational innovations that will undermine defensive measures sufficiently to make achievement of some goal through offensive attack plausible.31 An environment in which defensive measures can outpace offensive innovations can be understood as defense-dominant and potentially supportive of deterrence by denial approaches. Relying on deterrence by denial, as NSHS 2007 espouses, must be distinguished from temporary deflection of attacks through superior defense. An attacker that is continually probing, but does not launch a full attack because they cannot get around a strong defense, is not an attacker being deterred; it is an attacker being frustrated and contained (defended). One might suggest that a strong defense provides some residual deterrent effect in that a frustrated attacker may have to give up a certain prospective line of attack; but you have not changed the attacker’s decision calculus from one seeking to achieve objectives through aggression to one that seeks the same objectives while avoiding war (the difference between an offense-defense strategic environment and a deterrence-dominated strategic environment). The elementary conditions of cyberspace completely undermine deterrence by denial. Simply put, cyberspace is an offense-dominated security environment. First, the overall marginal cost to innovate and initiate offensive attack is very low. The technology (hardware/software) is widely available and continues to become more accessible (ease of use and financial cost).
For example, in an attack against financial institutions in 2009, off-the-shelf software available for $40 was modified to penetrate the ATM systems of the Royal Bank of Scotland.32 Second, the skills needed to use digital technology and computer-based networked systems are proliferating across the global population exponentially (there are more computer-literate teenagers than nuclear physicists). The combination of accessible technology and growing skill sets creates a vibrant innovation environment. When put into military security terms, while nothing precludes innovation on defensive measures, there is very little burden toward innovation itself and, therefore, we can assume that a foundational feature of the strategic cyber environment is constant offensive innovation as an extension of Moore’s Law. Cyber attackers expend little of their offensive potential in probes and reconnaissance (and even broader, low level attacks) relative to the defensive countermeasures they face, and, therefore, are not deterred by the prospect of attacks that fail to achieve success ("Gates: Cyber Attack A Constant Threat," 2009). In fact, the marginal costs are low enough that attacks can be launched that assume failure simply in an effort to learn more about the defensive measures that are in place. Analysis of suspected Chinese-sponsored aggressions suggests initial phases are often used to gain access or gather information on users and/or defenses to use in more sophisticated follow-on attacks (Northrop Grumman 2009, 51-58). In an offense-dominant strategic environment, attrition warfare may be quite acceptable as a strategy to achieve the challenger’s goals. Distributed Denial of Service attacks have this feature. Servers are bombarded with expendable assets in frontal assaults that, unlike conventional military battlefields such as those of the First World War, do not necessarily bleed the challenger dry. The use of botnets of private computers provides a tremendous reservoir of offensive capability that is not easily cut off. Because compromised computers used for botnet attacks are also individual platforms that produce business, economic and communication outcomes for their owners, damaging those computers in response to attacks can have secondary blowback effects on the U.S. economy (inducing such blowback, in fact, may be a strategic objective of the attack).
31 It is important to note that for deterrence to fail, the attacker need only perceive that success is plausible at an acceptable price.
32 The software Black Energy, developed in Russia, is widely available. A more sophisticated version to steal bank account log-in data was sold on the internet for $700 (Gorman and Perez 2009).
OFFENSE-DEFENSE, DETERRENCE, AND THE INFORMATION AGE
A substantial academic literature on deterrence has informed security policy for decades. In the case of cyberspace, however, the significant literature on offense-defense theory33 provides a more suitable basis for developing effective cybersecurity responses. The main focus of the offense-defense framework is the offense-defense balance (ODB) as an explanatory variable. Most of the hypotheses found in this literature suggest specific dynamics can be associated with strategic environments that bias towards offense, towards defense, or are balanced. Studies have found, for example, that an offense-favorable balance leads to a higher incidence of war; certain forms of alliances; more intense arms racing; brinksmanship and crisis escalation; and higher barriers for international cooperation, with the opposite dynamics holding true when defense dominates (Biddle 2001, 745).34 Much of the debate within the literature has been around developing more precision in measuring the ODB. While the specific range of measures varies, generally offensive environments reveal the traits noted earlier (low marginal cost and lower relative skill) and dynamic factors of force employment. Stephen Biddle (2001) has suggested that the combination of the base technology, the numerical balance of forces and the core tactics available to combatants will define the offense-defense strategic balance. A preliminary application of these traditional military measures to cyberspace supports the assessment of an offense-dominant environment. Not only does the technology have a significant marginal cost advantage, but the reservoir of offensive forces can be organized to gain numerical advantages that are exponentially greater than what is available to the defense. This is a structural condition of cyberspace. We have already noted on the offensive side the ability to bring tens of thousands of computers together as botnet armies, but it is important to note the rather fragmented nature of defensive forces. Critically, defensive forces are divided across the broad private-public chasm. Government agencies charged with protecting U.S. critical infrastructure are limited in their ability to actively participate in the defense of those infrastructures that are privately-held (and privately defended). Within specific private industry, there is a structural obstacle to coordinated defense in that each company is an economic competitor of the other. There are limits to the coordination possible between CitiBank and Bank of America due to proprietary rights. In fact, “competing” for customers by being better at securing one from identity theft is built into the business model. While better coordination between government and industry and across private companies can develop to work against catastrophic failures, a level of fragmentation will remain and, thus, create an inherent numerical offensive advantage. Perhaps most significantly, the operational opportunities open in cyberspace again bias toward the offense.35 Biddle (2001) notes that to the degree that cover, concealment, dispersal of forces, mobility, and rapid infliction of cost are available to offensive forces, the ODB will favor the offense. In cyberspace, all of these measures are in place.
33 For a detailed discussion of offense-defense theory, see Quester (1977), Jervis (1978), Levy (1984), Glaser and Kauffman (1998), Van Evera (1999), Lieber (2000), Biddle (2001), Adams (2003-04), and Brown et al. (2004).
34 A deterrence perspective does not orient overall policy towards these critically important areas of focus. Adopting an offense-defense approach, thus, not only produces a more appropriate strategy response, but it encourages thinking about the dynamics of alliances, for example. In cyberspace, what conditions will promote states to align with non-state groups in cyber attacks? Russian nationalists, not the Russian government, were credited with attacks on Lithuanian and Georgian internet sites, but what relationship exists? Is this purely independent, encouraged but not directed, or a cyber mercenary structure acting as an effective ally?
Cyberaggressors can cover their attacks with ease, and concealment (avoiding attribution) remains high. Attacks can come from many flanks simultaneously, using servers and digital devices globally. The mobility gained from being able to move attacks from one server base to another line of attack again advantages the offense. Finally, the sheer speed of cyberaggression creates an enormous advantage. The 2009 FBI indictment in the Royal Bank of Scotland case notes that over $9 million was stolen from 280 ATMs worldwide in a matter of hours (Gorman and Perez 2009). Again, structural limitations on the defensive side compound this advantage on the offensive side. Operationally, defenses are more effective to the degree that they can be layered in depth. Ease of access is one of the main advantages of the digital world and an inherent feature of the internet and related digital technologies. If concerned about security/defense, one naturally assumes a primary organizing principle of limiting access; the internet and related technologies are built on the opposite default principle. The convenience and efficiency gained through easy access are now essential cornerstones of life in the digital world. The system and its structure cannot be reinvented, but only modified. Thus, more code can be "layered" into networks, but this cannot close the offensive advantage. More defensive code, counter-intuitively, may in fact produce more opportunities for offensive operations. Overburdened systems will tend to crash more easily, and more sophisticated security protocols may be ignored by users, requiring more automation; in the language of an offense-defense environment, these are more catastrophic breakthrough points. Defense in depth requires more cumbersome programming, intrusive management of systems, and coordination across private-public networks – none of which is likely to be easier to sustain than offensive innovations. Across all measures, cyberspace is an extreme case of an offense-dominated environment. Deterrence is unachievable in such a battlespace.

[35] For discussion of ODB as an operational-level variable, see Biddle (2001) and Adams (2003-04).
CONCLUSION

Cyberaggression exists in a realm of constant attack and counteraction. It is a strategic environment of offense-defense that requires a national cybersecurity strategy that emphasizes the need for war-fighting capabilities, rather than war-avoidance postures. Improved security will rest on the United States obtaining defensive capabilities that can actively blunt attacks (as opposed to dissuade them) and offensive capabilities that can advance U.S. interests and mitigate the damage of enemy attacks by degrading their capacity to sustain such attacks. If some actors are dissuaded from certain levels of attack due to robust defenses or preemptive offensive capabilities, this should be considered a by-product of sound defense planning (a momentary deterrent residual), but not an expected strategic objective that can be sustained over time. Planning should assume that such a robust defense, because it is robust, will be undermined eventually, as the offense-dominant nature of the environment will allow the attacker to innovate technically, tactically and operationally with some prospective success. The inherent characteristics of cyberspace require adoption of a full war-fighting posture that moves out of the fifty-plus year comfort zone of deterrence as the dominant strategic anchor. We must organize thinking about managing cyber-leveraged war so that damage is contained and reduced. Counter-intuitively, these futuristic threats require us to adopt the historical posture of traditional warfare. This does not mean we must accept a perpetual state of war in cyberspace. Importantly, as the ubiquity of cyber grows societally across the globe, effective norms against cyberaggression will become increasingly important in reining in unacceptable forms of behavior in this new realm of human interaction. But, in facing down threats to national security, the United States must organize itself around the reality of war preparation and fighting, rather than the hope of avoidance, as the principle upon which cybersecurity will be advanced.
REFERENCES

Adams, Karen Ruth. 2003-04. "Attack and Conquer: International Anarchy and the Offense-Defense Deterrence Balance." International Security 28, 3 (Winter), 45-83.
Arquilla, John and David Ronfeldt. 1993. "Cyberwar is Coming!" Comparative Strategy 12 (Spring).
_______1997. In Athena's Camp: Preparing for Conflict in the Information Age. Santa Monica, CA: RAND.
Biddle, Stephen. 2001. "Rebuilding the Foundations of Offense-Defense Theory." Journal of Politics 63, 3 (August), 741-744.
Brown, Michael E., Owen R. Coté Jr., Sean M. Lynn-Jones, and Steven E. Miller. 2004. Offense, Defense, and War. Cambridge, MA: MIT Press.
Bruno, Greg. 2008. "The Evolution of Cyber Warfare." Council on Foreign Relations, February 27, 2008. http://www.cfr.org/publication/15577/evolution_of_cyber_warfare.html?breadcrumb=%2F
Chilton, Kevin, General, and Greg Weaver. 2009. "Waging Deterrence in the Twenty-First Century." Strategic Studies Quarterly (Spring), 31-42.
Dobitz, Kyle, Brad Haas, Michael Holtje, Amanda Jokerst, Geoff Ochsner, and Stephanie Silva. 2008. "The Characterization and Measurement of Cyber Warfare." USSTRATCOM Global Innovation and Strategy Center (GISC) Project 08-01, May 2008. http://handle.dtic.mil/100.2/ADA497907
"Foreign Government Inspire Cyber Attacks on Corporate Targets." 2009. Intellisec: Decision Risk, and Forensics, July 5, 2009. http://www.intellisec.com/blog/2009/07/05/foreign-government-inside-cyber-attacks-oncorporate-targets-forensic-protection/
Freedman, Lawrence. 2004. Deterrence. Malden, MA: Polity Press.
"Gates: Cyber Attack A Constant Threat." 2009. CBSNews.com, April 21, 2009. http://www.cbsnews.com/stories/2009/04/21/tech/main4959079.shtml
Glaser, Charles L. and Chaim Kaufmann. 1998. "What is the Offense-Defense Balance and Can We Measure It?" International Security 22, 3 (Spring), 44-82.
Gorman, Siobhan and Evan Perez. 2009. "FBI Probes Hack at Citibank." December 22, 2009. http://online.wsj.com/article/SB126145280820801177.html
Gorman, Siobhan, Yochi J. Dreazen, and August Cole. 2009. "Insurgents Hack U.S. Drones." December 17, 2009. http://online.wsj.com/article/SB126102247889095011.html
Harknett, Richard J. 2004. "Integrated Security: A Strategic Response to Anonymity and the Problem of the Few." In National Security in the Information Age, ed. Emily O. Goldman. Portland, OR: Frank Cass.
_______2000a. "State Preferences, Systemic Constraints, and the Absolute Weapon." In The Absolute Weapon Revisited, eds. T.V. Paul, Richard J. Harknett, and James J. Wirtz. Ann Arbor, MI: University of Michigan Press.
_______2000b. "Threat as Outcome: The Security Challenge of Information Technology." ITIS Working Paper No. 1, Joint Center for International and Security Studies.
_______1996. "Information Warfare and Deterrence." Parameters (Autumn), 93-107.
_______1994. "The Logic of Conventional Deterrence and the End of the Cold War." Security Studies 4, 1 (Autumn), 86-114.
Harknett, Richard J. and James A. Stever. 2009. "The Cybersecurity Triad: Government, Private Sector Partners, and the Engaged Cybersecurity Citizen." Journal of Homeland Security and Emergency Management 6, 1 (December).
Jervis, Robert. 1978. "Cooperation Under the Security Dilemma." World Politics 30, 2, 167-214.
Kim, Jack. 2009. "North Korea behind cyber attacks: South's spy chief." Reuters.com, October 29, 2009. http://www.reuters.com/article/idUSTRE59T09B20091030
Kinley, Kelli. 2008. "What Constitutes an Act of War in Cyberspace?" Master's paper presented to the Air Force Institute of Technology, March 2008. http://handle.dtic.mil/100.2/ADA480404
Levy, Jack S. 1984. "The Offensive/Defensive Balance of Military Technology: A Theoretical and Historical Analysis." International Studies Quarterly 28, 2 (June), 219-238.
Libicki, Martin C. 2009. Cyberdeterrence and Cyberwar. Santa Monica, CA: RAND Project Air Force.
_______1998. "Information War, Information Peace." Journal of International Affairs 51, 2 (Spring).
Lieber, Keir A. 2000. "Grasping the Technological Peace." International Security 25, 1 (Summer), 71-104.
Markoff, John. 2009a. "After the Transistor, a Leap into the Microcosm." New York Times, August 31, 2009. http://www.nytimes.com/2009/09/01/science/01trans.html
_______2009b. "Internet's Anonymity Makes Cyberattack Hard to Trace." New York Times, July 16, 2009. http://www.nytimes.com/2009/07/17/technology/17cyber.html
Meserve, Jeanne. 2007. "Mouse click could plunge city into darkness, experts say." CNN.com, September 27, 2007. http://www.cnn.com/2007/US/09/27/power.at.risk/index.html?iref=newssearch#cnnSTCVideo
Northrop Grumman. 2009. Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation. Prepared for the US-China Economic and Security Review Commission, October 9, 2009. http://handle.dtic.mil/100.2/ADA509000
Quester, George H. 1977. Offense and Defense in the International System. New York, NY: Wiley.
Rattray, Gregory. 2001. Strategic Warfare in Cyberspace. Cambridge, MA: MIT Press.
Rollins, John and Clay Wilson. 2007. Terrorist Capabilities for Cyberattack: Overview and Policy Issues. Congressional Research Service (CRS) Report for Congress, January 22, 2007.
Stempel, Jonathan. 2009. "Identity Fraud Up in Total Dollars, Victims." Reuters.com, February 9, 2009. http://www.reuters.com/article/domesticNews/idUSTRE51831G20090209
Stout, David. 2000. "Youth Sentenced in Government Hacking Case." New York Times, September 23, 2000. http://www.nytimes.com/2000/09/23/us/youth-sentenced-ingovernment-hacking-case.html
The United States Government. 2009. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure. http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
_______2007. National Strategy for Homeland Security. http://www.whitehouse.gov/homeland/book/
_______2006. U.S. National Security Strategy. http://www.whitehouse.gov/nsc/nss/2006/
_______2004. Strategic Deterrence Joint Operating Concept. http://www.dtic.mil/dtic/
_______2003. National Strategy to Secure Cyberspace. http://www.whitehouse.gov/pcipb/
_______1998. A National Security Strategy for a New Century. http://www.au.af.mil/au/awc.awcgate/nss/nssr-1098.pdf
Van Evera, Stephen. 1999. Causes of War: Power and the Roots of Conflict. Ithaca, NY: Cornell University Press.
Wilson, Clay. 2007. Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. Congressional Research Service (CRS) Report for Congress, November 15, 2007.
Yurcik, William. 2000. "Information Warfare Survivability: Is the Best Defense a Good Offense?" Proceedings of the 5th Annual Ethics and Technology Conference, Loyola University, Chicago, IL, USA, July 2000.