Sign In

Communications of the ACM

[email protected]

Deterrence After Stuxnet


John Arquilla

In his classic Deterrence before Hiroshima, George Quester noted how quickly—just a decade after the dawn of powered flight—aircraft were put to use for purposes of the "rapid infliction of great pain on civilian populations." During World War I, German long-range strategic attacks were carried out with Zeppelin airships and Gotha fixed-wing bombers. Damage was relatively light, but the fear generated was great. By World War II, combatants on both sides had developed considerable capacities for turning enemy cities to rubble via aerial bombardment—a principal goal pursued with bloody gusto, undeterred by retaliatory threats. 

Only the emergence of atomic weapons, with their appalling destructive power, began to spark serious thinking about deterrence after the hecatombs of Hiroshima and Nagasaki. Thus emerged an odd sort of strategic stability—and also a suicide pact—in the form "mutual assured destruction" (MAD), which is still the regnant doctrine today. The innocent are held hostage by the threat of nuclear holocaust—in perpetuity. 

Cyber weaponry may be following a similar path in the wake of the Stuxnet attack on Iran in 2009-10, which proved bits and bytes can cause physical destruction of the sort normally achieved by bombs and bullets. No doubt other such worms are in development—in very many places—along with viruses and other elements of virtual arsenals. The most significant difference between attack from the air and strikes from cyberspace is that the latter are disruptive rather than destructive. Another difference is that, where it takes great national power to mount sustained aerial bombing campaigns, a high barrier to entry, first-rate cyber attack capabilities can be achieved by many nations—as well as by networks of non-state actors. 

Thus the apparent "usability" of cyber attack (causing disruption is more thinkable than effecting mass destruction) and the relatively easier "accessibility" of such a capability (due to much lower cost, along with widely diffused global expertise) may create a situation in which deterrence becomes problematic. When the "D" in MAD stands for "destruction," deterrence is robust. But when the grim acronym is read as "mutual assured disruption," a less stable situation will likely arise.

Therefore, the relevance of thinking about deterrence in the pre-atomic age should be recognized, and considered in the international discourse on cyberwar. Indeed, it is striking to see, even in quite early works, the rejection of MAD-like scenarios. For example, in his book Air Defence, published in 1929, E.B. Ashmore concluded retaliatory threats would not deter; rather, they would lead to the "spectacle of two nations hammering away at each other's capital, with no immediate object but mutual destruction." 

Instead of reliance on retaliatory action, Ashmore argued in favor of developing air defenses. His voice, and some others, carried enough weight to encourage British leaders to design and build a very effective Fighter Command—a defense network in which radars and observation posts were to vector in attack aircraft to intercept enemy bombers. The system worked well enough to win the Battle of Britain, but it did not, in the first place, deter the Luftwaffe from trying to bring England to its knees by means of aerial bombardment. 

The situation is likely the same with cyberspace today. The threat of retaliation with virtual weapons of mass disruption probably won't deter, for the same reasons that air attacks were to spark Ashmore's "spectacle of mutual destruction" during World War II. The urge to hit back is simply too great, especially if doing so doesn't run the risk of apocalyptic results for all, as an exchange with atomic weapons does. Nuclear deterrence is a "one-off" situation; strategic cyber attack is much more like the air power situation that was developing a century ago, with costly damage looming, but hardly societal destruction.

An important further wrinkle today is that cyber attackers may be able to hide behind a veil of anonymity, or of plausible deniability—as so many powers, great and small, already have. Even when the identity of the attacker is uncovered, if the malefactor is a network rather than a nation, it is unclear against whom and how to retaliate. 

The simple fact of the matter is that, absent the enthusiastic enactment of some kind of international agreement to refrain from cyber attacks on civilian targets (nobody is likely to keep from striking information systems of militaries in time of open warfare), deterrence is in pretty poor shape. Yes, nuclear deterrence still looks quite robust, but when it comes to cyber attack, the world of deterrence after Stuxnet looks remarkably like the world of deterrence before Hiroshima: bleak.

The challenge now is to design an Information Age version of Britain's Fighter Command of 75 years ago. Evidence at hand suggests most of the world's nations are quite far from that goal. The United States is a particular laggard, as former Washington cyber czar Richard Clarke sees it; in his book Cyber War, his assessment of the virtual defenses of the leading cyber powers puts the United States in last place. The best cyber defenses, he asserts, are in North Korea, followed in order by China, Russia, and Iran. Perhaps they have all been reading up on the origins, development, and performance of Fighter Command.


 

No entries found