Sign In

Communications of the ACM

BLOG@CACM

Stop Trying to Deter Cyberattacks


In world affairs, the concept of deterrence—the notion of convincing an opponent to refrain from attacking or otherwise acting aggressively—has a long, checkered history.  Nevertheless, today there are determined efforts under way by soldiers, scholars, and scientists in many countries to try to make deterrence work in cyberspace.  They should contemplate not only the current technical challenges to cyber deterrence, but also the overall record of the deterrence concept.  It might make them think twice, and then switch their focus simply to shoring up defenses.    

One of the most famous deterrence failures was the costly construction of a German battle fleet in the decade or so before the outbreak of World War I in 1914.  The idea was that this "risk fleet" posed such a threat to do grievous damage to the Royal Navy that Britain would stay out of a Continental conflict.  It didn’t work, and a naval blockade was put into force that eventually strangled the German war effort.  A generation later, the French made a massive investment in the Maginot Line, based on the hope that it would deter a German attack.  Another failure.

More generally, Paul Huth’s Extended Deterrence and the Prevention of War, a seminal study of all efforts to deter attacks on one’s friends or allies during the period 1885-1984—nearly sixty instances—reflected a global failure rate exceeding 40%.  A pretty chancy business, especially when open warfare was often the outcome of the failures of deterrence.  Also, it is especially worth noting that, in cases in which the deterring power was significantly weaker than the aggressor, the failure rate rose to 100%.

Even in the nuclear realm—where the bizarre notion of "mutual assured destruction" (MAD) is supposed to keep all safe from Armageddon—the record of deterrence has been spotty, mostly because nukes are only good for deterring nukes.  Atomic weapons have done virtually nothing to deter other forms of aggression and subversion, from the Vietnam era to the more recent annexation of Crimea that saw Russia easily sweep aside the Budapest Agreement that supposedly guaranteed Ukraine’s territorial integrity.

With the foregoing in mind, the key question today is, "Given the very problematic historical record, why should anybody think that cyber deterrence will somehow now become a useful and functional policy option?"  And when one adds the fresh wrinkles of anonymity and/or deniability of the perpetrator, the low cost—relative to other forms of aggression—of cyberspace-based attack, and the virtually nonexistent barriers to entry that diffuse power to swarms of hackers, the goal of achieving reliable, robust cyber deterrence seems well out of reach.

Some leaders from around the world’s military, intelligence, and policy communities recognize the daunting challenge of cyber deterrence, and have chosen to "bulk it up" with a range of punitive options. I am aware, for example, of a strand of thinking that extends across the U.S. defense establishment and the civil government that urges including economic sanctions and—very much depending on the level of cyber disruption that is done—even the possibility of taking military retaliatory action in response to virtual attacks.

The problems with these options are manifold. First and foremost, the attack may come from a network, not a nation, and neither the identities of the network members nor their links to hostile nations may ever be reliably determined. As to nations that have been singled out as cyber malefactors—see the current case of the U.S. charging Russia with interference in the presidential election—imposing sanctions isn’t much of an option.  There is little trade between the U.S. and Russia, and retaliatory economic action by Moscow, say by withholding natural gas deliveries to Western Europe, would be devastating.

As to any kind of military retaliatory action, that would simply be out of the question against a major power like Russia, or China, or even a small but bellicose country like North Korea. More likely than not, the threat to take military action against almost any country in retaliation for a cyberattack will be seen as hollow.  We don’t yet live in a world where a death-dealing blow is seen as an ethical response to hacking.

So, whither cyber deterrence?  In my view, let it wither. History tells us deterrence has generally been a weak reed. Let us learn that lesson.  But perhaps there is another historical insight that can be plumbed to guide our thinking. In his magisterial study, The Grand Strategy of the Roman Empire, Edward Luttwak noted that Roman leaders were highly skeptical about the very idea of deterrence. Instead, they built a system based on perimeter, as well as depth, defenses, for they knew the Empire "did not face a single enemy, or even a fixed group of enemies, whose ultimate defeat would ensure permanent security . . . the frontiers would always remain under attack."

So it is on the electronic frontiers today which undoubtedly will "always remain under attack." Rome’s defenses lasted for several centuries, the Byzantine half of the Empire for 1,000 years after the fall of Rome.  May we be as fortunate in cyberspace.


 

No entries found