DETERRENCE IN CYBERSPACE:WHY IS IT HARD?

POL370F

PROF. BENJAMIN BARTLETT

MIAMIUNIVERSITY

REMINDER: TWO MAIN TYPES OF DETERRENCE

1. Deterrence by denial.
2. Deterrencebypunishment.

WHAT DOES DETERRENCE BY DENIAL INCYBERSPACELOOKLIKE?

1. Build up your defenses (anti-virus/firewallsoftware, good security practices, training, etc.).
2. Advertise those defenses.

WHAT MAKES DETERRENCE BY DENIAL INCYBERSPACE DIFFICULT?

1. Difficultto make your defenses“forbidding”: hardto find, much less close,all vulnerabilities; “weakest link” problem; etc.
2. But, also hard to advertise defenses:
1. Many of your defenses (training, procedures, etc.) are not observable.
2. Advertising the particular security software, etc., you are using makes you morevulnerable.
3. (Also,ironically,advertisinghowstrongyourdefensesarecanattract a certain kind ofhacker, though it may deter other types of adversaries.)

WHATDOESDETERRENCEBYPUNISHMENTLOOKLIKEINCYBERSPACE?

• Intruth,deterrencebypunishmentincyberspacelookslikeanyother case of deterrence by punishment.
• Why?Becauseunlikedeterrencebydenial,where you have toprotect yourselfin cyberspace, you can threaten a non-cyberpunishment if you prefer.
• Example: threatening a missile strike if your infrastructure isdamaged via a cyber attack.

TWO CATEGORIES OF PUNISHMENT

1. Within-domain: threatened punishment for acyber operation is another cyber operation.
2. Cross-domain:threatenedpunishmentforacyberoperation issomethingnon-cyber.

REVIEW: WHAT IS NECESSARY FOR SUCCESSFULDETERRENCE BY PUNISHMENT?

1. Need tobeabletodemonstrate that you havethe capability to carry out the threat.
2. Target needstobeconvincedyouarewillingtocarryoutthethreat.

WHATMAKESDEMONSTRATINGCAPABILITIESDIFFICULT?

• Abitofatrickquestion:
• Forwithin-domaindeterrence,thisishard:
• Difficult to observe offensive cyber capabilities.
• Ifyoudemonstrate or explain a cyber weapon, you cannotuse it after that.
• But, you can use cross-domain deterrence, and pick acapability you can demonstrate.

WHAT MAKES DEMONSTRATING WILLINGNESSDIFFICULT?

1. Most cyber operations cost the victim state very little, butareof high benefit to the state conducting the operation.
• Hard to find a punishment with a low enough cost to thethreatening state to be believable and that would cause enoughharmto outweigh the benefits of the potential cyber operation.
2. Theattributionproblem.

WHAT IS THE “ATTRIBUTION PROBLEM”?

• The attribution problem is the difficulty in figuring out whodidwhatincyberspace.
• If youthreatentopunishsomeoneiftheyconduct a cyberoperation, and then a cyber operation happens, how doyou know it was them?

WHY ISTHIS A WILLINGNESS PROBLEM?

• Not knowing for certain who committed the operation doesnot stop you from punishing someone (or even multiplesomeones).
• But,there is almost certainly a cost involved with punishingthe wrong someone, and the actor you are trying to determight believe you are unwilling to pay that cost.

TWOWAYSTO STRENGTHEN DETERRENCE BYPUNISHMENT

1. Get betteratattribution.
2. Bewillingtopunishatalowercertainty.
• There is probably a trade-off here: the lower the damage caused bythe punishment, the more willing a state will be to be wrong.
• For example, if you just name-and-shame and are wrong, no big deal;if you use a military strike and are wrong, that probably hasconsequences.

CONCLUSION

1. Deterrence by denial is difficult because it is hard toprove you have strong defensive capabilities.
• On the other hand, do not have to worry about attribution.
2. Deterrencebypunishmentis difficult because it is hard tomake certain you are punishing the right actor, and thereare consequences for getting it wrong.