An Example of Deterrence in Cyberspace
In 2016, the US was successfully deterred from attacking Russia in cyberspace because of fears of Russian capabilities against the US.
I have two citations for this. The first is from the book Russian Roulette: The Inside Story of Putin’s War on America and the Election of Donald Trump, by Michael Isikoff and David Corn. Here’s the quote:
The principals did discuss cyber responses. The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings. The United States was telling Russia this sort of meddling was unacceptable. If Washington engaged in the same type of covert combat, some of the principals believed, Washington’s demand would mean nothing, and there could be an escalation in cyber warfare. There were concerns that the United States would have more to lose in all-out cyberwar.
“If we got into a tit-for-tat on cyber with the Russians, it would not be to our advantage,” a participant later remarked. “They could do more to damage us in a cyber war or have a greater impact.” In one of the meetings, Clapper said he was worried that Russia might respond with cyberattacks against America’s critical infrastructure—and possibly shut down the electrical grid.
The second is from the book The World as It Is, by President Obama’s deputy national security advisor Ben Rhodes. Here’s the New York Times writing about the book.
Mr. Rhodes writes he did not learn about the F.B.I. investigation until after leaving office, and then from the news media. Mr. Obama did not impose sanctions on Russia in retaliation for the meddling before the election because he believed it might prompt Moscow into hacking into Election Day vote tabulations. Mr. Obama did impose sanctions after the election but Mr. Rhodes’s suggestion that the targets include President Vladimir V. Putin was rebuffed on the theory that such a move would go too far.
When people try to claim that there’s no such thing as deterrence in cyberspace, this serves as a counterexample.
EDITED TO ADD: Remember the blog rules. Comments that are not about the narrow topic of deterrence in cyberspace will be deleted. Please take broader discussions of the 2016 US election elsewhere.
Wayne Anderson • June 7, 2018 6:36 AM
The cyber battlefield is just that – a battlefield – at the nation state level. I think in the plethora of motivations and attackers we forget that aspect.
Deterrence in a commercial or enterprise context is a more difficult concept as few enterprises have either the legal authority/protection or real capability to repel a determined attacker – even organized crime. The primary tool for deterrence is the risk of am arrest or detention which is often minimal as a deterrent due to complex international geopolitics and legislative landscape – to say nothing of the complexity of some types of attributive investigation.
That being said, the nation-state notion of deterrence I think is many faceted, as cyber is a land where aside from the “Alamo” type battle of Ukraine being crushed by Russia, we have not yet seen two states with significant capability be willing to go to a full scale engagement.
In that view we see a concept akin to MAD theory in other types of WMD coming into place. I say it is multi-faceted because cyber seems to have analog not only to tanks and WMD, but to the former HumInt component of the late cold war transported into our time as well. We all profess outrage about eeach other’s data infiltration while any number of governments have active, well-staffed programs using electronic means to “create” SigInt remotely all the time.
Even while we stop short of many types of cyber/kinetic crossovers, we appear to have “accepted” some MAD type battlefield ROE amongst the global community which at a macro level permits information theft through a certain level. To use a cold war analogy, It is ok to send the cyber trenchcoats and fedoras, but don’t use a gun on the street or the opposing state will have to react in public and you risk political will to do something about it.
At the same time, we see some clear trends in the defensive state of the cyber world. Richard Clarke (and others) early warnings to us on the needed political will have become reality – we in democratic society saw early attempts to protect transitive and enterprise links as an infringement on our libertarian ideals of access and speech. Which has created exactly the kind of threats to liberty and economic prosperity that we tried to prevent from our own agents – by enabling the other side to have that leverage when/if they choose to exercise it.
When we struggle daily to attribute attacks to whichever red-flag nation started them, when we struggle to get basic HumInt and have only variable success with SigInt in China, and when we struggle to then defend and maintain our own “arsenal” because sensibilities in a small number of people can compromise an entire class of weapons systems – is it any wonder that the deterrence outlines are illuminating for the first time, and with a tilt to the advanced authoritarian regimes on the field?
At some date, developed countries may discover that our focus on individual liberty which at times has been our greatest strength for economic development has also been our greatest weakness. Unfortunately not the monologue of the enemy of some hero film where shortly the field will change, love will conquer all, but a statement of reality in a world where certain kinds of weakness can have real life effects. Sure, we have some pretty amazing people and capabilities as well, but we have to run hard to stay there, and it’s an open question whether having some of the sharpest spears and no wall will withstand the Romans at the gate who have been tunnelling and mapping us for a decade.