ÈÍÒÅËÐÎÑ > ¹77, 2015 > Rethinking the Cyber Domain and Deterrence
Dorothy E. Denning
As the Department of Defense (DOD) formulates strategy and doctrine for operating in cyberspace, it is vital to understand the domain and how it relates to the traditional domains of land, sea, air, and space. While cyberspace has distinct technologies and methods, it shares many characteristics with the traditional domains, and some of the conventional wisdom about how cyberspace differs from them does not hold up under examination.
These similarities are especially relevant when it comes to strategies for deterrence. Just as any attempt to develop a single deterrence strategy for all undesirable activity across the traditional domains would be fraught with difficulty, so too for cyberspace. Yet this is how many authors have approached the topic of deterrence in cyberspace. Instead, by focusing on particular cyber weapons that are amenable to deterrence or drawing from existing deterrence regimes, the issues become more tractable.
But first, two key attributes of cyberspace must be examined, as they show why cyberspace strongly resembles traditional domains. These are the roles played by man vs. nature and the malleability of the domains. Other similarities across the domains are described later in the context of deterrence.
Man and Nature
Conventional wisdom holds that cyberspace is made by man, whereas the traditional domains were created by nature. This is reflected in the Department of Defense Strategy for Operating in Cyberspace: “Although it is a man-made domain, cyberspace is now as relevant a domain for DoD activities as the naturally occurring domains of land, sea, air, and space.”1 General Michael Hayden, USAF (Ret.), former Director of the National Security Agency and the Central Intelligence Agency (CIA), similarly noted: “the other domains are natural, created by God, and this one is the creation of man.”2
This distinction of manmade vs. natural permeates the cyber warfare literature. Martin Libicki, a senior management scientist at the RAND Corporation and one of the leading thinkers about cyber warfare, writes, “Everyone concedes that cyberspace is man-made. This is what makes it different from its predecessors.”3
While it is certainly true that cyberspace would not exist without the computers and networks created by man, all domains of warfare, with the possible exception of land, are fundamentally manmade. The maritime domain would not exist without boats, the air domain without planes, and the space domain without rockets and satellites. Indeed, these domains, along with their respective military forces, were created only after the introduction of naval vessels, military aircraft, and spacecraft, respectively. Even the domain of land is substantially manmade. Although land forces could in principle fight it out with sticks and stones, and move only on foot or the backs of horses and camels, they instead deploy a plethora of manmade tools, vehicles, and weapons to support operations over terrain that has been substantially altered by man through the construction of roads, bridges, tunnels, buildings, canals, pipelines, and so on. Indeed, urban warfare takes place in an environment that is predominantly manmade. Nature, and especially geography, still matter, but none of the traditional domains, including land, can be understood, let alone operationalized, in today’s world without accounting for the artifacts of mankind and the changes man has made to the environment.
At the same time, cyberspace has a substantial natural component. It relies heavily on electromagnetic waves, as well as natural elements such as silicon. Indeed, the electromagnetic spectrum—that is, the range of all possible wavelengths and their associated frequencies, to include radio, infrared, and light waves—is crucial to communications in cyberspace. All communications, regardless of whether they are transmitted through the air or over wires or optical fibers, take the form of electromagnetic waves. And even though these waves are generated by manmade devices that convert digital information into continuously varying wave forms, they have the same physical makeup and are constrained by the same laws of physics as the naturally occurring ones in background radiation. Electromagnetic waves are to cyberspace much as land, water, air, and space are to the traditional domains of warfare. They are a medium for movement, in this case digital objects instead of people and equipment. The waves themselves travel through land, water, air, or space, so in a sense they are a medium within the other media—but then so too are rivers and canals with respect to land.
Computer networks, of course, are manmade. But they are like the manmade road and rail networks in the domain of land; both provide infrastructure over which much movement takes place. Moreover, just as the placement of roads and train tracks is strongly influenced by geography, so too is the placement of cyber infrastructure such as cell towers and cables.
There is another, perhaps even more fundamental reason why the man vs. nature dichotomy breaks down: all of the domains encompass more than just their physical manifestations. They are domains of human practice and, as such, constrained by the actions and decisions of humans. For example, even though the borders separating one country from another often follow natural geographic formations such as mountain ranges and bodies of water, they are set by man, as are the boundaries that separate one property owner from another within a country. Moreover, the legitimacy of these borders relies on human agreements, which in turn are backed by manmade laws, regulations, and means of enforcement. International borders are often at the root of conflict, such as those involving Ukraine, Georgia, Kashmir, and islands in the South China Sea. But even when borders are not in dispute, conflict can emerge over other human agreements, especially those of national governance. The civil war in Syria and recent coup in Thailand illustrate this fact.
Recognizing the role of humans in all domains of warfare is essential to understanding deterrence. Deterrence is fundamentally about influencing the decisions and actions (or inactions) taken by human beings, not nature. It is highly dependent on human agreements, both nationally and internationally.
At the international level, the Charter of the United Nations (UN) together with other international agreements, including the Geneva and Hague conventions and customary international law, form a body of agreements referred to as the Law of Armed Conflict (LOAC), which is concerned with state activity across all domains of warfare, prescribing conditions under which states may and may not use their military forces. State activity is also constrained by numerous other agreements that cover such areas as trade, travel, telecommunications, finance, the environment, energy, weapons, crime, and embassies.
At the national level, domestic laws, regulations, contracts, and other types of agreements, together with various means of enforcement including police and the criminal justice system, restrict activity within a state’s borders. Within organizations, policies, procedures, and personnel agreements restrict the actions of their employees.
As domains of human practice, all domains of warfare are further constrained by the skill and initiative of their human practitioners, and by the resources those practitioners are able to acquire to meet their objectives. Nature, by itself, will not engage a foreign adversary. Militaries must plan, resource, and execute their operations, whether in cyberspace or a traditional domain of warfare. While some of the skills needed to operate effectively in the cyber domain differ from those in other domains of warfare, other skills such as the ability to communicate effectively, work with others, build trust, and manage projects do not.
It is tempting to think that it is easier, cheaper, and faster to act in cyberspace than in traditional domains. After all, it is just a matter of moving, processing, and storing bits—not people and physical objects. But resources and skillsets matter as much in cyberspace as any other domain. Lacking adequate bandwidth, for example, it may be faster to move digital objects by downloading them to portable media and shipping the media than by sending them over a slow network. And surely one of the reasons why terrorists still prefer bombs to bytes is that it is easier for them to build and deploy explosives than to achieve comparable effects with cyber weapons. Developing a sophisticated cyber warfare capability requires considerable upfront investment.
The manmade vs. nature distinction has led to a conclusion that cyberspace is easier to change than the traditional domains. General Hayden, for example, wrote, “Man can actually change this geography, and anything that happens there actually creates a change in someone’s physical space.”4 Libicki emphasized the importance of this aspect: “What matters is that cyberspace is highly malleable by its owners, hence its defenders, in ways other media are not.”5 If true, this would suggest that cyberspace might be more amenable to deterrence by denial, that is, through security defenses, than other domains of warfare.
While some things are easy to change in cyberspace, the overall malleability of the domain is severely limited by standards, interoperability requirements, legacy software, regulations, and the resources and inertia needed to make changes. The switch from version 4 to version 6 of the Internet Protocol (IP), for example, has been taking years. As of May 2014, the bulk of Internet traffic is still carried in version 4 packets, including over 96 percent of the traffic connecting to Google servers.6 There are many reasons for the slow adoption, but a survey of industry professionals found that the top reasons were transition costs, compatibility issues, and security concerns.7 The security issues are interesting; while version 6 mandates support for encryption and authentication, it effectively breaks security products such as firewalls and intrusion prevention systems that were developed for version 4.
There are numerous other examples demonstrating the slow adoption of new Internet protocols and standards, including ones that would thwart many of the cyber attacks that plague cyberspace today, such as denial-of-service and phishing attacks that rely on spoofing an IP address, email account, or organization in cyberspace.8 In addition, organizations can be slow to adopt improved versions of operating systems and application software, as illustrated by the many installations still running Windows XP and applications built for it, and they can be slow to install security patches for published vulnerabilities.
This lag in adoption is seen in industrial control systems that operate critical infrastructure such as power generation and distribution, oil and gas distribution, and water treatment and distribution. Many of these systems run legacy software that offers practically no security, but meets performance, reliability, and safety objectives that drove decisions before the threat of cyber attacks became an issue. To make matters worse, these systems are often connected to the Internet, exposing them to cyber threats for which they lack defenses. Operators may be reluctant to update and patch these systems for fear of breaking something and disrupting essential services.
Within the Federal Government, the ability to acquire new cyber technologies is hampered by procurement regulations. Acquisition delays of 5 to 10 years are not uncommon in the military.
The malleability of cyberspace is also constrained by the time and resources required to install infrastructure such as cables and satellites, as well as by the laws of nature. Fred Cohen, for example, showed three decades ago that it was impossible to develop a computer program that would detect any computer virus by either its appearance or its behavior.9
At the same time, traditional domains of warfare, especially land, can be reasonably malleable. While building highways and bridges can take considerable time, and mountains and forests are immovable, it can be relatively easy to make certain types of changes in some geographic areas—for example, to install surveillance equipment, plant and detonate explosives, and reposition troops—all of which can significantly impact military operations. In all domains, militaries have to contend with change and uncertainty brought on by adversary actions and nature.
Cyberspace itself is also increasing the malleability of other domains of warfare. With additive manufacturing, also known as three-dimensional (3D) printing, it becomes possible to transform digital blueprints into physical weapons and other types of devices. Instead of building a device in a manufacturing plant in one country and then shipping it to a facility in another, a digital blueprint can be transmitted to a 3D printer at the intended destination.
Cyberspace has an advantage over the traditional domains in that if a cyber operation alters digital objects without affecting objects external to cyberspace, its effects can be undone by restoring the original bits. Thus, if a cyber operation shuts down a power generator by tampering with bits in its control system, for example, it may be possible to restore power simply by resetting the bits. By contrast, if the generator is shut down with a bomb, it must be physically rebuilt or replaced. Additive manufacturing, however, may someday remove even some of this advantage.
Deterrence in Cyberspace
The literature on cyber deterrence reveals many challenges to the very concept.10 These include the:
Authors who have compared cyber deterrence with nuclear deterrence have generally found that the principles that have made nuclear deterrence effective for over half a century fall apart in cyberspace.11
One reason why the concept of cyber deterrence raises so many challenges is that the term is extremely broad. In no other domain of warfare do we address the topic of deterrence across an entire domain. There is no notion of “land deterrence,” “sea deterrence,” “air deterrence,” or “space deterrence.” Rather, we direct our attention to particular weapons and activity. Some of these may be tied to specific domains of warfare and even geographic areas, such as deterrence of Somali pirates in the Gulf of Aden, but others are not, such as deterrence of state-level aggression generally.
Consider nuclear deterrence. It is about a specific type of weapon, not a domain of warfare. In fact, it crosses all domains of warfare, as nuclear weapons can be launched from land-based missiles, fired from submarines, or dropped from bombers against targets in any domain. The success of nuclear deterrence is contingent on the nature of the weapon, which inherently limits its casual development and deployment. Nuclear deterrence is directed primarily at nation-states and, by extension, state-sponsored terrorists. It relies primarily on retaliation or punishment, including nuclear counterstrikes leading to mutually assured destruction. But nuclear deterrence also depends on restricting the states that have nuclear arsenals and the spread of the knowledge and materials required to develop the weapons, sometimes called “deterrence by denial.” This in turn is supported by the establishment of international norms and agreements that limit the acquisition and use of nuclear technologies, such as the Nuclear Non-Proliferation Treaty of 1968. Both denial and norms can have a deterrent effect by dissuading parties from even attempting to acquire nuclear weapons.
In traditional domains of warfare, there are all sorts of nefarious activity that one would like to deter, including bombings, chemical and biological attacks, genocide, terrorism, armed invasions by foreign military forces, theft, bribery, fraud, extortion, embezzlement, insider trading, political corruption, arson, murder, espionage, vandalism, kidnapping, sexual assault, child and elder abuse, and animal abuse. Some of this activity falls in the area of national security and military operations, but other activity falls in the area of domestic crime and law enforcement. Given the enormous scope of the actors and activities involved, it would be difficult to develop an effective deterrence strategy that covered it all. Attempting to do so would inevitably raise many of the same problems that have surfaced in studies of cyber deterrence. For example, like many cyber weapons, many physical weapons, to include knives and guns, are easy to acquire and difficult to control. Street crimes such as vandalism, arson, and theft can be easy to commit but difficult to prevent and attribute.
Cyberspace is becoming as rich a domain of activity as land. It supports a large and ever growing set of operations relating to communication, finance, business, commerce, education and training, research, entertainment, health care, the environment, energy, government, military operations, and more. And, like all domains of warfare, it is used for both civilian and military activity. To get our hands around deterrence in cyberspace, we need to move beyond general statements about the domain as a whole to statements about situations where deterrence could play a meaningful role. One might argue that cyber deterrence is really about a particular type of weapon and not the domain, and in that regard its focus is similar to nuclear deterrence. But the comparison is not fair. Cyber weapons constitute the entire set of methods and tools that can produce effects in cyberspace, ranging from simple weapons that are readily acquired and used by “script kiddies” with no real skill in the domain, to those that require an advanced capability to develop and successfully deploy, such as was the case with Stuxnet. They also range from weapons whose effects are minor to ones that could potentially lead to death. By contrast, nuclear weapons are a highly lethal subset of all explosives, and explosives in turn are just a subset of all the physical weapons that can produce effects in traditional domains.
Just as we do not sweep all physical weapons into a single strategy of deterrence, we should not try to sweep all cyber weapons into a single strategy. Rather, we need to narrow our treatment of deterrence as it relates to cyberspace. The following suggests two approaches: one centered on particular cyber weapons, the other on existing deterrence regimes. These are not exclusive, but rather orthogonal or complementary. Others have advocated tackling the deterrence issues by taking into account the geopolitical context12 and applying principles of tailored deterrence, both of which can be used with the ones suggested in this article.13
Deterrence for Classes of Cyber Weapons
The first approach is to focus on relatively narrow classes of cyber weapons where deterrence might be feasible. For example, consider nuclear electromagnetic pulse weapons, sometimes referred to as nuclear EMPs or simply NEMPs. These are nuclear weapons that would be detonated at high altitudes above Earth with the objective of damaging electronic devices rather than killing persons or blowing up buildings. Because so much critical infrastructure depends on computers and other electronic devices, the effects of a well-placed NEMP attack could be devastating not only to cyberspace but also to all domains of activity and society as a whole. Testifying before Congress, former CIA Director James Woolsey noted that a nuclear warhead, launched with a medium-range missile from the Gulf of Mexico and detonating at an altitude of 400 kilometers, would generate an EMP field on the ground with a radius of 2,200 kilometers, “covering all of the contiguous 48 United States, causing a nationwide blackout and collapse of the critical infrastructures everywhere.”14
Because NEMPs are nuclear weapons, they automatically fall under the umbrella of nuclear deterrence. In addition, unlike nuclear weapons that detonate directly against their targets, their effects can be denied, as electronics can be hardened against the damaging radiation emitted by these weapons. While such hardening may not be practical for all electronic devices, it might be worth applying to critical infrastructures vital to society.
Numerous cyber weapons lend themselves to deterrence by denial, including any weapon that can be thwarted with the adoption of existing security technologies and practices. As noted earlier, many denial-of-service and phishing attacks can be stopped with anti-spoofing technologies that already exist. Deterrence strategy could focus on stimulating greater adoption of these technologies and on developing additional ones. In addition, many cyber weapons exploit vulnerabilities in existing systems for which there are patches or fixes. Deterrence strategy could promote more rapid and widespread adoption of these fixes. Strong defenses can convince would-be perpetrators that a cyber attack will likely fail and, therefore, is not worth implementing.
Some classes of cyber weapons might be suitable for deterrence by punishment. Even though many cyber attacks are difficult to attribute and therefore punish, others are not. Cyber activists operating under the banner of Anonymous, for example, used a cyber weapon called the Low Orbit Ion Cannon to conduct denial-of-service attacks against targeted Web sites. This tool did not, however, give its users anonymity, and 19 people who used it during “Operation Payback” in 2011 against PayPal, Mastercard, and Visa were identified and arrested, including 14 in the United States.15
Still other types of cyber weapons might be suitable for deterrence by norms and agreements. NEMPs, as nuclear weapons, fall in this category. If a cyber weapon is ever developed that could cause massive deaths, it might be similarly categorized.
Deterrence Through Established Regimes
A second approach to deterrence in cyberspace is through the application of deterrence regimes established for other kinds of activity. As already noted, we can do this with NEMPs, drawing on existing strategies and mechanisms for nuclear deterrence. But we can also do it more broadly and apply established strategy for deterring state-level aggression and crime by nonstate actors.
LOAC is particularly relevant to deterring state-level aggression. Although it predates cyberspace, government officials, scholars in the area of international law, and cyber experts generally agree that it applies to cyberspace. A UN group of government experts affirmed this: “International law, and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible” cyberspace.16 The Tallinn Manual, sponsored by the North Atlantic Treaty Organization, offers rules for applying LOAC to cyberspace,17 and DOD has stated that its actions in cyberspace will be governed by LOAC and all other applicable domestic and international legal frameworks.18 LOAC supports deterrence by both norms and punishment by establishing principles for the use of force by states and for responses by the international community to state acts of aggression.
In addition to LOAC, other international agreements might serve to deter certain activity. One such agreement is the World Trade Organization (WTO) Agreement on Trade-Related Aspects of Intellectual Property Rights, which requires participating nations to protect trade secrets. Both the United States and China are members of WTO, and in response to the indictments of five members of China’s People’s Liberation Army for stealing trade secrets, Senator Charles Schumer called on the U.S. representative to the WTO to file suit at the WTO against China for state-backed cyber espionage.19
Well-tempered statecraft can deter aggressive state behavior in all domains of warfare. Also, to the extent that the affairs of states are intertwined, especially economically, there is some deterrence by interdependency or entanglement; if one state harms another, it will also harm itself.
Crimes committed by nonstate actors have been deterred traditionally through norms via religious and moral teachings as well as crime statutes; by punishment via law enforcement and the criminal justice system; and by denial via fences, locks, alarms, guards, and other mechanisms that control entry into protected spaces. In addition, surveillance devices such as security cameras can help catch criminals such as shoplifters, muggers, and vandals who would otherwise not be identified and caught, thereby strengthening deterrence by punishment. Community policing, especially in “hot spots,” and neighborhood watch groups can also deter street crime.
Cyber crimes can be deterred by the same types of mechanisms. In the United States, the Computer Fraud and Abuse Act of 1986, together with its amendments and other laws that apply to cyberspace, set norms for acceptable behavior in cyberspace. Many of these norms appear in the domestic crime laws of other countries as well. In addition, they are included in the Council of Europe (COE) Convention on Cybercrime. As of March 2014, 42 countries had ratified the Convention and 11 more had signed it, showing strong international consensus regarding much cyber activity.20 While these laws obviously have not deterred those persons who commit cyber crimes, they likely deter those who view themselves as law-abiding citizens.
At least one study has shown that deterrence by punishment applies to cyber crime. Researchers at the National University of Singapore found a 36 percent reduction in cyber attacks relating to 49 reports of government enforcement actions in eight countries.21 However, more studies are needed to validate (or refute) these results and to determine factors that can make a difference. While it would be overly optimistic to assume that the persons behind all cyber attacks could be caught and punished, improved methods of cyber forensics and attribution, coupled with greater international cooperation such as that facilitated by the COE Convention on Cybercrime, could lead to greater deterrence by punishment.
Deterrence by denial is practiced every day in cyberspace via cyber security mechanisms and practices, including the regular installation of security patches, the use of strong methods for authentication, and the application of firewalls, black and white lists, intrusion prevention systems, antivirus tools, encryption, and so forth. We can aim for even more effective cyber security in the future by placing greater emphasis on security during the design, development, installation, and operation of new cyber technologies, but it is not likely to ever be completely foolproof, for much the same reason that crime overall will never be fully eliminated. Still, denial offers the best means of deterrence, whether in cyberspace or not, in those situations where it can be applied and is cost effective. Much of the literature on deterrence in cyberspace recognizes this.
Cyber technologies are inherently different from those that define the traditional domains of warfare. After all, they are used to move, process, and store digital objects across computer networks—not people and physical objects across land, sea, air, and space. But technology aside, cyberspace shares many of the same characteristics as other domains of warfare. All have both manmade and natural elements, and the malleability of all is subject to considerable constraint. Importantly, all are domains of human practice, characterized by a wide range of activity by both state and nonstate actors, some of which is hard to attribute, and by a variety of weapons ranging in availability, cost, and effects produced.
Because cyberspace is such a rich domain, studies of “cyber deterrence” raise as many problems as would be raised by a comparable study of “land deterrence.” This does not mean that deterrence in cyberspace is impossible, only that a more focused approach is needed, as has been followed in traditional domains of warfare. One possible approach is to consider classes of cyber weapons that lend themselves to deterrence. Another is to consider existing deterrence regimes, including international regimes governing nation-states and domestic regimes governing nonstate criminal behavior. These approaches can be combined with others that are tailored to particular actors or geopolitical contexts. Together, they may offer a tractable approach to deterrence in cyberspace. JFQ