Cyber Deterrence


Effectively Exercising Deterrence in the Cyber Domain

Jim Chen
U.S. Department of Defense, National Defense University, Fort McNair, Washington, DC, USA
[email protected]

Abstract: Deterrence is a coercive strategy used for the purpose of avoiding a war or preventing the escalation of a war. In the physical domains such as land, sea, air, and space, nuclear deterrence was successfully used in the Cold War, thus preventing a nuclear war between the U.S. and the Soviet Union. In the new man-made and virtual domain for warfare, i.e. the cyber domain, how deterrence can be effectively applied is one of the biggest challenges that we are facing today. To address this question, different types of operations in the cyber domain have to be identified and categorized. Recognizing different categories as well as their unique impact can help to select the most appropriate cyber deterrence strategy for dealing with the challenges in a specific context. This paper intends to identify different categories of cyber operations and then propose a new model of deterrence implementation that incorporates cyber deterrence into traditional deterrence. This novel approach not only makes it possible to effectively apply varied types of deterrence measures based on corresponding contexts in varied domains but also makes it possible to use cyber means for retaliation in non-cyber domains of warfare, thus enriching deterrence theories as a whole.

Keywords: deterrence implementation, levels and categories, cyber operations, retaliation, cyber domain, deterrence theories

1. Introduction

Deterrence is a strategy that supports the purpose of avoiding a war or preventing the escalation of a war. In Haddick's (2017) terms, it is "a key concept for achieving U.S. national security goals". There were two major approaches to deterrence theory in the U.S. during the Cold War. One is deterrence by denial, which intends to scare an adversary away with retaliatory offensive capability backed up by strong defense and resilience capabilities. The other is deterrence by punishment, which takes advantage of the deterring effect of uncertainty in creating a stable balance of terror. Stable deterrence, as Payne (2008) puts it, "could be orchestrated to proceed from mutual prudence born of mutual vulnerability", so that both sides have to "exercise self-control" because of the irreversible and disastrous consequences. Currently in the cyber domain, deterrence by denial is well executed. However, as uncertainty in this new domain is not well identified, deterrence by punishment is practised in a revised way, i.e. by turning to non-cyber domains such as the diplomatic, economic, and military domains. In order to use uncertainty as the magic of threats, Chen (2017) resorts to surprise operations in the cyber domain and proposes a new deterrence strategy, i.e. deterrence by engagement and surprise. This proposal, which bridges the gap of not having cyber means for deterrence, helps to build a cyber deterrence continuum that starts from defense and resilience, moves to deterrence, and ends with retaliatory offense. The establishment of such a continuum creates strategic depth and operational flexibility for cyber deterrence. It also leads to further systematic analysis of cyber deterrence. Given that cyber deterrence employs varied means and capabilities across multiple domains, it is worthwhile to find out which types of deterrence are specifically suitable to each relevant domain.

The discovery of such a correlation can provide guidance for selecting a suitable deterrence strategy over others in a particular context, thus helping to figure out how the strategy can be implemented. As a result, effective and efficient deterrence across domains can be executed. In order to find such a correlation, it is necessary to delineate different categories of cyber operations. Unfortunately, this has not been well explored so far, especially in the context of cyber deterrence. In most cases, operations are categorized either as cyber operations or as non-cyber operations. No further classification is examined deeply and thoroughly. This research intends to address this categorization issue. The outcome of the research not only can enrich deterrence theories but also can help to develop rules of engagement in cyberspace, thus providing guidance for the implementation of deterrence strategies.

120

Jim Chen

This paper is organized as follows: Here in Section 1, the theme of the research is discussed. In Section 2, an analysis of the challenges is conducted. In Section 3, a model of cyber deterrence implementation with categorization of cyber operations is proposed. In Section 4, the benefits of this model are discussed. In Section 5, a conclusion is drawn.

2. Issues in cyber deterrence implementation

In the cyber domain, the implementation of cyber deterrence is always a challenge. This is related to two issues. One is the lack of cyber deterrence strategies, especially strategies that are tailored to this man-made domain. The other is the lack of guidance with respect to the implementation of cyber deterrence strategies. In other words, it is not clear under what circumstances deterrence by denial or deterrence by punishment should be used. As held by Shea (2017), "Whereas we have a good idea how to deter a nuclear or conventional attack, to deal with crises in the traditional domains, to employ arms control or confidence-building arrangements, we still do not have a good idea of how to deter or respond to major cyberattacks, even when they are clearly designed to undermine our governments or our political processes." To address the first issue, Chen (2017) proposes deterrence by engagement and surprise. This strategy uses cyber means in deterrence. The second issue has still not been well addressed. There are varied types of operations in the cyber domain, and the impact that they have is quite different. However, there is no guidance that shows how they should be treated differently, when deterrence strategies should be used, and which deterrence strategies should be used.

Let us check the reality first. The cyber deterrence strategies currently used rely on defense and punishment. They are not very effective, as they fail to scare adversaries away from cyber attacks. For example, Morgan (2017) estimates that global ransomware damage costs are up from $324 million in 2015 to $5 billion in 2017, "a 15X increase in two years, and expected to worsen". Larson (2017) lists the major cyber hacks of 2017, such as the Equifax data breach with the loss of the personal data of 145 million people, leaked government tools, WannaCry, which spread to more than 150 countries and took down many businesses, the NotPetya virus, which targeted Ukrainian businesses through compromised tax software, the Bad Rabbit ransomware campaign, which compromised news and media websites, almost 200 million voter records exposed, and hacks that targeted school districts. In addition to some of the hacks mentioned above, Mittal (2017) includes the following in the list: the Cloudbleed security bug, which leaked sensitive data of affected users such as passwords and authentication tokens, and the HBO hack, with 1.5 terabytes of information stolen, including scripts and episodes of the popular TV show Game of Thrones.

There are other reasons for the unsuccessful implementation of deterrence in the cyber domain. They cover various aspects, such as the legal, psychological, strategic, financial, and operational aspects. First, legally, attribution is slow, as it takes time to acquire, examine, and analyze evidence in an investigative process. To make things even more complicated, attackers have developed various ways of hiding their identity, such as using botnets or hijacked hosts while launching attacks. This camouflage further slows down attribution. Second, psychologically, people's responses to attacks in the virtual world differ from their responses to attacks in the physical world. As damage cannot be seen with the eyes in most cases, attacks in the virtual world seem less severe than those in the physical world in many cases. In other words, not seeing is less believing. Besides, Wells (2017) discusses disinformation campaigns that "aim to undermine citizen confidence and core beliefs". Such a campaign may not be recognized at the time it is launched. It may take days, weeks, months, or even years to recognize such a campaign. Should it be recognized, it is still difficult to quantitatively measure the true damage that it has caused. This renders quick and well-coordinated countermeasures impossible. Third, strategically, most cyber attacks are deliberately designed to be below the threshold of physical armed attacks. This makes it difficult for defenders to carry out the retaliation traditionally used in the physical world. In many cases, intruders walk away without being punished. This sets a bad example for other intruders.


Fourth, financially, the cost of retaliation is not cheap. Depending upon the measures used in varied domains, the cost may go higher. In addition, an economic sanction may affect multiple parties in a global economic environment, even if the intruder side gets the hardest hit. Fifth, operationally, collaboration requires a great amount of time and effort from all parties involved due to their diverse interests and capabilities. Should an economic measure or a military operation be deemed necessary after a severe cyber attack from an adversary, the response must be well orchestrated across all the relevant domains to guarantee its effectiveness.

All these factors make deterrence hard to implement in the cyber domain. In order to change this situation, different categories of cyber operations should be identified. At least one corresponding deterrence strategy should be selected to accommodate the uniqueness of each category. This not only can avoid the "one-size-fits-all" issue but also can forcefully and effectively address specific challenges with appropriate deterrence strategies.

3. A model of cyber deterrence implementation

Libicki (2009) proposes a four-layer model of responses based on the level of belligerence. He maintains that cyber responses are less belligerent than physical force responses or nuclear force responses. Hence, the cyber layer is below the other two layers. This model is displayed below in Figure 1.

Figure 1: Libicki's (2009) responses by rough order of the level of belligerence

According to Libicki (2009), the belligerent effect of cyber retaliation is limited, "because no feasible act of cyberretaliation is likely to eliminate the offending state, lead to the government's overthrow, or even disarm the state. Thus, a state could attack, suffer retaliation, and live to attack another day." This shows that cyber deterrence is limited in its capability with respect to belligerence, compared with that of nuclear force or physical force. This representation is based on the level of belligerence. It treats each level independently, without considering the penetration of cyber components into other domains. Besides, such a representation does not take into consideration the levels of attacks based on impact analysis. Should attacks be examined from this new perspective, one may find that a cyber-physical attack, which may cause catastrophic physical damage, is more severe than a phishing attack against one individual user on a local system. Such a difference should be captured in the representation. Wells (2017) argues for at least two types of operations in the cyber domain. He maintains that "today cyberspace operations closely relate to cyberwar with potential impacts on military systems, critical infrastructures, etc., while netwar is increasingly relevant to the cognitive and emotional disruption of societies". Cognitive-emotional conflict, he explains, is "a struggle to affect the thoughts and values of people at all levels


of an opponent's organization and society, using technical and other informational means, while preserving the resilience of one's own organizations and society, and attracting the uncommitted". Obviously, the cyber level in Figure 1 does not capture the difference between these two types of operations. Should this difference be captured, a revision of the representation is required.

Nowadays, even in the non-cyber domains, such as the physical force domain, a cyber dimension is crucially involved and cannot be ignored at all. As maintained by Shea (2017), "the recognition that every future crisis or conflict will have a cyber dimension, and that just as NATO has had to build missile defense and conventional postures into its traditional nuclear-based deterrence strategy, it will need increasingly to incorporate cyber expertise and capabilities as well". McDew (2017) shares the same view. He maintains that "logistics readiness is wartime readiness, and that means we need to guarantee superiority in the cyber domain to survive and operate effectively in the more traditional domains". Likewise, the representation in Figure 1 does not capture this.

To capture all these differences, it may be argued that cyber operations can be conducted at multiple levels. At one level, they are conducted for defense and resilience purposes. At another level, they are conducted only within the virtual domain; intelligence collection, surprise operations, and information operations fall into this category. At still another level, they are conducted both in the virtual domain and in the physical domain; an offensive cyber-physical operation is an example of this type. At a level above all the previous levels, they are embedded into physical military operations, such as nuclear force operations and physical force operations. Once these levels are set up, different cyber deterrence strategies can be customized and used for different purposes.

Deterrence by denial can be utilized at Level 0, where strong defense and resilience are the focus. Deterrence by engagement and surprise can be employed at Level 1 and Level 2, where operations are conducted only within the virtual domain. Deterrence by punishment is applied at Level 3, Level 4, Level 5, Level 6, and Level 7, where operations are conducted both in the virtual domain and in the physical domain. This representation is captured in the model in Figure 2. Besides, the types of retaliation are also captured there. The first category, which includes Level 1, requires neither prompt response nor forceful retaliation. This category is represented in blue to indicate low-level severity with respect to retaliation. The second category, which includes Level 2 and Level 3, requires prompt response but not forceful retaliation. This category is represented in yellow to indicate mid-level severity with respect to retaliation. The third category, which includes Level 3, Level 4, Level 5, Level 6, and Level 7, requires prompt response and forceful retaliation. This category is represented in red to indicate high-level severity with respect to retaliation. Within one category, the degree of severity with respect to retaliation at one level differs from that at another level. For instance, retaliation utilizing physical force is more severe than retaliation employing a diplomatic response. Using the levels and categories, the differences among deterrence by denial, deterrence by engagement and surprise, and deterrence by punishment are well captured.

Such categorization can capture the difference in terms of the impact of attacks. For instance, cyber-physical attacks may cause catastrophic consequences within a short period of time. Hence, an immediate response is required in dealing with this category of attacks. However, an information operation that attempts to influence a group of people requires a long period of time. Hence, an immediate response may not be a must, but the scale of the response should be wide enough to cover the ideological, political, and social domains. These examples reveal that for some categories prompt and forceful retaliation is immediately needed, while for other categories delayed responses are acceptable. As shown in this model, cyber operations that are only within the virtual domain can be conducted at multiple levels, namely Level 0, Level 1, and Level 2. These levels are covered by two different cyber deterrence strategies. Also shown in this model is the entailment of cyber capabilities in the physical domain, such as at Level 6 and Level 7, as cyber means are used in physical force responses and nuclear force responses. This representation supports the claim that warnings and surprise operations are less severe than diplomatic responses, while offensive cyber responses are more severe than diplomatic responses.


Figure 2: Model of cyber deterrence implementation: Levels and categories of operations and retaliation

It is evident that this model is able to reflect reality and that this representation is able to capture many subtle nuances. The benefits of this model are discussed in the next section.

4. Discussion

The proposed model of cyber deterrence implementation, which enjoys a continuum of responses and retaliation measures, possesses a number of benefits, as discussed below.

(1) At the operational level, this model can draw a clear line between cyber attacks that cause catastrophic physical damage and cyber attacks that cause mere virtual damage and no physical damage. This makes it easy to create or revise rules of engagement. With such categorization, any attacks against Internet of Things (IoT) devices are treated as severe attacks, since IoT devices are all physically associated and the effect of attacks is in the physical domain. Hence, any cyber-physical attacks are considered cyber offensive operations. Once the monetary value of physical damage is figured out, this model can be used as guidance to quickly identify appropriate deterrence measures to deter attackers or appropriate retaliatory measures to quickly control the situation.

(2) At the legal level, this model not only can help to identify the use of force based on the Law of Armed Conflict (LOAC) and Article 2(4) and Article 51 of the United Nations Charter but also can support anticipatory self-defense. Generally speaking, the use of force most frequently occurs at Levels 5-7 of this model. However, before a conflict escalates to those high levels, the corresponding cyber activities may be detected at Level 1 and Level 2. This may provide defenders with an opportunity to exercise anticipatory self-defense. In Tallinn Manual 2.0, Schmitt (2017) states that "even though Article 51 does not expressly provide for defensive action in anticipation of an armed attack, a State need not wait idly as the enemy prepares to attack. Instead, a State may defend itself once an armed attack is 'imminent'". In addition, this model helps to improve current law and regulations and helps to develop new law and regulations. Besides, the asset value, the damage cost, and other relevant factors can help to determine if the LOAC should be applied.

(3) At the military level, this model helps to implement customized cyber deterrence strategies and develop new doctrines that can deter, disrupt, and deny cyber attacks from adversaries. The operations at Levels 5-7 are all cyber-enabled operations. The operations at Level 5 affect critical infrastructure, while the operations at Level 6 and Level 7 are cyber-enabled military operations. It is stated in the DoD Deterrence Operations Joint Operating Concept (DO JOC), "In the future, joint force commanders will pursue deterrence objectives vis-à-vis both nation-states and non-state actors". Deterrence by engagement and surprise is capable of dealing with both nation-state actors and non-state actors, thus making it possible for this model to address this challenge.

(4) At the national and international collaboration level, this model helps to set up the basis for international negotiation. As cyber-physical attacks occur at Level 5 while pure cyber operations occur at Level 1 and Level 2, rules of engagement and levels of punishment can be easily made with respect to the protection of critical


infrastructure. This model also makes it possible to develop collaboration at different levels for different purposes. Thus, treaties can be signed for the protection of assets either at one specific level, say Level 5 cyber-physical responses, or at multiple levels.

The analysis above clearly shows what is missing and what is needed with respect to cyber deterrence implementation. It also reveals the benefits of this model, which is capable of providing guidance for the implementation of cyber deterrence.

5. Conclusion

In this paper, different types of operations in the cyber domain are identified and categorized. A new model of cyber deterrence implementation that consists of varied levels and categories of operations and retaliation is proposed. Different cyber deterrence strategies are associated with different categories. This novel approach not only makes it possible to effectively apply varied types of deterrence measures based on corresponding contexts in varied domains but also makes it possible to use cyber means for retaliation in non-cyber domains of warfare, thus enriching deterrence theories as a whole.

References

Chen, J. (2017) "Cyber Deterrence by Engagement and Surprise", PRISM, Vol. 7, No. 2, pp. 101-107.

Haddick, R. (2017) How Do SOF Contribute to Comprehensive Deterrence?, Joint Special Operations University (JSOU) Report 17-11, The JSOU Press.

Larson, S. (2017) "The Hacks that Left Us Exposed in 2017", December 18, 2017. Retrieved from http://money.cnn.com/2017/12/18/technology/biggest-cyberattacks-of-the-year/index.html.

Libicki, M. (2009) Cyberdeterrence and Cyberwar, RAND Corporation.

McDew, D. (2017) "Power Projection in the Digital Age: The Only Winning Move Is to Play", PRISM, Vol. 7, No. 2, pp. 31-38.

Mittal, T. (2017) "Ransomware On the Rise: What Were the Biggest Cyber Attacks of 2017?", December 5, 2017. Retrieved from https://yourstory.com/2017/12/cyber-attacks-2017-ransomware-malware/.

Morgan, S. (2017) "Top 5 Cybersecurity Facts, Figures and Statistics for 2017: Predictions and Observations Provide a 30,000-Foot View of the Cybersecurity Industry", October 19, 2017. Retrieved from https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics-for-2017.html.

Payne, K. (2008) The Great American Gamble: Deterrence Theory and Practice from the Cold War to the Twenty-First Century, National Institute Press.

Shea, J. (2017) "How Is NATO Meeting the Challenge of Cyberspace?", PRISM, Vol. 7, No. 2, pp. 19-29.

Schmitt, M. (2017) Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge University Press.

U.S. Department of Defense (2006) Deterrence Operations Joint Operating Concept, Version 2.0, Washington DC.

Wells II, L. (2017) "Cognitive-Emotional Conflict: Adversary Will and Social Resilience", PRISM, Vol. 7, No. 2, pp. 5-17.


Biographies

Conference and Programme Chairs

Janice M. "Jan" Hamby is Rear Admiral (Retired), U.S. Navy, and Chancellor, Information Resources Management College (IRMC), National Defense University. As Chancellor, RADM (Ret) Jan Hamby, USN, provides strategy and vision to the IRMC in its mission to educate future senior leaders of the cyberspace domain. During her Navy career she focused on the employment of telecommunications, space and computer systems to make information available for command and control of the Force and to enhance decision making at all levels of the chain of command. Her service included two command tours, positions on the Navy, NORAD/USNORTHCOM, Chairman of the Joint Chiefs of Staff, and Secretary of Defense Staffs, and operational assignments in aircraft carriers, directing the Navy's offensive and defensive cyber forces, and in Baghdad, Iraq. She served as senior officer and community leader for the Navy's Information Professional officer corps. Highly decorated, her highest military award is the Defense Distinguished Service Medal. She holds master's degrees in the Management of Information Systems, Business Administration, and National Security and Strategic Studies.

Dr. Hurley is currently Professor, National Defense University, focusing on Data Analytics and Cyberspace strategies. He has over 35 years' experience in the area of data and information management. He served as Senior Manager, Distributed Computing in the Networked Systems Division, The Boeing Company, Bellevue, WA. Dr. Hurley was Professor of Electrical Engineering and Director of three research centers (Scalable and Embedded Applications Center, Materials Processing Assessment and Characterization Center, and Avalon Scalable Embedded Computing Center) and the Co-Director, Army Center of Excellence in Electronic Sensors and Combat at Clark Atlanta University, in Atlanta, GA.

Dr. Jim Q. Chen is Professor of Cybersecurity in the College of Information and Cyberspace at the U.S. National Defense University (NDU). His expertise is in cybersecurity technology, cyber strategy, cyber warfare, and cognitive science. He has published widely on these topics. He is a recognized cyber security expert.

Conference Director

Dr Edwin "Leigh" Armistead is the President of Peregrine Technical Solutions, a certified 8(a) small business that specializes in Cyber Security. A retired United States Naval Officer, he has significant Information Operations academic credentials, having written his PhD on the conduct of Cyber Warfare by the federal government and having published three books, in an unclassified format in 2004, 2007 and 2010, all focusing on full Information Warfare. He is also the Chief Editor of the Journal of Information Warfare (JIW), https://www.jinfowar.com/; the Program Director of the International Conference of Cyber Warfare and Security; and the Vice-Chair of Working Group 9.10, ICT Uses in Peace and War.

Reproduced with permission of copyright owner. Further reproduction prohibited without permission.