Despite the mainstream view of cyberwar professionals and theorists, cyber deterrence is not only possible but has been working for decades.
Cyberwar professionals are in the midst of a decades-old debate on how America could deter adversaries from attacking us in cyberspace. In 2010, then-Deputy Defense Secretary Bill Lynn summed up the prevailing view that “Cold War deterrence models do not apply to cyberspace” because of low barriers to entry and the anonymity of Internet attacks. Cyber attacks, unlike intercontinental missiles, don’t have a return address.
But this view is too narrow and technical. The history of how nations have actually fought (or not fought) conflicts in cyberspace makes it clear deterrence is not only theoretically possible, but is actually keeping an upper threshold to cyber hostilities.
The hidden hand of deterrence is most obvious in the discussion of “a digital Pearl Harbor.” In 2012, then-Defense Secretary Leon Panetta described his worries of such a bolt-from-the-blue attack that could cripple the United States or its military.
Though his phrase raised eyebrows among cyber professionals, there was broad agreement with the basic implication: The United States is strategically vulnerable and potential adversaries have both the means for strategic attack and the will to do it.
But worrying about a digital Pearl Harbor actually dates not to 2012 but to testimony by Winn Schwartau to Congress in 1991. So cyber experts have been handwringing about a digital Pearl Harbor for more than 20 of the 70 years since the actual Pearl Harbor.
Waiting for Blow To Come?
Clearly there is a different dynamic than recognized by conventional wisdom. For over two decades, the United States has had its throat bared to the cyber capabilities of potential adversaries (and presumably their throats are as bared to our capabilities), yet the blow has never come. There is no solid evidence anyone has ever been killed by any cyber attack; no massive power outages, no disruptions of hospitals or faking of hospital records, no tampering of dams causing a catastrophic flood.
The Internet is a fierce domain and conflicts are common between nations. But deterrence — or at least restraint — has kept a lid on the worst. Consider:
■ Large nations have never launched strategically significant disruptive cyber attacks against other large nations. China, Russia and the United States seem to have plans to do so not as surprise attacks from a clear sky, but as part of a major (perhaps even existential) international security crisis — not unlike the original Pearl Harbor. Cyber attacks between equals have always stayed below the threshold of death and destruction.
■ Larger nations do seem to be willing to launch significant cyber assaults against rivals but only during larger crises and below the threshold of death and destruction, such as Russian attacks against Estonia and Georgia or China egging on patriotic hackers to disrupt computers in dust-ups with Japan, Vietnam or the Philippines.
The United States and Israel have perhaps come closest to the threshold with the Stuxnet attacks but even here, the attacks were against a very limited target (Iranian programs to enrich uranium) and hardly out of the blue.
■ Nations seem almost completely unrestrained using cyber espionage to further their security (and sometimes commercial) objectives and only slightly more restrained using low levels of cyber force for small-scale disruption, such as Chinese or Russian disruption of dissidents’ websites or British disruption of chat rooms used by Anonymous to coordinate protest attacks.
In a discussion about any other kind of military power, such as nuclear weapons, we would have no problem using the word deterrence to describe nations’ reluctance to unleash capabilities against one another. Indeed, a comparison with nuclear deterrence is extremely relevant, but not necessarily the one that Cold Warriors have recognized.
Setting a Ceiling
Nuclear weapons did not make all wars unthinkable, as some early postwar thinkers had hoped. Instead, they provided a ceiling under which the superpowers fought all kinds of wars, regular and irregular.
The United States and Soviet Union, and their allies and proxies, engaged in lethal, intense conflicts from Korea to Vietnam and through proxies in Africa, Asia and Latin America. Nuclear warheads did not stop these wars, but did set an upper threshold neither side proved willing to exceed.
Likewise, the most cyber capable nations (including America, China and Russia) have been more than willing to engage in irregular cyber conflicts, but have stayed well under the threshold of strategic cyber warfare, creating a de facto norm. Nations have proved just as unwilling to launch a strategic attack in cyberspace as they are in the air, land, sea or space. The new norm is same as the old norm.
This norm of strategic restraint is a blessing but still is no help to deter cyber crime or the irregular conflicts that have long occurred under the threshold. Cyber espionage and lesser state-sponsored cyber disruption seem to be increasing markedly in the last few years.
Nations have been unwilling to take advantage of each other’s vulnerable infrastructures perhaps because, as Joe Nye notes in his book, “The Future of Power,” “interstate deterrence through entanglement and denial still exist” for cyber conflicts.
The most capable cyber nations rely heavily on the same Internet infrastructure and global standards (though using significant local infrastructure), so attacks above a certain threshold are not obviously in any nation’s self-interest.
In addition, both deterrence by denial and deterrence by punishment are in force.
Despite their vulnerabilities, nations may still be able to mount effective-enough defenses to deny any benefits to the adversary. Taking down a cyber target is spectacularly easy and well within the capability of the proverbial “two-teenagers-in-a-basement.” But keeping a target down over time in the face of determined defenses is very hard, demanding intelligence, battle damage assessment and the ability to keep restriking targets over time.
These capabilities are still largely the province of the great cyber powers, meaning it can be trivially easy to determine the likely attacker.
During all of the most disruptive cyber conflicts (such as Estonia, Georgia or Stuxnet) there was quick consensus on the “obvious choice” of which nation or nations were behind the assault. If any of those attacks had caused large numbers of deaths or truly strategic disruption, hiding behind Internet anonymity (“It wasn’t us and you can’t prove otherwise”) would ring flat and invite a retaliatory strike.
Like conflict in any other domain, cyber campaigns are more than a string of tactical engagements of ones and zeros. Strategic aerial campaigns are more than a string of dogfights and a field marshal will never win a battle if he can never get his head out of the foxhole. Cyber strategists and theorists of military cyber power must pull our heads out of the stream of ones and zeros to see the larger picture.
Leaders of the world’s most capable cyber nations have assessed, conscious or otherwise, that it is not worth the potential punishment if they unleashed a strategic cyber campaign, an armed attack causing large-scale destruction, loss of life or economic impact similar to that from a military attack. Until we recognize this fact, we will continue to misunderstand the unfolding truths of cyber power. ■
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council and editor of the first history of cyber conflict, “A Fierce Domain: Cyber Conflict, 1986 to 2012.” You can follow his demystification of the overlap of national security and cyber on Twitter at @Jason_Healey.