Cyber Deterrence

@mikecybersec
5 min read · Nov 20, 2019
https://dribbble.com/shots/4002529-DDos-03

Foreword

This article has been written as a quick study and a bit of ‘cyber fantasy’ about how cyber defences could be more active in thwarting big threats. I also draw on examples of deterrence in other domains of warfare and look at how they differ from, or share commonalities with, the cyber domain.

I’m by no means a cyber warfare expert… :)

The Challenge

Compared with the deterrence advancements of other warfare domains, cyber deterrence is certainly in its infancy. With the UK National Cyber Security Strategy update looming post 2021 (and potentially a United States update due), questions could follow about how the big players in cyber will continue to advance their national strategies to thwart the big threats to their Critical National Infrastructure. Will we see a more deterrence-focused approach rather than a defensive and responsive one? Will we see more threat intelligence sharing between the agencies and large enterprises?

Deterrence is typically not independent of a single domain of warfare. Take, for example, when Israel launched an airstrike in response to a cyber attack: this was a mix of domains rather than a cyber-on-cyber interaction.

Classical deterrence gravitates around an opponent's cost-benefit analysis, to dissuade malicious behaviour. That cost could be any metric; however, everyone has a price. For example: workload, too high a profile, time, money, in-house expertise, and so on. That cost can be manipulated by the victim's deterrence methods.

Deterrence routes us back to the beginning of wars, with the threat of violence in retaliation for an unwanted action. More recently, mutually assured destruction as a result of the use of nuclear weapons is our latest deterrent in the physical domain of warfare.

Do our conventional frameworks for deterrence maintain their applicability and meaning against APTs in cyberspace? Or do we have to theorise fresh frameworks and models for deterrence in cyberspace?

Overcoming The Challenge

With all that said, are we able to develop a defensive framework that gives us a deterrent method contained within cyberspace, without depending on other domains?

The answer is… it depends. You can't have a one-size-fits-all deterrence model; you must first ask what threats you wish to deter. By splitting cyber attacks into three categories, we can begin to categorise our deterrence models: cyber theft, which is the theft of information for financial and other personal gain; cyber espionage, which is the theft of information at a nation-state level for the purpose of advantage in the global arena; and cyber attacks, which deny access to and destroy systems and data. You then split the actors up, ranging from what we call ‘script kiddies’ right up to state-sponsored APT groups.

The other problem is attribution: knowing who is behind the attack. If you were to employ a deterrence model based on punishment and retaliation, your main issue is understanding the who, as there is a lot of obfuscation and hiding behind the cyber domain.

Active Cyber Defence & Deterrence By Denial

There is always the theory that, by employing solid Active Cyber Defence (ACD) measures, you can raise the cost to almost any threat actor, as the time and personal investment needed to attack would be too high. Over time, as that ACD capability matures, the organisation's or state's credibility as a defensive powerhouse will mature too. A reduction in attacks would be expected as a result.

By also employing a risk management and reduction approach, deterrence can be achieved in the form of denial: outright prevention. Eliminating legacy infrastructure, running a mature vulnerability management programme, 24/7 monitoring with automation, hardening assets and auditing cloud services are a few examples.

The UK Trident Program & Deterrence By Punishment

Is it possible to demonstrate defensive credibility without becoming an APT yourself? I want to draw focus on the United Kingdom's nuclear Trident programme for this section. At a glance, it seems a very simple deterrence method, though it demonstrates itself to be quite a versatile framework in most scenarios.

Although the Trident programme is built around Mutually Assured Destruction (MAD), it is equally a deterrent and a reactive programme. For example, the location of the Trident submarine is highly classified and could be in enemy waters. Could be. That element of the unknown, tied in with an already proven and demonstrated nuclear strike capability, makes for a cocktail of pure deterrence.

If we were to mirror this into cyberspace, how would it look? Would a nation state have to maintain persistent, undetected presence in another state's systems to distil some deterrence?

Not necessarily. Here's why: threat intelligence is a great way of making use of reconnaissance, almost like the active sonar system on a submarine, just listening to the noise out there and filtering out what doesn't affect the vessel's threat model. This is similar to being aware of your own assets and scanning them for vulnerabilities; the difference is performing it on your closest enemies to keep a catalogue of actionable intelligence, as a deterrent by punishment. If an actor is caught out by the unknown of what you know, the likelihood of you receiving an attack decreases because of the potential cost to them in return for that attack.

What if a nation state gathered consistent cyber reconnaissance on its closest enemies, with slight hints to notify them of its presence? Recon, at the moment, does not constitute an act of war. If this reconnaissance went in both directions, we could almost be at an agreement of MAD again in cyberspace. This kind of deterrence is also viewed as a resilient approach to deterrence.

Nuisance Attacks — What can’t be deterred?

Zero-motivation attacks, such as those performed by LulzSec in around 2011, are the ones that can be messy and difficult to deter.

They mostly backed up high-profile scenarios with hacking. Their overall motive, as described in their name, was the “lulz”: it was not to hack for financial profit, it was to cause mayhem and have fun by doing so.

The group published a statement called “50 days of lulz”, in which they stated that not only were the press getting bored of them, they were getting bored of themselves. It's quite a juvenile methodology: they had their attention and their fun, and it was time to move on.

LulzSec were known for attacking Nintendo, Bethesda Game Studios and Sony, though some attacks were claimed to have political motives as well, such as the hack against PBS, which was motivated by a desire to defend WikiLeaks and Chelsea Manning.

In essence, this is the perfect example of how you can't deter motive, and you will have to deter by denial, as it seems the cost of punishment was not high enough for this group either.

Conclusion

There are certainly a multitude of ways to implement deterrence in your cyber operations programme, along with a ton of online theories about how SOCs can deter threats before they even hit the network edge.

I hope this sparked some thought about cyber deterrence, and equally some thought about how your own defences stack up against deterrence models such as:

  • Deterrence by punishment
  • Deterrence by denial
  • Active cyber defence
  • Assuring MAD in the cyber space without crossing domains
