How to build and expose cyber-warfare capabilities to ensure deterrence

Cyber-attacks are expected to reach unprecedented capability and distribution in the coming years. As cyber weapons become more complex, and deliberate attacks more frequent, how can security teams take action now to prevent future victimization?

 

Today, cyber capabilities are essential for nation-states and armed forces that want to be treated as credible players.

As the fifth dimension of warfare, cyberspace is an important world politics arena, and the digital world a domain where strategic advantage can be lost or won. Contrary to what we’d like to think, succeeding in the cyber domain is not merely a question of defense – at least not for the nation-states. Naturally, defense capabilities have to be as preventative as possible to reduce the effectiveness of an adversary’s cyber-attack.

However, despite the best defensive efforts, intrusions will occur. In the cyber domain, you must also be resilient enough to withstand attacks and failures and mitigate harm, more so than in other domains.

Creating cyber defense capabilities and resilience is fairly easy for the public to accept, but is not enough. Deterrence capabilities and policies to convince others not to launch a cyber-attack against you are essential, but can only be effective when teams build and demonstrate offensive cyber capabilities.

In all, cyber offensive capabilities are a must for nation-states to succeed in the current and future reality of both international and security policies. Defense, resilience, and offense are the foundation for a country’s overall ability to protect itself.

From nuclear to cyber deterrence

Deterrence emerged in the 1950s, in response to the new strategic challenges posed by nuclear weapons. During the Cold War, nuclear deterrence – the art of convincing an enemy not to take a specific action by threatening it with intolerable punishment or unacceptable failure – worked well in keeping the United States and Soviet Union in check.

While cyber deterrence should play a similar role in the digitalized world, the anonymity, global reach and interconnectedness of attacks greatly reduce its efficiency. Likewise, nations face suspicion and rumors surrounding their capabilities.

In the kinetic world, it is much simpler to evaluate an opponent’s capabilities. We can fairly accurately estimate how many tanks, interceptors, or submarines a given country possesses. Countries also openly expose their arsenal (in military parades for example) and operational skills by organizing large military exercises. In the logic of deterrence, even more important than having the actual capability is the perception of having that capability.

Awareness prevents conflicts

Deterrence depends upon effective communication between a state and the entity it wishes to deter. The strongest states are those that demonstrate capabilities to respond when attacked, and this is also the case in the cyber domain.

More countries are openly exposing their offensive policies and capabilities to improve their cyber domain credibility – essentially establishing rules for engagement. For example, for the first time since World War II, Germany has publicly disclosed it is developing offensive cyber weapons. Also, the latest Cyber Strategy of the United States emphasizes an offensive cyber policy, and it has been said publicly that the U.S. Defense Advanced Research Projects Agency (DARPA) is focusing its research on offensive cyber capabilities. Many countries have also announced that cyber-attack responses are not exclusively limited to the cyber domain.

The world’s nation-states need to more openly discuss their offensive cyber capabilities and readiness levels – just as we discuss missile arsenals or submarine fleets. We hear of great military exercises happening in the kinetic world, but seldom address cyber events. Today, countries are aware of and appreciate each other’s kinetic capacities – one reason why there are relatively few wars. Awareness prevents conflicts, at least between nation-states, and raises the threshold to conduct an attack. Many countries base defense policies on the assumption that a capable military and willingness to reveal your strengths to adversaries decreases your risk for attack.

The challenge of attribution

Attribution differentiates the logic of cyber warfare from that in other domains. Unlike kinetic attacks, cyber-attacks leave no physical evidence and can be masked or routed through another country’s networks, making attribution a challenge. Even if you are confident an attack came from a computer in a certain country, you cannot be sure the government is behind it. It is hard to deter if you cannot punish, and you cannot punish without knowing who is behind an attack. Moreover, responding against the wrong target not only weakens the logic of deterrence, but creates a new enemy. As a result, terrorists receive openings to engage in warfare formerly undertaken only by nation-states, but one likely only taken where minimal offensive capabilities exist.

While difficult, attribution is not impossible. It requires both technological solutions and diplomacy – namely, deep international cooperation. Countries should plan to establish (if they haven’t already) communication channels in case something extraordinary should occur in the cyber channel. As more countries openly discuss their cyber capabilities and offensive strategies, it will become much easier to approach and navigate political and geographic rules and norms in the cyber domain.

At the same time, some nations are taking responsibility for cyber-attacks to achieve a political advantage and send strong messages of deterrence. For instance, the U.S. government has unofficially admitted orchestrating the Stuxnet attack to demonstrate its capabilities to use an advanced cyber weapon against an adversary – just in time for a presidential election.

Offensive weaponry is needed for credibility and deterrence

The cyber arms race is accelerating, even if we would like to turn a blind eye to it. Armed forces and nation-states recognize the importance of offensive capabilities in building cyber credibility.

Building cyber capabilities relies on quality, not simply quantity. Currently, the most heated race is for the recruitment of talented individuals, and many countries are actively recruiting promising hackers. But so are, in all likelihood, al-Qaeda and other terrorist organizations.

In most countries it is not popular or even desirable to publicly discuss offensive cyber weaponry. However, it is now vital that nations explain the logic of offensive cyber capabilities to the general public. Naturally, how this is done varies with cultural and national sensitivities, but in any case, leaders can summarize their offensive strategies in four points:

1. Defense through Offense: to be considered credible in both the military battlefield and in world politics, you must have offensive capabilities, just as you must have defensive capabilities and resilience. You simply cannot have a credible cyber defense without offensive abilities.

2. Take Preventive Action: offensive capabilities are a must to ensure deterrence. The ability to act offensively includes a strong preventive message to others, provided they understand it and believe it.

3. Strengthen your Defense: offensive thinking and building weaponry are vital for creating a stronger, more credible defense. It is essential to understand how an attacker acts, and to try to find all possible vulnerabilities in your defense. You must also develop your defensive potential by testing your current defense and training your forces. Without the ability to act as an attacker, no country can build an effective and credible cyber defense.

4. Stay Aggressive: when the lights go off, how will you defend with kinetic weaponry against your non-kinetic adversary? In today’s warfare, being defensive will hinder achieving your objectives. In some cases, offensive attack is still the best defense. Passive defense alone will not work.

Disclosing offensive weaponry becomes more visible and includes great risks

The secret development and use of offensive cyber capabilities among nations today is a worrisome trend. Offensive cyber weapons are sophisticated enough to paralyze critical societal infrastructures, endangering human lives.

With such threats looming, deterrence becomes more crucial. Merely talking about offensive cyber weapons in general terms will not create the same sense of fear as revealing or even demonstrating your capabilities. To show deterrence, nation-states must demonstrate their capabilities without sacrificing the advantage of surprise.

Currently, cyber warfare operates under guerrilla warfare norms, but change is imminent. As four-star general James Cartwright has said, “We’ve got to step up the game; we’ve got to talk about our offensive capabilities and train to them, to make them credible so that people know there’s a penalty to this.”

In the coming years, more nation-states will organize exercises and simulations to expose their offensive cyber capabilities and enhance their deterrent effect. However, in all likelihood this will not be enough.

Nation-states are forced to conduct cyber-attacks in real situations and against real targets, such as terrorist or activist groups, industrial plants, or possibly even against other states, and claim responsibility in order to increase their cyber deterrence. In May 2012, U.S. Secretary of State Hillary Clinton announced that U.S. cyber specialists attacked several al-Qaeda recruitment websites. This serves as a strong, deterrent political message of intent to use cyber weapons, and a glimpse into the future of cyber warfare.

Escalation is always a risk when cyber players deploy greater offensive capabilities. As history has shown, one event can lead to another, and spark greater conflicts. Releasing cyber weapons can also bring about unexpected side effects, the worst of which is total darkness of the unpredictable and interlinked digitalized world. Cyber deterrence within the area of operations may be very difficult to limit.

While secrets cannot be used as deterrents, revealing too much information about cyber weapons’ capabilities can allow your adversaries to close the vulnerabilities these weapons exploit, and solidify their defenses. Excessive cyber capability openness can accelerate the cyber arms race even more, and in ways that might be self-defeating. However, deterrence is much more viable if adversaries understand that the digital infrastructure is resilient, that credible threat detection and prevention systems are in place, and counterattack mechanisms are in place.

Civilians on the front lines of the cyber battle

Governments and armies cannot undertake cyber deterrence alone. Civilians are on the front lines of the cyber battle every day. Without the proper firewall and anti-virus software in place, attackers can easily overtake and remotely operate thousands of home computers daily. These botnet legions can turn a nation into its own cyber adversary.

Every individual plays a role in building more efficient cyber capabilities, resilience and deterrence. As a result, there is greater need than ever to raise general cyber security awareness, because there is greater potential than ever for advancing a nation’s economy and politics.

Countries will continue building and more openly using offensive cyber capabilities. However, if the general public does not understand how significantly offense impacts defense, it becomes more difficult to openly use these weapons for stronger cyber deterrence. Once the public understands the logic and seriousness of creating offensive cyber weapons, and their potentially devastating consequences, the threshold to use these weapons should rise. Along with that understanding will come what is most urgently needed – deterrence.

 by: Jarno Limnell, Director, Cyber Security, Stonesoft Corporation