Cyber and Cyber deterrence featured heavily in the Integrated Review published recently, with 114 individual mentions. The review emphasises the UK’s ambition to the deter, disrupt and deter adversaries in cyberspace. Along with repetition of previously announced developments, like the creation of the National Cyber Force and the establishment of a “cyber corridor” across the North, there was one statement which has prompted some shocking headlines in the press.
“Britain could respond to future cyber attack with nuclear strike” was how the Times covered the issue. The review actually stated a change in UK policy to allow for the use of nuclear weapons in the face of “weapons of mass destruction”, including “emerging technologies” that may have comparable impact to chemical, biological or nuclear weapons. Conflation of these issues in the press indicates a lack of understanding of international cyber strategy and how cyber operations are deployed. This article aims to cover the key differences between traditional deterrence theories and the newer concepts associated with cyber deterrence, before highlighting some of the issues surrounding deterrence in the cyber domain then concluding on how the UK can demonstrate effective cyber deterrence through capability and credibility.
What is deterrence?
Deterrence has traditionally been considered through a solely nuclear perspective. Simply put, the fact that a nation holds nuclear weapons, the capability to strike back and, crucially, has demonstrated the intent to do so has been sufficient to deter another nuclear armed state from executing a first strike. This underpins the Mutually Assured Destruction doctrine which has prevailed since the Cold War. Conventional deterrence follows a similar logic, with the aim of making a war the least appealing option for an aggressor.1 This approach works well in both the nuclear and conventional arenas as the effects of a kinetic strike and consequent military conflict are immediately evident and apparent. But in the cyber domain, where non-kinetic effects prevail, this calculation is much more difficult.
Let’s consider two of the most destructive cyber attacks in history. WannaCry, which famously affected the NHS, and NotPetya attacks both occurred in 2017. Both of these attacks used cyber weapons developed by nation states that were then unleashed on the wider world in an untargeted and opportunistic fashion – vastly exceeding their original target set and causing millions of dollars worth of collateral damage.2 If a cyber effect like this was proposed in support of a military operation, it would immediately be vetoed by a competent lawyer as it clearly breaches the Law of Armed Conflict principle of distinction. Uncontrolled cyber operations can lead to harmful unintended consequences, limiting their use in below threshold activities.
Military planners often consider the four D’s – deny, disrupt, destroy, degrade. Cyber effects are also temporary, transient and reversible unlike nuclear weapons. The recent supply chain attack on cyber security vendor SolarWinds saw suspected Russian actors compromise a widely used network monitoring tool in order to access thousands of networks, including in government and defence. It was billed variously as the worst cyber-attack ever and simultaneously business as usual for nation state espionage. This cognitive dissonance is caused by the wide range of cyber effects that can be delivered. Typical concerns regarding the disabling of critical national infrastructure are regarded as the most dangerous outcome, but it is much more likely that the aim of a cyber operation is to gain access for intelligence purpose. In military parlance, this is a “computer network exploitation” (CNE) activity rather than a destructive “computer network attack” (CNA). From our case studies, SolarWinds fits the former and WannaCry the latter. CNE is the more insidious, long term espionage activity that military cyber defence professionals fear the most. This is near impossible to deter as this type of strategic intelligence gathering has been a priority for governments for as long as the concept of a government has existed. It is for this reason that spying is often referred to as the world’s second oldest profession. 3
Proportionality
Media coverage have raised a major issue around the proportionally of cyber-attacks. The UK has never had a “no first strike policy” for nuclear weapons, which was reiterated in Parliament by then Defence Secretary Michael Fallon. This ambiguous position is designed to be difficult for an adversary to analyse and therefore introduce friction into their planning process. Nuclear weapons are a strategic deterrent against other nuclear states. Having capable full spectrum conventional forces provide deterrence for offensive actions below that threshold. For cyber operations, the deterrent effect is much less clear cut. While basic cyber hygiene measures can deter the lower levels of opportunistic hackers 4, for advanced persistent threats these represent only a nuisance. It is therefore difficult to have technical cyber measures that act as a deterrent. The threat of offensive cyber actions in return is implied but due to the nebulous nature of domain, lack of transparency and attribution undermines the effectiveness of this approach. One paper describing the Chinese attitude to deterrence suggests that “the anonymity, the global reach, the scattered nature, and the interconnectedness of information networks greatly reduce the efficacy of cyber deterrence and can even render it completely useless.” 5 The MOD’s own cyber primer highlights that cyber threat actors include all levels of capability and intent, from the lowest “script kiddie” and hacker for hire all the way up to nation state level actors – the dreaded “advanced persistent threat” (APT). Compared to the barriers to entry of other types of weaponry, there is a much wider pool of actors able to operate in cyberspace than in the nuclear realm for example. This shows that a one size fits all attitude cannot work and that tiered and tailored mitigations must be introduced in order to achieve satisfactory cyber deterrence.
Attribution
Low cost of entry into the cyber domain has resulted in the proliferation of a multitude of threat actors. This has manifested in cyber false flags, a notable example of which is the attack on the opening ceremony of the 2018 Winter Olympics in South Korea.6 Whilst the world’s eyes were on the opening ceremony, the back-end systems supporting the whole Olympic Games had been thoroughly compromised; the attack took out the security access system to all the Olympic buildings, including the stadium, and disabled the official Olympics app which provided ticketing, maps and other essential information to attendees and athletes. Only the determined actions of technical staff prevented the attack from having a longer lasting effect. Suspicion first fell on the Republic of Korea’s belligerent northern neighbour. Detailed forensic examination revealed contradictory and confusing data, pointing to numerous threat actors. Finally, one researcher could prove that it was not the DPRK behind the attack, but the Russians.7 It is thought that the suspension of Russian athletes from international competition was Russia’s motivation to carry out the attack. 8 So what? When advanced actors have the ability to mask their actions and misdirect investigators, then attribution of the intrusion is more challenging to prove. This in turn complicates our deterrence strategy when it is not clear who we are trying to deter.
Accountability
Nations that do not respect the rules-based international order are at an advantage when it comes to cyber operations. The costs they face in the event of an unmasking of their activity are fairly low. The US has led the way with indicting named individuals within Russian and Chinese offensive cyber units, meaning these people face potential arrest and sanctions should they travel to countries with an extradition agreement with the US. There is no evidence to suggest this has a significant deterrent effect and could prove counterproductive, as it potentially opens up US cyber operatives to similar treatment. This would have a greater impact on Western operations, as one key tenet we observe is the adherence to international rules and laws. Losing this moral authority could have a greater impact than even the rewards from a highly successful cyber operation, turning a tactical victory into a strategic loss.
So, what is Cyber Deterrence all about?
Deterrence is fundamentally about influencing an adversary’s decision-making process. Forcing them to consider a course of action that it positive to you and negative to them is an incredibly difficult task. The complexities posed in the cyber domain in terms of equivalence, proportionality, and attribution can both help and hinder this effort. Cyber deterrence is more difficult as the barriers to entry are so low, the risks minimal, and the rewards potentially extremely high. If cyber deterrence was possible, and working, then the UK would not face any cyber threats – in the same way that nuclear deterrence works as we have not been victim to a nuclear attack. This binary approach is not a suitable way to measure the effectiveness of cyber deterrence. Maintaining a national deterrence posture hinges on two key aspects: capability and credibility. The UK needs to consider how best to communicate and demonstrate our commitments to both areas. Building on our historic strengths in our intelligence agencies and developing the new National Cyber Force is one way to confirm and demonstrate our capability. Credibility is more difficult than simply creating new weapon systems and orders of battle. This relies on a cross-government approach to communicate to our allies and adversaries that we are willing and able to use our capability in support of our national goals as well as upholding the rules based international order as a responsible cyber power. These are the challenges facing the UK as we look to develop our cyber deterrence posture.
Luke
Luke has Air Force leadership experience , in the UK and on Operations. He also has experience working in the Cyber environment at the joint level.
Footnotes
- https://link.springer.com/chapter/10.1007/978-94-6265-419-8_4#:~:text=One%20could%20define%20conventional%20deterrence,to%20provide%20much%20analytical%20utility.
- “Sandworm” pp149-153, Andy Greenberg 2019
- Phillip Knightley (1986). The Second Oldest Profession. Spies and Spying in the Twentieth Century. W. W. Norton & Company. ISBN 0-393-02386-9.
- Implementing the NCSC 10 Top Controls is designed to mitigate 80% of threats to most organisations
- Tang Lan & Zhang Xin, The View from China: Can Cyber Deterrence Work?, in GLOBAL CYBER DETERRENCE: VIEWS FROM CHINA, THE U.S., RUSSIA, INDIA, AND NORWAY 1, 2 (Andrew Nagorski ed. 2010)
- “Sandworm” pp246-253, Andy Greenberg 2019
- https://www.washingtonpost.com/world/national-security/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/2018/02/24/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html
- As described in the Netflix documentary “Icarus”