Cyber war creates far more than its share of Maginot strategy. How can we hope to make deterrence work without the three elements that supported it during the nuclear age? McConnell’s article, dated this coming Sunday (2/28/10) [sic], outlines three conditions and then claims that their failure isn’t really a problem. It is a giant problem. Future cyber adversaries will not be deterred by empty threats to respond with catastrophic cyber or conventional weapons.
During the Cold War, deterrence rested on a few key elements: attribution (knowing who attacked us, and from where the strike came), response (being able to respond, even if attacked first), and transparency (the enemy’s knowledge of our capability and intent to counter with massive force).
All three of these conditions fail in the cyber domain.
Attribution is impossible without cooperation. Assessing Russian culpability for the attacks against Georgia during the 2008 war required an international, private effort and more than a year of work. At present we have the cooperation only of our allies, and even that is partial.
Response requires access. In the cyber domain, access is the measure of distance. Preparing the ground for a careful, calibrated, and proportionate response requires enormous amounts of time and expertise. We must have detailed counterstrike plans, but these are not limited to a few hundred cities and the three legs of a nuclear triad. They involve vastly greater numbers of individual agencies, firms, and computer systems spread throughout the world. Suppose you can somehow determine that a private foreign corporation is responsible for attacks against America. Computer network operations offer a vastly larger set of targets and methods of attack, but every one of them requires access. Consider a typical corporate infrastructure, replete with servers, desktop workstations, cloud computing services, smartphones, global travel, SCADA systems, and manufacturing plants. Consider its customers and stakeholders, including a global pool of investors (potentially including Americans), the host government, and an innocent civilian population (the firm in question could supply vital infrastructure such as water, electricity, phone service, or banking). Whatever response is planned, cyber warriors will spend years preparing the ground by gaining access to target systems, or else risk ineffectual and indiscriminate counterattacks.
In the cyber domain, transparency is the key to an ineffective response. In everyday cyber security, the greatest threat is the unknown threat. Blogs and books abound about zero-day threats, threats that your Norton AntiVirus cannot screen out because they are too new to have a “fingerprint” in its database. Our adversaries already know we listen to essentially all broadcast media and cellular phone conversations worldwide. They operate within the paradigm of the global passive adversary: they segment the parts of a conversation so that our listening efforts cannot reassemble all the pieces. They use disposable cell phones and cell phone numbers. They use paper communications rather than email and bank wires. The greater the threat of an American response against a given information system, the greater the incentive for our adversaries to harden that system against unauthorized access. Concerted efforts by national governments to steal information from our civilian and military computers in the 1990s and 2000s shocked the national press because the scale of the intrusions was previously unthinkable. In the nuclear age, Dr. Strangelove pointed out that transparency was essential to the strategic function of the Doomsday Device; in the cyber age the same principle does not apply, because a known capability invites the target to close the access on which it depends.
Cooperation is vital to situational awareness in cyber defense. By that I mean that it is costly to determine whether existing systems suffer from unauthorized access. Each firm, each home user, and each government agency has (legal) access only to its own systems. With effort and expense, it is possible to monitor those systems for unauthorized access. But the level of access required to diagnose the status of those systems is not (legally) available to other firms and government agencies. We cannot assess our own security posture without extensive cooperation. Without it, we may not even recognize an ongoing cyber attack until months after the fact.
In the nuclear age, deterrence rested on the ability to retaliate against state adversaries whose attacks we could recognize quite literally from space. In the cyber age, we will not know the location or identity of the adversaries when military attacks begin. We may not recognize the effects of peacetime attacks for many months after they start. And we will not be able to observe or respond to attacks without the cooperation of many countries and companies around the world.
Blanket threats of massive retaliation will serve primarily to poison international and public-private cooperation.
With all due respect to the Admiral, deterrence cannot work for cyber defense as it did for nuclear defense.