Can deterrence counter the threat of cyberweapons?

A professor from the Naval Postgraduate School suggests that deterrence is cybersecurity's next phase.

Image: cybrain, Getty Images/iStockphoto

"It's not a matter of if, but when," refers to many things, including, for example, an earthquake or an asteroid strike. However, nowhere does "not if but when" hold more truth than when considering the chance of being the victim of a cybersecurity incident.

"The number of cyber incidents reported by federal agencies jumped more than 1,300 percent, from 5,503 to 77,183, over the ten years through fiscal 2015," writes Washington Post columnist Joe Davidson. "Federal information security has been on the high-risk list of the Government Accountability Office (GAO) since 1997, and the situation has only grown worse."

SEE: Obama, Feds outline technical, spear phishing details, sanctions vs. Russia over cyber attacks (ZDNet)

Deterrence may be an answer

Dorothy Denning, distinguished professor of defense analysis at the Naval Postgraduate School, suggests applying the concept of deterrence to cybersecurity, writing in her essay for The Conversation Cybersecurity's next phase: Cyber-deterrence, "Deterrence focuses on making potential adversaries think twice about attacking, forcing them to consider the costs of doing so, as well as the consequences that might come from a counterattack."

Denning notes that deterrence results when the following principles cited in this NATO Review article are in place.

  • Denial: A way of convincing would-be attackers they cannot succeed, at least without enormous effort and cost beyond what they are willing to invest.
  • Punishment: A way of making sure adversaries know there will be a strong response causing more harm than they are willing to bear.

SEE: Governments and nation states are now officially training for cyberwarfare: An inside look (PDF download) (TechRepublic)

Nuclear weapons vs. cyberweapons

"For decades, deterrence has effectively countered the threat of nuclear weapons," Denning points out. She then poses the question, "Can we achieve similar results against cyber weapons?"

Cyberweapons do not cause doomsday events, Denning mentions in comparing cyberweapon deterrence to nuclear-weapon deterrence. Besides mass destruction giving everyone concerned pause, Denning offers the following additional differences; cyberweapons can be:

  • developed and sponsored by individuals, small groups, as well as nation states;
  • replicated and distributed across networks, reducing what Denning calls cyber nonproliferation; and
  • deployed under a cloak of anonymity, making it difficult to figure out who's responsible.

Knowing all that, Denning is still optimistic, saying cyberweapon deterrence is not destined to failure--we just need to improve security and develop deterrents that deny and punish the adversaries. To accomplish this Denning suggests the following.

1: Stepping up protection

All forms of cybersecurity are considered deterrents, though Denning is concerned that current security measures often introduce insecurities.

Denning is also worried about the massive proliferation of Internet of Things (IoT) devices that are vulnerable, saying, "Cybersecurity guru Bruce Schneier aptly characterizes the prevalence of insecure IoT devices as a market failure akin to pollution. Simply put, the market favors cheap insecure devices over ones that are more costly but secure."

Schneier suggests that IoT devices need to be regulated by forcing security standards on IoT device manufacturers, and possibly holding the companies liable if and when their products are involved in a cyberattack.

SEE: Here are the biggest IoT security threats facing the enterprise in 2017 (TechRepublic)

2: Active cyber defenses

Denning suggests that measures should be taken against proven adversaries in a manner similar to air-defense systems. Along with coauthor Bradley J. Strawser, Denning writes in the paper Active Cyber Defense: Applying Air Defense to the Cyber Domain (PDF), "Active cyber defense is direct defensive action taken to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets. Put another way, active defenses are direct measures taken against specific threats."

There is another benefit to active cyber defenses. "It can often unmask the people behind them, leading to punishment," writes Denning. "Non-government attackers can be shut down, arrested, and prosecuted; countries conducting or supporting cyber warfare can be sanctioned by the international community."

3: Setting international norms

It seems that Denning feels naming and shaming national governments can be a strong deterrent. As an example, Denning refers to a cyber incident between the US and China. "The U.S. brought charges in 2014 against five Chinese military hackers for targeting American companies," explains Denning. "A year later, the U.S. and China agreed not to steal nor exploit each other's corporate secrets for commercial advantage. In the wake of those events, cyber espionage from China plummeted."

SEE: Special report: Cyberwar and the future of cybersecurity (free ebook) (TechRepublic)

Not the full answer

Regardless of her enthusiasm for cyber deterrence, Denning is still a realist. "Cyber space will never be immune to attack--no more than our streets will be immune to crime," concludes Denning. "But with stronger cybersecurity, increased use of active cyber defenses, and international cyber norms, we can hope to at least keep a lid on the problem."

Also see