«Workshop held 9-10 January 2008 in Arlington, VA Prepared for US Strategic Command Global Innovation and Strategy Center (USSTRATCOM/GISC) Prepared ...»
Deterring VNSA in Cyberspace 3 Reevaluating Deterrence Theory & Concepts for Use in Cyberspace by Allison Astorino-Courtois, National Security Innovations, & Matthew Borda, Creighton University Introduction Twentieth century US deterrence thinking was founded in the logic of the Roman adage “si vis pacem, para bellum” (if you want peace, prepare for war). That is, the overwhelming threat of severe physical punishment or war will bring about the absence of war. Indeed, until September 11, 2001 a general policy consensus maintained that the overwhelming superiority of US forces, both conventional and nuclear, served as an effective deterrent against major attacks against the US or its interests and allies. After the terror attacks of that day however, the para bellum and state-centric underpinnings of deterrence policy appeared to many to have been violated, and in
fact were pronounced dead by President Bush a few months later:
“… new threats also require new thinking. Deterrence -- the promise of massive retaliation against nations -- means nothing against shadowy terrorist networks with no nation or citizens to defend. Containment is not possible when unbalanced dictators with weapons of mass destruction can deliver those weapons on missiles or secretly provide them to terrorist allies.”12 The concept of deterrence – preventing someone by threat of severe retaliation from doing something he would otherwise do – is as old as man. In the area of global affairs the notion of deterring one’s adversaries from acting also predates the nation-state centric models of mutual deterrence that evolved in the context of the Cold War, and with limited exception continues to inform deterrence thinking today. This section explores the conceptual bases of deterrence thinking with reference to two characteristics that genuinely distinguish the late 20th from the 21st century: the expanded abilities of non-state actors of all sizes to pose serious national security threats, and the expansion of cyberspace. Our main question is this: Do current models of deterrence apply to non-state actor cyber threats and cyber aggression?
Deterrence: Model & Concept
There exists an uncharacteristic degree of agreement in the voluminous literature on deterrence on a number of aspects of the basic concept. First, there is little debate that deterrence is “the use of threats of harm to prevent someone from doing something you don’t want them to do,” (Morgan, 1983: 17). Second, most agree that effective deterrence is a function of both good defenses and retaliatory capabilities, and that the two most critical components of any effective deterrent are the credibility and the potency of the threatened retaliation. In other words, Can the threatener actually do what he threatens? Will he do so? And, Will I be worse off if he actually acts on his threat? The point is not that these questions be answered with certainty by a deteree, 2002 graduation speech at the United States Military Academy, West Point Deterring VNSA in Cyberspace but that a successful deterrent must meet some threshold of sufficient credibility and potency in order to inhibit actions the adversary would otherwise have taken (George and Smoke, 1989).
Beyond this agreement there are various schools of thought regarding how the deterrence concept should be operationalized, studied and tested. The perspective that has dominated the US policy arena however, champions cost-benefit analysis-based “rational” deterrence models typically founded in expected utility and/or game theoretic methodologies.13 Without going into a discussion of math modeling and mechanics, it serves our purpose to note that as a category these models presume that an opponent will be deterred if, using backward induction, he calculates that the retaliation threatened by a defender is both credible and more costly than his failing to attack. That is, the net value of the losses he expects to suffer as a result of a threatened retaliatory action exceeds the total gain he expects from taking the action he is considering.
Supporting this model of deterrence is a set of six basic assumptions about the decision maker to be deterred, his environment and information flows: he/it is conceived as an identifiable, security-focused rational actor with a set of known and consistent preferences who operates in an environment of complete information about the probabilities of future events and the values of
both sides. Broken down, these are:
• Known adversary. The adversary is a readily identified nation-state, unitary actor (i.e., with physical assets, a population, etc. that can be held at risk). In fact, it is implicit in most rational models that retaliatory (deterrent) threats are directed at a specified enemy;
deterrence is by definition narrow in scope.
• Rational actor. The adversary is a “rational calculator” in the sense that his choices and actions are not random, but relative to a set of interests and objectives. He seeks to avoid loss or pain across a number of interests and a limited set of available courses of action and will never do something that he believes will result in a net loss for him.
• Identified Preferences. The adversary knows his own preferences over all possible outcomes of a situation in advance of circumstances. These preference ranks are not only known but are consistent and transitive (i.e., if ABC, CA).
• Probability Estimation. Both sides in a conflict can and do estimate nearly perfectly the probabilities of the expected outcomes of their decisions.
• Perfect Communication. There is communication between the sides such that the adversary hears, understands and believes threats as the communicator intends them and, that the communicator can detect that this is the case. There is also the presumption that each side understands the adversary’s own values and cost-benefit calculations as well as his willingness to take risks.
• Security Focus. Adversaries are singularly security focused. There is limited linkage between military and other domains, and the adversary is more concerned with security than other issues.
Again, in its most basic form, a rational deterrence model represents a strategic interaction “game” between two players: an opponent and a defender. Both players have complete An alternative set of deterrence models, neither as elegant nor as well-defined as rational models are those that incorporate cognitive limitations and incomplete information to explain deterrence effect (and failures.) In these models, Achen and Snidal (1989: 148) note, “deterrence is seen as a fundamentally psychological process, in which cognition failures, fear, or simple time pressures disrupt the rational calculations assumed by deterrence theory.” Deterring VNSA in Cyberspace knowledge of the choices available to the other as well as the other’s preferences over them. The defender prefers to avoid attack (or some other threatening behavior) by the opponent who begins the game either by attacking, for example, or not. The defender can choose to fight or to capitulate. The commodity that generates the defender’s ability to deter an attack in the first place is the opponent’s uncertainty about the defender’s ability and commitment to retaliate.
That is, successful deterrence depends on two things: the defender's credibility, and that the net utility the initiator expects to derive from attacking (benefit) is less than that of not attacking.
This sort of rational deterrence formulation has been a useful (and fruitful) basis for both theorizing and deterrence policy development. However, in reassessing “deterrence” for use in cyberspace it is important to recognize that much of our formal understanding of deterrence and deterrence policy is based on this relatively strict and simplifying set of assumptions.14 Put another way, these assumptions likely were and are sufficient to offer insight into strategic deterrence of physical invasion, land capture, or direct attack on US or allied territories by the former-Soviet Union and Peoples’ Republic of China: two large, extremely security-concerned, non-democratic nuclear nation-states. The question remains however as to whether they are too severely violated to be of use in designing means of deterring non-state actors operating in or through cyberspace. Before considering the implications of these assumptions and the deterrence policies that we have derived from them, we first should characterize the environment, threats and actors of concern.
Cyberspaces & Cyber Actors The Washington Post recently identified the official, extremely broad designation of cyberspace as contained in the January 2008 National Security Presidential Directive 54/Homeland Security
Presidential Directive 23 (NSPD 54/HSPD 23):
"Cyberspace means the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries".
Perhaps more useful for our purpose however, is Mitra’s (2002) unpacking of the “cyberspace” concept – what Whittaker (2004) points out is actually “a myriad of rapidly expanding cyberspaces” – into cyber “building blocks.” These building blocks are physical cyberspace, dataspace, and conceptual and social cyberspace as depicted below.
• Physical Cyberspace. Although cyberspace is most generally, “a metaphor for describing the non-physical terrain created by computer systems,” (Der Derian, 2000: 773), physical cyberspace refers to those physical components like computers, routers, hardware, power supplied and even in many cases, electricity necessary for use.
• Dataspace. Dataspace is the non-physical information and data storage sector where our websites, on-line newspapers, e-zines and other sources of information and education reside.
Note that the counter-intuitive implications of these models include the rationality of convincing your opponent that you are a bit crazy (e.g., Nixon’s efforts in the bombing of Laos and Cambodia at the end of the Vietnam War), why complete nuclear disarmament anti-first strike measures like ABM systems may have negative impacts on security, and the advantages of strategic parity with the Soviet Union.
Deterring VNSA in Cyberspace Social Cyberspace. It is most commonly “social cyberspace” that people mean when • referring to their interactions with the cyber world. This is the virtual space in which people communicate, play and interact via e-mail, blogs, and discovering virtual communities, etc.
Conceptual Cyberspace. Conceptual cyberspace refers to one’s perception of the cyber • realm as a “space”, a place to “go”. It is another complete, real but non-physical world with its own culture, rules and norms of behavior; that space that computer game designers work so hard to achieve.
Distinguishing among these four cyberspaces helps to us explore a vast array of potentially threatening cyber activities. Beginning with physical cyberspace, a first category of threats can be defined in terms of adversarial efforts to compromise, degrade or destroy US physical cyber assets. Kinetic attacks, including theft, on these assets and systems often can be mitigated by defensive measures such as hardening. They also are not conceptually distinct from other sorts of kinetic attack on physical assets that are more commonly the subject of deterrence thinking.
The second category of potential cyber threats are non-physical (e.g., virtual) efforts to compromise, degrade or destroy dataspace. These can range from relatively small-impact identity theft to compromise or manipulation of for example, military targeting packages or air traffic control systems.
A third class of threats relates to social cyberspace and the rapid, expansion of perspectives, communities and movements antithetical to US national interests. This is the part of the cyber world where we have seen the indoctrinating power of militant, radical Islamist ideas, and the sense of common purpose that lone or small groups of individuals can find with geographically distant groups. It is in social cyberspace where new cyber communities and cultures form, and it is a key arena in the so-called battle to “win” hearts and minds.
The fourth and perhaps most insidious class of cyber threat, are efforts to compromise, degrade or destroy others’ perceptions of reality by manipulating signals, sensors, communications and Deterring VNSA in Cyberspace other information that, for example, serve to guide US net-centric military operations, or the presence of incoming missiles.
Of course, equal to identifying of the types of cyber threats is the increasingly complex task of recognizing and distinguishing among the types of actors who may pose these threats. However, because the impact of cyberspace is a relatively new development and technology and innovation occur so rapidly, a thorough appreciation of all current and potential cyber adversaries is difficult to ascertain. One way to attempt to differentiate the various types of cyber actors -- and the magnitude of the threats they pose is in terms of three major characteristics: the type and size of the organization, its motives, and general or known level of violence. Crossing just these three characteristics produces sixty-eight relevant actor types. Even limiting our sample to those most likely to pose serious national security threats, namely, hyper-violent organizations motivated by ideological struggle, profit and a desire to injure or disrupt, produces twenty cyber adversary profiles. Do we seek to deter each type? Are we interested in all of them?
Reevaluating Rational Deterrence
During the Cold War period and since, deterrence policy has been indelibly linked to military force.15 Indeed, the idea of deterring aggressive activities simply by possessing a punitive retaliation capability is a parsimonious and very attractive proposition. It is also an area where the US has tended to hold the advantage. However, in the context of a greatly expanded number and variety of mobile, fleeting and/or unknown adversaries operating within a variety of cyberspaces, much of the assumptive foundation of that deterrence construct may become too restrictive to serve as the basis of policy.