«Workshop held 9-10 January 2008 in Arlington, VA Prepared for US Strategic Command Global Innovation and Strategy Center (USSTRATCOM/GISC) Prepared ...»
Assuming the continued emergence of adaptive adversaries, one of the key deficiencies of current thinking is its implicit state-centrism. The implication is a tendency to discount domestic or internal determinants and causes of behavior by assuming that actors are more significantly There certainly have been numerous attempts to influence, assure and persuade outside the military realm, but these have typically been identified as “diplomatic” rather than part of a deterrence policy.
Deterring VNSA in Cyberspace influenced by external factors like a deterrer’s threat (Morgan, 1983). Even retaining the rational actor assumption, albeit relaxed to allow for goal-directed gain “maximizers” with broader ranges of interests and goals, the luxury of this degree of analytic simplification may be too costly. We do not mean to suggest that cost imposition – if no longer mainly kinetic – and provision of benefits are no longer valid modes of influencing the behaviors of would-be cyber aggressors. Rather that, no longer assuming an adversary with a set of essentially static basic objectives (e.g., economic prosperity, territorial sovereignty and security, etc. derived from its identity as a nation-state) means more work and a radically increased demand for information about the opponent within his own (subjective) context.
Likewise, the presumption of complete or nearly complete information about the adversary’s core values, cost-benefit calculations and risk propensities – as we believed we possessed about the Soviet Union – may be a significant miscalculation. A cyber deterrence concept that required this quantity of context- and actor-specific information over a range of potential adversaries – to the extent that they are knowable – would be an enormous burden on national capabilities.
The bottom line is this: There appears to be level of generality problem in using our current rational deterrence thinking as the primary bases of security policy. That approach is a largely simplified model for assessing the strategic interactions between actors assumed to be singularlyfocused and with relatively few and simple options available to them. Security policy is generally most effective when it is tailored to address specific actors and actions in context;
actors that typically have a range of incremental options available to them spanning the space between conflict and cooperation. When the focus is shifted from identifiable state actors to possibly unknown adversaries in unknown locations both in cyber and physical space, this deficiency becomes more apparent.
It is clear that today’s policy planners and practitioners must confront a series of concepts most likely unconsidered by their mid- 20th century counterparts: cyberspace, cyber defense, cyber attack and cyber terrorism, and thus cyber deterrence. At the end of the day, the purpose of a cyber deterrence policy is to influence a range of moderate to extreme individuals, and influence a range of actions from tacit support of anti-Western activities to acts of enormous violence. US actions will need to be at times tailorable to target populations and specific undesirable behaviors. At other times, action will be necessary under extreme uncertainty regarding the exact adversary and his specific plans. A number of issues deserve careful consideration as US deterrence thinking is reshaped to serve as a policy guide for protecting US interests in the cybernetworked world.
Defining Concepts. One approach to assessing the nature of cyberspace has been presented • here, but there are certainly other ways to take a comprehensive and insight-generating look at the cyber realm. It is such a rapidly developing, and in many ways still untapped communication and interaction arena that overlooking its fundamental aspects risks forming an inaccurate understanding of its importance and influence as well as its limitations.
Similarly, a broader, less restrictive understanding of deterrence than currently is suggested in official publications is likely warranted. Does refining our deterrence concept as encompassing a range of actions including the ability to shape a potential adversary’s choice environment before negative intent is generated help reduce the problem of multiple potential threats in multiple cyberspaces? Is influencing opponents through international and cyber Deterring VNSA in Cyberspace community norms a valid approach to deterring the unknown threat? Does expanding the “deterrence” concept to include providing benefits as well as imposing costs help policy makers address the multiplicity of cyber threats?
Defining Thresholds. There is the critical issue of communicating to the adversary what • exactly is considered to be an “attack” as well as the thresholds between nuisance, disruption, serious security breach and acts of war. Does hacking into a system to make preparations for a future attack, for example, constitute an attack? Are all breaches to be treated the same way? Do those causing disruption but no damage or loss of life receive attention at all?
Setting these thresholds and the response principles (e.g., response in kind, proportional response, massive retaliation, flexible response, etc.) that will accompany them in the cyber realm should be the first order of business.
Attribution Capabilities. Precise and timely attribution of cyber activities is of critical • importance for a number of reasons. First, the more precisely we can identify the adversary the more information we can collect about his interests, goals and what he sees as the benefits of the actions we would seek to prevent. The more we understand these factors, the more closely US deterrent threats and actions can be tailored to that adversary. Second, a precise attribution capability will be required to demonstrate and maintain the credibility especially of cost imposition deterrent threats. The threat of retaliation can be perceived as inherently weak when an opponent lacks a fixed location and critical infrastructure to target.
If the adversary does not believe he can be seen, discovered or located he is not likely to fear threatened retaliation. Third, the ability to precisely attribute cyber aggressions is extremely important in avoiding the kinds of spoofing and deception in our conceptual cyberspace that could make us believe an attack was coming from somewhere other than where it is. This is the problem at the base of the threat of “catalytic warfare” where an actor successfully misrepresents its actions in order to prompt conflict between others. How precise do our attribution capabilities need to be?, and critically, how do we convince a potential adversary of a cyber capability without inviting counter-measures?
Second-order Effects. In the introduction to Beyond Nuclear Deterrence, Arbatov and • Dyorkin (2006) provide a cautionary tale of the effects on Russia security thinking of a US effort to deter terrorists and other adversaries. They cite Russian decision makers’ reactions to a US plan to build nuclear ‘bunker-buster’ warheads able to penetrate underground facilities in terrorist-held areas and rogue states. In fact, many Russians believed this effort was actually aimed at Russia’s own deeply-buried and hardened sites. They conclude with a quote from Defense Minister, Sergei Ivanov, who explained that,
In light of such thinking, how should deterrence policy be reconceived in order to capture and control this type of signaling – both material and communicated – or secondary effect?
Deterring VNSA in Cyberspace Are efforts to shape international cyber standards and ethics the issue here? How do we gauge the deterrent effects of US actions in cyber- and non-cyber spaces?
These are weighty and difficult questions and unfortunately we offer no simple solutions within this report, just a reference to Der Derian’s (2000) riff on Von Clausewitz where he asks whether “virtualization is the continuation of war (and politics) by other means?” Perhaps. It is certainly something to consider.
Deterring VNSA in Cyberspace 4 The Cyber-Physical Nexus: Movement between the Worlds: Non-State Actor’s Use of the Internet by Dr. S. K. Numrich, Institute for Defense Analyses Mazer then grew serious and said, “Ender Wiggin for the last months you have been the commander of our fleets. There were not games. The battles were real. Your only enemy was the enemy. You won every battle. And finally today you fought them at their home world, and you destroyed their world, their fleet, you destroyed them completely, and they’ll never come against us again. You did it. You.”(Carr, 1977) On that fateful day, Ender Wiggin, student in the flight academy, found himself quite unwittingly in the cyber-physical Nexus – the place where simulator space had become physical space.
Without his consent, Wiggin’s teachers, people we would probably call manipulators, enabled the student’s actions in cyber media to destroy people and places in his and their real world. The alternate reality and the physical reality met and physical reality was conquered.
The Nexus: A Vital Intersection
In the world of synthetic training, “Ender’s Game” has been the tacit ideal for developing synthetic worlds, worlds in cyberspace – worlds so real to the student that tactics, command and control and overall skills learned and practiced in the cyber world could translate immediately to the physical world. The cyber world today, like the simulator in Wiggin’s world, is becoming a critical tool in the hands of modern manipulators, terrorist organizations among others, and the most frightening consequences of cyber use emerge in the Nexus, where the cyber world intersects with the geophysical world in which we live.
The world of the Internet, developed in science and engineering laboratories to facilitate collaboration across facilities and delivered to the public by the Department of Defense through the ARPANET project, has subtly revolutionized today’s world as did prior technological developments of the printing press and industrial machines changed the world in their eras. The information highway that has given us direct communication capability through electronic mail and chat, online conferencing, a huge distributed library of data and information (everything from trash to the highest quality technical references) and virtually immediate global access has grown beyond the computer-based Internet to hand-held devices linked to the Internet via cellular communications. As the capability has grown, the cost of entry into cyberspace has decreased -- from the availability of low cost cellular devices to development of software that makes publishing simple for the novice. Once the domain of the technocrats, cyberspace is a domain where anyone can find a place, given access.
Our dependence on the cyber world for daily life has increased dramatically. As individuals we shop, bank, maintain records and contacts online. We depend upon cyber resources to control our air traffic, our “fast pass” toll capabilities on highways, our banking and other financial networks, our power grids, our dams, our traffic lights and trains. We depend on credit cards and Deterring VNSA in Cyberspace cash from automated teller machines to enable both our life at home and our travels abroad. Our understanding of the world around us comes through cyber media, not just the online press, but the images captured by the individual and posted to the Internet through which we feel we have both global presence and immediacy with events anywhere in the world.
The specter of cyber crime weighs heavily upon us simply because activity in cyberspace can and does impact the way we live our daily lives.
Terrorist Uses of Cyber Media – It’s More than the Internet On the international scene, the Internet was championed as a way of enabling the free exchange of ideas, as a means for organizations and individuals to communicate with each other, as a way of breaking down barriers and creating the opportunity to form the “global village”. But with the good has come the bad. The Internet has also enabled the spread of pornographic and violent content and the same facilities that fostered international business led to the use of the Internet by criminals of every sort, including terrorists. The attributes of the Internet – its decentralized structure, anonymity and ease of communication – align readily with the loosely networked structures and anonymity desired by criminal and terrorist groups. In examining the use of cyberspace by terrorists, Maura Conway (Conway, 2005) summarized current literature on the topic in the following table.
Conway chooses to categorize the use of cyberspace by terrorists as information provision, financing, networking, recruitment and information gathering, subsuming under these four all those listed in Table I. Weimann’s list, reiterated in his more recent book Terror on the Internet (Weimann, 2006), provides a somewhat more fruitful ground for examining the intersection of the cyber and physical worlds. The categories he uses in his book differ somewhat from those listed above.
The War of Minds and Hearts – Psychological Warfare
We often think of the war against terrorists and insurgents as a war to win the minds and hearts of the people. However in this context, it is relatively easy for the terrorist to gain the upper hand. Terrorists often engage in psychological warfare by using one or more incidents of physical damage to create a sense of fear and uncertainty that extends far beyond the original Deterring VNSA in Cyberspace physical act. The cyberspace is a wonderful medium for extending an incident in time and space.
Images of children killed and maimed by explosives, captives with eyes blindfolded beheaded by captors, and videos of people jumping from the collapsing World Trade Center broadcast and rebroadcast across the world with an immediacy hitherto unavailable brings acts of terror into the living room. By using and reusing such footage, the terrorist seeks to provoke a reaction disproportionate to the original act.