By John Cella —
The intrusion by unidentified Chinese hackers into Google’s networks in January is likely not an isolated incident, but part of the growing trend of state-sponsored acts of cyberwarfare. While Google is a private corporation, attacks against it and other American corporations have significant national security implications. Beyond the private harms inflicted by corporate espionage, such cyber-attacks have the possibility of stealing government secrets or corrupting government information. Indeed, the National Security Agency (NSA) recognized this danger when it partnered with Google shortly after the attacks to help the internet behemoth improve its cybersecurity.
Despite the best efforts of Google and its partners at NSA, improving cybersecurity to a level acceptable from a national security standpoint might be impossible in the near term. Analysts who measure the cost-effectiveness of defensive measures in cyberspace relative to the accelerating growth of new cyber attack methods suggest that the defending side in cyberspace is already at a severe disadvantage and that the offensive-defensive gap is widening. Thus, neither the NSA nor any other defense agency will be able to guarantee the complete integrity of Google’s networks. The CIA recently acknowledged that cyber-attacks have already caused multiple power failures in American facilities outside the United States and in 2009, allegations surfaced that Chinese or Russian hackers placed “logic bombs”–software that is harmless now but could be triggered in the future–in the U.S. electric grid.
The vulnerability of U.S. networks, both public and private, was highlighted on February 16 during a simulation by the Bipartisan Policy Center called “Cyber ShockWave.” Organized by former CIA Director, Gen. Michael Hayden, Cyber ShockWave simulated a malware attack on smart phones that escalated until it shut down financial markets and blacked-out New York, Philadelphia, and Washington, D.C. Prominent figures in the defense and intelligence establishments, including former Security of Homeland Security, Michael Chertoff, and former Director of National Intelligence, John Negroponte, took on roles in a mock cabinet attempting to discover the source of the attack and respond, but they were unable to prevent significant damage.
Ironically, the Cyber ShockWave simulation was held at the Mandarin Oriental hotel in Washington, likely an unintentional allusion to one of America’s principle cyber adversaries, China. Cyber terrorists acting without a flag present a significant threat and are perhaps capable of carrying out significant cyber-attacks, but analysts also believe that the cyber-attacks with the highest potential impact likely require the resources of a major power such as China. Besides its presumed capability, incidents like the Chinese Google attack, if U.S. reports are accurate, suggest that China possesses the intent to carry out such disruptions in cyberspace. Although the NSA did not definitively prove Chinese governmental involvement, it has traced the Google attack to computers in a prominent Chinese military academy. American officials, including Hillary Clinton, indicated their belief that the attack was the work of a state-actor, strongly suggesting China as the culprit. “States, terrorists and those who would act as their proxies must know that the United States will protect our networks,” Clinton said, although she provided no further details about what the American response would be.
Given that defensive cybersecurity measures seem grossly inadequate and offensive cyber-capabilities are relatively cheap, officials seem to be thinking seriously about the possibility of some type of punitive response to deter cyber-meddlers like China, attempting to discourage attacks on U.S. networks with the threat of retaliatory action. However, just what that retaliatory action will look like remains a mystery. On the one hand, the United States might choose to deter cyber-attacks by threatening a kinetic response. Such a deterrence posture would frame cyber-attacks as acts of war worthy of conventional retaliatory force but for this reason, presents a risk of escalation that the United States might be unwilling to bear. On the other hand, the United States might respond through diplomatic means or by some form of economic sanction. This, however, might have the converse problem of under-deterring.
Another option that has already received considerable analysis is the deterrence of cyber-attacks by the threat of attacks in kind, through cyberspace. “Cyberdeterrence,” as defense intellectuals like Martin Libicki and Richard Kugler have referred to it, seeks to import the strategic deterrence framework from the Cold War nuclear era to cyberspace, where the weapons of mass destruction would consist of packets of data rather than nuclear payloads. Under such a policy, the United States would respond to any attack on its cyber assets with a calculated cyber-retaliation inflicting similar damage on the attacking state’s cyber networks. The retaliatory attack could be scaled to the severity of the initial attack, warding off both minor cyber-breaches and major cyber-catastrophes–the kind contemplated by Cyber ShockWave.
According to James Lewis, a cyber-expert at the Center for Strategic and International Studies, “The U.S. is widely recognized to have pre-eminent offensive cybercapabilities, but it obtains little or no deterrent effect from this.” Although the secrecy surrounding U.S. cyber-offenses and the lack of any publicly articulated deterrence policy leave the retaliatory threat an attacking state faces from the United States uncertain, Lewis’ statement that the United States receives almost no deterrent effect from cyber-weapons may be an overstatement. The presumed preeminence of U.S. cyber-offenses must force some caution on would-be attackers, even if it is difficult to measure. In some sense, a form of cyberdeterrence is unavoidable. Nonetheless, Lewis and others can point to fundamental challenges facing effective cyberdeterrence, relating to the structure of cyberspace itself. The virtual anonymity offered by cyber networks makes the attribution of any attack problematic, confounding the state trying to direct a retaliatory attack and therefore undercutting the threat to respond in the first place. Even beyond the attribution problem, the propensity for cyber-attacks to lead to unanticipated cascade effects creates the risk of unintended escalation for the retaliating state, making cyberdeterrence somewhat unpredictable.
Despite these and other difficulties, cyberdeterrence might be the best short-term option for protecting against massive cyber-attacks for which there are no adequate cyber-defense measures. Ultimately, effective and reliable attribution itself might be the best deterrence mechanism for potential attackers like China, whose economic interest in fostering growth and encouraging foreign investment will suffer if outsiders lose trust in its cyber networks. But even if the attribution problem is impossible to overcome in a technical sense, it might be resolved at least in part by a renewed emphasis on creative strategic thinking, such as that which occurred during the nuclear age. Particularly since cyber-capabilities are constantly evolving, the influence of deterrence logic will be especially important for shaping cyber-weapons to strategic realities in this formative stage of the cyberwar era.
Image courtesy of CBS News