Offensive Cyber Capabilities Need to be Built and Exposed Because of Deterrence

Tuesday, October 09, 2012

Jarno Limnéll


Within the next couple of years the world will experience more intentionally executed and demonstrated cyberattacks while the development of offensive cyberweapons will become fiercer and publicly more acceptable.

Today, cyber capabilities are essential for nation-states and armed forces that want to be treated as credible players. Cyberspace, the fifth dimension of warfare, has already become an important arena of world politics, especially since we are living in a time in which the lines between war and peace have blurred. The digital world has become a domain where strategic advantage can be either lost or won.

To succeed in the cyber domain is not merely a question of defense, even if we would like to think of it that way – at least not for the nation-states. Naturally, defense capabilities have to be as preventive as possible in order to reduce the effectiveness of the adversary’s – whoever it might be – cyber attack. However, despite the best defensive efforts, intrusions will occur. In the cyber domain, you must also be resilient, i.e. have the ability to withstand attacks and failures, to mitigate harm, more so than what is needed in other domains. Creating cyber defense capabilities and resilience is fairly easy for the public to accept. But they are not enough. Deterrence is also needed, that is, the capabilities and policies to convince others not to launch a cyber attack against you. Deterrence will only be effective if you can build and demonstrate offensive cyber capabilities. To put it clearly: cyber offensive capabilities are an essential element for nation-states to succeed in the current and future reality of both international and security policies. Defense, resilience, and offense contribute to a country’s overall ability to protect itself. You need them all.

From nuclear to cyber deterrence

Deterrence theory was developed in the 1950s, primarily to address the new strategic challenges posed by nuclear weapons. During the Cold War, nuclear deterrence was able to keep the United States and the Soviet Union in check. Nuclear deterrence was the art of convincing an enemy not to take a specific action by threatening it with intolerable punishment or unacceptable failure. The theory worked well.

Based on that logic, cyber deterrence should play a similar role in the digitalized world. However, the anonymity, the advantage of attacks, and the global reach and interconnectedness greatly reduce the efficiency of cyber deterrence. At the same time, there are suspicions and rumors surrounding the kind of capabilities others have and how they are already using those capabilities.

In the kinetic world, it is much simpler to evaluate an opponent’s capabilities. It is typically quite easy to accurately estimate how many tanks, interceptors, or submarines a given country possesses. Countries also openly expose their arsenal, in military parades for example, or their operational skills, by organizing large military exercises. In the logic of deterrence, even more important than having the actual capability is the perception of having that capability.

Awareness prevents conflicts

Deterrence depends upon effective communication between a state and the entity it wishes to deter. You have to convince your enemy that if you’re attacked you have the capability and capacity to do something about it. This is also the case in the cyber domain. If a country wants to be a credible player in the cyber domain, it should openly declare its offensive policy and expose its offensive capabilities. The policy acts as rules for engagement. This is a trend some countries are already moving toward. For example, for the first time since World War II, Germany has publicly disclosed it is developing offensive weapons – cyber weapons. Also, in the latest Cyber Strategy of the United States, an offensive cyber policy is emphasized, and it has been said publicly that the U.S. Defense Advanced Research Projects Agency (DARPA) is focusing its research on offensive cyber capabilities. Many countries have also announced that the response to a cyber attack is not limited to the cyber domain.

The world’s nation-states need to start talking openly about their offensive cyber capabilities and their readiness levels – just as we discuss missile arsenals or submarine fleets. We talk about great military exercises happening in the kinetic world, but very seldom do we publicly address events happening in cyberspace. Today, countries are aware of and appreciate the kinetic capacities that others have. This is one reason why there are relatively few wars in the world. Awareness prevents conflicts, at least between nation-states, and raises the threshold to conduct an attack. The defense policy of many countries is based on this assumption – if you have a strong enough military capability and are able to reveal your strength to adversaries, the likelihood of your being attacked decreases.

The challenge of attribution

Much discussion lately has focused on the problem of attribution, which differentiates the logic of cyber warfare from that of other domains. Yes, attribution is difficult because it lacks the obviousness of a kinetic attack and leaves no physical evidence. Attacks can also be masked or routed through another country’s networks. Even if you know for sure an attack came from a computer in a certain country, you cannot be sure the government is behind it. It is hard to deter if you cannot punish, and you cannot punish without knowing who is behind an attack. Moreover, hitting back against the wrong target not only weakens the logic of deterrence but creates a new enemy. This allows totally new players – terrorists – to engage in warfare formerly undertaken only by nation-states. That being defined, cyber terrorists may take advantage of the situation where minimal offensive capabilities exist.

Attribution is difficult, but it is not impossible. It requires both technological solutions and diplomacy – in particular, deep international cooperation. Communication channels between countries should also be created for use when something extraordinary happens in the cyber domain. I am convinced that when countries start to discuss their cyber capabilities more openly and to admit offensive strategies (which, in any case, are the reality) international cooperation with regard to the rules and norms in the cyber domain will become politically easier to approach. Where there is a will there is a way.

At the same time, it is interesting to note that certain players, in order to achieve political advantage, have deliberately started to claim responsibility for conducting cyber attacks. This has been the case with Stuxnet. The U.S. government has unofficially admitted the attack in order to take credit for it – before the presidential elections. By admitting Stuxnet, the United States also demonstrates that it has the capability and willingness to use an advanced cyber weapon against an adversary. This is a strong message of deterrence.

Offensive weaponry is needed for credibility and deterrence

A serious discussion on cyber offensive weaponry must be launched. As emphasized before, for armed forces and nation-states there is today no credible status without cyber capabilities and this includes offensive capability. The arms race is on and accelerating, even if we would like to turn a blind eye to it. However, right now the most heated race is for the recruitment of talented individuals because in the creation of cyber capabilities it is not simply about the number of people that you have. The U.S., China, Russia, and many other countries are actively recruiting promising hackers. But so are, in all likelihood, al-Qaeda and other terrorist organizations. The race is on for the most talented individuals who can create cyber capabilities.

In most countries it is not popular or even desirable to publicly talk about offensive cyber weaponry. However, it has now become necessary to explain the logic of offensive cyber capabilities to the general public. Naturally, this has to be done in different ways in different countries, due to varying cultural and national sensitivities. Regardless, the reasons why countries are developing offensive weapons and why they need them can be summarized in four points.

First, if you want to be a credible player both on the military battlefield and in world politics, you must have offensive capabilities, just as you must have defensive capabilities and the ability to be resilient. You simply cannot have a credible cyber defense without offensive abilities.

Second, in order to achieve and raise your deterrence, you must possess offensive capabilities. The ability to act offensively includes a strong preventive message to others, provided they understand it and believe it. Offensive capabilities represent the key components of deterrence.

Third, offensive thinking and building weaponry are vital in order to create a stronger and credible defense. With only “defensive thinking” you will not succeed. You have to understand how an attacker acts and you must try to find all possible vulnerabilities in your defense. You must also develop your defensive potential, by testing your current defense and training your forces. All this becomes much more efficient if you can test it with your own capabilities. Without the ability to act as an attacker, no country can build an effective and credible cyber defense.

Fourth, agility and the concept of operations for smart defense are the reality in today’s warfare in most countries. Just by being defensive, you will never achieve your objectives, regardless of how comprehensive your grand defensive doctrine is. In some cases, as it has been in the past, attack is the best defense. You cannot stay in bunkers, you have to be an active defender and grab the initiative when it is needed. Passive defense alone will not work. In short, when the lights go off – how will you defend with kinetic weaponry against your non-kinetic adversary?

Disclosing offensive weaponry becomes more visible and includes great risks

One of the biggest challenges and threats today is that countries are secretly developing and using their offensive cyber capabilities. The trend is very worrisome. Offensive cyber weapons have already become so sophisticated that they are able to produce major disturbances by paralyzing the critical infrastructure of society. The end result is that people will die.

In every domain of warfare, you have the concept of deterrence, which consists of the real capabilities, the doctrine, and the awareness of others to understand your capabilities. Merely talking about offensive cyber weapons in general terms, without revealing or even demonstrating your capabilities, will not advance deterrence.

Currently, cyber warfare initiatives work by the rules of guerrilla warfare capabilities. However, this aspect will change – soon. As four-star general James Cartwright has said: “We've got to step up the game; we've got to talk about our offensive capabilities and train to them, to make them credible so that people know there's a penalty to this.” Just as with kinetic weapons, your adversaries must know the weaponry you possess. To show deterrence, nation-states must be able to show their capabilities without sacrificing the advantage that surprise delivers in defense and in offense.

In the next couple of years, nation-states will expose their offensive cyber capabilities more openly in order to enhance their deterrent effect. Nation-states will demonstrate their capabilities by organizing exercises and simulations which will be openly reported, and the effects of some offensive capabilities will be disclosed. However, in all likelihood this will not be enough.

Nation-states are forced to conduct cyber attacks in real situations and against real targets. This will mean attacks against terrorist or activist groups, industrial plants, or possibly even against other states. After these attacks, nation-states will claim responsibility in order to increase their cyber deterrence. As an example, in May 2012 Secretary of State Hillary Clinton announced that U.S. cyber specialists attacked sites related to al-Qaeda which were trying to recruit new members. This was a strong political message of intent to use cyberweapons. It was a glimpse into the future of cyber warfare – and into building deterrence.

Naturally, the question of using cyberweapons is controversial. When nation-states and other players start to increase the use of their cyber offensive capabilities, there is always the possibility of escalation. One event can quickly lead to another, and a greater conflict can ensue, as history has shown us. There is also the serious question of unexpected side effects that may occur when releasing cyberweapons. The end result could be, in the worst case, total darkness of the unpredictable and interlinked digitalized world, even if that was not the original intent. Cyber deterrence within the area of operations may be very difficult to limit.

When nation-states think about the creation of cyber deterrence, they face these challenges. Something that is secret cannot be used as a deterrent. At the same time, too much detailed information can reveal vital information about what these weapons can do. That can then make it easier for adversaries to defend themselves by blocking the vulnerabilities that these weapons exploit. Being too open in discussing or demonstrating cyber capabilities is likely to accelerate the cyber arms race even more and in ways that might be self-defeating. However, if adversaries know that the digital infrastructure is resilient, that there is a credible threat detection and prevention system in place, and that the capability to conduct a counterattack is there, deterrence is much more viable.

Civilians on the front lines of the cyber battle

It is important to understand that cyber deterrence cannot be undertaken by a government or an army alone. The general public must also be involved. Civilians are on the front lines of the cyber battle – every day. For example, if a significant number of home computers in a country have no firewall or anti-virus software installed, attackers will exploit these vulnerabilities each day to secretly take over and remotely operate thousands of computers, turning them into botnets. This turns a nation into its own adversary.

The importance of the public is central in creating cyber deterrence, not only because of the need to raise the general awareness about cyber security, but also because actions must be taken on an individual level. Every one of us has a role to play when our country is trying to create more efficient cyber defense capabilities and to be more resilient as a society. This, in turn, could give rise to a new chapter in our nation-state’s economy and politics.

Countries are building offensive cyber capabilities and will begin to use them more openly. However, if the general public does not understand the significance of offense being part of defense, it will be much more difficult to use these weapons openly in order to strengthen a country’s cyber deterrence. If the public does come to understand the logic – and seriousness – of creating offensive cyber weapons, the threshold to use these weapons should rise because there will be a resulting understanding of their devastating consequences. Along with that understanding will come what is most urgently needed – deterrence.

CP Constantine: Wow.. just.. *headdesk*.

Look, while I can agree with disclosing capability as being in lockstep with the doctrine of deterrence through visibility of force, your talk of 'disclosing weapons' just tells me that you need to sit down and learn some basic programming skills, or learn why exploits are '0-day' for precisely ...Zero Days!

'cyberweapons' are not physical objects, they are digital, and thus, are just /ideas/.

'cyberwar' has /zero/ in common with 'weapons', and plenty to do with espionage and sabotage.. *both of which only work when knowledge is limited*.

As a spy, you conceive a new 'spy weapon' to enable you to move information undetected through intensive searches by the border guards. So do you announce to the world how this method works to 'deter' them? No, even saying that you /have/ a method to get information past them would be unwise.

Likewise in sabotage (aka 'terrorism' today), even announcing that you have 'an undetectable way to get explosives past security' would be a ridiculous announcement (though it would certainly assist the 'terror' portion, it's not going to make blowing things up any easier).

So, by all means discuss that you have 'capability' (the world is used to such meaningless saber-rattling), but showing the world what you have today, is meaningless, because tomorrow it will be worthless anyway.

Stuxnet worked only because /it was used/.. Announcing its existence would be met with derision, and showing the world how it worked would have led to its obsolescence. To make the comparison to the nuclear deterrent, would that have worked so well if announcing the payload, meant that the enemy could immediately render that payload useless? Likewise, if the only way to prove that you possessed nuclear weaponry at all, was to drop a bomb on a neighboring nation? The nuclear deterrent would have been no such thing, only the acceleration of Armageddon.

Yet, that is the state of the playing field in this much-vaunted 'cyberwar', as pundits desperately try to map stagnant models of wars past onto new things, to try and stay relevant. The fact that an existing model (espionage and sabotage) fits the new territory quite adequately is not enough for people however, such subtleties are lost in the need to justify ourselves for having always been at war with Oceania.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
