
NAVAL WAR COLLEGE

Newport, R.I.


Deterrence in the Cybered Age


by
Lieutenant Commander Guy M. Snodgrass, USN

A paper submitted to the Faculty of the Naval War College in partial satisfaction of the requirements
of the Mahan Scholars Advanced Research Program.
The contents of this paper reflect my own personal views and are not endorsed by the Naval War
College or the Department of the Navy.

01 February 2012

List of Abbreviations

3G: third generation of wireless handset technology for data transfer
APT: advanced persistent threat
ASEAN: Association of Southeast Asian Nations
C4ISR: command, control, communications, computers, intelligence, surveillance, and recon
COG: center of gravity
CNA: computer network attack
CND: computer network defense
CNE: computer network exploitation
CYBERCOM: U.S. Cyber Command
DDOS: distributed denial-of-service, a common form of computer network attack
DHS: U.S. Department of Homeland Security
EMC: A multinational data storage corporation
EU: European Union
GPS: global positioning system
IP: intellectual property
IPv6: Internet Protocol version six
ITU: International Telegraph Union
NSA: U.S. National Security Agency
RSA: Security Division of EMC Corporation
SCADA: supervisory control and data acquisition
TTP: tactics, techniques, and procedures
Wi-Fi: wireless ethernet, short for wireless fidelity. IEEE 802.11a/b/g/n specification
WRM: war reserve mode
WTO: World Trade Organization
UN: United Nations

The Cybered Age


To secure to one's own people a disproportionate share of such benefits, every effort was made to exclude others, either
by the peaceful legislative methods of monopoly or prohibitory regulations, or, when these failed, by direct violence.
-- Alfred Thayer Mahan1

The United States (U.S.) finds itself firmly entrenched in a Cybered Age. This new age
presents the opportunity for unfettered access to the global commons, near instantaneous
communications potential, ability to access remote data from any location, and significant financial
rewards. These new opportunities, however, create a uniquely paradoxical relationship. While our
networked systems provide a heretofore-unprecedented ability to share information and collaborate
across the globe, our desire to increase our networked footprint has exponentially increased the risk
of exploitation or attack to our computerized systems.
RSA, the Security Division of EMC Corporation, announced in March of 2011 that their
security systems identified an extremely sophisticated cyber attack in progress against RSA.2
Undisclosed hackers used a phishing campaign against a small subset of employees to compromise
RSA's SecurID token, a two-factor authentication technology used to restrict access to sensitive
networked information.3 Lockheed Martin, a large aerospace defense contractor and RSA client,
followed suggested security protocols after the SecurID breach, only to succumb to hackers two
months later, prompting RSA to reissue security tokens for all their clients at a cost of more than
$66.3 million.4
Nine months later, in December of 2011, Iran made a surprise public announcement that it
had successfully captured a remotely piloted U.S. command, control, communication, computers,
intelligence, surveillance, and reconnaissance (C4ISR) aircraft, the stealthy RQ-170 Sentinel.5 Iran
subsequently released a video of the alleged spy plane, which showed a largely undamaged aircraft in
excellent condition. The lack of significant damage to the aircraft led analysts to comment publicly
that the aircraft was likely downed by a cyber attack or by spoofing the control signals or global
positioning system (GPS) used by the aircraft, rather than by hostile action or mechanical failure.6
Actions in cyberspace aren't limited to espionage or spoofing. Destruction of critical U.S.
infrastructure is also possible through a networked cyber-attack. To demonstrate the vulnerability
inherent in the U.S. national power grid, the U.S. Department of Homeland Security (DHS)
conducted a targeted cyber-attack on a remote electrical power generator at the Idaho National
Laboratory in March of 2007, dubbed Project Aurora.7 The diesel generator, connected to an
isolated power grid, was hacked via the supervisory control and data acquisition (SCADA) interface.
Created to allow remote operation of industrial equipment, the SCADA system vulnerability allowed
the hacker to change the output frequency of the generated electricity, causing dangerous surges that
ultimately destroyed the $1 million generator.8 The test proved that the U.S. domestic power grid,
subdivided into three predominant zones, could be hacked and potentially crippled unless
additional security measures were implemented, leaving the U.S. at substantial risk of a debilitating
cyber attack.
Whether facing cyber-espionage, cyber-hacking, or cybercrime, the increasingly networked
architecture of the U.S. places it at greater risk for exploitation. Cyber espionage, in particular, levels
the playing field dramatically against technologically developed nations, creating a uniquely
asymmetric threat. Hacktivists with relatively limited means have proven they can successfully
exfiltrate intellectual property (IP) from corporations that required years to research and billions of
dollars to develop. Technologically advanced nations are at risk of losing their most valued asset,
their information, unless they develop the ability to defeat or deter such an adversary.

Carl von Clausewitz, a Prussian soldier and classical German military theorist, postulated that
the major characteristics of belligerents form centers of gravity, which become the hub of all power
and movement, on which all depends.9 As nations have embraced an increasingly accessible world
through networked architecture, the Internet and the systems that access it have become a
significant center of gravity. This is especially disconcerting considering that hackers have routinely
demonstrated that advances in cyberspace, such as increasing the number of networked computers
or development of sophisticated exploitation techniques, are inherently destabilizing. Unlike
conventional weapons, in cyberspace the offensive action is consistently more powerful than the
defensive one, due to the rapid advances in technology and increasing numbers of networked
devices. Likewise, unless completely isolating a system from networked or remote access, no
defensive system can assure denial of an unrelenting attack by a skilled adversary.
The purpose of this paper is to review the current state of deterrence as it applies to state
actors in cyberspace, identifying key differences from the more traditional forms of deterrence used
when nuclear and conventional weapons are being considered. To highlight the differences between
conventional, nuclear, and cyber deterrence, it is necessary to discuss the general theory of
deterrence and its evolution throughout history.

Early Deterrence Theory


Deterrence theory first gained prominence during the Cold War standoff between the U.S.
and Union of Soviet Socialist Republics (USSR). In reality, the understanding of basic deterrence
theory has existed for thousands of years. Deterrence is, in the most general sense, the ability to
discourage (someone) from doing something, typically by instilling doubt or fear of the
consequences.10

In The Art of War, a seminal work attributed to Chinese General Sun Tzu and
published in 200 B.C.,* several lessons are presented that touch on deterrence strategies. Sun Tzu
makes an argument that against those skilled in attack, an enemy does not know where to defend;
against the experts in defense, the enemy does not know where to attack.11 This suggests that in
deterrence calculus, a skilled defender should strive to confuse the attacker and hide any obvious
weak points (creating a strong case for assurance, to be discussed later). Several additional
statements from The Art of War demonstrate an early understanding of basic deterrence
concepts:

If we do not wish to fight all we need do is to throw something odd and unaccountable in his way.12

Though the enemy be stronger in numbers, we may prevent him from fighting. Scheme so as to discover his plans and the likelihood of their success.13

Rouse him, and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots.14

* An argument exists that the text may have been published at any point during a fairly wide expanse of time, as Sun Tzu is assessed to have lived sometime during the period of 722-221 B.C.

Carl von Clausewitz discusses deterrence theory concepts, though not overtly, in his seminal
work On War. He argues that, in war, the value of the objective should be weighed heavily
against the ways and means required to achieve it. If there comes a time where the cost to achieve
the object outweighs its perceived benefit, pursuit of the object should cease.15 Clausewitz also
discusses a war by algebra, a critical analysis of the parties involved in a conflict (or potential
parties). If the net assessment indicates that a potential adversary has a military capacity that is equal
to or better than our own, we may be deterred from initiating a conflict. Likewise, if the potential
adversary can make us believe that their strength is greater, the better off they will be. While not
directly addressing deterrence, Clausewitz's work is the classical text discussing warfare between
nation-states. An important part of deterrence theory is convincing one's adversary that the
perceived benefits of taking a desired course of action are either too costly to pursue or will result in
failure to achieve the desired objective.
Both Sun Tzu and Clausewitz place a premium on taking the offensive, through either overt
or stealthy means. Clausewitz advances the discussion of offensive and defensive warfare, noting
that while attacking is the positive form of warfare, defense is the stronger form. This is because a
defender can use any absence of fighting to strengthen their position, while the attacker must
expend considerable time, energy, and effort to meet the defender at the chosen place of battle. Sun
Tzu and Clausewitz both agree, however, that defense is only a transitory position, to be maintained
only until strong enough to attack. This important distinction, and possible misunderstanding, of
their doctrine resulted in the use of trench warfare during World War I, the emphasis being placed
on offense. While establishing some basic principles that appear recognizable, neither theorist
espouses defense or deterrence as a fundamental strategy.

Deterrence Theory in the Nuclear Age


The detonation of two nuclear weapons to hasten the end of World War II abruptly altered
the calculus of war. The creation and use of a weapon capable of destroying an entire city required a
thorough re-evaluation of military strategies. More specifically, how should two or more nations
with a nuclear arms capability approach, and avoid, a direct confrontation with one another?

Several notable theorists, in their pursuit of answers to the nuclear question, rose to
prominence during this period. Two in particular, Bernard Brodie and Thomas Schelling, are
widely recognized for their contributions to deterrence theory. Brodie, a Ph.D. and RAND
Corporation analyst, published two books that laid the initial foundations for nuclear deterrence:
The Absolute Weapon: Atomic Power and World Order and Strategy in the Missile Age.
In The Absolute Weapon, Brodie recognizes the shift from conventional warfare with his
now famous quote: "Thus far the chief purpose of our military establishment has been to win wars.
From now on its chief purpose must be to avert them. It can have no other useful purpose."16 He
advocated that due to its smaller size (compared to the USSR), the U.S. military should focus on a
strategy threatening the deployment of nuclear weapons. He theorized that the use of nuclear
weapons, even in a limited context, would prove inherently destabilizing since it provided the
Soviets a credible reason to use nuclear weapons in a first-strike capacity (having the numerically
superior conventional force). In Strategy in the Missile Age, Brodie notes that unlike previous
weapons throughout history, thermonuclear weapons are inherently strategic in nature, and should
therefore be treated differently.17 He continues with an analysis of other Nuclear Age theories, such
as preventive war, pre-emptive attack, and massive retaliation. Each is rejected because of the
catastrophic costs associated with miscalculating with nuclear weapons, and all are supplanted by a
theory of mutual deterrence, where each actor retains a retaliatory strike capability.18
Where Brodie focused specifically on a theory of strategic deterrence, Schelling targeted the
more abstract. An economist and Nobel laureate, Schelling produced several works that espoused
the importance of understanding the effects of communication, perceived weakness, third party
participation, and the impact of explicit and tacit bargaining.19 His work stresses that in many
situations, bargaining is strengthened by a perceived weakness, such as retaining the ability to receive
messages but being unable to transmit them. If the other party is aware of this weakness, they are
now placed in the position of having the responsibility to accept the weaker party's offer or
demand, knowing that they cannot receive a counter-offer. In particular, he stresses that in
bargaining, weakness may be strength.20 Deterrence is largely affected by equal parts of credibility
and uncertainty: that you have the capability and willingness to take a threatened action, and the
uncertainty by both parties that neither has total awareness of the situation, resulting in restraint.

* Bernard Brodie was also instrumental in creating the widely adopted English version of Clausewitz's On War with
the Princeton University Press, which undoubtedly influenced his views on deterrence theory.

This period of history represents one of transformational change for strategists.
Traditionally, as Clausewitz stated, defense was considered to be the strongest position in warfare.
With the advent of incredibly powerful nuclear weapons, strategists were faced with the specter of a
strike first mentality, where a nation could attempt to defeat its opponent with a swift nuclear
attack. Recognizing the inherent instability created by the strike first and massive retaliation
mentalities, and because of the massive potential for mistakes, U.S. nuclear strategists quickly settled
on a strategy of deterrence through a retaliatory strike capability, or mutually assured destruction.
This period also resulted in a strategy that largely fell along two lines: deterrence by denial, and
deterrence by punishment.
Deterrence by denial seeks to influence an adversary by convincing them that you can defeat
their endeavor, and deny them their objective. Deterrence by punishment, on the other hand,
convinces your adversary that you have the capability and resolve to punish them for their actions.
Both forms have largely framed the discussion of deterrence for the past few decades.

A Second Age of Conventional Deterrence


Despite the incredible destructive power of nuclear weapons, and the rapid technological
advancements that allowed them to be scaled down for tactical use, they were never employed
again after Hiroshima. In 1959, Lt. Gen. James Gavin stated his belief that nuclear weapons would
become part of the conventional inventory.21 Despite the best efforts of the Eisenhower
administration to retain nuclear weapons for isolated use, the global stigma surrounding the weapon
made this a non-starter. In his Nobel lecture, Thomas Schelling commented that "[t]he most
spectacular event of the past half century is one that did not occur. We have enjoyed sixty years
without nuclear weapons exploded in anger."22
Several factors can explain this policy of non-use: the assessment of nuclear weapons as
unique and different from other types of weapons,23 a global taboo regarding their use,24 and the
belief that nuclear weapons are the ultimate weapon and therefore carry significant restrictions on
their use.25 Regardless of the specific reasons, what matters for our analysis of deterrence
theory is that the global population and decision makers believe the use of nuclear weapons to be
taboo, not the taboo itself.
Michael Gerson notes that "[t]he nuclear taboo reduces the credibility and therefore the
utility of nuclear weapons, especially against regimes not possessing nuclear weapons."26 In
particular, the nuclear taboo has existed for so long that many nations doubt the use of nuclear
weapons in a conflict is acceptable, and therefore do not consider it realistically plausible. On the other hand, the
United States has a large, well-trained conventional military force and has proven to be more than
willing to use it in regional conflicts as required throughout the world (Iraq, Afghanistan, and Libya
are but the most recent examples).
This neutralization of the primacy of nuclear weapons in deterring aggression signals a
significant change in deterrence theory. If conventional weapons are the greatest determinant of
peace through deterrence, Gerson writes, it is largely for three interrelated reasons. First, in
determining whether to initiate hostilities, nations assess the potential for limited conventional
strikes to achieve quick victories. Second, to deter an attack the defender needs to convince the
aggressor that his actions will be neither quick nor low-cost, raising the specter of a protracted, and
costly, conflict (deterrence by denial). Third, much like Clausewitz's war by algebra, the quantity
of conventional forces in the region will play a large role in determining whether or not an aggressor
chooses to initiate hostilities.27
This shift in deterrence theory in recent years signals a return to the bedrock principles of
deterrence writ large. The credibility of the involved nations, the capacity to act, and the ability to
deny success through the assumption of local superiority all remain critically important. Before
determining how to apply deterrence in cyberspace, it is important to identify what makes
cyberspace unique, and cyber-deterrence different.

What is Cyberspace?
Cyberspace is defined as the online world of computer networks and especially the
Internet.28 For the purposes of this discussion, cyberspace includes any networked electronic
system, such as home and business computers, cellphones, data storage centers, and the network
architecture itself. Any device that can communicate with another through a network is a part of
cyberspace and potentially accessible, and therefore at risk of cyber-crime, cyber-espionage, or
cyber-attack.
Cyberspace is unique in many ways, which can help to explain the difficulties in establishing
an effective deterrence strategy. As a tremendously large network of computerized devices,
cyberspace has a global reach and contains an unimaginable amount of information. When
discussing deterrence, putting aside the actual act of defending computer networks, understanding
what cyberspace is in a physical sense isn't necessarily as important as how the average user perceives
cyberspace. This perception of cyberspace will significantly affect the way that the U.S. formulates
and refines a successful deterrence strategy.
First, cyberspace is perceived as neither unique nor taboo. Quite the contrary, cyberspace is
an extension of decades of research into computers and electronic devices, providing a slow and
steady transition, facilitating widespread public acceptance. The use of networked devices and the
Internet has become so ingrained in everyday life that it is commonly treated as a continuously
available commodity, like electricity, telephone service, or even water. As former U.S. President Bill
Clinton put it in 2000, "Advances in computer technology and the Internet have changed the way
America works, learns, and communicates. The Internet has become an integral part of America's
economic, political, and social life."29 Cyberspace is now considered to be a common and accepted
part of everyday life.
Second, people expect cyberspace to be easily and readily accessible. Twenty years ago, a
significant amount of skill was required for the average person to access online services, typically
a loose consortium of electronic bulletin board systems. The switch from dial-up modems to a
continuously available digital subscriber line (DSL) or cable modem has changed the way that people
create a connection to the Internet. Ten years ago, when modem use was prevalent, accessing
cyberspace required forethought and a conscious decision prior to initiating a temporary connection
into cyberspace. Now, with inexpensive, persistent, and pervasive options, a majority of users are
always connected to the Internet, substantially changing the way users view cyberspace access.
Even more importantly, people who have access to networked electronic devices expect to
retain this capability. Any possible attempt to bolster security or protect intellectual property, if it
suggests a possible restriction on that access, is met by stiff resistance. Two recent examples are the
stalled Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) legislative bills in the U.S. House
of Representatives and Senate, respectively.30 In an even more extreme example, an outage of a few
days in the Blackberry Messaging System in 2011 caused outrage and disbelief amongst its
customers.31 Users have quickly adapted to persistent Internet connections, and any loss is
immediately noticed and reacted to.


Third, users expect cyberspace to provide near-instantaneous global access. This signals an
expectation that the global data set is available for access from the user's home area, and that when
traveling they will retain the same level of access. Users expect to have the capability to send
electronic mail to friends and colleagues around the world. Similarly, users also expect that when
they travel within their own country, or outside national borders to another country, that they will
have access to cyberspace. Today, with the prevalence of wireless ethernet (Wi-Fi), cellular data
(3G), Internet-capable handsets, and laptop computers, the Internet is typically expected to just
work. A subset of this perception is that users also expect that once information is sent to another
party, that it will arrive near-instantaneously and with a 100 percent success rate.
Fourth, users expect cyberspace to encompass a majority of the world's known knowledge
base, and further believe that it is accurate. What began as a basic packet switching network
designed to share information between four academic institutions has now grown to encompass
hundreds of millions of devices.32 As cyberspace itself has grown, so has the sheer volume of
information and data available to users. Large data-aggregating sites like Wikipedia, Amazon, and
Google have made accessing the enormous volume of available information a manageable task. In a
speech in 2005, Eric Schmidt, the former Chief Executive Officer (CEO) of Google, stated that the
Internet was estimated to encompass five million terabytes of data, with Google accessing only a few
percent.33 Even if one can conceptualize the sheer size of cyberspace, it is still merely a reflection of
data accessible via a networked connection, largely excluding offline sources. In many instances it
can reflect opinion, not fact. Users, however, tend to believe that the data and knowledge are
inherently true.


Fifth, users expect cyberspace to be treated as public domain, with unrestricted and
unfettered access to information.34 35 Most users presume that they will encounter minimal limits
on the amount or type of information they are able to access. While services like Google Books
pursue a searchable reference to a majority of published works, an unintended consequence is that
more and more users expect to have no-cost access to copyrighted works.36 Conducting research
for this paper reinforces this belief, with most references freely accessible on the Internet in some
form or fashion. Additionally, once electronic files have been released to the Internet (regardless of
classification), users expect they will be able to access the information contained therein. Bradley
Manning's release of classified Department of Defense (DoD) and Department of State (DoS)
documents in 2010 as part of the WikiLeaks campaign is a recent example of such a phenomenon.37
Sixth, cyberspace is not a physical entity. As such, there are limited physical or safety-related
consequences stemming from its use.** Cyberspace has the appearance of being limitless and
resilient, because information tends to reside in clusters of networks, and not on any one individual
computer.*** The recent acknowledgement by Lockheed Martin that hackers exfiltrated
information related to sensitive national security related programs demonstrates this principle: the
stolen data is threatening to national security experts, but for most U.S. citizens, it was largely
regarded as business as usual. Where is the discernible effect? Except in rare instances of identity
theft, which can create financial distress for a user, there appears to be no significant personal or
physical consequence in using cyberspace. This belief may also explain why users tend to share
more personal information about themselves online than they would in a room full of known
associates.

* Notwithstanding the obvious restrictions placed on access by several nations.
** Issues like cyber-bullying are largely predicated on a user's personal perception and reaction to cyberspace
information, rather than use of cyberspace itself.
*** A new norm established largely due to the work of companies like Akamai, which maintain regionalized data
centers to provide faster local access to information that would usually reside in a remote location. This technique
provides resiliency, speeds up access, and reduces network throughput to any one geographical area.

Finally, cyberspace has its own community, largely independent of national boundaries.
Users can play networked video games against multiple users around the world; what was once a
novelty is now considered commonplace. Large communities of users spring up for a variety of
reasons. Millions of users around the world are actively involved in massively multiplayer online
games, or MMOGs. An Internet sensation, Myspace was the first widely accepted online portal for
users to share information about themselves in a public fashion. Since its inception, social media
sites like Twitter, Facebook, and LinkedIn have replicated this success. It is not outside the realm of
possibility that as the use of cyberspace continues, national boundaries might begin to blur to
accommodate online groups.
Knowing what cyberspace is, and understanding the limitations and vulnerabilities of the
networked systems connected to it are important, especially when discussing defense and security.
When discussing deterrence, however, it is more appropriate to understand how people perceive
cyberspace. For most, cyberspace is perceived as a social and communication medium disconnected
from reality, providing unprecedented opportunity for freedom of expression and access to nearly
limitless information on a continuously available and relatively secure basis.
Approaches to cyber deterrence should also be expected to change, as we are currently
experiencing a significant generational gap. Many of today's policymakers remember a time before
the pervasive, always-on Internet, and for them stepping away from access is acceptable. For those born in
the 1990s, however, it is considered commonplace and normal to always be connected, and losing
the connection can be quite painful psychologically. One cannot overstate the complications this
may create in crafting a one-size-fits-all deterrence strategy.


Deterrence in Cyberspace
The nuclear taboo and a return to a second age of conventional deterrence may yield
important details when creating a pathway for deterrence in the Cybered Age. Cyberspace
represents an entirely new domain that we don't entirely comprehend. As Eric Schmidt stated,
"[t]he internet is the first thing that humanity has built that humanity doesn't understand, the largest
experiment in anarchy that we have ever had."38 This rapidly changing domain requires a new,
holistic approach to deterrence, and quickly. During the release of his Cyberspace Policy Review in
2009, U.S. President Barack Obama declared that the cyber threat is one of the most serious
economic and national security challenges we face as a nation.39
One of the first problems to analyze is the efficacy of deterrence in cyberspace. In a lecture
at the University of Rhode Island campus, well-known cyber advocate Richard A. Clarke said that a
majority of nefarious actions in cyberspace can be split into four major areas: cyber warfare, cyber
crime, cyber hacking, and cyber-espionage.40 He further defines cyber warfare as actions by a
nation-state to penetrate another nation's computers or networks for the purposes of causing
damage or disruption.41 Of the four types of cyber activity listed above, cyber warfare has come
the closest to responding to traditional forms of deterrence, but why?
Cyber warfare is arguably the cyber activity most likely to result in permanent or semi-permanent
damage to a nation-state, either through physical damage or political repercussion.
Because of this, nations with the capacity to wage cyber war appear hesitant to employ cyber attack
techniques. To be sure, every cyber-capable nation is continually seeking to learn more about
possible avenues of approach in employing cyber weapons. This is to be expected given the concern
that cyber warfare will probably be used in concert with actual, or kinetic, warfare in future conflicts.
This was demonstrated recently in two separate instances: the 2007 cyber attacks on Estonia,42
which only included cyber attacks, and the cyber attacks on Georgia in 2008, which included
additional military intervention.43 Even now, years after the incidents, public attribution for the
attacks has been slow in coming, though most experts point the finger at Russian involvement.
Several national-level concerns make cyber warfare inherently self-limiting: fear of
attribution, an opponent's ability to respond in kind, and exploitation of techniques, tactics, and
procedures (TTPs). While nations may desire to stockpile cyber techniques for future use, to use
them risks possible attribution and international admonishment. This could imperil ascendency
onto the global stage for nations seeking to increase their political strength. While not tied to
cyberspace activities, China recently experienced this type of negative press effect because of the
assessed lack of diplomatic skill displayed when handling the 2010 Senkaku Islands dispute with
Japan, as well as numerous ongoing disputes in the South China Sea.44 The end result has been a
recent resurgence of anti-Chinese sentiment in the Asia-Pacific region, emphasizing the importance
of remaining within international norms.
An opponent's ability to respond in kind with a retaliatory cyber attack also serves as a
strong deterrent. Resilience of cyberspace capabilities may result in an ability to respond or even
escalate the attacks, causing more harm than the perceived value of the original attack. This second
strike capability threatens to raise the cost of a cyber attack above the threshold that a belligerent is
willing to pay. Much like a nuclear attack, first strike with cyber appears to hold the advantage,
resulting in a destabilizing situation. The downside is that if your adversary has the ability to
retaliate, you are likely going to be unable to parry the blow because of network vulnerabilities or
constantly improving cyber techniques. This similarity to the principle of mutual deterrence may
explain the lack heretofore of nation-state cyber attacks on another nation's critical infrastructure.

* Although experts have coalesced around Russia as the source of both attacks, it is unclear if it was a purely military
action, an action with outside support coordinated by the military, or a response undertaken by skilled civilian
nationalists.
* Attribution carries its own risks. In laying blame at the feet of another nation-state, the accuser risks identifying their
own forensic and intelligence capabilities, thereby potentially weakening their ability to detect future intrusions or
attacks.

At the strategic, operational, and tactical levels, attention must also be paid to the possible
exploitation of a demonstrated cyber attack capability. Unlike nuclear or conventional attacks, once
a cyber attack has occurred and it is well understood, steps can be taken to close the vulnerability in
the attacked system. This truth significantly affects a nation's calculus in using a cyber silver bullet
unless it is absolutely necessary to do so, because of the risk of losing access to the adversary's
vulnerability in the future.
This does not mean that an adversary cannot be expected to use low-level or fleeting cyber
attacks on a periodic basis. All reasonable efforts should be made to identify perceived system and
network vulnerabilities and correct them prior to an attack being launched. Cyber warfare receives
the preponderance of attention because, although less likely to occur than other cyber-related
activities, if successful it could have dire consequences. A cyber attack can target a nation's military
command and control network, critical infrastructure, or networked services in a debilitating fashion.
At the macro level, nations are actively probing the defenses of every other networked
nation, seeking to develop a knowledge base of assessed weaknesses in case of future conflict.
Restraint in the employment of cyber warfare is largely a factor of concern over attribution: can we
be singled out for an act that can be perceived as threatening to the international community? Since
cyber warfare is a conflict fought between nations, and nations are likely to hesitate before
employing such tactics, deterrence should fall along similar lines as conventional and nuclear
weapons. It is therefore the other three activities that we should focus the majority of our efforts on:
the victimless crimes of the virtual world that nonetheless have significant strategic consequences
for the U.S.

** A lack of cyber attacks by state actors might also be because of the absence of recent wars between the states that
possess advanced cyber capabilities. As previously noted, Russia has been attributed with responsibility for cyber attacks
emanating from within its national borders.

For our purposes, cyber-crime is defined as criminal activity or a crime that involves the
Internet, a computer system, or computer technology, and can include cyber hacking and cyber
espionage.45 While separate in specificity, all three share similar traits in a discussion on cyber
deterrence. While cyber warfare risks permanent or semi-permanent damage in a potentially
physical sense, the same cannot be said about other illegal cyber activities. Cyber espionage is a
perfect example. People expect nations to spy on one another as a natural course of life. The
difference in cyberspace is that the actor perpetrating the espionage risks far less than ever before.
At the height of the Cold War, an intelligence officer might risk their life to exfiltrate a few
documents that had been painstakingly removed from a corporate or government office or
computer. If they were caught stealing sensitive information, they might risk imprisonment or
death. Now, through the capabilities and reach of cyberspace, that same operative could remove
thousands of files from a remote location overseas, exposing themselves to little or no physical risk.
The same can be said for cyber hacking or cyber crime. Skilled hackers can be sitting in
front of a computer in a foreign country that exercises very little oversight, while creating a massive
botnet able to launch a distributed denial of service (DDOS) attack. Cyber criminals, such as those
engaged in illegal piracy of software or entertainment industry products, typically set up shop in
hard-to-prosecute locations, though a majority of their users might be in nations with strict anti-piracy
protections.
The problem is that unlike cyber warfare, which people tend to universally recognize as a
significant threat, cyber crime, espionage, and hacking are largely viewed with greater ambivalence.
Identity theft is an example of this psychological barrier. Although most of us have heard of the
potential horrors of having our identity stolen, followed by a malicious thief opening credit cards
and destroying our credit rating, a majority of us have never experienced such an event. As such, we
become used to the constant noise and adopt an "it will never happen to me" attitude. This problem
is only compounded because of how people perceive cyberspace, as a virtual world protected from a
majority of the dangers in the real one.
Cyber espionage is perhaps the greatest singular present-day risk to the U.S. and other
technologically advanced nations. One of the historical strengths of technologically advanced
nations is that they enjoy military, manufacturing, and quality of life advantages to the exclusion of
other, less technologically capable nations. U.S. President Barack Obama acknowledged as much
when he stated, "From now on, our digital infrastructure -- the networks and computers we depend
on every day -- will be treated as they should be: as a strategic national asset. Protecting this
infrastructure will be a national security priority."46 As previously mentioned, before the advent of a
heavily interconnected and networked world, to take information from a technologically superior
nation was to risk potential capture, condemnation, and imprisonment or death. Now, with
cyberspace, the barriers to entry have been significantly lowered, creating a pressing national security
concern.
In light of this problem, how can we impose deterrence in a cybered world against persistent
state actors? One of the first requirements is to establish and emphasize a rules-based international
norm regarding cyberspace and related cyber activities. Several initiatives are underway, with a
multitude of nations creating their own laws internal to national borders. International efforts are
slowly progressing, resulting in agreements like the European Convention on Cybercrime, which the
U.S. Congress has ratified.47 The United Nations General Assembly adopted Resolution 57/239 in
2003, which seeks to create a global culture of cybersecurity.48 The U.N., in particular, should take
the lead in creating and enforcing an international (and legally-binding) approach to cyber norms.
Comprised of 193 member states, the U.N. may represent the best opportunity to foster a sustained
international dialogue on cyber concerns.
Once international laws have been created, pathways for enforcement and tangible
punishment should also be put into place. No effort should be spared in calling public attention to a
nation's cyber activities if they break the agreed-upon cyberspace laws. Financial and political
repercussions should also be considered, through organizations like the World Trade Organization
(WTO), U.N., E.U., ASEAN, and other regional entities. A significant problem that currently exists
is the perceived (and actual) inability to enforce accountability. One way to hold a nation that breaks
the rules accountable is through timely reporting of the incident to the international media outlets.
In 2007, China conducted a test of a direct ascent anti-satellite weapon when it shot down its own
orbiting weather satellite.49 While not necessarily breaking the rules, they were unprepared for the
public backlash surrounding the creation of a large and potentially damaging debris cloud from the
impact, and changed their approach during subsequent actions. In a similar fashion, the media can
bring international attention to an action in cyberspace, damaging the offending nation's reputation.
Dr. Chris Demchak, a professor at the U.S. Naval War College, has also proposed novel
approaches to deterrence in cyberspace, urging a "Cyber-Westphalian" approach.50 This approach
stresses the importance of erecting national cyberspace boundaries that mirror physical territorial
lines. If an electronic information gateway were used to direct the flow of information into and out
of a nation, along with widespread adoption of the IPv6 protocol, it would be easier to conduct
timely forensics of transmitted information. The IPv6 protocol is expected to permit the
assignment of a far greater number of Internet protocol addresses, improving assessment of packet
origination and tracking. Nations should also be expected to effectively police their borders. For
example, if a Chinese non-state aligned nationalist conducted cyber espionage on a U.S. corporation,
China would be held accountable for the intrusion and expected to handle the nationalist internally.
This type of rules-based international approach, if enforced with accountability, could significantly
reduce cyber crime and espionage.
The U.S. should also enforce a whole of government approach to cyberspace issues. All
federal agencies should be actively involved in an ongoing discussion on the best practices in
deterring both cyber warfare and cyber crime. This approach will ensure that often disregarded
issues, like the cultural norms of other nations, are a part of the discussion of how to effectively
combat illicit cyber activities. An organization with representatives from all major federal agencies
can conduct regular war games and exercises to test decision making and interagency communication
structures, and to secure identified vulnerabilities.
A robust, worldwide public relations campaign is incredibly important in establishing the
strategic communication for deterrence in the Cybered Age. Altering the perceptions as they apply
to cyberspace will take time and a sustained effort, and in order to create deterrence against soft
cyber activities, it must be made relevant to users worldwide. Only by raising the level of awareness
of the risks that U.S. citizens face can we forge an acceptable cyber espionage and cyber crime
deterrence strategy.

Cyber Assurance (or Deterrence by Denial)


As previously discussed, deterring cyber warfare is closely related to the historic concept of
deterrence by punishment. Unlike conventional military actions, which permit a nation-state to
threaten physical defeat of an attacking force, cyber crime does not have a similar parallel.
Therefore, deterrence by denial is mainly a factor of what we traditionally regard as assurance. By
ensuring that we have a secure, resilient network, we can deny our adversaries the victories they seek
in the cyber domain.
The creation of real-time dashboards and common operating pictures representative of
network health is critical in communicating the status of our national cyber infrastructure. Even
more so, it is an important part of communicating this status to our senior decision makers, many of
whom might not be technologically experienced. The information presented should be thorough,
accurate, timely, and straightforward.
We should continue to enforce best practices that keep our networks resilient, retaining
enough distributed capability to ensure continued functioning of the network
and attached systems. If potential threats are aware that the U.S. has an incredibly robust cyberspace
network, they may be less likely to attempt to breach it, especially if coupled with a fear of
retribution.
When considering critical U.S. infrastructure, we should consider the isolation of control
systems from the worldwide cyberspace network. The only way to truly secure a system from an
attack or exploitation is to remove all access to it. While this is unrealistic in light of operational
requirements, reducing access via a smaller, proprietary network can reduce vulnerabilities that occur
with greater exposure to the entire World Wide Web.
The U.S. should also consider all available methods to provide protection from potentially
tainted supply chains. The outsourcing of a large amount of the U.S. manufacturing capability has
resulted in reduced oversight for the finished product. Current military, industrial, and consumer
technology includes computer chips that contain millions of transistors and software with over a
million lines of code. Even the best analysts would find it nearly
impossible to guarantee that our software and hardware haven't been altered to inject vulnerabilities
that could be made available to our potential adversaries. If we cannot physically secure the
manufacturing process, which is likely given elevated cost structures, we should strive to develop
automated techniques that can verify the safety of imported electronic items.
Lastly, the U.S. should ensure that the design of cyberspace networks and devices
incorporates security as a primary, and not a secondary or tertiary, concern. Security is typically one
of the last elements incorporated because of the sheer pace of innovation: it is easier to quickly
revise a product's functions when the security element is inserted at the end. If we alter this process,
and incorporate network security techniques in the design phase of a product, we can decrease
vulnerabilities.
This is not an all-encompassing list of potential assurance measures. Instead, it is merely an
acknowledgement that in the cybered age, deterrence by denial is best effected through assurance,
which can be positively affected by thoughtful decision-making and an awareness of resiliency
requirements.

Immediate and Future Concerns


The pace of technological innovation will only continue to accelerate, complicating the issue
of deterrence in the Cybered Age. Cloud computing, which promises the flexibility to access your
remotely stored information anywhere at any time, continues to remove the barriers of traditional
information assurance. As corporations, and their intellectual property, transition to the cloud, all
appropriate steps should be taken to ensure that the information is protected from exfiltration or
malicious modification.
Security strategists must also acknowledge that unintended consequences are likely given the
extremely unpredictable nature of actions in cyberspace. Cyberspace, an extension of millions of
computers and users, responds more like a large social network than it does a rigid machine.
Understanding this difference requires analysis of the psychological and sociological aspects of an
increasingly networked community. This greater understanding will help prepare for the feedback
generated by changing a user's experience in cyberspace in the pursuit of increased security.
Security strategists should also be concerned about the potential for reverse engineering
STUXNET-like programs and similar public domain spillovers. For the wicked actors who seek
to disperse electronic payloads across cyberspace, the Internet serves as an unparalleled conduit.
Unfortunately, cybersecurity personnel are responsible for guarding two fronts in this
scenario: containing the release of the original malicious code, while also preparing to respond to
additional attacks that might occur because of hijacked techniques. Once a program has been
released into cyberspace, it is part of the public domain and other wicked actors might be able to
acquire and modify it for other nefarious purposes.
From a security standpoint, as we continue to learn about deterrence in cyberspace, we
should establish appropriate means to measure normal cyberspace activity, to permit recognition of
potential escalation/de-escalation signals. Studying the patterns inherent in Internet traffic and
social networks will allow security personnel to make better informed decisions about the vector
of an ongoing cyber conflict.

Limitations
It would be difficult at best to cover the entirety of a cyber deterrence discussion in the
space allotted (Martin Libicki's work on the same topic covers more than 200 pages).51 One
conscious decision made was to focus additional attention on cyber crime and espionage above
cyber warfare. Many people, especially in national defense circles, would likely say that cyber
warfare is the greatest threat to our nation's security and prosperity. While I have no doubt that
cyber warfare could have potentially devastating effects, traditional forms of deterrence appear to be
effective in keeping potential adversaries in check. Cyber espionage, however, does not follow this
same deterrence structure and represents a far greater threat to our Nation's prosperity and security
on a continuing basis.
Non-state actors were also largely disregarded in this paper, despite the fact that some might
argue they represent a greater threat than well-defined state actors. The decision to focus on
nation-states was made because of the complexity of a deterrence discussion focused on cyberspace.
Additional work should continue into determining the differences between the actions of state and
non-state actors in cyberspace.
While I have advocated expediency in tackling cyber deterrence, there is undoubtedly good
reason to take a slow, measured approach to the creation of national and international laws
regulating cyberspace usage. Careful consideration of international opinion, possible unintended
consequences, and precedent will undoubtedly result in rules and laws that will better withstand the
test of time. The significant downfall is that cybercrime and espionage are ongoing, and the stakes
attributed to delays are incredibly high. Government agencies, multinational corporations, and
manufacturers are at continual risk of data exfiltration and loss of priceless intellectual property.
Each day of a delay in creating, and enforcing, international laws regarding cyberspace results in the
continual erosion of U.S. technological and information superiority.

Conclusion
Bernard Brodie demonstrated incredible foresight when he said "the swift and tremendous
changes in the technology of war and a proper appreciation for the inadequacies of our analytical
tools reminds us of the basic danger in peacetime of miscalculating the nature of a future war."52
The U.S. must remain vigilant when assessing the changing landscape of deterrence, especially in
light of the rapid pace of technological innovation.
The focus of this paper was to trace the lineage of deterrence, finding points of intersection
that prove relevant to an approach in the cybered age. The traditional view of deterrence is skewed
because of the inherent differences that exist between the physical world and cyberspace.
Cyberspace is a massive substrate in both scope and scale, largely unregulated, and appears to
respond differently to instances of cyber attack and cyber espionage. While the threat of cyber
attack results in visions of damage to U.S. critical infrastructure, it is the permissive nature of cyber
espionage that is currently causing the most harm and represents the greatest immediate threat to the
U.S.
Only through the careful study and analysis of international norms, and the understanding of
the perspective of cyberspace users, can we hope to engender support from the American public to
effectively defend our most precious national asset, our knowledge. Richard Clarke may have
provided the best strategy for a consistent deterrence strategy for cyberspace during his speech at
the University of Rhode Island in 2011:
1. Don't buy a computer.
2. If you have to buy a computer, don't turn it on.
3. If you have to buy a computer and absolutely have to use it, don't plug it into anything.

References

1. Alfred Thayer Mahan, The Influence of Seapower Upon History (Boston: Little, Brown, and Company, 1894), 1.

2. Art Coviello, Executive Chairman of RSA. "Open Letter to RSA Customers." (Mar, 2007) http://www.rsa.com/node.aspx?id=3872

3. Uri Rivner, "Anatomy of an Attack," Speaking of Security - The RSA Blog and Podcast. (Apr 1, 2011)

4. The New York Times article "RSA Faces Angry Users After Breech." (June 7, 2011)

5. Scott Shane and David Sanger, "Drone Crash in Iran Reveals Secret U.S. Surveillance Effort," New York Times. (December 7, 2011). http://www.nytimes.com/2011/12/08/world/middleeast/drone-crash-in-iran-reveals-secret-ussurveillance-bid.html

6. Dave Majumdar, "Iran's captured RQ-170: How bad is the damage?". Air Force Times. (Dec 9, 2011)

7. Jeanne Meserve, "Sources: Staged cyber attack reveals vulnerability in power grid," CNN, (Sept 26, 2007)

8. Frank Saxton, "Aurora Vulnerability White Paper." http://easyrider.easyrider.com/aurora_white_paper.htm

9. Carl von Clausewitz, On War (Princeton University Press, 1989). 703.

10

Sun Tzu (1971-09-15). The Art of War (Oxford University Press) (Kindle Locations 1593-1594). Oxford University
Press. Kindle Edition.
11

12. Sunzi (2009-10-04). The Art of War (Kindle Locations 913-914). Adams Media. Kindle Edition.

13. Sunzi (2009-10-04). The Art of War (Kindle Locations 957-958). Adams Media. Kindle Edition.

14. Sunzi (2009-10-04). The Art of War (Kindle Location 962). Adams Media. Kindle Edition.

15. Clausewitz, Carl von. On War. Princeton University Press. Princeton, NJ. 1989.

16. Brodie, Bernard. The Absolute Weapon: Atomic Power and World Order. (Harcourt, Brace and Company, 1946). p.76.

17. Brodie, Bernard, Strategy in the Missile Age, (Santa Monica: RAND, 1959). p.7.

18. Ibid, pp. vi-xi.

19. Schelling, Thomas C., "Bargaining, Communication, and Limited War," Conflict Resolution, Vol. 1, No. 1 (Mar 1957), pp. 19-36.

20. Schelling, Thomas C., "An Essay on Bargaining," The American Economic Review, Vol. 46, No. 3, p.306.

21. James M. Gavin, War and Peace in the Space Age (New York: Harper and Brothers, 1958), p. 265.

22. Schelling, Thomas C., "An Astonishing Sixty Years: The Legacy of Hiroshima," Nobel Prize lecture, Dec 8, 2005.

23. Ibid.



24. Nina Tannenwald, "Stigmatizing the Bomb: Origins of the Nuclear Taboo," International Security, Vol. 29, No. 4 (Spring 2005), pp. 5-10.

25. Ibid, p. 8.

26. Michael S. Gerson, "Conventional Deterrence in the Second Nuclear Age," Parameters (Autumn 2009), p. 35.

27. Ibid., pp. 37-38.

28. Definition of cyberspace, Merriam-Webster Online Dictionary, http://www.merriam-webster.com.

29. U.S. President William J. Clinton, White House home page. http://clinton4.nara.gov/. July 21, 2000.

30. "Wikipedia Blackout: 11 Huge Sites Protest SOPA, PIPA," The Huffington Post. Jan 18, 2012. http://huffingtonpost.com/2012/01/17/wikipedia-blackout_n_1212096.html.

31. Christopher Williams, "Compensation Calls as BlackBerry Breakdown Spreads to U.S.," The Telegraph, http://www.telegraph.co.uk/technology/blackberry/8822525/Compensation-calls-as-BlackBerry-breakdown-spreadsto-US.html, October 12, 2011.

32. Peter J. Denning, "The ARPANET After Twenty Years," American Scientist, Vol. 77 (Nov-Dec 1989), p. 530.

33. Eric Schmidt, "Technology is Making Marketing Accountable," speech given to the Association of National Advertisers, October 8, 2005.

34. "Internet Enemies," Reporters Without Borders, Paris, March 2011.

35. Boyle, James (2008). The Public Domain: Enclosing the Commons of the Mind. CSPD. pp. 38. ISBN 9780300137408. http://www.google.com/books?id=Fn1Pl9Gv_EMC&dq=public+domain&source=gbs_navlinks_s.

36. "Google Checks Out Library Books," Google press release dated December 14, 2004. http://www.google.com/press/pressrel/print_library.html

37. Bill Sleeman, "A Librarian Reacts to Wikileaks," Center for Journalism Ethics, University of Wisconsin-Madison, http://ethics.journalism.wisc.edu/2011/01/24/a-librarian-reacts-to-wikileaks/.

38. Eric Schmidt quote, date unknown.

39. U.S. President Barack Obama, Remarks by the President On Securing Our Nation's Cyber Infrastructure, East Room of the White House, May 29, 2009.

40. Richard A. Clarke lecture, University of Rhode Island (Kingston), November 29, 2011.

41. Richard A. Clarke, Cyberwar, Harper Collins, p. 6.

42. Ian Traynor, "Russia Accused of Unleashing Cyberwar to Disable Estonia," The Guardian, May 17, 2007.

43. John Swaine, "Georgia: Russia Conducting Cyber War," The Telegraph, Aug 11, 2008.

44. Dean Cheng, "China-Japan Confrontation at Sea: Senkaku Islands Issue Won't Go Away," The Heritage Foundation. (Sep 24, 2010). http://www.heritage.org/research/reports/2010/09/china-japan-confrontation-at-sea-senkaku-islands-issuewont-go-away



45. Definition of cybercrime, Dictionary.com, http://dictionary.reference.com/browse/cybercrime.

46. U.S. President Barack Obama, Remarks by the President On Securing Our Nation's Cyber Infrastructure, East Room of the White House, May 29, 2009.

47. Nate Anderson, "World's Worst Internet Law" ratified by Senate, ArsTechnica. (Aug 4, 2006).

48. U.N. Resolution 57/239, "Creation of a Global Culture of Cybersecurity," U.N. General Assembly. http://www.itu.int/ITUD/cyb/cybersecurity/docs/UN_resolution_57_239.pdf

49. Leonard David, "China's Anti-Satellite Test: Worrisome Debris Cloud Circles Earth," Space.com. Feb 2, 2007. http://www.space.com/3415-china-anti-satellite-test-worrisome-debris-cloud-circles-earth.html

50. Chris Demchak, "Rise of a Cybered Westphalian Age," Strategic Studies Quarterly, Mar 1, 2011.

51. Martin Libicki, Cyberdeterrence and Cyberwar. (Santa Monica: RAND). http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf

52. Quote attributed to Bernard Brodie, citation not available.
