Thus far, there have been no confirmed retaliatory cyber strikes conducted by a victimized government against a suspected aggressor state. There has been some speculation that after the Sony Pictures attack, the United States “knocked” North Korea off the Internet for a brief period of time, although this has never been corroborated. Despite being a cyber power, the United States has demonstrated restraint in punishing those transgressor states it believes to have orchestrated cyber attacks against its interests, preferring to level sanctions as a punitive alternative.
The question that governments ask is how to deter hostile acts in cyberspace. And while it is an important question to raise, perhaps the reality is that there is no viable answer. There is a reason why international efforts continually fail when trying to gain consensus on cyber norms, Internet governance, and the legalities and criteria of hacking back – there is a lack of fundamental desire to actually find a solution. Governments willing to agree to the standards and principles of any of these issues are stating their willingness to abide by them, and while that may fit the current situation, the dynamism of cyberspace has proven unpredictable. Being cuffed to such an agreement that no longer has relevance while other governments operate without constraints is not an ideal situation. Therefore, without an agreement in place, the status quo remains.
At present, fear of escalation may be the most practical contribution to cyber deterrence. The majority of suspected state-driven or state-conducted offensive cyber activity has been cyber espionage – stealing intellectual property or other sensitive information from targets, or else gaining unauthorized access to maintain a presence on the system. There have been fewer incidents of actual destruction of information systems and/or the information resident on them. Some of the more prevalent suspected state-backed attacks – the 2010 Stuxnet, the 2012 Saudi Aramco, alleged China cyber espionage, for example – have not yielded retaliatory cyber-strikes by victim governments. Even in the aftermath of Russia’s hacking against the U.S. presidential election, the Obama Administration instructed officials to “stand down” and not retaliate with cyber attacks of its own.
There is much in cyberspace that remains new and untested. As more and more governments (including smaller nations) seek to acquire an offensive cyber capability, launching attacks against a state can prove detrimental, particularly if it remains uncertain how that state may react. Escalation is a potentially dangerous and very real outcome that could lead to unintended consequences, particularly if the attacker perceives the active cyber defense response as disproportionate to the initial attack. Indeed, the United States’ Cyber Command has been given new authorities to conduct cyber operations as part of its “forward defense” strategy, which have some experts worried about escalation. While the U.S. has demonstrated restraint thus far, other more reactionary governments may not follow suit, as launching cyber attacks is an inexpensive proposition that can convey state displeasure without committing kinetic resources.
Deterring hostile cyber activity is a worthwhile goal but one that may never truly come to fruition, at least not in the near future. Ultimately, states will always pursue paths that serve their national interests. And while it may be impossible to deter states from conducting all offensive acts like espionage, deterrence of more destructive attacks is an obvious goal for any state. Given how geopolitical issues and tensions are catalysts for some cyber activity, one might expect more destructive attacks to transpire. Thankfully, that doesn’t always happen. Until those elusive cyber norms that will help prevent cyber crises from materializing are established and agreed to, deterring attacks does not always have to be about carrying a bigger stick than your opponent. Being able to demonstrate the ability to repel cyber attacks can have a similar effect. In this way, states are better served developing and acquiring offensive capabilities in tandem with improving and hardening defenses, with an emphasis on the latter, as developing/possessing offensive cyber capabilities is not the same as using them.
This is a guest post by Emilio Iasiello