Fear of a “cyber-Pearl Harbor” first appeared in the 1990s and, over the past two decades, policymakers have worried that hackers could blow up oil pipelines, contaminate water supplies, open floodgates and send airplanes on collision courses by hacking air traffic control systems. In 2012, then-US secretary of defense Leon Panetta warned that hackers could “shut down the power grid across large parts of the country.”
None of these catastrophic scenarios has occurred, but they certainly cannot be ruled out. At a more modest level, hackers were able to destroy a blast furnace at a German steel mill last year.
So the security question is straightforward: Can such destructive actions be deterred?
It is sometimes said that deterrence is not an effective strategy in cyberspace because of the difficulties in attributing the source of an attack and because of the large and diverse number of state and non-state actors involved. It is often difficult to be sure whose assets can be held at risk and for how long.
Attribution is, indeed, a serious problem. How can you retaliate when there is no return address?
Nuclear attribution is not perfect, but there are only nine states with nuclear weapons; the isotopic identifiers of their nuclear materials are relatively well known; and non-state actors face high entry barriers.
None of this is true in cyberspace, where a weapon can consist of a few lines of code that can be invented — or purchased on the so-called “dark Web” — by any number of state or non-state actors. A sophisticated attacker can hide the point of origin behind the false flags of several remote servers.
While forensics can handle many “hops” among servers, it often takes time. For example, an attack last year in which 76 million client addresses were stolen from JPMorgan Chase was widely attributed to Russia. However, this year the US Department of Justice identified the perpetrators as a sophisticated criminal gang led by two Israelis and a US citizen who lives in Moscow and Tel Aviv.
Attribution is a matter of degree. Despite the dangers of false flags and the difficulty of obtaining prompt, high-quality attribution that would stand up in a court of law, there is often enough attribution to enable deterrence.
For example, in last year’s attack on Sony Pictures Entertainment, the US initially tried to avoid full disclosure of the means by which it attributed the attack to North Korea and encountered widespread skepticism as a result.
Within weeks, a media leak revealed that the US had access to North Korean networks. Skepticism diminished, but at the cost of revealing a sensitive source of intelligence.
Prompt, high-quality attribution is often difficult and costly, but not impossible. Not only are governments improving their capabilities, but many private-sector companies are entering the game, and their participation reduces the costs to governments of having to disclose sensitive sources. Many situations are matters of degree, and as technology improves the forensics of attribution, the strength of deterrence might increase.
Moreover, analysts should not limit themselves to the classic instruments of punishment and denial as they assess cyberdeterrence.
Attention should also be paid to deterrence by economic entanglement and by norms.
Economic entanglement can alter the cost-benefit calculation of a major state like China, where the blowback of an attack on, for example, the US power grid could hurt the Chinese economy.
Entanglement probably has little effect on a state like North Korea, which is weakly linked to the international economy.
It is not clear how much entanglement affects non-state actors. Some might be like parasites that suffer if they kill their host, but others could be indifferent to such effects.
As for norms, major states have agreed that cyberwar would be limited by the law of armed conflict, which requires discrimination between military and civilian targets and proportionality in terms of consequences.
In July last year, a UN Group of Governmental Experts recommended excluding civilian targets from cyberattacks and that norm was endorsed at last month’s G20 summit.
It has been suggested that one reason why cyberweapons have not been used more in war thus far stems precisely from uncertainty about the effects on civilian targets and unpredictable consequences. Such norms might have deterred the use of cyberweapons in US actions against Iraqi and Libyan air defenses. And the use of cyberinstruments in Russia’s “hybrid” wars in Georgia and Ukraine has been relatively limited.
The relationship among the variables in cyberdeterrence is a dynamic one that is likely to be affected by technology and learning, with innovation occurring at a faster pace than was true of nuclear weapons.
For example, better attribution forensics could enhance the role of punishment, and better defenses through encryption might increase deterrence by denial.
As a result, the current advantage of offense over defense could change over time.
Cyberlearning is also important. As states and organizations come to understand better the importance of the Internet to their economic wellbeing, cost-benefit calculations of the utility of cyberwarfare might change, just as learning over time altered the understanding of the costs of nuclear warfare.
Unlike in the nuclear age, when it comes to deterrence in the cyber era, one size does not fit all. Or is the world the prisoner of an overly simple image of the past? After all, when nuclear punishment seemed too draconian to be credible, the US adopted a conventional flexible response to add an element of denial in its effort to deter a Soviet invasion of western Europe.
While the US never agreed to a formal norm of “no first use of nuclear weapons,” eventually such a taboo evolved, at least among the major states.
Deterrence in the cyber era might not be what it used to be, but maybe it never was.
Joseph Nye Jr, a former US assistant secretary of defense and chairman of the US National Intelligence Council, is university distinguished service professor at Harvard University.
Copyright: Project Syndicate