{"id":22972,"date":"2015-10-20T11:00:32","date_gmt":"2015-10-20T00:00:32","guid":{"rendered":"http:\/\/www.aspistrategist.ru\/?p=22972"},"modified":"2015-10-20T11:00:32","modified_gmt":"2015-10-20T00:00:32","slug":"cyber-stability-why-retaliation-wont-deter","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/","title":{"rendered":"Cyber stability: why retaliation won\u2019t deter"},"content":{"rendered":"

Nuclear deterrence theory is often seen as the go-to solution to cyber instability. After suffering a sequence of alleged Chinese hacks on its corporations and government departments, the US prepared a suite of potential economic sanctions for China in the hope of bringing Xi Jinping to the negotiating table and deterring future attacks. This move came in the wake of public commentary citing the need for a \u2018cyber equivalent of a nuclear deterrent\u2019 and a US shift towards a more offensive cyber posture, as seen in the Department of Defense\u2019s April Cyber Strategy, which outlines the importance of \u2018effective response capabilities to deter an adversary from initiating an attack.\u2019<\/p>\n

That language is a clear attempt to apply nuclear deterrence theory to international cyber relations. Deterrence by punishment uses the threat of an unacceptable cost to make an attacker\u2019s perceived reward no longer justifiable. This strategy prevented the Cold War from turning \u2018hot\u2019, and some hope this stabilising effect can be brought to bear in cyberspace. The threat of sanctions may have helped facilitate the Sino\u2013US \u2018common understanding\u2019 in Washington last month, which has been interpreted as an \u2018historic\u2019 shift in relations. This was followed soon after by news that Chinese police recently arrested hackers at the request of the US government. Unfortunately, the Washington agreement lacks tangible enforcement measures and the arrests, likely an attempt to ease tensions in the weeks leading up to Xi\u2019s trip, weren\u2019t the first time China has obliged the US in this way. The lingering threat of US punishment is unlikely to be a successful deterrent in the long term, with experts expecting hacks to continue unabated. Such attempts to apply nuclear deterrence theory to cyberspace will likely generate no lasting change for three reasons.<\/p>\n

First, in order for an adversary to be deterred from taking an unwanted action, the deterring state must be able to identify and articulate the behavioural red line past which the adversary will be punished. The binary nature of nuclear weapons makes this simple. However, it\u2019s far more challenging to establish a threshold for retaliation in cyberspace due to the continuous spectrum of actions possible and the absence of a \u2018red button\u2019.<\/p>\n

This challenge is visible in the US\u2019 current deliberations over how to respond to China\u2019s alleged hacking of the Office of Personnel Management (OPM) in June this year. The former Director of both the CIA and the NSA, Michael Hayden, argued that the OPM breach represented a \u2018legitimate foreign intelligence target\u2019. However, other US officials are divided over whether the sheer size of that intrusion changes things. Normative behaviour in cyberspace has yet to be determined and entrenched, so the credibility of a deterrence threat is undermined, as there\u2019s no confidence in what behaviour will or won\u2019t be punished. As The Diplomat\u2019s headline put it: \u2018America Can\u2019t Deter What It Can\u2019t Define in Cyberspace\u2019.<\/p>\n

Second, low detection levels of the majority of hacks pose another obstacle to deterrence. A threat is only effective if the perpetrator believes they will be caught. This isn\u2019t an issue for nuclear deterrence, thanks to missile trajectory analysis and the limited number of potential culprits. However, high frequency\/low intensity cyber intrusions often slip under the radar\u201435-70% of all hacks go undetected. These hacks are individually insignificant; however, in aggregate they represent a persistent syphoning of intellectual property and government data through a salami-slicing tactic. So, even if an adversary was convinced of the credibility of a threat, it may fail as a deterrent if they think that they can succeed unnoticed.<\/p>\n

Third, the difficulty and desirability of the attribution process undermine deterrent threats. Network technologies weren\u2019t designed with identity in mind, and as a result it\u2019s challenging to determine the specific computer that launched the attack, let alone who was operating that computer. Adversaries aren\u2019t discouraged by a threat if they don\u2019t expect to be identified. For example, ISIS was thought to be responsible for the highly sophisticated hack of TV5 Monde earlier this year, and it\u2019s only recently been discovered that it was in fact the work of a Russian group called APT28. Attribution is a risky business: misinformed retaliation could translate into an attack on an innocent party, the creation of a new enemy and an escalation of conflict.<\/p>\n

Moreover, even if a perpetrator could be accurately identified, attributing blame may be a pyrrhic victory. In the rules-based international order, a state may have to expose valuable data resources, detection capabilities or assets in order to prove the guilt of the party on whom they are enacting punishment. Revealing those capacities may compromise ongoing operations and capabilities, resulting in a tactical win but a strategic loss.<\/p>\n

Cyber retaliation is all well and good if the end is punishment itself; however, if a state is seeking to establish a deterrent, this approach is likely to leave them disappointed. Governments must be cautious of pursuing a policy that\u2019s not only unlikely to work, but also risks escalating tensions and exposing vital intelligence assets. As former Deputy Secretary of Defense William Lynn foreshadowed in 2010, the unique qualities of cyberspace necessitate that cyber deterrence \u2018be based more on denying any benefit to attackers than on imposing costs through retaliation.\u2019<\/p>\n","protected":false},"excerpt":{"rendered":"

Nuclear deterrence theory is often seen as the go-to solution to cyber instability. After suffering a sequence of alleged Chinese hacks on its corporations and government departments, the US prepared a suite of potential economic …<\/p>\n","protected":false},"author":390,"featured_media":22973,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[52,391,95,116,31],"class_list":["post-22972","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-china","tag-cyber","tag-cyber-security","tag-nuclear-deterrence","tag-united-states"],"acf":[],"yoast_head":"\nCyber stability: why retaliation won\u2019t deter | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cyber stability: why retaliation won\u2019t deter | The Strategist\" \/>\n<meta property=\"og:description\" content=\"Nuclear deterrence theory is often seen as the go-to solution to cyber instability. 
After suffering a sequence of alleged Chinese hacks on its corporations and government departments, the US prepared a suite of potential economic ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2015-10-20T00:00:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2015\/10\/3085157011_4560528e9e_z.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"427\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Zoe Hawkins\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Zoe Hawkins\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2015\/10\/3085157011_4560528e9e_z.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2015\/10\/3085157011_4560528e9e_z.jpg\",\"width\":640,\"height\":427},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/\",\"name\":\"Cyber stability: why retaliation won\u2019t deter | The 
Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/#primaryimage\"},\"datePublished\":\"2015-10-20T00:00:32+00:00\",\"dateModified\":\"2015-10-20T00:00:32+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/3c83e374221e7d4e6ccdabb43f9a1701\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cyber stability: why retaliation won\u2019t deter\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/3c83e374221e7d4e6ccdabb43f9a1701\",\"name\":\"Zoe Hawkins\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e4e7cfaeb94c847b758be1d5c1c2f346?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e4e7cfaeb94c847b758be1d5c1c2f346?s=96&d=mm&r=g\",\"caption\":\"Zoe Hawkins\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/zoe-hawkins\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cyber stability: why retaliation won\u2019t deter | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/","og_locale":"en_US","og_type":"article","og_title":"Cyber stability: why retaliation won\u2019t deter | The Strategist","og_description":"Nuclear deterrence theory is often seen as the go-to solution to cyber instability. After suffering a sequence of alleged Chinese hacks on its corporations and government departments, the US prepared a suite of potential economic ...","og_url":"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2015-10-20T00:00:32+00:00","og_image":[{"width":640,"height":427,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2015\/10\/3085157011_4560528e9e_z.jpg","type":"image\/jpeg"}],"author":"Zoe Hawkins","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Zoe Hawkins","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2015\/10\/3085157011_4560528e9e_z.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2015\/10\/3085157011_4560528e9e_z.jpg","width":640,"height":427},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/","url":"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/","name":"Cyber stability: why retaliation won\u2019t deter | The 
Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/#primaryimage"},"datePublished":"2015-10-20T00:00:32+00:00","dateModified":"2015-10-20T00:00:32+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/3c83e374221e7d4e6ccdabb43f9a1701"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/cyber-stability-why-retaliation-wont-deter\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Cyber stability: why retaliation won\u2019t deter"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/3c83e374221e7d4e6ccdabb43f9a1701","name":"Zoe Hawkins","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e4e7cfaeb94c847b758be1d5c1c2f346?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e4e7cfaeb94c847b758be1d5c1c2f346?s=96&d=mm&r=g","caption":"Zoe 
Hawkins"},"url":"https:\/\/www.aspistrategist.ru\/author\/zoe-hawkins\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/22972"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/390"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=22972"}],"version-history":[{"count":2,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/22972\/revisions"}],"predecessor-version":[{"id":22975,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/22972\/revisions\/22975"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/22973"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=22972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=22972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=22972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}