Deterrence Fails
Attribution problems means deterrence fails.
Trujillo, USAF lieutenant colonel, 2014
(Clorinda, “The Limits of Cyberspace Deterrence”, 9-30, http://ndupress.ndu.edu/Media/News/NewsArticleView/tabid/7849/Article/577560/jfq-75-the-limits-of-cyberspace-deterrence.aspx)
Cyberspace characteristically provides limitations to many of the proposed cyberspace deterrent options. The first of these is the attribution challenge compounded by the speed of the domain. In 2012, then–Secretary of Defense Leon Panetta stated, “Potential aggressors should be aware that the U.S. has the capacity to locate them and to hold them accountable for their actions.”26 Nothing could be further from the truth. In 2007, Estonia was the target of “large and sustained distributed denial-of-service attacks flooding networks or websites . . . many of which came from Russia,”27 but who was responsible? Although the attacks appeared to come from network addresses within Russia, it was never confirmed whether this was a state-sponsored or nonstate effort. Some authors argue that an obvious deterrent to attacks, espionage, or criminal activity in cyberspace is to identify publicly the countries where these efforts originated, thereby leading others to regard that nation as a risky place to do business.28 Nations could also pursue sanctions against those harboring these actors.29 Unfortunately, many countries, including the United States, do not have the resources or the legal standing to validate the identity of the attackers or to take actions against them. The difficulty of attribution is also a significant challenge to a cyberspace response. Any rapid counterstrike is likely to hit the wrong target, but hesitation could lead to increased vulnerability and exploitation.
Can’t dissuade first strikes in cyber space.
Trujillo, USAF lieutenant colonel, 2014
(Clorinda, “The Limits of Cyberspace Deterrence”, 9-30, http://ndupress.ndu.edu/Media/News/NewsArticleView/tabid/7849/Article/577560/jfq-75-the-limits-of-cyberspace-deterrence.aspx)
A second limitation to cyberspace deterrence is that the first-strike advantage cannot be deterred. Sun Tzu wrote, “Know the enemy and know yourself,”30 but in cyberspace, many vulnerabilities are unknown. In 2007, both American and British government agencies detected a series of attacks codenamed “Titan Rain.”31 These attacks, reportedly one of the largest scale infiltrations known at the time, had allegedly been going on undetected since 2002.32 This is only one example, but it demonstrates how the complexities of the domain make it impossible to be aware of all vulnerabilities or to monitor all systems. Existing cyberspace capabilities, defenses, and forces (both law enforcement and military) also fail to deter opponents. In 2012, Symantec, a cybersecurity company, identified a 58 percent increase in mobile malware and over 74,000 new malicious Web domains.33 Moreover, there is a healthy market for zero-day exploits with prices ranging from $5,000 to $250,000.34 In a related study on the cost of cybercrime, the Ponemon Institute found a 42 percent increase in successful cyber attacks on companies in 2012—a number that continues to move upward, although this trend could be attributed to businesses being more forthcoming on criminal activity.35 Both Symantec and McAfee have provided estimates on the annual cost of worldwide cybercrime ranging from $110 billion to $1 trillion,36 though determining accurate costs is difficult as many companies do not want to report incidents due to possible business repercussions, and others may not be aware of criminal activity. Accordingly, it is difficult to show where deterrent actions deny either state or nonstate actors benefits. Third, there is a risk of asymmetric vulnerability to attack in cyberspace—that is, the threat that the use of a capability could backfire. As one actor develops offensive and defensive capabilities, other actors will strive to improve their offensive and defensive skills as well. This continuous endeavor could push a model that leads to a cyber “arms race.”37 In 1998, the Central Intelligence Agency (CIA) director announced the United States was developing computer programs to attack the infrastructure of other countries.38 By then, the U.S. Government Accountability Office estimated over 120 state and nonstate actors had or were developing information warfare systems.39 Information on exploiting vulnerabilities and attacking networks is readily available on the Internet,40 and with American dependency on cyberspace being greater than most, the United States is taking a risk by developing advanced cyberspace capabilities.
Too difficult to establish credibility
Trujillo, USAF lieutenant colonel, 2014
(Clorinda, “The Limits of Cyberspace Deterrence”, 9-30, http://ndupress.ndu.edu/Media/News/NewsArticleView/tabid/7849/Article/577560/jfq-75-the-limits-of-cyberspace-deterrence.aspx)
Credibility is also a significant issue in cyberspace. Credibility is dependent on proof, but attacks that work today may not work tomorrow. Even though the United States has “pre-eminent offensive cyberspace capabilities, it obtains little or no deterrent effect”41 from them for two reasons. First, claiming to put a specific target at risk from a cyber attack will likely result in that asset receiving additional protection or being moved offline and placed out of risk.42 Second, secrecy may be working against American interests. General James Cartwright, USMC, stated, “You can’t have something that’s secret be a deterrent. Because if you don’t know it’s there, it doesn’t scare you.”43 Once introduced, cyberspace weapons become public property, which quickly renders the capability useless.44 Stuxnet, the malware that destroyed centrifuges in Iranian nuclear facilities, is a perfect example. After its identification, responses resulted in two separate reactions: companies patched vulnerabilities in their software exploited by Stuxnet, and variants of the malware began to appear. Unlike kinetic weapons, cyber weapons, once released, can be analyzed, understood, and modified by other actors, thereby eliminating the deterrent element of the cyberspace capability. Credibility is also dependent on action. However, the United States has a poor track record of responding to cyberspace incidents due to delayed detection, inability of attribution, and limited, if any, action45 as the boundaries of proportionality are still evolving. In 2009, then–Major General William Lord, commander of the Air Force Cyber Command (Provisional), noted, “It’s easier for us to get approval to do a kinetic strike with a 2,000-pound bomb than it is for us to do a non-kinetic cyber activity.”46 Even though President Obama, through the International Strategy for Cyberspace, has stated the United States reserves the right to respond to hostile acts in cyberspace with any instrument of national power, and the Pentagon has declared that a computer attack from a foreign nation could be considered an act of war, both have left unclear what the response would be.47 The U.S. Government, its citizens, and private organizations are on the receiving end of millions of cyber intrusions per day, but the United States has established a precedent of limited action to and tolerance of these incidents. The 2007 Estonia incident also depicts one aspect of this credibility challenge. As a result of the alleged Russian cyber attacks, Estonia declared its security threatened and sought support from the North Atlantic Treaty Organization.48 However, many Alliance members, including the United States, did not share this perspective. There had been no physical violence, casualties, or territorial invasion, and Russia did not claim responsibility for the incidents. Tolerance to crime, espionage, and other cyberspace acts has established a high threshold preventing the use of force in domains other than cyberspace to date. Lastly, cyberspace actors have a different risk tolerance than those acting in a physical domain due to their perceived anonymity, invulnerability, and global flexibility. Neither policy nor legal recourse is sufficient to deter state or nonstate actors from their objectives. For example, no one has officially claimed responsibility for the development and deployment of Stuxnet. Additionally, last year, the Federal Bureau of Investigation published a Cyber Most Wanted list.49 Although there are Federal arrest warrants on these people, it is likely none of them are in the country or committed their crimes while in it. In many cases, the actors’ goals are to defy authority or gain prestige.50 Existing guidance is neither credible nor enforceable and antiquated legal procedures have not kept up with technological advances to meet this challenge. Then-commander of U.S. Cyber Command, General Keith Alexander, USA, stated in 2012, “Last year we saw new prominence for cyber activist groups, like Anonymous and Lulz Security that were encouraging hackers to work in unison to harass selected organizations and individuals.”51 Besides being insufficient to deter state and nonstate actors, U.S. or international cyberspace policy challenges American interests. Washington wants to maintain freedom of action in cyberspace, which includes the ability to conduct espionage and exploitation for diplomatic and military reasons. Pursuing partnerships, especially in the international commons, challenges this desire. In December 2012, the International Telecommunications Union revised governing agreements with a negotiated global telecommunications treaty. On the day before the scheduled signing, the United States rejected it for two reasons: the interrelationship between telecommunications and the Internet,52 and an expansion of the United Nations’ role in Internet governance.53 Even though the agreement would not have been legally binding, the United States believed the former reason could have led to restrictions on free speech and the latter would drive a government-led model for Internet oversight. Instead, the United States prefers the multi-stakeholder model in place today that allows for government, commercial entities, academia, and others to deliberate and establish Internet standards. If Washington is serious about international partnerships in cyberspace, it needs to find a way to overcome its realist angst in this domain. The impetus to maintain cyberspace freedom of action limits the option to hold a nation accountable for cyber activities within its borders. These barriers to deterrence delineate problems with attribution, signaling, and credibility—all characteristics of active deterrence. Moreover, the technology and architecture of the cyberspace domain—the complexity, vulnerability, and attribution problems—limit the success of credible response options for deterrence as well. However, even though the cyberspace domain is not 100 percent defensible, latent deterrence options through cyber defense do provide a viable option for use in cyberspace.
Norms Better Than Retal
Working to establish norms on how to deal with cyber-attacks is more stabilizing than a policy of retaliation.
van der Meer, Clingendael research fellow, 2015
(Sico, “US Deterrence against Chinese Cyber Espionage”, September, http://www.clingendael.nl/sites/default/files/Deterrence%20against%20Chinese%20Cyber%20Espionage%20policy%20brief%20-%20Clingendael%20September%202015.pdf)
A more credible strategy of cyber deterrence, which could be extended to US allies and thus strengthen the alliance system, would result from a greater focus on how the United States deals with the issues of attribution and norms. At the moment, either the US government has no reliable evidence that China is behind the OPM thefts, or it does have such evidence but it cannot disclose this without damaging the intelligence instruments with which the evidence was collected. In the latter case, the United States should at least say so and build up a track record of making credible statements on suspected cyber attackers, which should be supported by publicly available evidence as soon as possible. Moreover, if the US government no longer promoted the notion that foreign intelligence-gathering for national security purposes is legitimate (and at least scaled down its intelligence operations against foreign governments), it would become easier to take action in instances such as the OPM breach. While the danger of escalation would still be there, this would open the way for the United States to take overt rather than covert measures against China (assuming that the Chinese government is indeed responsible and that the United States has evidence of this). At first sight, the costs of such a course of action may seem high, given the benefits that Western intelligence communities have long enjoyed because of their superior technological and financial resources. Yet the United States and its allies should ask themselves whether, in a world in which cyber attacks and cyber espionage are becoming ever more damaging and within closer reach of new actors, their national security interests are better served by a proliferation of state-sponsored espionage and covert cyber operations, or by norms that aim at limiting such activities. 5. Conclusion The OPM case perfectly shows the problems that are involved in deterring large-scale, anonymous cyber attacks. Although various options for retaliation are available, none of them is perfect. They all carry the risk of escalation or, if not, they have too little value as a deterrent. For the US government, a covert cyber operation against China may appear to be the most attractive option, and this may therefore be the most likely course of action that Washington is currently contemplating or preparing. Yet beyond the obvious danger of escalation into a Sino–US conflict, there is also the risk that covert retaliation against foreign governments that are suspected of being behind cyber attacks becomes a norm in international relations. The fact that even the United States, the leading major power, finds it hard to respond to a major breach of its cyber security shows that less powerful states will have even more problems in deterring and retaliating against cyber attacks. Countries such as the Netherlands, which to an important degree depend on the United States for their security, should urge Washington to refrain from seeking cyber deterrence through retaliation as long as the United States itself conducts similar cyber-espionage operations against China and other nations. Instead, these countries should work with the United States towards establishing norms that halt the proliferation of state-sponsored espionage and covert cyber operations across borders. Only with such norms in place can a strategy of deterrence against state-sponsored cyber attacks be effective.
Restraint Good
Restraint is key-otherwise security dilemmas will cause escalation.
Healey, CSM columnist, 2015
(Jason, “Opinion: Restraint is the best weapon against Chinese hacks”, 9-9, http://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0909/Opinion-Restraint-is-the-best-weapon-against-Chinese-hacks)
So, instead of sanctioning Chinese entities suspected of cyberattacks or any other kind of retaliation over the OPM hack, Obama should use the Chinese visit to broker a strategic deal with Xi. First, Obama can highlight the exceptional restraint of US cyberoperations, stressing that those campaigns are conducted under tight command, control, and legal review; carried out according to approved requirements; and subject to independent oversight by other government branches. Significant disruptive attacks require the president’s personal approval. The US has recently proposed cyberoperation norms that include not attacking computer emergency response teams or critical infrastructure out of wartime. Regardless of any Chinese actions, Obama should emphasize that the US will abide by these norms: It's simply what great powers do. Second, the president could offer other areas where the US will exercise restraint such as cyberattacks on nuclear power plants or electrical transmission and distribution systems – all of which are incredibly escalatory. The only reason to intrude into such systems is to take them down during wartime. Going after Chinese financial targets is perhaps similarly unwise (though surely tempting). As some in Washington argue, perhaps the OPM hack was so aggressive that it exceeds acceptable norms when it comes to retaliation over cyberattacks. Still, for Beijing to suppress these kinds of intrusions, the US may need to agree to dampen its own offensive cyberoperations aimed at China. Without international laws governing espionage, informal agreements can exist to maintain stability between nations. During the cold war, the Soviet Union and the US agreed not to kill the other side's spies. Violations were met with swift reciprocation. These are the "unwritten practice of civilized relations between special services," as expressed by one (Russian) participant. To some US hardliners, these options may seem like naïveté or surrender. With our national manliness challenged, they say now is the time to attack, not show restraint. Unfortunately, the history of cyberconflict shows that such aggression worsens national security. There are few examples of nations backing down after an attack. Rather, adversaries improve capabilities and counterattack. But in this case, if Washington tries to coerce Beijing with threats or punishment, expect China to respond in kind, continuing the escalatory spiraling of a classic security dilemma. Obama should work to reduce digital tensions. If that fails, then both Xi and the international community will recognize that the US retaliated only after seeking the peaceful option. The US has far more interests in common with China today than it did with the Soviet Union during the cold war. The two presidents may never have a better opportunity to find comity to improve stability in cyberspace and decrease the chances of escalation in the interests of both nations.
Credibility Theory False
Credibility theory is false—logic and history prove
Ganesh Sitaraman 15, Assistant Professor of Law at Vanderbilt Law School and a Senior Fellow at the Center for American Progress, JAN 15, 2014, "Credibility and War Powers", 127 Harv. L. Rev. F. 123, harvardlawreview.org/2014/01/credibility-and-war-powers/
B. THE LOGICAL LIMITS OF CREDIBILITY ARGUMENTS
In the context of military threats and the use of force, credibility arguments suffer from some important limitations. First, because both past actions and reputation are based on audience interpretations, a country can have multiple reputations and a single action can create different reputations among different audiences.17 To some, following through on a threat demonstrates resolve; to others, foolishness. Second, action in one context might not migrate into reputation in another.18 If the United States sets a “red line” on a fishing issue for Micronesia and then backs down, it is unlikely to send a signal to Iran that all American “red lines” are bluffs. The Iranians may ignore the Micronesian case because it is fundamentally different from their own.
Third, if we assume that credibility matters, then both sides know that it matters, and both sides can take it into account. Social scientists call the resulting problem recursion,19 but we generally know it as the “if she knows that I know that she knows . . .” problem. Take Syria.20 If we assume Assad is simpleminded, and the United States backs down, then Assad will think he can use chemical weapons again. But if Assad also knows that credibility is important, and the United States backs down, then Assad knows President Obama has paid a reputation cost in bluffing. Perhaps some in the United States will even say “never again!” If Assad then uses chemical weapons again, it will be harder for Obama to bluff a second time. As a result, backing down the first time actually makes any future threat by Obama more credible. And Assad knows this. Now take it one step further. If Assad knows that Obama knows this, then Assad will reason that Obama’s threat is a bluff because Obama knows Assad will think Obama’s action is more credible. “Keeping the logic straight is difficult,” as Jonathan Mercer puts it, “but it is also irrelevant: no one knows how many rounds the game will go on, for there is no logical place to stop.”21 Credibility arguments are self-defeating because if we assume they matter, everyone else knows they matter too — and can account for them. Because the recursion game goes on ad infinitum, it is impossible to determine what policy to pursue.
C. EVIDENCE FROM HISTORY
Credibility arguments could also be justified with real world evidence. For example, data could shed light on the manner of leaders’ credibility determinations: Do they actually pay attention to the disposition of the opponent based on their past actions? Or do they undertake a current calculus and focus on interests, capabilities, and the immediate situational context?
In a series of qualitative studies, political scientists have shown that past actions and reputation theories of credibility have little historical basis for support.22 When leaders evaluate their opponents, they assess threats based on current calculations, not on past actions. And when leaders have justified conflicts based on preserving a reputation for resolve, others have not always interpreted their actions as was intended. Note that these studies are limited to the context of military threats and international crises. Scholars hypothesize that military threats might differ from other contexts because the stakes are so high that leaders analyze the situation instead of using heuristics like reputation.23 These findings therefore do not extend to all international issues.24
Credibility theory is false—the historical record prove countries ignore their opponent’s record of carrying out past threats when making decisions
Benjamin H. Friedman 14, a Research Fellow in Defense and Homeland Security Studies at the Cato Institute, August 11, 2014, "The Credibility Debate in U.S. Foreign Policy", The National Interest, nationalinterest.org/feature/the-credibility-debate-us-foreign-policy-11049
Last Tuesday’s Washington Post featured an op-ed by Senator Bob Corker (R-Tenn) blasting President Obama for his shaky support for those we are helping in Syria, Libya and Ukraine. Corker worries that the president’s unreliability undermines U.S. credibility to defend U.S. partners and allies everywhere. It’s true; President Obama offers far more rhetorical than actual support for his preferred side in those conflicts. Pretty much everything else in the op-ed is wrong. Because Corker’s argument is so common in Washington, especially in the Post, yet theoretically confused and historically bunk, it’s worth occasionally refuting. The basic reason Corker is wrong is that talk is cheap, and everyone knows it. In U.S. foreign policy, presidents typically drum up support for even minor actions with soaring talk about its strategic and moral importance. But most people, especially statesmen, understand that interests vary across time and circumstances, even if rhetoric is similar. Historical studies show that leaders deciding whether to defy foreign threats focus on the balance of military power and the material interests of the threatening state, not on its opponent’s record of carrying out past threats. Credibility doesn’t travel well. That is why the domino theory was wrong. Neither the West Europeans we were defending during the Cold War, nor their Warsaw Pact adversaries believed that U.S. withdrawal in Vietnam would mean U.S. abandonment of Europe’s defense. The same goes for other U.S. military actions in the last several decades that ended badly—for example, the Marine deployment to Lebanon under President Reagan and the recent war in Iraq. Presidents initially offered big talk about goals. Later, we quit without having reached those goals. Contrary to claims of credibility hawks, other U.S. allies did not lose faith in American military power or come under attack from emboldened foes. Instead, new supplicants continued to ask for our help. Often, when it was not forthcoming, or too limited for U.S. hawks, they insisted that we would lose credibility if we did not do more. They always proved wrong.
Share with your friends: |