Nearly two years ago, North Korea launched a cyberattack against Sony that nearly crippled the movie giant. The U.S. responded by imposing yet another round of feckless sanctions against the Hermit dynasty.
But ironically, if members of the North Korean army had landed in Los Angeles and blown up Sony’s studios with dynamite, they would actually have done less damage to the company—but there likely would have been a greater outcry in the U.S. for a more forceful response.
Cyberattacks are incredibly destructive, but because they are subtle, they often attract far less attention than overt attacks.
North Korea’s attack against Sony, along with a host of other state-sponsored cyberattacks, raises important questions for U.S. policymakers. How should we deter cyberattacks? And how should we respond when our deterrence fails?
Unlike the early days of the Cold War, we do not have a modern-day George Kennan (who wrote the strategically vital article “Sources of Soviet Conduct”) or a Paul Nitze (the primary author of the influential NSC-68) for the cyber age. Instead, we are left with the strategic equivalent of trying to pour old wine into new recyclable water bottles.
In order to develop a cyberdeterrence doctrine, we need to unpack what is necessary in order for deterrence to be successful—and how to respond when deterrence fails.
One of the most difficult hurdles to overcome is defining what constitutes a cyberattack. Several federal agencies disagree over what is, and is not, a cyberattack.
An informal consensus is contained in a report issued by RAND Corp. in 2009, which defined a cyberattack as “the deliberate disruption or corruption by one state of a system of interest to another state.” (Spying is not considered to be a cyberattack because it does not deny users access to a system, even though spying may be a prelude to an attack.)
At first glance, this is a reasonable definition. It doesn’t account, however, for one group of people: nonstate actors.
If a group such as the Islamic State, al-Qaeda, or Hezbollah were to disrupt the electrical grids in the United States or Israel, surely this would count as a cyberattack, would it not?
This brings us to the second problem: attribution—that is, correctly identifying where a cyberattack has come from.
It is fairly straightforward to determine who fired a gunshot or a rocket. However, when it comes to cyberattacks, attribution is a critical component of deterrence. Without attribution, we do not know who to retaliate against.
In the 2008 war between Russia and Georgia, hackers operating from Russian soil launched cyberattacks against Georgian installations. However, there was little evidence to directly tie then-Prime Minister Vladimir Putin’s Kremlin to the attacks.
While the attacks benefited Russia’s military efforts, there was no proof that Putin or then-President Dmitry Medvedev had hit the “enter” key—or created the code.
This lack of proof complicates efforts at the third problem: retaliation.
In order for deterrence to be credible, states not only have to be able to attribute attacks, they have to be able to retaliate. States may deter in one of two ways: deterrence by denial and deterrence by punishment.
We can think of deterrence by denial as erecting a large fence where cyberattacks would be deflected (or, building a wall that is so tall, enemies would not bother to attack it in the first place).
Deterrence by punishment, on the other hand, means retaliation. It is in essence saying to the enemy, “If you kill my mainframe, I’ll melt every one of your servers.”
These two options are not necessarily mutually exclusive. States can build cyberdefenses that protect against attacks by making the costs of attack exceed any of the benefits. States can also adopt retaliatory postures in response to attacks, provided they can determine who was responsible for an attack.
This leads us to the next issue: proportionality.
In his classic book “Strategies of Containment,” historian John Lewis Gaddis differentiated between two types of containment: symmetrical and asymmetrical.
Symmetrical containment emphasized maintaining the balance of power between the U.S. and the Soviet Union. It also suggested that if the Soviets attempted to breach our sphere of influence, we should respond proportionately.
This was the strategy adopted by the Truman, Kennedy, Johnson, and Carter administrations.
By contrast, asymmetrical containment suggested the U.S. climb the ladder of escalation in response to Soviet provocation.
In order to make Soviet expansion costly, the U.S. should push the Soviets behind the “Iron Curtain”—the term coined by Winston Churchill to describe the dividing line between the free states of Western Europe and the Soviet-dominated member nations of the Warsaw Pact. Presidents Ike Eisenhower, Richard Nixon, Gerald Ford, and Ronald Reagan all adopted this posture.
While retaliation against cyberattacks is necessary, whatever posture we adopt, the key question we need to ask ourselves is: “What next after retaliation?” Our hope, of course, is that with a symmetrical posture, our enemies will learn their lesson.
But, what if they don’t? What if they see a symmetrical posture as a sign of weakness, a lack of resolve, or a sign of low capabilities?
Similarly, the aim of an asymmetrical posture is to demonstrate our resolve while increasing the costs of cyberconflict for our opponents. But what if we are facing an opponent like Saddam Hussein, who lacked the ability to update his beliefs in the face of discrepant information, and any retaliation on our part is not taken seriously?
Or, what if we face a defensively motivated opponent whose intentions are not nefarious, but are driven by an interest in national security? Here, an asymmetric posture could lead to an unnecessary spiral of conflict.
Furthermore, we need to discuss whether our responses should be restricted to the cyber domain or include more conventional means of retaliation, such as economic sanctions or military strikes.
Some pundits and scholars have written of a “new” strategic triad: space, nuclear, and cyber. To be successful, it is necessary to develop a doctrine for cyberdeterrence that defines what a cyberattack is, how to attribute attacks from state-based and nonstate actors, and the appropriate degree of retaliation.
Before we develop a new cyber doctrine by the seat of our pants, it is worth allowing our cyber experts and decision-makers to take a breath and sift through the laborious conceptual work that is needed to make cyberdeterrence successful in the 20th century.