The National Academies of Science functions in part to provide independent scientific advice to the US government. In that capacity, the office of the Director of National Intelligence contracted with the NAS to look into the prospects of developing cyberwarfare capabilities that are sufficient to deter an attack on its national infrastructure. The NAS has recently submitted a progress report on its efforts, and the dry text of the introductory letter (the report is termed, "The first deliverable for Contract Number HHM-402-05-D- 0011") obscures a sometimes fascinating look into how the cold-war thinking that drove the development of the concept of nuclear deterrence fails to scale to the networked world.
That may seem like a statement of the obvious, but the report points out that deterrence was actually a fully fleshed-out conceptual framework, and there is a significant parallel between cyber and nuclear weapons that's a major component of this framework: it's much easier to engage in offense than defense. "Passive defensive measures must succeed every time an adversary conducts a hostile action, whereas the adversary’s action need succeed only once," the text notes, and recent history is replete with evidence that hostile actions can easily succeed far more often than once.
So, the prospect of mutually assured cyberdestruction might seem to offer the possibility of a framework that's at least similar to the one that governed the world of nuclear weapons. The body of the report, however, focuses on the various reasons it probably doesn't.
Perhaps the biggest reason is that, for deterrence to work, we and our adversaries have to have a rough idea of each other's offensive capabilities. "Classical deterrence theory bears many similarities to neoclassical economics, especially in its assumptions about the availability of near-perfect information (perfect in the economic sense) about all actors," as the report notes. Leaving aside the shortcomings of these assumptions in neoclassical economics, this simply doesn't describe the current reality.
Right now, the US has chosen to keep its offensive cyber weaponry entirely classified and, since there's no launch infrastructure or physical indications of testing (hallmarks of nuclear weaponry), nobody is likely to develop a complete picture of what we can do. The US is unlikely to disclose its capabilities because, in contrast to nuclear weaponry, knowing these capabilities may help adversaries plan defenses. It may be somewhat effective as a deterrent—it's generally assumed that the US has the most potent capabilities around. But it leaves the US in a situation where it is counting on everyone to assume it has the weapons.
To actually engage in effective deterrence, you also have to be able to recognize when you're under attack, and that's not exactly a simple thing. "A nuclear explosion on US territory is an unambiguously large and significant event, and there is little difficulty in identifying the fact of such an explosion," the report notes. "But US computer and communications systems and networks are under constant cyberintrusion from many different parties, and against this background noise, the United States would have to notice that critical systems and networks were being attacked and damaged."
In the same manner, figuring out the source of a nuclear attack is pretty straightforward. A limited number of nations possess the capacity, a lot of those are unlikely to attack the US, and the weapons themselves have generally required easy-to-trace means of delivery. In contrast, reasonably potent cyberattacks can be launched from commodity hardware that's both expendable and priced within the range of nonstate actors (via botnets, the attacks can also be launched from nations that aren't involved in hostilities). There have also been cases where some branches of a state have pursued foreign activities independently of their central government's policy, such as Iran's Revolutionary Guards during the Khatami years.
Even in the US, the issue of non-state actors should be viewed as a significant factor. "It would be highly unusual for a major corporation, for example, to be the specific target of a nuclear weapon," the report notes. "By contrast, major corporations are subject to cyberattacks and cyber exploitations on a daily basis." In the same way, if everyone at Google spent their 20 percent time developing cyberweaponry, chances are good that the company would end up with resources beyond the reach of most nations.
But the report also suggests that nuclear deterrence isn't the only model we should consider. Although the development of bioweaponry also requires fewer resources and is easy to hide, most nations have avoided developing bioweapons, and they've never been used on a significant scale. This, the report suggests, has been because an international consensus has been fostered that views bioweaponry as unethical. It might be possible to promote that view for things like medical IT, but it seems like it's a bit late for that when it comes to cyberweaponry.
The document is intended to serve as a progress report, and its authors indicate that they'll be focusing on whether it's possible to develop a theoretical model for cyberdeterrence that can guide the formulation of policy, operational planning, and international efforts over the course of the coming year. We'll continue to monitor their progress to see what they come up with.
Copyright 2013 © Godem Online Inc. | Web and server solutions by NewTech Solutions.