Beat back the hack: Cyber-deterrence is a difficult task with huge potential


Cyberattackers pose many threats to a wide range of targets. Russia, for example, was accused of hacking Democratic Party computers throughout the year, interfering with the U.S. presidential election. Then there was the unknown attacker who, on a single October day, used thousands of internet-connected devices, such as digital video recorders and cameras compromised by Mirai malware, to take down several high-profile websites, including Twitter.

From 2005 to 2015, federal agencies reported a 1,300 percent jump in cybersecurity incidents. Clearly, we need better ways of addressing this broad category of threats. Some of us in the cybersecurity field are asking whether cyber deterrence might help.

Deterrence focuses on making potential adversaries think twice about attacking, forcing them to consider the costs of doing so, as well as the consequences that might come from a counterattack. There are two main principles of deterrence. The first, denial, involves convincing would-be attackers that they won’t succeed, at least without enormous effort and cost beyond what they are willing to invest. The second is punishment: Making sure the adversaries know there will be a strong response that might inflict more harm than they are willing to bear.

For decades, deterrence has effectively countered the threat of nuclear weapons. Can we achieve similar results against cyber weapons?

Why cyber deterrence is hard

Nuclear deterrence works because few countries have nuclear weapons or the significant resources needed to invest in them. Those that do have them recognize that launching a first strike risks a devastating nuclear response. Further, the international community has established institutions, such as the International Atomic Energy Agency, and agreements, such as the Treaty on the Non-Proliferation of Nuclear Weapons, to counter the catastrophic threat nuclear weapons pose.

Cyber weapons are nothing like nuclear ones. They are readily developed and deployed by individuals and small groups as well as states. They are easily replicated and distributed across networks, rendering impossible the hope of anything that might be called “cyber nonproliferation.” Cyber weapons are often deployed under a cloak of anonymity, making it difficult to figure out who is really responsible. And cyberattacks can achieve a broad range of effects, most of which are disruptive and costly, but not catastrophic.

This does not mean cyber deterrence is doomed to failure. The sheer scale of cyberattacks demands that we do better to defend against them.

There are three things we can do to strengthen cyber deterrence: Improve cybersecurity, employ active defenses and establish international norms for cyberspace. The first two of these measures will significantly improve our cyber defenses so that even if an attack is not deterred, it will not succeed.

Stepping up protection

Cybersecurity aids deterrence primarily through the principle of denial. It stops attacks before they can achieve their goals. This includes beefing up login security, encrypting data and communications, fighting viruses and other malware, and keeping software updated to patch weaknesses when they’re found.

But even more important is developing products that have few if any security vulnerabilities when they are shipped and installed. The Mirai botnet, capable of generating massive data floods that overload internet servers, takes over devices that have gaping security holes, including default passwords hardcoded into firmware that users can’t change. While some companies such as Microsoft invest heavily in product security, others, including many Internet-of-Things vendors, do not.

This article was sourced from