Enhancing Cyber Deterrence Strategies in the Modern Age
The current state of cyberspace reveals persistent threats targeting the U.S., emphasizing the need for effective deterrence strategies. Calls for a comprehensive cyber deterrence framework have been made by key committees, highlighting the urgency to develop response options, denial strategies, and cost-imposition measures. Understanding the similarities and differences between classical and cyber deterrence is crucial for enhancing cybersecurity in today's digital landscape.
Presentation Transcript
Jonathan Welburn Justin Grana Karen Schwindt Cyber Deterrence or: How We Learned to Stop Worrying and Love The Signal Prepared for the Office of the Secretary of Defense by the RAND National Security Research Division presented to the SMA General Speaker Series 1
The current state of cyberspace Nation-state and non-state actors continue to target the U.S. through cyber means Targeting is no longer contained to cyberspace and threatens key institutions and critical infrastructure Cyber security best practices have yet to halt increased aggression U.S. actions in cyberspace have not deterred cyber attacks There is a lack of supporting policies, authorities 2
The need for deterrence Deterrence, a policy aiming to dissuade adversaries from attack under the threat of consequence, should be employed when defense is not sufficient A cyber deterrence framework should be developed to deter attacks that enhanced security protocols cannot The need for cyber deterrence has drawn key attention "The supreme art of war is to subdue the enemy without fighting." Sun Tzu, The Art of War 3
Calls for cyber deterrence SASC comments on FY19 NDAA, Sec 1621: The committee has also placed a strong emphasis on the need for developing a comprehensive cyber deterrence strategy. Unfortunately, the committee believes the responses to those requests have been insufficient hitherto and incommensurate with the threat we face in the cyber domain. 4
Calls for cyber deterrence NDAA Sec 1636: It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity and cyber warfare, that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States interests Sec 1636 (b)-(e) call for a need to determine Response options Denial options Cost-imposition options Multi-prong response options 5
Classical v. cyber deterrence Similarities Differences Require attribution, thresholds, credibility, capability Superiority of offense over defense Strategic and tactical use of weapons Preserved second-strike Potential for unintended consequences, cascading effects No MAD in cyberspace Barriers to entry Non-state actors threaten stability risks in escalation No need for existing military conflict Imperfect attribution Certainty of cost imposition is not guaranteed Difficulties in signaling, demonstrating capabilities 6
The ambiguities of cyber deterrence stand in stark contrast with the clarities of nuclear deterrence. attribution signaling 7
Imperfect attribution does not prevent at least some degree of deterrence by punishment in cyberspace. Deterrence by denial likely will be the anchor of a cyber deterrence strategy. 8
Defender strategy space Deception Interdiction Patching Denial Resilience Public attribution Retaliation Punishment 9
Defender strategy space: retaliation Within domain Covert Cross domain Retaliation Within domain Non- military Public Cross domain Military 10
Benefits and risks of each strategic option Within-domain Cross-domain Minimize exposure of false attribution Reduce exposure of cyber capability Minimize exposure of false attribution. No exposure of cyber capability. Covert Potential low impact. May not be attributed by adversary. Potential low impact. Potential for escalation. Public naming of adversary attack, means, and methods. No exposure of cyber capability. Public naming of adversary attack, means, and methods. Guaranteed adversary attribution. Overt Potential low impact of sanctions High escalation risk of kinetic. Loss of intel. False attribution embarrassment. Global exposure of capability. Loss of intel. False attribution embarrassment. 11
Elucidate conditions for cyber deterrence effectiveness Objective Characterize attacker behavior and defender deterrence mechanisms Build attacker-defender game to reveal best strategies Approach 12
A note on current literature Baliga, Sandeep, Ethan Bueno de Mesquita, and Alexander Wolitzky. 2019. "Deterrence with Imperfect Attribution." Working Paper. One defender, many attackers. Attackers don't know defender's retaliatory capability. One attacker is selected at random and chooses whether or not to attack. Defender does not observe attacker's decision but a signal that is correlated with the attacker's signal. Defender chooses whether or not to retaliate against a specific actor. 13
A note on current literature Baliga, Sandeep, Ethan Bueno de Mesquita, and Alexander Wolitzky. 2019. "Deterrence with Imperfect Attribution." Working Paper. Result: In some cases, being able to detect more attacks without improving attribution can degrade deterrence. Question: Would the ability to signal cyber-capability lead to coordination on a peaceful equilibrium, or to perverse incentives leading to conflict? 14
Designing a deterrence game Description We model the strategic interactions of deterrence as a game between a single attacker and a single defender as a sequential-move Bayesian game Players Attacker Defender Strategy sets Attacker: attack (don't attack) Defender: signal (don't signal), retaliate (don't retaliate) Imperfect Information The attacker lacks perfect knowledge on the defender's capability to punish by retaliation (signaling) The defender lacks perfect knowledge of the attack's occurrence and origin (attribution) 15
Attacker's incentives The attacker receives a reward if it attacks If the attacker attacks and is retaliated against, it receives a punishment If the attacker doesn't attack and is retaliated against, it still receives a punishment In general, the attacker wants to attack as often as possible without being retaliated against 16
Defender's incentives The defender incurs a cost every time the attacker chooses to attack The defender accrues a reward if it successfully retaliates The defender incurs a cost if it incorrectly retaliates In general, the defender wants to limit the number of attacks, minimize the false alarm rate and retaliate against the attacker when it attacks 17
The attacker moves first by choosing whether or not to attack the defender. 18
The defender moves next; first it observes a signal that is (not perfectly) correlated with the attack. 19
Then, the defender chooses whether or not to retaliate. 20
Finally, each player's payoffs are determined by the outcome of the game 21
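Added worked example, not part of the RAND presentation: a small Python solver for a simplified version of the attribution game walked through above (attacker moves, defender sees a noisy signal, defender decides on retaliation). The payoff names, the binary alarm signal with rates q and f, and all numeric values are assumptions chosen for illustration; the presentation gives no parameters.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Game:  # all field names and values are assumptions for illustration
    reward: float        # attacker's gain from attacking
    punishment: float    # attacker's loss when retaliated against
    gain_correct: float  # defender's reward for retaliating after a real attack
    cost_wrong: float    # defender's cost for retaliating when there was no attack
    q: float             # P(alarm | attack): how well the signal attributes
    f: float             # P(alarm | no attack): false-alarm rate

def posterior(g, p_attack, alarm=True):
    """Defender's Bayesian belief that an attack happened, given the signal."""
    hit, miss = (g.q, g.f) if alarm else (1 - g.q, 1 - g.f)
    return p_attack * hit / (p_attack * hit + (1 - p_attack) * miss)

def attack_gain(g, r_alarm):
    """Attacker's net payoff from attacking when the defender retaliates
    with probability r_alarm after an alarm and never after silence."""
    return g.reward - g.punishment * r_alarm * (g.q - g.f)

def solve(g):
    """Equilibrium (attack probability, retaliation probability after alarm)."""
    if not 0 < g.f < g.q < 1:
        raise ValueError("signal must be informative but noisy: 0 < f < q < 1")
    if min(g.reward, g.punishment, g.gain_correct, g.cost_wrong) <= 0:
        raise ValueError("payoff magnitudes must be positive")
    if attack_gain(g, 1.0) > 0:
        # Even certain retaliation on every alarm cannot offset the reward.
        return 1.0, 1.0
    # Attacker mixes so the defender is indifferent after an alarm:
    #   posterior * gain_correct = (1 - posterior) * cost_wrong
    p = g.f * g.cost_wrong / (g.q * g.gain_correct + g.f * g.cost_wrong)
    # Defender mixes so the attacker is indifferent: attack_gain == 0
    r = g.reward / (g.punishment * (g.q - g.f))
    return p, r

if __name__ == "__main__":
    for q, f in [(0.8, 0.2), (0.95, 0.05)]:   # constructed sample inputs
        g = Game(1, 4, 2, 3, q, f)
        p, r = solve(g)
        print(f"q={q} f={f}: attack prob {p:.3f}, retaliate-on-alarm prob {r:.3f}")
```

In this toy model the equilibrium attack probability falls as the signal separates attack from no-attack more cleanly, and deterrence collapses entirely once the reward exceeds what retaliation on every alarm can impose.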
First, the defender is randomly assigned a capability. 25
Then, the defender chooses its signal, which can depend on the capability. 26
Next, the attacker and defender play the attribution game 27
The attacker chooses to attack not knowing which of two games it is playing 28
Key findings Defenders should be deceptive on true capability Defenders should signal deceptively High attribution improves deterrence Increasing the cost of correct retaliation relative to incorrect improves deterrence 29
Appear weak when you are strong and strong when you are weak Sun Tzu 30
Appear strong weak when you are strong and strong sometimes when you are weak Sun Tzu 31
Towards a national cyber deterrence policy Contrary to the findings from previous work, we believe cyber deterrence is possible Deterrence by denial (patching, resilience) is best However, DoD can improve deterrence through an adversary-specific retaliation strategy This should use deception and signaling DoD should also consider possible uses of antideterrence 32
jwelburn@rand.org https://www.rand.org/pubs/working_papers/WR1294.html 33