Cyber Deterrence - Methods and Effectiveness

CYBER DETERRENCE
Methods & Effectiveness
Author: Don Eijndhoven
Company: Argent Consulting
Date: November 2, 2010
Version: 1.1
RESEARCH PAPER: Cyber Deterrence – Methods &
Effectiveness
By Don Eijndhoven, Argent Consulting
Table of Contents
- Executive Summary
- Issue Statement
- Background
- Cyber Deterrence – Methods and Effectiveness
- Infeasibility
- Futility
- Fear of Retaliation
- Conclusion
- Future Developments
- References
Executive Summary
Cyberspace as a warfighting domain contains ‘natural laws’ unlike any other environment we’ve seen so far, which presents unique issues for combat. Cyber Weapons are virtually impossible to regulate, as they consist of programs that can be written anywhere, on any system, by anyone with skills that are legal to obtain and taught in virtually every country. Also, Cyber Weapons can be perfectly legal until the intent of the user changes; many of them are applications originally designed to test for security vulnerabilities.
Cyber Warfare is highly asymmetric, meaning that a small force can do large damage, and is cheap enough in resources that it can be waged by any person or entity with the intent to do so. Parallels can be drawn with Deterrence Theory as applied in Nuclear and Bio Weapon Deterrence, but the ‘natural laws’ of the cyber environment cause them to miss the mark when it comes to effectiveness.
Deterrence breaks into three categories: Infeasibility, Futility and Fear of
Retribution. Deterrence through Infeasibility, which relies on raising the
cost/effort of an attack to become more expensive than the gains returned
by success, fails because cyber weapons are cheap and manpower may be
free (depending on motivation).
Deterrence through Futility relies on defenses being so strong that the object
becomes impervious to attack, but this fails because defenses are based on
code, and code is susceptible to human error, thus all defenses will have
flaws.
Deterrence through Retribution, which is what the Mutually Assured Destruction (MAD) Deterrence Strategy during the Cold War was based on, relies on the attacker being deterred by the possibility of retaliation by the target. This strategy fails because the origins of cyber attacks can be obscured or even made to falsely indicate an innocent third party, rendering any threat (through any sanction) moot.
Issue Statement
Cyberspace is the first entirely manmade warfighting domain. Its ‘natural
laws’ are unlike anything we’ve ever seen before and create the need for an
entirely new array of weaponry and tactics. Due to the flexible and
interconnected nature of cyberspace, which was designed around the
premise of redundancy rather than security, many online resources are
shared between government and private entities. This raises the potential for collateral damage to such an extent that many nations, especially those who depend on the internet for much of their critical services, are looking into trying to deter cyber attacks.
In this regard, the following questions arise:
- What deterrence methods are there?
- Are there other deterrence models that may offer clues as to what works?
- How effective would those measures be in the cyber warfare context?
It should be noted that Cyber Deterrence is a broad concept with much more
depth than what can be covered in this research assignment and still stay in
the allotted amount of pages. For this reason, some of the deeper aspects
will be out of the scope of this paper.
Background
“The only difference between a cyber weapon and a security or capacity
testing tool is the intent of the individual using it.” Kevin Coleman,
Technolytics
At the moment of writing, it is still heavily debated what the definition of
“Cyber Warfare” truly is. At his confirmation hearing for the new Cyber
Commander post, US Lt. General Keith Alexander couldn’t define the term
when asked to do so. Richard Clarke [1] defined Cyber Warfare as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption" in his book Cyber War [2], but this is an incomplete definition, not covering other aspects of warfare such as intelligence gathering. Nevertheless I think we can all agree that at least to an extent it involves the exploitation of interconnected systems, thus overlapping with other trades such as ethical hacking and cyber crime. The software and skills used are often the same; security consultants and penetration testers often use the exact same tools as the people they are trying to keep out of their systems. The only real difference is, as Mr. Coleman says, a matter of motive.
The Theatre
To understand the topic of Deterrence in Cyber Warfare, we must first
establish where it is fought. As covered in the issue statement, it is fought in
the first entirely manmade domain that we call cyberspace. But what exactly
is cyberspace? According to Wikipedia:
Cyberspace is the electronic medium of computer networks, in which online communication
takes place. It is the domain of electromagnetics readily identified with the interconnected
information technology required to achieve the wide range of system capabilities associated
with the transport of communication and control products and services. Current technology
integrates a number of capabilities (sensors, signals, connections, transmissions, processors,
and controllers) sufficient to generate a virtual interactive experience accessible regardless of
a geographic location.
Cyberspace is the dynamic realization of electromagnetic energy through the application of
communication and control technology. In pragmatic terms, operations within this global
domain allow an interdependent network of information technology infrastructures (ITI),
telecommunications networks, and computer processing systems, integrated sensors, system
control networks, embedded processors and controllers common to global control and
communications across the electro-magnetic environment.
[1] Richard A. Clarke, US Government security expert
[2] Clarke, Richard A. Cyber War, HarperCollins (2010)
The article goes on to describe the social experience of the internet, but the
truth is that as a civilization we have yet to truly grasp the ramifications of
having such immense interconnectivity between information and services.
This same lack of comprehension is likely at the very core of Lt. General
Alexander's problem with describing cyber warfare. For the purpose of this
research paper the Wikipedia definition of cyberspace will suffice.
The Weapons
The distribution of such software, or “proliferation of cyber weapons” in military parlance, is widespread and often public. In many cases the software is freely downloadable. A few simple Google searches can give you access to the digital equivalent of your local gun store. For more malicious purposes such as identity theft or credit card fraud there are entire black markets where the latest zero-day exploits [3] can be bought for relatively small amounts of money. There are groups that will have your malicious code modified and tested to evade the top 10 antivirus software suites for a nominal fee. There’s even an auction system for zero-day exploits on Twitter [4]. Companies specializing in security consulting and penetration testing can opt to buy subscriptions to exploit code through state-of-the-art delivery platforms such as Core Impact Pro [5], Immunity Canvas [6] or the well-known Metasploit Framework [7], which is freely available.
All these options are available to the general public, and all of them can be used in furtherance of cyber warfare. It is good to note that, since nations tend to have more resources than individuals and commercial entities, they also have the option of having their cyber weapons developed in-house by specialists. Another option, one that is generally considered to be within reach only of nation-states because of the resources required, is the ability to infiltrate an adversary’s electronics supply chain and corrupt it from the inside. This sort of attack could have a hardware engineering aspect as well as a software aspect.
[3] Software aimed at exploiting vulnerabilities for which a patch has not yet been developed.
[4] http://twitter.com/0daybid
[5] http://www.coresecurity.com/content/core-impact-overview
[6] http://www.immunitysec.com/products-canvas.shtml
[7] http://www.metasploit.com
The Players
An estimated 100+ countries [8] have already started to develop Cyber Warfare programs to deal with this potential threat, but they are hardly the only players when it comes to cyber warfare. With a technology as prevalent as the Internet, this potential battlefield is accessible to all layers of society. Furthermore it is important to note that cyber warfare is very asymmetrical. Resources don’t necessarily guarantee the upper hand in a conflict, as a single person with a single exploit can potentially inflict as much damage as a whole battalion using supercomputers. Everything depends on the particular environment, the quality of the exploit and the skills of the attacker. As such, we should count everyone that has the motivation to make themselves felt. This would include players such as terrorists, religious extremists, outfits of organized crime, ideological radicals, mercenaries et cetera. This is relevant information because each deterrence tactic will carry a different effect from one group to the next.
[8] The numbers vary. The Air Force Law Review estimates 120 countries in their article in the winter of 2009; Spy-Ops says 140 in a 2008 article in Outside The Beltway.
Cyber Deterrence – Methods and Effectiveness
Deterrence is a theory taken from behavioral psychology about preventing or
controlling actions or behavior through fear of punishment or retribution. We
see it in use every day as part of our legal system, but it is also relevant in
warfare. Deterrence Theory was especially relevant during the Cold War with
regard to the use of nuclear weapons and sprouted strategies such as
Mutually Assured Destruction (MAD). This revolved around there being too
many nuclear missile launch points to take out in a single strike, thus
ensuring severe retribution by the aggrieved party.
As to deterrence methods, there are really only three that come into play:
1. Infeasibility – “Getting the required resources to perform an attack is
too hard.”
2. Futility – “I know that my attack will have no effect on my target.”
3. Fear of Retaliation – “Damage done to me in return is too high a price
to pay.”
Infeasibility
The concept of Infeasibility as it pertains to Cyber Deterrence revolves
around curtailing the flow or proliferation of the means by which attacks can
be executed (e.g. cyber weapons). When compared to other deterrence
strategies such as the ones used with Nuclear or Biological Warfare, the most
important difference is the physical aspect; Cyber Weapons have none.
Nuclear or biological weapons can be regulated because their base materials, such as weapons-grade uranium or a strain of Y. pestis, are difficult to make (or control, in the case of diseases). The only requirement for building a cyber weapon is a computer to write the code on, and until (and likely after) it is actually used to write malicious code it is indistinguishable from any other.
Also, programming malicious code does not make high demands on the
hardware of said computer. The cheapest current system will probably
suffice. The rest is a matter of intelligence and skill. With the prevalence of
internet access worldwide and the amount of knowledge on the subject that
is thus readily accessible, the required intelligence and skill is reduced
severely.
With so few resources necessary and their availability so high, it is highly
unlikely that the proliferation of cyber weapons can be halted successfully.
Futility
Making the attacker believe an attack would have no effect requires the attacker to believe your defenses are insurmountable. In the physical realm this could be achieved by placing one’s defensive works in plain view for all adversaries to see. There are castles and fortifications all over Europe that have never been attacked because they were deemed impregnable.
However, it is likely that the defenses will be tested by the attacker
regardless of how strong they look. This is especially true in cyberspace,
where exploit code is freely available for virtually all network-capable
software and Operating Systems, and automation makes even the most
arduous and repetitive tasks (such as brute-forcing passwords) potentially
viable. Another key ingredient here is Anonymity. It is relatively easy to
route attacking traffic through systems that don’t log anything, thus
obscuring the trail back to the attacker and making attribution difficult (if not
impossible). This lack of attribution will be discussed in greater detail later.
Finally it is important to note that all software is eventually written by humans, and thus vulnerable to human error. Though the numbers vary wildly due to the influence of Quality Control processes and programmer skill, it is commonly assumed [9] that the Industry Average is 15 – 50 errors per 1000 lines of code. This means that virtually every OS or program will contain errors, and a percentage of these will compromise its security. When these bugs find their way into products that are sold to the public, they may be found and exploited. Therefore, any product that is considered safe today may not be safe tomorrow.
Regardless of how much effort is put into building one’s network defenses, they are invisible to the attacker until he explores or attacks them. Even then, it is entirely uncertain whether an attacker will call off his attack, simply because he does not know he has been detected, believes himself anonymous or feels himself immune to prosecution.
[9] Source: Code Complete, 2nd edition by Steve McConnell
Fear of Retaliation
By facing the risk of losing more in a retaliatory strike than there is to gain
from attacking, an attacker may be effectively deterred. This has been the
main theory during the Cold War, where the Mutually Assured Destruction
strategy effectively staved off a nuclear war between the US and Russia. A
comparison between Nuclear Deterrence and Cyber Deterrence is often
made, but there are a great many downsides to this strategy in cyberspace.
Firstly, as stated previously, it is very easy to obscure one’s identity as an attacker. Malicious traffic can be routed through a multitude of anonymous (i.e. non-logging) routers, obfuscating the origin of the packets. Furthermore, we can only (theoretically) trace attacks back to the system that sent them, and still not be able to determine the person who launched them. If a foreign operative launches an attack from an internet café in a third nation, this may implicate guilt where there is none and may cause retribution to damage an innocent party.
Second, cyber attacks differ from kinetic attacks in that the damage (or even
success) of an attack need not be obvious. Successful cyber attacks have
been known to go unnoticed for months. Also, attacks may not have to be aimed at causing destruction or disruption. An attack may instead be intended to corrupt data and be specifically designed to stay hidden for longer periods of time.
Third, retaliation may not be in the best interest of the aggrieved. Retaliation
indicates that an attack has at least taken place (successful or not), which
may not be desirable. It is generally assumed that the severity of retaliation
is an indication of how successful an attack was. Will response be in kind, or
escalatory? Will retaliation be public, or sub-rosa? Public perception is a very
important political factor, so proportionality is an issue as well. Also, what is
the threshold for retaliation? Is that a public threshold, or has no official
declaration of intent been given? These are all very relevant questions that
must be answered.
Fourth, retaliation may not be possible. The attacker’s defenses may be strong enough to withstand retaliation. Also, retaliation may not be successful when it is attempted. As stated previously, the retaliation may not even be detected when it is successful, and is most likely not detected when it fails. Even when an attack is both successful and detected, it may not be distinguishable from the swathe of automated attacks that usually plague government websites [10], and so is not recognized as retaliation. One possible solution for that is using the same attack as the original attacker used, but of course odds are good that the attacker fixed this vulnerability in his own network as soon as it was discovered. Timing is also very important. If retaliation comes months after the initial attack, it may be perceived as an original attack rather than a retaliatory strike. Inaction, or worse, incompetence, may make the retaliator seem blind, weak or incapable, which lowers the level of deterrence.
[10] US Defense Secretary Robert Gates stated that the US government experiences cyber attacks on their network daily and constantly. See ZDNet article.
Research [11] indicates that the certainty of punishment is a greater
deterrent than the severity of the punishment (or retaliation in this
case). Unfortunately, the attribution problem makes the likelihood of
getting caught seem very low. Even when the aggrieved party decides
to retaliate, it is not always perceived by the target. This makes
Retaliation as a deterrence strategy in Cyber Warfare a tricky one at
best and a dangerous one if it hits the wrong target due to faulty
attribution.
[11] Source: The book “Criminology” by Larry J. Siegel
Conclusion
It is clear that cyberspace as a warfighting domain does not lend itself well to
conventional weapons and tactics. Many concepts will be far less effective,
completely ineffective or even counterproductive because the rules of the
game are fundamentally different. The lack of a physical dimension is
probably the most fundamental; it wreaks havoc with establishing network
boundaries or attribution. A bullet fired in anger is comparatively easy to
trace because of physical evidence. It is far easier to determine who fired it,
what his or her affiliations are, what his or her motives are and whether or
not the attack is part of a larger attack. The damage done by the bullet is
also usually visible and obvious.
The same cannot be said for cyberspace. In cyberspace, an attack may succeed or fail without the attacker knowing what the status of his attack is. When the attack fails, it is usually not even noticed. It may not be noticed even if it does succeed. When an attack succeeds, the damage (if there is any) may not be obvious, either by design (when the intent is corruption of data) or because the attack simply did not behave as intended. The system from which the attack was launched may never be found, nor its operator. The attacker’s involvement may never be proven, and the intent of the attack may never be established. It is also far easier for any attacker to plant false evidence to implicate an innocent third party than it is in physical space.
Essentially there is uncertainty in every relevant aspect of the situation, and very little, if anything, can be controlled in a fashion that alleviates the problems. Until the technology and the rules of the environment solidify in a way that changes these circumstances, which, given the nature of cyberspace and the behavior demonstrated thus far, may never happen, it will remain unsuited for traditional forms of deterrence.
Future Developments
It is my belief that in the future we will see a greater development in private-sector Intelligence endeavors through HUMINT, SIGINT, OSINT and perhaps even MASINT, aimed at providing intelligence about impending attacks, the players involved and the motives behind the attacks. This could serve as (potentially circumstantial) evidence after the fact as well as giving advance warning prior to attacks, giving targeted entities the crucial time needed to shore up their defenses. A prime example is Project Grey Goose, whose members provided a wealth of information about the cyber attacks against Estonia in 2007, detailing the most likely players and their motives.
Another trend I expect (and hope) to see continuing is the collaboration and
cooperation of nations in the area of cyber crime. Large scale botnet
takedown operations are tricky because the criminals involved do not respect
national borders, and the various police forces need to cooperate with each
other to bring offenders to justice. Though this does not directly relate to
Cyber Warfare, an international sharing of discovered malicious code could
have an interesting effect on the various cyber warfare commands around
the globe.
As to Cyber Deterrence, I believe that the practice will cease to be relevant,
and the term will be discarded in favor of less general terms such as Cyber
Defenses, Cyber Intelligence et cetera.
References
1. Richard A. Clarke, US Government security expert
2. Richard A. Clarke, Cyber War, HarperCollins (2010)
3. Software aimed at exploiting vulnerabilities for which a patch has not yet
been developed.
4. http://twitter.com/0daybid
5. http://www.coresecurity.com/content/core-impact-overview
6. http://www.immunitysec.com/products-canvas.shtml
7. http://www.metasploit.com
8. The numbers vary. The Air Force Law Review estimates 120 countries in their article in the winter of 2009; Spy-Ops says 140 in a 2008 article in Outside The Beltway.
9. Source: Code Complete, 2nd edition by Steve McConnell
10. US Defense Secretary Robert Gates stated that the US government
experiences cyber attacks on their network daily and constantly. See ZDNet
article.
11. Source: The book “Criminology” by Larry J. Siegel