Old Wine in a New Old Wine in a New Bottle Application of Bottle Application of

Deterrence Doctrine to Deterrence Doctrine to CyberspaceCyberspace

Dr. Shmuel Bar

CEO IntuView

The ProblemThe Problem Governments and the private sector in the developed world

are increasingly dependent on “cyber”. Hence, threats in cyberspace are increasingly strategic in nature.

Cyberspace is inherently asymmetric: Capabilities are widely available but attackers undeveloped or non-state entities are less vulnerable.

This asymmetry motivates attackers to employ cyber attacks, similar to the motivation to employ terrorism in the past.

The constraints in Western countries – particularly post-Snowden - on intrusive surveillance will facilitate the task of the cyber-attacker and put a heavier burden on the targets in the private sector

2

Criteria for Taxonomy of the ProblemCriteria for Taxonomy of the Problem

The identity, affiliation and location of the attacker (state, non-state or other, penetration from outside or internal).

The identity and affiliation of the target (government, private).

The type of attack and the damage: from limited scams to attacks on industrial control systems (ICS), hybrid kinetic-cyber attacks, disruption of government, financial and media services or lethal attacks on infrastructure.

Attacks may be directly visible and may be multiple sleeper Trojan Horses to be activated by will.

Norms, principles, institutions and conditions that can constrain or mitigate courses of action for response.

3

Potential AggressorsPotential Aggressors

Official state entities (military, security services - very rare).

Non-state “ad hoc” sub-contractors; e.g. “black ops” companies, intel assets (e.g. the “Cuckoos Egg” case), hacking groups.

Non-state proxy/surrogate organizations of states (e.g. Hezbollah, Korean organizations in Japan).

Non-state or quasi-state terrorist organizations (e.g. hactivists, Wikileaks, ISIS, al-Qaeda).

Independent ideologically motivated hacking groups or individuals..

Corporate organizations in foreign countries for financial motivation.

Ideologically or financially motivated individuals

4

Targets of Cyber-AggressionTargets of Cyber-Aggression

State targets – military, political and infrastructure targets, recognized agencies of the state, facilities owned by it and parts of a country’s assets or infrastructure, even if they are privately owned (e.g. corporate entities that are critical for a state such as telecommunications, airlines, electric grids).

Non-state actors include private sector companies, civil society organizations, humanitarian institutions, (e.g. hospitals, universities, and individuals).

Individuals as targets of criminal organizations for the sake of extortion, coercion etc.

5

Anything New Under the Sun? Cyber-Anything New Under the Sun? Cyber-Aggression and TerrorismAggression and Terrorism (1) (1)

Both are a form of sub-conventional warfare. The goal is to cause damage and to occupy the enemy, create chaos and undermine confidence in government without provoking a conventional or non-conventional response.

Both – even when initiated by a state - are generally executed by proxies and non-state actors to provide plausible deniability.

Both are applicable to tactical, operational and strategic spheres.

With both – attribution is difficult and if achieved not sufficient for legal prosecution or international action.

Both are on the border between criminal actions and international aggression, with constraints on responses imposed by the former category.

Both may succeed beyond the expectations of the perpetrator and result in escalation to the level of a full-scale response.

6

As in the case of terrorism, protection of citizens and entities of a state against cyber-aggression must be recognized as the duty of the government both to prevent and to compensate.

As in terrorism, the demand is to prevent all threats and in fact, this is impossible.

As in terrorism, legal frameworks do not suffice. Actions may be attributable through intelligence but not enough for legal action.

As in terrorism, recourse to the “international community” is limited to “coalitions of the (like-minded) willing”. The UNSC (with China on board) is not an option.

7

Anything New Under the Sun? Cyber-Anything New Under the Sun? Cyber-Aggression and Terrorism (2)Aggression and Terrorism (2)

Cyber-Aggression and Terrorism – Cyber-Aggression and Terrorism – DifferencesDifferences The raison d'être of terrorism is to be widely publicized. Cyber-

aggression can share this goal, but also may have more of an affinity with espionage: once revealed, it not only looses its efficacy but may even be turned around against the initiator.

Terrorism is generally ideologically motivated. Cyber-aggression combines ideological and economic motivations.

Terrorist organizations can recruit from wide sectors; cyber-aggression – like espionage – depends on certain skill sets or accessibility.

The damage of terrorism is palpable and therefore justifies extreme measures that cyber-damage may not.

A civilized state cannot deter terrorism by threat of retaliation with terrorism; it can deter cyber-attacks with threats of retaliation in kind.

8

Goals of Counter-Cyber-AggressionGoals of Counter-Cyber-Aggression

Establishing a level of protection that renders and attack frustrating and non-productive – essentially – deterrence by denial.

Proactive Intelligence – identifying patterns, networks, paths, contents of potential cyber-attacks.

Regulating obligatory levels of defence of the private sector to reduce risks.

Development of defensive tools in collaboration with the private sector.

Government insuring or regulation of insuring of the private sector for damages in case of a successful attack.

9

Application of CT Deterrence Doctrine to Application of CT Deterrence Doctrine to Cyber AggressionCyber Aggression

A highly developed cyber- aggressor is susceptible to cyber-retaliation and hence to cyber-deterrence. For a non-developed aggressor, “cyber-reprisal” will not suffice and deterrence by threat of kinetic retaliation must be considered.

A state cyber-aggressor – like a state patron of terrorism - will rarely act through identifiable state entities. Therefore “pre-emptive attribution” for deterring the “aggressor” should allow leeway for “cui bono” attribution, consider the level of intimacy between an identified proxy aggressor and the state, clarify in advance that the patron state will be held responsible and that certain acts will be deemed casus belli.

The current level of cyber threats implies that a strategy of compellence is called for and not merely deterrence.

Ambiguity is a two-edged sword; a threat of punishment of unknown proportions may loom larger than a well-defined threat but may also be perceived as lack of resolve. A declared ladder of responses to corresponding threats must be defined – if not publicly declared.  However, declarations that are not fulfilled generate “negative deterrence”.

Deterrence by denial has yet to succeed in relation to sub-conventional threats. 10

Some QuestionsSome Questions

What are the necessary conditions of government commitment for the private sector to build a counter-cyber-aggression strategy?

Building on that – what are the priorities and duties of the private sector in dealing with cyber-protection and preparing for contingencies?

In absence of clear government policy, can the private sector create norms and cross-cutting cooperative standards?

How can private organizations actively counter cyber threats without crossing the line of breaking the law? 11

Thank youThank you