Skeptics that a U.S. deterrence policy can be extended to cyberspace typically cite the difficulties in attribution as the reason. Without a culprit, you cannot punish. If you think you know but are unsure, the risks of retaliating incorrectly plus the difficulty of proving to others that retaliation was not arbitrarily aimed may inhibit retaliation. If potential attackers believe that U.S. retaliation is sufficiently unlikely, they will not be deterred from attack.
In light of such arguments, U.S. officials have strained to improve their ability—and reliability in international decision-making—to attribute. Projecting confidence implies that no difficulties in attribution would prevent a response to a cyberattack. Thus, in late 2012 then-Secretary of Defense Leon Panetta proclaimed that attribution was improving; some estimated that two of three attacks could be traced. Former NSA General Counsel Stewart Baker talked of a “revolution in attribution.” In mid-2014, the United States indicted several People’s Liberation Army officers for penetrating U.S. networks. Later that year, the United States, for the first time, pointed the finger at a country, North Korea, for a cyberattack against Sony. In early 2015, the Director of National Intelligence did the same for another country, Iran, for a similar cyberattack on Las Vegas Sands Corporation. Even in the event that the United States attributed wrongly, the public statement at least signaled that the United States deemed the risk of being wrong sufficiently low that doubts about attribution would not inhibit naming and shaming. Putatively, it would not inhibit a serious U.S. response, either.
With that, let us leave the world of fact and launch towards the world of conjecture, where attribution for attacks on the United States is perfect. Would the United States benefit from a deterrence posture that is distinctly more precise, detailed, and explicit than today’s policy (which fails to delineate the severity threshold of an incident to merit response)? To wit, can cyberdeterrence work?
Clearly, cyberdeterrence would work better if attribution were better. But the real question is whether perfect attribution could be good enough to make a detailed and explicit policy work. Here the answer is not so obvious.
Deterrence exists in the enemy’s head (assurance exists in the heads of one’s friends). Even if the United States knew it had the capability, will, and knowledge to punish a cyberattack, it would matter only if the other side knew as much and used such knowledge to refrain from cyberattack. Furthermore, a serious cyber deterrence policy matters only if it inhibits the attacker more than current U.S. policy—vague as it is—already does. And mere inhibition is not all: effective deterrence demonstrates a threat of legitimate and appropriate retaliation and with consequential effect.
Let’s contemplate will and thresholds first, assuming perfect attribution.
Consider a high level cyberattack as devastating as the terrorist attacks of September 11—something like a widespread and destructive attack on the power grid. Would any rational country carry out such an attack and not expect to see the United States react disproportionately (or, colloquially, go non-linear)? This is not an unreasonable expectation for a country with its reactions to September 11 and Pearl Harbor in its history. A country blind to the prospects of such a reaction would probably not pick up on, say, a formal declaration of intent. So there’s no advantage to deterrence at the high level.
What about a low-level cyberattack? Many intrusions into networks are crimes and the willingness of the United States to prosecute crimes is longstanding. The United States pursued the Russians who hacked Citibank in the mid-1990s, extradited a Russian hacker from the Maldives in 2014, and has put a substantial award out for arrest and conviction of the progenitor of the GameOverZeus malware. Russia has shown an uncomfortable tendency to protect its hackers, but any American attempt to raise the stakes with Russia faces the question of what more it could do (absent the use of force) that it was not already doing to persuade Russia to withdraw from Ukraine. So, there’s probably no advantage at the lower level of cyberattack (more appropriately: cybercrime) to a more forceful deterrence posture, either.
That leaves the middle as a place where U.S. will to respond to a cyberattack can affect the calculations of would-be attackers—lest any declaration to get tough on cyberattacks be seen as mere wind. The basic problem is that unless potential attackers impute to the United States both the will to respond and the (approximate) threshold at which the United States would respond, they have no reason to factor a U.S. response as an important consideration in their planning.
Perhaps to that end, the United States took a stand over the Sony attack, justified by the attack’s impact on Sony’s freedom of speech and the fact that computers were wiped (hence destroyed). Unfortunately, this attack was a questionable place to make a stand. First, any justification that stands on two legs raises questions about what behavior it was trying to warn others away from: the first, the second, a third entirely, or some combination. Second, Sony’s right to make whatever movies it wants to (the First Amendment only protects against U.S. government censorship or punishment) is an element in commercial, not personal, speech. The perfectly legal threat of a lawsuit (were, say, Kim Jong-un replaced by an American media mogul) could have led—and, in fact, often leads—to similar adjustments. Third, Sony is a Japanese company (even if its moviemaking subsidiary is headquartered in the United States); the losses, such as they were, fell on Sony’s shareholders, most of which were not U.S. citizens. Fourth, the movie’s distribution to theaters was cancelled only after major movie chains pulled out in the face of a physical threat to moviegoers—so was it cyber-terrorism or good old-fashioned terrorism to which the United States was responding? Fifth, the United States did not respond to the Las Vegas Sands hack of early 2014, which was both destructive and implicated Las Vegas Sands Chairman and CEO Sheldon Adelson’s right to free speech. Sixth, when the final accounting is done, Sony may ultimately have made money from the hack. Early estimates of $100 million dollars in damage now look exaggerated; Sony’s current estimate (to the U.S. Security and Exchange Commission) is $35 million, and the film managed to garner $47 million in sales (as of early March 2015) despite a lack of major U.S. release. (Not to say Sony would gladly have this occur again; many reputations inside the company were damaged as a result of the hack).
Furthermore, until the United States actually does retaliate and with consequence, the will to take the kind of risks that retaliation entails can be questioned. To date, apart from the (re-)imposition of sanctions on a handful of North Koreans, there has been little publicly known response. Indeed, the United States took pains to declare that it was not responsible for the one event that looked like retaliation (the day-long shutdown of North Korea’s access to the Internet). A response that is not obvious to the public may create deterrence in the minds of North Koreans, but unless the latter announce their pain to others, these others will have no reason to be sure that the United States will respond. And what if potential attackers with the capacity to inflict painful counter-retaliation deem that North Korea was retaliated against because it was weak rather than wrong? If so, these more powerful attackers could conclude that the United States lacked the will to retaliate against them—or at least not until they had carried out a more consequential attack. Here too, the North Koreans are a particularly tough case. They do not depend on the Internet. Indeed, inasmuch as President Obama has declared that the Internet would ultimately be the death of the Kim regime, anything that would reduce North Korea’s increasing dependence on the Internet would not serve (declared) U.S. interests. There are very few sanctions left to apply to that benighted country. Finally, violent options are off the table, given North Korea’s constant threat to South Korea (e.g., the thousands of artillery tubes pointed at Seoul). In that respect, as well, the United States is limited in using the hack on Sony to establish its will to retaliate.
Legitimacy is another concern. To be sure, it was less of a concern with nuclear deterrence: rational leaders pull back from acting in ways that risk nuclear annihilation whether or not such annihilation was deemed fairly applied. But in lesser matters, human cussedness and the need to maintain a nation’s prerogatives may come to the fore. For instance, the United States’ ability to deter China from carrying out its aggressive campaigns of economically motivated cyber-espionage may be deemed illegitimate by China and, hence, not particularly productive. The United States has an active cyber-espionage program of its own, albeit for national-security reasons, and has apparently not convinced China that economic motivations for cyber-espionage are less legitimate than national security motivations. Similarly, from Iran’s perspective, its many attacks in recent years (against Saudi Aramco, U.S. e-banking sites, Las Vegas Sands) only begin to even the score for the Stuxnet attack, which was discovered in June 2010. Thus, a U.S. response might be deemed unfair, but pulling back as a result would be to yield to injustice. Or, returning to North Korea, a major motion picture that may incite an assassination against its Dear Leader could, in their mind, provide more than enough justification to dox Sony’s leadership. What appears to the United States a justified reprisal in the service of deterrence may seem to other countries an attempt to prevent the imposition of fairness on their part—an action to be opposed vigorously. Granted, the United States may be correct in all three cases, but that fact may be irrelevant in the question of whether a given act of retaliation establishes deterrence in their minds.
So, if the United States is to establish deterrence, good and convincing attribution is a sine qua non. But even in a (hypothetical) world where such attribution is an established fact, establishing deterrence is still an uphill climb.