Is Taiwan the Next Hong Kong?
China Tests the Limits of Impunity
In late December, Washington accused North Korea of being “centrally involved” in a cyberattack against Sony Pictures Entertainment. Agents associated with North Korean leader Kim Jong Un’s regime, U.S. officials said, gained access to Sony’s computer network and released troves of sensitive files. The leak was followed by threats that North Korea would attack any theaters that ran The Interview, a satirical film that pokes fun at Kim. In response, many theaters refused to show the movie, and Sony pulled it (Sony later backpedaled, opting for a limited release). In turn, another film has been scrapped because it was set in North Korea, and Fox Studios decided that it would not risk distributing it. In both cases, the North Korean regime influenced decision makers by threatening punishment. This is deterrence at work.
Unfortunately, deterrence has not worked nearly as well when it comes to cyberattacks against U.S. interests. Colleges, businesses, government agencies, and not-for-profit groups have all suffered, some severely. Few, if any, of the responsible criminals have paid a price for their actions. In fact, cyberattackers, especially those sponsored by states, operate with virtual impunity. If that doesn’t change, cyberattacks will continue to increase in severity. To reverse the trend, the United States needs to establish deterrence in cyberspace.
One way to establish deterrence is to deny the enemy success. In cyberspace, this means establishing defenses to blunt attacks. Many institutions are not devoting sufficient resources to protecting their information, and many people are not adopting best practices to stop hackers from cracking their accounts. Much more can be done to defend networks at relatively low cost—including two-factor identification, complex passwords, access control, automatic patching, and multi-layered firewalls. But people must first take cyberthreats seriously, and many do not.
Nevertheless, defense cannot be the whole answer. In cyberspace, constructing an impenetrable defense is practically impossible. Eventually, the attackers will find a weakness and exploit it. This is especially true with state-sponsored attackers, as states have sufficient resources to be patient and persistent. In cyberspace, the cost of defense is much higher than the cost of offense, so the United States needs other options for influencing an attacker’s calculus.
One set of options involves the use of offensive force. The Cold War theorist Thomas Schelling showed how force is linked to deterrence. In his landmark book Arms and Influence, Schelling explained that force serves two purposes. First, it has the power to destroy; to break and maim and kill. Second, because it has the power to destroy, force can also cause great pain, and the other side knows this. Insofar as the opponent wishes to avoid pain, force has the ability to coerce: to convince the opponent to take action, or choose inaction, in ways favorable to our side. The essence of deterrence by punishment, therefore, is for the United States to communicate a credible threat that is sufficiently painful that the opponent will choose to forgo attacks rather than endure the punishment.
The fundamental problem with deterring state actors in cyberspace is that a credible threat of punishment has not yet been communicated. This is why state actors choose to conduct thousands of attacks per day against U.S. institutions, allies, and interests. This will continue, and worsen, until a credible threat is established.
There is a natural inclination to assume the threat of punishment must come through cyberspace. Counterattacks may involve destroying digital pathways, releasing files, overwhelming services, assuming control of systems, or altering data in insidious ways.
Although such cyberretaliation can cause considerable pain, there are several reasons why it is not well suited for deterring future attacks. First, just as the United States has difficulty attributing a cyberattack to an adversary, adversaries face the same challenge unless the United States announces its retaliation. It is usually not in the United States’ best interest, however, to draw attention to cyberattacks because that would alert the adversary that the United States has gained access to its systems. In addition, retaliatory attacks in cyberspace could result in significant collateral damage. It is difficult to predict the second- and third-order consequences of an attack, especially as systems become increasingly connected. Furthermore, some adversaries perceive themselves as less dependent on cyberspace than the United States, and therefore, they may not think that the cost of cyberretaliation would outweigh the gain of a cyberattack. Finally, many across the world mistakenly believe that attacks in cyberspace are more virtual than real and, therefore, do not take them as seriously.
Given these limitations, it would be difficult to deter cyberattacks through the threat of retaliation in cyberspace. The United States could, however, transfer the threat of punishment from the virtual space to the physical world. State-sponsored cyberagencies have physical infrastructure—buildings, communications hubs, server farms, and so on—as do the decision-makers that direct these agencies. This infrastructure is vulnerable to physical attack, and the resulting loss would be quite painful. If the United States credibly communicated this threat, it may be enough to deter a great number of would-be cyberattackers.
Moving from the virtual to the physical world would allow the United States to shift competition from the cyberdomain, where it suffers from a competitive disadvantage (because it has much more to defend), to the physical domain, where it enjoys considerable advantages. Linking the virtual to the physical would also show how seriously the United States takes cyberattacks. It may only require one or two demonstrations of this seriousness to establish deterrence. Although some nations have concluded that they can attack the United States with impunity in cyberspace, no nation could be certain that it could defend against a physical attack by U.S. forces.
As with any policy choice, there are risks with using physical force to deter virtual attacks, including the challenges of hitting the wrong target or generating collateral damage. The biggest risk, however, involves escalation. A physical response could provoke a dangerous game of brinksmanship between the sides. No one wants a relatively low-level exchange in cyberspace to escalate to the point of superpower confrontation. This means that any physical retaliation must be roughly proportional to the initial cyberattack. Furthermore, any prospective threat of punishment cannot be perceived as being vastly out of proportion to the original provocation, as such a threat would not be credible. This is difficult to accomplish, because attacks using physical force, especially by one sovereign state against another, are perceived as inherently much more serious than cyberattacks.
There may be a way to walk the fine line. Non-lethal technologies could offer a proportional answer for a cyberattack. One possibility involves the use of high-power microwave (HPM) weapons, which generate a powerful electric pulse that enters electronic systems through unshielded wires and circuits, overloading these systems. The pulse disrupts computers and communications without destroying buildings or harming people. HPM weapons could be used to threaten would-be cyberattackers with significant punishment while keeping the threat proportional to the provocation: cyberattackers face the risk of having their equipment destroyed.
No weapon is risk-free, and it is possible HPM weapons could damage sensitive systems such as medical equipment or pacemakers. The effective radius of HPM weapons is relatively limited, however, and there are many isolated infrastructure targets where the risk of unintended damage would be minimal.
As a country, the United States might decide that the attack on Sony does not meet the threshold required for a vigorous response along these lines. But an attack that does is coming. It will not be long before a state uses a cyberattack to crash U.S. ATM networks, disable utilities systems, or degrade traffic control systems. Worse, adversaries could use cyber threats to coerce Washington. For the vast majority who use the Internet for peaceful purposes, it would be better to establish the threat of retaliation against the would-be cyberattackers now, before they go too far.