Cybersecurity’s next phase: Cyber deterrence

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Dorothy Denning
 

Connecting state and local government leaders

By Dorothy Denning

|

We can strengthen cyber deterrence by improving cybersecurity, employing active defenses and establishing international norms for cyberspace.

This article was originally published on The Conversation.

The Conversation

Cyberattackers pose many threats to a wide range of targets. Russia, for example, was accused of hacking Democratic Party computers throughout the year, interfering with the U.S. presidential election. Then there was the unknown attacker who, on a single October day, used thousands of internet-connected devices, such as digital video recorders and cameras compromised by Mirai malware, to take down several high-profile websites, including Twitter.

From 2005 to 2015, federal agencies reported a 1,300 percent jump in cybersecurity incidents. Clearly, we need better ways of addressing this broad category of threats. Some of us in the cybersecurity field are asking whether cyber deterrence might help.

Deterrence focuses on making potential adversaries think twice about attacking, forcing them to consider the costs of doing so, as well as the consequences that might come from a counterattack. There are two main principles of deterrence. The first, denial, involves convincing would-be attackers that they won’t succeed, at least without enormous effort and cost beyond what they are willing to invest. The second is punishment: Making sure the adversaries know there will be a strong response that might inflict more harm than they are willing to bear.

For decades, deterrence has effectively countered the threat of nuclear weapons. Can we achieve similar results against cyber weapons?

Why cyber deterrence is hard

Nuclear deterrence works because few countries have nuclear weapons or the significant resources needed to invest in them. Those that do have them recognize that launching a first strike risks a devastating nuclear response. Further, the international community has established institutions, such as the International Atomic Energy Agency, and agreements, such as the Treaty on the Non-Proliferation of Nuclear Weapons, to counter the catastrophic threat nuclear weapons pose.

Cyber weapons are nothing like nuclear ones. They are readily developed and deployed by individuals and small groups as well as states. They are easily replicated and distributed across networks, rendering impossible the hope of anything that might be called “cyber nonproliferation.” Cyber weapons are often deployed under a cloak of anonymity, making it difficult to figure out who is really responsible. And cyberattacks can achieve a broad range of effects, most of which are disruptive and costly, but not catastrophic.

This does not mean cyber deterrence is doomed to failure. The sheer scale of cyberattacks demands that we do better to defend against them.

There are three things we can do to strengthen cyber deterrence: Improve cybersecurity, employ active defenses and establish international norms for cyberspace. The first two of these measures will significantly improve our cyber defenses so that even if an attack is not deterred, it will not succeed.

Stepping up protection

Cybersecurity aids deterrence primarily through the principle of denial. It stops attacks before they can achieve their goals. This includes beefing up login security, encrypting data and communications, fighting viruses and other malware and keeping software updated to patch weaknesses when they’re found.

But even more important is developing products that have few if any security vulnerabilities when they are shipped and installed. The Mirai botnet, capable of generating massive data floods that overload internet servers, takes over devices that have gaping security holes, including default passwords hardcoded into firmware that users can’t change. While some companies such as Microsoft invest heavily in product security, others, including many Internet-of-Things vendors, do not.

Cybersecurity guru Bruce Schneier aptly characterizes the prevalence of insecure Internet-of-Things devices as a market failure akin to pollution. Simply put, the market favors cheap insecure devices over ones that are more costly but secure. His solution? Regulation, either by imposing basic security standards on manufacturers, or by holding them liable when their products are used in attacks.

Active defenses

When it comes to taking action against attackers, there are many ways to monitor, identify and counter adversary cyberattacks. These active cyber defenses are similar to air defense systems that monitor the sky for hostile aircraft and shoot down incoming missiles. Network monitors that watch for and block (“shoot down”) hostile packets are one example, as are honeypots that attract or deflect adversary packets into safe areas. There, they do not harm the targeted network, and can even be studied to reveal attackers’ techniques.

Another set of active defenses involves collecting, analyzing and sharing information about potential threats so that network operators can respond to the latest developments. For example, operators could regularly scan their systems looking for devices vulnerable to or compromised by the Mirai botnet or other malware. If they found some, they could disconnect the devices from the network and alert the devices’ owners to the danger.

Active cyber defense does more than just deny attackers opportunities. It can often unmask the people behind them, leading to punishment. Nongovernment attackers can be shut down, arrested and prosecuted; countries conducting or supporting cyberwarfare can be sanctioned by the international community.

Currently, however, the private sector is reluctant to employ many active defenses because of legal uncertainties. The Center for Cyber and Homeland Security at George Washington University recommends several actions that the government and the private sector could take to enable more widespread use of active defenses, including clarifying regulations.

Setting international norms

Finally, international norms for cyberspace can aid deterrence if national governments believe they would be named and shamed within the international community for conducting a cyberattack. The United States brought charges in 2014 against five Chinese military hackers for targeting American companies. A year later, the U.S. and China agreed to not steal and exploit each other’s corporate secrets for commercial advantage. In the wake of those events, cyber espionage from China plummeted.

Also in 2015, a  group of United Nations experts recommended banning cyberattacks against critical infrastructure, including a country’s computer emergency response teams. And later that year, the G20 issued a statement opposing the theft of intellectual property to benefit commercial entities. These norms might deter governments from conducting such attacks.

Cyberspace will never be immune to attack -- no more than our streets will be immune to crime. But with stronger cybersecurity, increased use of active cyber defenses and international cyber norms, we can hope to at least keep a lid on the problem.

NEXT STORY: 3 ways to strengthen security with software supply-chain automation

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.