OPTIMIZING CYBERDETERRENCE
A COMPREHENSIVE STRATEGY FOR PREVENTING FOREIGN CYBERATTACKS
ROBERT MANDEL
© 2017 Georgetown University Press. All rights reserved. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system, without permission in writing from the publisher.
The publisher is not responsible for third-party websites or their content. URL links were active at time of publication.
Library of Congress Cataloging-in-Publication Data
Names: Mandel, Robert, 1949- author.
Title: Optimizing Cyberdeterrence : A Comprehensive Strategy for Preventing Foreign Cyberattacks / Robert Mandel.
Description: Washington, DC : Georgetown University Press, 2017. | Includes bibliographical references and index.
Identifiers: LCCN 2016024168 (print) | LCCN 2016040085 (ebook) | ISBN 9781626164123 (hc : alk. paper) | ISBN 9781626164130 (pb : alk. paper) | ISBN 9781626164147 (eb)
Subjects: LCSH: Cyberterrorism--Prevention.
Classification: LCC HV6773 .M355 2017 (print) | LCC HV6773 (ebook) | DDC 363.325--dc23
LC record available at https://lccn.loc.gov/2016024168
This book is printed on acid-free paper meeting the requirements of the American National Standard for Permanence in Paper for Printed Library Materials.
18 17 9 8 7 6 5 4 3 2 First printing
Printed in the United States of America
Cover design by Connie Gabbert
The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards.
Gene Spafford, Purdue University computer science professor and leading cybersecurity expert
Contrary to what the security industry now messages, prevention is not a failed strategy.
Anup Ghosh, chief executive officer and founder of cybersecurity firm Invincea
Acknowledgments
Optimizing Cyberdeterrence: A Comprehensive Strategy for Preventing Foreign Cyberattacks, my thirteenth book, has utterly captured my imagination, for it deals with a human-constructed global security threat that in theory should be susceptible to man-made solutions yet in practice appears at least on the surface to defy every remedy. Ever since high school, I have been deeply fascinated with computer hardware and software and the opportunities and dangers embedded in the digital age. Because figuring out how to make cyberdeterrence work better requires a deep and wide integrated understanding of both technical and strategic issues, this investigation was extremely intellectually challenging. I am deeply indebted to my student research assistant Katherine Keller for her hard work and incredibly probing insights and to Don Jacobs of Georgetown University Press for his adept expert shepherding of this project to its completion. I also appreciate the ideas I received from academic colleagues in international relations and computer science and from government defense and intelligence officials. However, I alone take responsibility for any errors found here.
This book is dedicated to the British trio of Charles Babbage, George Boole, and Alan Turing for their role as the earliest computer science pioneers, as well as to those today in the public and private sectors who are tasked with the safety of sensitive data and systems and are struggling with ever-changing threats and technological challenges. This book's aspiration is not only to give the public a glimmer of optimism about the protection of their digital assets but also to assist security officials in their quest to thwart efforts of adversaries who wish to steal, corrupt, or make inaccessible critical data. The best people currently working on cyber protection have to be amazingly creative and nimble in their thinking, and they deserve unbridled admiration and support from the rest of us.
Introduction
Optimizing Cyberdeterrence: A Comprehensive Strategy for Preventing Foreign Cyberattacks presents a distinctive strategic vision for cyberdeterrence to restrain foreign-based cyberattacks. This challenge is particularly daunting because traditional, narrow, direct deterrence (such as Cold War nuclear deterrence) is a poor match for the cyber realm. This book promotes a broader, more inclusive cyberdeterrence designed to alter the cyberattacker's decision calculus. To accomplish this end through this means, Optimizing Cyberdeterrence contends that the potential targets of cyberattack need a fluid, integrated mix of strategies that is sensitive to differing circumstances. These strategies encompass (1) moving from just increasing cyberattackers' losses to decreasing any prospects of cyberattackers' gains, both maximizing certainty about high costs and minimizing certainty about high benefits (accounting for culturally different irrational adversaries); (2) moving from just national governments making decisions about restraining cyberattackers to including expanded private sector contributions, combining state officials' input with that of private businesses and citizens; (3) moving from just perfecting past and ongoing standard, straightforward cyberattacker countermeasures to developing alternative cyberattacker countermeasures, combining direct, tangible orthodox restraints and indirect, intangible unorthodox restraints; (4) moving from just responding to cyberattackers in kind on the same playing field to adding cross-domain methods on other playing fields (that is, combining cyberspace and real-world responses); and (5) moving from just engaging in draconian intimidation of cyberattackers to finding sensible ways to convince cyberattackers to restrain themselves by combining fear-based physical prevention and hope-based perceptual persuasion.
This book's uniqueness lies in its focus on (1) cyberthreat in the context of other security dangers, considering the relationship of cyberdeterrence with other security policies; (2) comprehensive coverage of twenty-first-century global cyberattack case studies with major security implications; (3) state and non-state threats and responses; (4) improvements in cyberdeterrence planning and execution strategies that combine maximizing high-cost certainty with minimizing high-benefit certainty countermeasures; public and private initiators; direct, tangible orthodox and indirect, intangible unorthodox restraints; cyberspace and real-world responses; and fear-based prevention and hope-based persuasion; (5) identification of conditions where preferred strategies work best; and (6) cyberdeterrence legitimacy and ethics dilemmas. The underlying aspiration is to provide a conceptually probing, empirically rich, and policy-relevant analysis that serves as a springboard from which to spur dramatic improvement in cyberdeterrence.
Exploring cyberdeterrence raises major thorny questions linked to the broader security and strategic studies literature. These issues include (1) the security impacts of technological diffusion; (2) the leveling of the global power hierarchy; (3) the challenges to dominant global values and security norms; (4) the increasingly non-transparent security transactions and indirect means of transnational influence (including social media); (5) the elusive threat initiation and outcome identification; (6) the growing state use of plausible deniability; (7) the increasingly hollow government promises or threats, erosion of state authority, and rising private sector responsibility; (8) the offensive-defensive strategic interrelationships; (9) the long-term stability problems through boomerang effects, action-reaction cycles, and conflict contagion; and (10) the societally divisive trade-offs between openness and secrecy, freedom and stability, safety and justice, fear and hope, and dependence and vulnerability. The common tendency to isolate cyberdeterrence policy from other defense issues thus needs to be overcome.