Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack

Cyber attackers rely on deception to exploit vulnerabilities and obfuscate their identity, which makes many pessimistic about cyber deterrence. The attribution problem appears to make retaliatory punishment, contrasted with defensive denial, particularly ineffective. Yet observable deterrence failures against targets of lower value tell us little about the ability to deter attacks against higher-value targets, where defenders may be more willing and able to pay the costs of attribution and punishment. Counterintuitively, costs of attribution and response may decline with scale. Reliance on deception is a double-edged sword that provides some advantages to the attacker but undermines offensive coercion and creates risks for ambitious intruders. Many of the properties of cybersecurity assumed to be determined by technology, such as the advantage of offense over defense, the difficulty of attribution, and the inefficacy of deterrence, are in fact consequences of political factors like the value of the target and the scale-dependent costs of exploitation and retaliation. Assumptions about attribution can be incorporated into traditional international relations concepts of uncertainty and credibility, even as attribution involves uncertainty about the identity of the opponent, not just interests and capabilities. This article uses a formal model to explain why there are many low-value anonymous attacks but few high-value ones, showing how different assumptions about the scaling of exploitation and retaliation costs lead to different degrees of coverage and effectiveness for deterrence by denial and punishment. Deterrence works where it is needed most, yet it usually fails everywhere else.
