On the Use of Offensive Cyber Capabilities - Belfer Center for ...
On the Use of Offensive Cyber Capabilities - Belfer Center for ...
On the Use of Offensive Cyber Capabilities - Belfer Center for ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Deterrence and Defense“To <strong>the</strong> issue <strong>of</strong> where we're going in <strong>the</strong> future and deterrence-type strategies associated withcyber and <strong>the</strong>n how <strong>the</strong>y're incorporated into larger deterrence strategies, today we have anetwork that is essentially constructed around point defenses. In o<strong>the</strong>r words, you go buy afirewall and some sort <strong>of</strong> virus protection, you put it on your computer. That's a point defense. Ittends to be <strong>the</strong> most inefficient defense <strong>the</strong>re is, because you're static; in any attack on you, you'rejust always <strong>the</strong>re. [As an Attacker] you just keep [attacking] as <strong>of</strong>ten as you want, and <strong>the</strong>re'sreally no penalty <strong>for</strong> doing it.” 30 -General James Cartwright<strong>On</strong>e final area worth clarifying is <strong>the</strong> difference between deterrence anddefense. Substantial ambiguity and confusion exists in <strong>the</strong> current literature on<strong>the</strong> relationship between deterrence and defense. 31 It is essential that thisdistinction is clear in order to have a productive policy discussion. In this work,we follow <strong>the</strong> definition <strong>of</strong> deterrence found in JP 1-2 <strong>of</strong> “<strong>the</strong> prevention <strong>of</strong> actionby <strong>the</strong> existence <strong>of</strong> a credible threat <strong>of</strong> unacceptable counteraction.” This we term activedeterrence.Defense protects systems, directly increasing <strong>the</strong> cost to conduct a successfulattack. Deterrence increases <strong>the</strong> cost should an attack succeed ei<strong>the</strong>r throughthreatened retaliatory action or entanglement (passive deterrence). Given <strong>the</strong>valuable in<strong>for</strong>mation stored in cyberspace and <strong>the</strong> high cost <strong>of</strong> defending thisin<strong>for</strong>mation, we agree with <strong>the</strong> analysis <strong>of</strong> retired General Cartwright 32 thatorganizations which only defend and do not deter against cyber attacks arecertain to be <strong>the</strong> victims <strong>of</strong> cyber attacks as long as <strong>the</strong>y use in<strong>for</strong>mation systems.All deterrence is inherently achieved through creating a system whereadversaries believe that a successful attack will imposes additional costs on <strong>the</strong>mthat exceed <strong>the</strong> benefits <strong>of</strong> an attack. This is generally achieved through30 (Lynn & Cartwright, 2011)31 For example, see (Gourley, 2008)32 (Nakashima, 2011)25