The Incoherence of Cyber Deterrence

Horkos
5 min read · Feb 22, 2021
Did you write an op-ed calling for the deterrence of foreign states’ cyber operations?

I love to repeat myself:

I dare you to search my handle and the word “deterrence” on Twitter

In light of the most recent “op-ed by someone who ostensibly should know better”, I had a few thoughts (beyond my op-ed-specific ones) on the persistent incoherence about cyber operations that seems to pervade any discussion in which the idea of deterrence rears its head these days.

While the fundamental concepts of deterrence as a psychological phenomenon, and its components of proportionality, reciprocity, and (coercive) credibility, remain viable outside of discussions about the use of nuclear weapons, deterrence theory itself is intrinsically linked to the Cold War experience, which was defined by the global sword of Damocles of a potential US-USSR nuclear exchange. When the idea of deterrence is invoked today, those invoking it, consciously or otherwise, tend to do so in a context shaped by the dynamics surrounding nuclear weapons. Even when talking about deterring anything other than the use of force (nuclear or otherwise), most people’s frame of reference is still grounded in that “use of force” experience.

It’s when you try to apply a concept purely incubated in discussions about the use of force, especially overwhelming force, to threats that don’t necessarily involve the use of force (like intelligence activities) that the concept becomes functionally incoherent but retains rhetorical value because it just sounds comforting.

State-nexus cyber operations, including computer network exploitation (CNE; aka cyber espionage) and non-kinetic computer network attack (CNA; aka cyberattack), do not share the basic characteristics of nuclear weapons use. But because such malicious cyber activity, like terrorism or nuclear exchange before it, is the “pervasive threat of the moment”, everyone seems to rush to apply the comforting framework of deterrence (especially deterrence by punishment) to it, simply because the framework is there and is easily understood by most people. Applied to state-mounted cyber operations, however, it’s flawed to say the least.

Primarily, it ignores that cyber espionage is now, and will remain, an intrinsic part of how intelligence collection is conducted. You shouldn’t try to “deter” CNE any more than you try to deter HUMINT or SIGINT. It is going to happen, and everyone capable of it should be expected to try it. You can and should take measures to forestall, complicate, impede, degrade, and even disrupt it, running the gamut from basic security hygiene to offensive counterintelligence, but you will not be able to deter it in the total sense that we constantly hear called for in op-eds and interviews.

The obvious counterpoint to this argument is that CNE is a necessary, and sometimes sufficient, condition for CNA. That is absolutely true. But it does not follow that all CNE is conducted in service of CNA objectives and should therefore be treated as such. That lets fear of the worst-case scenario dictate your threat perceptions, which is neither practical nor realistic. If you take the time to understand how state-nexus adversaries (and the entities that task them) actually conceive, plan, and execute cyber operations, you realize that there are significant observables in network activity that can help you differentiate between collection-oriented and attack-oriented CNE. (The U.S. government has apparently been able to do so with regard to recently reported activity.) Understanding how CNA is actually conducted also helps you absorb the reality that generating substantive effects via CNA is not as simple as it might appear.

I do not believe CNE is deterrable via punishment. We must learn to treat it with nuance with regard to its potential as a precursor to CNA delivery, but otherwise accept that it is here to stay as a fixture of intelligence collection enterprises the world over. I believe CNE can only be deterred via denial, insofar as the defensive bar can be raised to impede an actor from achieving their objectives against a given target, or the actor’s efforts can be degraded via offensive counterintelligence to reduce either their capacity or their will to engage in a particular action. This appears to be the operative logic of Defend Forward/Persistent Engagement, albeit widely misunderstood.

In the vast majority of discussions where cyber espionage (under whatever misnomer) and deterrence are referenced together, it appears to be based on the idea of deterrence via punishment to effect a substantial — if not total — reduction in such activity. In my opinion, this is a fantasy and so my casual take is and has been that “CNE cannot be deterred”.

Insofar as CNE is necessary for CNA, and implant staging without execution is already an apparently common practice by the relevant actors, I do not think that operational preparation of the environment (OPE) for CNA can be effectively deterred in any sense approaching totality. To me, CNA OPE falls into the same space as CNE: it can be impeded via denial or degradation, but we cannot prevent the phenomenon entirely. It is my opinion that mechanisms of both punishment (latent or immediate) and denial likely (A) exist and (B) have been used to deter the delivery of CNA effects/actions-on-objectives. I imagine these mechanisms and incidents are classified, are unlikely to be made public anytime soon, and include incidents far below the “critical infrastructure” target scope that everyone is always riled up about; think about how offensive counterintelligence or covert action could take the form of highly discreet CNA operations.

Thus, my sound-bite answer to the “is CNA deterrable?” question is that CNA delivery/actions-on-objectives can be imperfectly deterred.

Finally, I believe that the people we see making vague calls for what sounds suspiciously like deterrence via punishment are the same people who would get very upset at the U.S. government for “tipping its hand” if the CNA deterrence mechanisms I alluded to above were ever disclosed. And if a public act of punishment were ever to generate blowback, those same people would be the first to say, “That’s not what I meant by doing something to deter threat actors!”

Horkos

The net’s own counterintelligence referent, maybe. Views here are personal, not my employer’s. All original content © Alex Orleans, 2014–2023.