Deterrence Can Protect Our Critical Infrastructure from Cyberattack
A sophisticated computer virus swept through Ukraine in June, wreaking havoc on systems serving the private sector and shutting down critical civil infrastructure – locking several government ministries out of their files, forcing the closure of a metro system and an airport, affecting banks and ATMs, and blacking-out power stations – before spreading across the globe. Far from an isolated incident, the attack followed on the heels of several others affecting civilian targets over the past few years, in countries ranging from Ukraine to the United Kingdom and the United States. These hacks are troubling reminders of the extent to which modern society has become reliant upon, and can be seriously impacted by disruption of, often-vulnerable computer networks. Preparing to defend against them is not enough; vulnerable countries such as the United States can and must take active measures to deter the cyber-targeting of critical national infrastructure.
Hackers, often working for or with state actors, have increasingly been targeting the systems responsible for normal civilian life. The disruption of services such as power, water, banking, or transportation – all connected to the online world – would cause social, political, and economic upheaval for an unprepared public. Engaging in such disruption is asymmetrically advantageous for actors that lack the economic, diplomatic, or military strength to compete with more powerful nations through traditional means, especially during times of tension or war.
Governments, such as the United States,’ have recognized this and taken steps toward guarding against attacks on critical infrastructure, but many experts doubt that enough has been done – or is even doable – to properly protect and respond. Meanwhile, international agreements intended to address the problems of hacking and attacks on critical infrastructure have had limited impact. And, while the practice of cyber information sharing is a valuable foundation for addressing future attacks, few governments are routinely engaged in it.
Considering this, aggressive steps must be taken toward employing an active deterrence strategy against future attacks on critical infrastructure. Some notions in deterrence theory, such as “mutually assured destruction,” are applicable in the cyber realm and may deter the group decision-makers who sign off on critical infrastructure attacks – and the individuals who work in hand with them – from doing so.
To that end, countries, such as the United States, affected by or vulnerable to cyberattacks on critical infrastructure, must demonstrate a more overt willingness and capability to retaliate against any (though not necessarily every) cyberattack, from any source under any circumstances. Such capability would be borne by cyber operations of their own, implanting code in the networks of countries suspected of hacking. This would allow, or at least signal the ability for, retaliation against any sort of hostile cyber activity. Ensuring “mutual destruction” of computer networks through responsive cyber means would change the strategic calculus for actors that currently benefit from targeting critical infrastructure.
As with all “arms races,” these actions run the risk of unintended escalation between competing cyber actors. Policymakers must be cognizant that deterrence in the cyber realm – which requires addressing a wide range of threats, unknown capabilities, and potential for escalation – is different than nuclear deterrence. Decisions of whom and what to target, and to what degree, must be weighed carefully and be responsive to evolving geopolitical circumstances.
A possible approach to limiting cyber escalation would be the intentional “signaling” to malicious actors that a retaliatory strike is possible. These signals would come either through greater public transparency of the cyber capabilities of the retaliating state, or by implanting easily detectable and non-activated code in important systems that hint at the capacity to knock them out. Some suggest that such signaling would weaken or nullify a capability to conduct a retaliatory strike, as it would give competitors tactical intelligence of weaknesses in their defenses. However, as signaling avoids tangible damage to competitors’ systems, it can inform hostile decision-makers of intent to protect against hacks, without forcing their hand to retaliate and escalate in response to pressure from their public or military.
Leveling the cyber playing field is needed to change the strategic calculus driving cyberattacks against critical infrastructure. Reports suggest the United States has already begun to conduct such cyber operations against Russian networks, which is an encouraging step that the United States and its partners should embrace. Peace and cooperation in the cyber realm is an important goal that world leaders should strive for; yet until the international community comes to an enforceable agreement or code of conduct, active and offensive measures to deter adversaries are the most effective means of protection available.
Cody Knipfer is the Technology & Cybersecurity Fellow at Young Professionals in Foreign Policy (YPFP). He has experience working with space and aerospace trade associations, as well as a space policy consultancy. Cody expects to receive his MA in International Science and Technology Policy in 2018 from George Washington University’s Space Policy Institute.