Deterring State-Sponsored Cyber Attacks: Intelligence and the Lessons of Counterterrorism

Posted on April 5, 2012  by Jon Diamond

From the earliest conceptual and theoretical work on cyber conflict, the problem of attribution, or “the return address problem,” has loomed large, undermining efforts to construct a credible deterrent against cyber attacks. The United States Department of Defense (DoD), in a 2011 policy report, recognized as much and identified the development of advanced forensics capabilities as a key component of national cyber strategy.[i] Yet in constructing its cyber deterrence policy, the DoD has failed to address the fundamental ambiguity between state and non-state cyber attacks and how it will discriminate between and respond to each. While DoD’s threat of kinetic—or physical—response may be a credible deterrent as far as states are concerned, the reality is that states have thus far not engaged in cyber conflict as states, nor indeed do they have much incentive to do so.[ii] Instead, they operate as non-state actors, taking advantage of the ambiguities of cyberspace. Given the inherent asymmetry and decentralization of cyber conflict, policymakers may be well advised to take a counterterrorism-style approach to cyber deterrence. Coupled with strong intelligence and forensics capabilities, a counterterrorism-based deterrent strategy may hold the key to mitigating the attribution problem.

Despite a great deal of concern and what some would describe as fear-mongering over the threat of “cyber war,” much of the literature rightly recognizes that a war in cyberspace has not yet occurred.[iii] What the United States presently faces is rather a high volume of low-level activity such as hacktivism, cyber crime, as well as military and economic espionage. None of these constitute war as defined by the great military strategist Carl von Clausewitz: “an act of force to compel our enemy to do our will…a continuation of politics by other means.”[iv] Today’s cyber “attacks”—if they may be called such—cannot compel the United States to submit to another state’s political will first and foremost because we cannot divine with any real certainty whose will that might be. Until a state casts off the cloak of plausible deniability and unilaterally claims responsibility for a cyber attack, we may safely assume that imperfect attribution will remain an integral feature of cyber conflict.

We may likewise reasonably assume that states will not reveal their actions in cyberspace unless they are prepared to shoulder the costs. Whereas the costs of covert aggression are few to none, a target state is highly likely to impose some penalty–be it political, economic, or military–on any state engaging in open cyber attacks against it. The only real benefit that could outweigh these costs would be unambiguous coercion,[v] and here we return to Clausewitz. Again, if target states are to submit to an attacker’s will, they must have some notion of whose will that is. Thus with politics and political will reintroduced to the equation, intentions become clearer and deterrent strategies more practicable.[vi] In this case at least, equivalent response is a sound doctrine. To acts of cyber espionage on one hand, a state might “expel an attaché or demarche the guilty party;”[vii] to a strike on critical infrastructure, meanwhile, a state might consider more extreme measures, e.g. sanctions or perhaps military action. In the 2011 update of his 1999 paper on the use of force in cyber conflict, Michael Schmitt includes in his criteria for attack assessment the factor of responsibility, positing that “the closer the nexus between a state and the operations, the more likely other states will be inclined to characterize them as uses of force”[viii]—and thus eligible for the use of force in retaliation. States will therefore seek to distance themselves as much as possible from their operations in cyberspace.

Having established that states are unlikely to engage in cyber attacks as states, we must look to other means of identification: the “forensics capabilities” cited by the 2011 policy report.[ix] Whereas Cold War era attribution was built on both human intelligence and sophisticated early warning systems,[x] cyber attribution must rely to a greater extent on the former. The extreme multipolarity of cyberspace, advanced techniques of concealment, and the light speed of attack combine to hamper the effectiveness of monitoring systems in determining the origin of an attack—at least in real time. Instead, digital forensics, or the interpretation of digital evidence in order to “[reconstruct] events found to be criminal, or [help] to anticipate unauthorized actions,”[xi] must take the lead. This reliance on ex post facto techniques of identification in some ways parallels current thinking on attribution in the case of nuclear terrorism.[xii] The diffuse nature of the threat at hand thus gives vigilance a new meaning.

It is worth noting, however, that digital forensics are inevitably probabilistic at best. Even if an attack can be traced to a certain geographical location, state sponsorship is nearly impossible to prove, especially as states are likely to “incite civilian groups within their borders to commit cyber attacks and then hide behind a, however sheer, veil of plausible deniability.”[xiii] Thus states have an incentive to engage in cyber conflict in a manner not dissimilar to insurgents, and cyber conflict comes to look like state-sponsored terrorism, or a proxy war.[xiv] In order to discriminate between self-motivated “patriotic hackers” and mere proxies of the state, accurate intelligence is needed not only of attack origin but also of enemy capabilities, modi operandi, and command hierarchies. Capabilities and modi operandi provide two crucial variables for the construction of the “behavior-based algorithms” described in the 2011 Policy Report,[xv] yet it is the ability to prove a link between states and non-state proxies that will move attribution from probability to credibility.

Credible deterrence of cyber attacks, therefore, must be built on accurate digital forensics coupled with a thorough intelligence of enemy capabilities, modi operandi, and chains of command. The United States must convince potential aggressors not only that it can withstand cyber attack but also that it can reliably identify its attackers. With these capabilities in hand, the United States would be best advised to confront the highly diffuse nature of cyber conflict from the standpoint of counterterrorism. On the one hand, this might mean holding states accountable for the actions of hackers within their borders, on the basis of Nicaragua v. United States[xvi] or the Bush Doctrine.[xvii] On the other hand, it means equivalent response. Though the current policy leaves open the possibility of kinetic retaliation, the United States should above all aim to “pay back the sponsors [of cyber attacks] in their own coin.”[xviii] Response should be commensurate not simply in effect but also in modality and openness. To small-scale, covert cyber attacks, the United States should likewise adopt a small-scale, covert response. Even if the attack proves destructive enough to merit the DoD’s full kinetic wrath, if it is conducted anonymously and by digital means, so should our act of retaliation come in 1s and 0s, without any public acknowledgment.

By fighting cyber with cyber, the United States may interdict an enemy’s ability to conduct further attacks with relatively little risk to American lives, financial resources, and international standing. Even the issue of misattribution is in some sense mitigated by the United States’ acting under cyber anonymity: if we attribute correctly, the attacker will likely know they were caught; if not, the risk of identification and retaliation is relatively low. This notion of risk is key. If it is to deter the low-risk tactics with which it is targeted, the United States must take a similarly low-risk posture in defending against them. Such a posture may have more nuanced implications with regard to counterintelligence operations and network architecture, but as a general rule of thumb, it is indispensable. Thus, rather than the current catch-all, state-centric approach, future U.S. cyber security policy should be built upon strong, reliable intelligence and a smart, incisive counterterrorism-style deterrence.

[i] Department of Defense. Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934. November 2011.
[ii] Scott Applegate, “Cybermilitias and Political Hackers: Use of Irregular Forces in Cyberwarfare,” Security & Privacy, IEEE (2011): 16-22.
[iii] Lewis, James A. “The Cyber War Has Not Begun.” Unpublished manuscript, 2000. Available at: http://csis.org/files/publication/100311_TheCyberWarHasNotBegun.pdf.
[iv] Carl von Clausewitz, On War, ed. and trans. Michael Howard and Peter Paret (Princeton, N.J.: Princeton University Press, 1976), 75.
[v] Martin C Libicki, “Cyberdeterrence and Cyberwar,” Santa Monica, CA: RAND Corporation, 2009. Available at: http://www.rand.org/pubs/monographs/MG877.
[vi] Thomas C. Schelling, Arms and Influence (New Haven: Yale University Press, 1966).
[vii] James A. Lewis, “The ‘Korean’ Cyber Attacks and Their Implications for Cyber Conflict.” Unpublished manuscript, 2009: 2. Available at: http://csis.org/files/publication/091023_Korean_Cyber_Attacks_and_Their_Implications_for_Cyber_Conflict.pdf.
[viii] Michael N. Schmitt, “Cyber Operations and the Jus Ad Bellum Revisited,” Villanova Law Review 56 (2011): 577.
[ix] Department of Defense, 4.
[x] Michael McConnell, “Mike McConnell on how to win the cyber war we’re losing.” The Washington Post, February 28, 2010. Accessed at: http://www.cyberdialogue.ca/wp-content/uploads/2011/03/Mike-McConnell-How-to-Win-the-Cyberwar-Were-Losing.pdf.
[xi] Gary Palmer, “A Road Map for Digital Forensic Research,” Report from the First Digital Forensic Research Workshop (DFRWS), Utica, New York, August 7-8, 2001, 16.
[xii] See Caitlin Talmadge, “Deterring a Nuclear 9/11,” The Washington Quarterly 30 (2007): 21-34.
[xiii] Scott J. Shackelford and Richard B. Andres. “State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem,” Georgetown Journal of International Law 42 (2011): 971-1016.
[xiv] Samuel Liles, “Cyber Warfare: As a Form of Low-Intensity Conflict and Insurgency,” Proceedings of Conference on Cyber Conflict Proceedings, Tallinn, Estonia, 2010: 47-57.
[xv] Department of Defense, 4.
[xvi] Scott J. Shackelford, “From Nuclear War to Net War: Analogizing Cyber Attacks in International Law,” Berkeley Journal of International Law 27 (2008): 191-251.
[xvii] Siobhan Gorman and Julian E. Barnes, “Cyber Combat: Act of War,” The Wall Street Journal, May 30, 2011 (http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html).
[xviii] Laqueur, Walter. “Reflections on Terrorism,” Foreign Affairs 65 (1986): 98.

References
Applegate, Scott. “Cybermilitias and Political Hackers: Use of Irregular Forces in Cyberwarfare,” Security & Privacy, IEEE (2011): 16-22.

Clausewitz, Carl von. On War, ed. and trans. Michael Howard and Peter Paret (Princeton, N.J.: Princeton University Press, 1976).

Department of Defense. Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934. November 2011.

Gorman, Siobhan and Julian E. Barnes, “Cyber Combat: Act of War,” The Wall Street Journal, May 30, 2011 (http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html).

Laqueur, Walter. “Reflections on Terrorism,” Foreign Affairs 65 (1986): 86-100.

Lewis, James A. “The ‘Korean’ Cyber Attacks and Their Implications for Cyber Conflict.” Unpublished manuscript, 2009. Available at: http://csis.org/files/publication/091023_Korean_Cyber_Attacks_and_Their_Implications_for_Cyber_Conflict.pdf.

Lewis, James A. “The Cyber War Has Not Begun.” Unpublished manuscript, 2000. Available at: http://csis.org/files/publication/100311_TheCyberWarHasNotBegun.pdf.

Libicki, Martin C. “Cyberdeterrence and Cyberwar,” Santa Monica, CA: RAND Corporation, 2009. Available at: http://www.rand.org/pubs/monographs/MG877.

Liles, Samuel. “Cyber Warfare: As a Form of Low-Intensity Conflict and Insurgency,” Proceedings of Conference on Cyber Conflict Proceedings, Tallinn, Estonia, 2010: 47-57.

McConnell, Michael. “Mike McConnell on how to win the cyber war we’re losing.” The Washington Post, February 28, 2010. Accessed at: http://www.cyberdialogue.ca/wp-content/uploads/2011/03/Mike-McConnell-How-to-Win-the-Cyberwar-Were-Losing.pdf.

Palmer, Gary. “A Road Map for Digital Forensic Research,” Report from the First Digital Forensic Research Workshop (DFRWS), Utica, New York, August 7-8, 2001.

Shackelford, Scott J. “From Nuclear War to Net War: Analogizing Cyber Attacks in International Law,” Berkeley Journal of International Law 27 (2008): 191-251.

Shackelford, Scott J. and Richard B. Andres. “State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem,” Georgetown Journal of International Law 42 (2011): 971-1016.

Schelling, Thomas C. Arms and Influence (New Haven: Yale University Press, 1966).

Schmitt, Michael N. “Cyber Operations and the Jus Ad Bellum Revisited,” Villanova Law Review 56 (2011): 569-606.

Talmadge, Caitlin. “Deterring a Nuclear 9/11,” The Washington Quarterly 30 (2007): 21-34.

About Jon Diamond

Jon Diamond is a junior at the University of Pennsylvania double-majoring in international relations and linguistics. His research interests in the field of international relations include conflict management and power sharing, state-sponsored terrorism, and cyber security. Jon's senior thesis seeks to analyze state response to cyber attack, using a Bayesian game theoretic framework to model conditions of high and low attribution. After graduation, Jon hopes to utilize his linguistic skills and background in foreign policy issues in a career with the U.S. Foreign Service.