Having established the credentials for warfighting for deterrence, this paper will now assess whether such an approach is suitable for cyber deterrence. In the first instance, we must deal with the issue of whether warfighting language makes any sense in the cyber domain. Martin Libicki (2009, 328-330, 2012) bemoans the use of military metaphors for operations in the cyber domain. He argues that so-called cyber warriors do not fight. Rather, they reverse engineer. Consequently, he thinks it more appropriate to talk in engineering, architecture and administrative terms. In contrast, General Shaw, then UK Assistant Chief of Defence Staff, discusses offensive operations in terms of manoeuvre. He calls for full integration of cyber operations into the joint environment, noting that emphasis should be placed on the effect, not the means of delivery: ‘[cyber] is merely the latest medium though which to achieve effect.’ (House of Commons Defence Committee 2012). Additionally, in their critique of cyber deterrence, Harknett, Callaghan and Kauffman (2010) call for a warfighting approach to cyber strategy, placing emphasis on the offence-defence dynamic.
In conceptual terms, much of the existing discourse on warfighting somewhat misses the mark. Warfighting is not restricted to tactical and operational details. Although both are required to fight in cyberspace, warfighting is really about strategy. It is about threatening and using force in a controlled manner in the pursuit of rational policy objectives. To reiterate, it is an approach to deterrence that rejects the emptiness of existential forms. Instead, it provides a deterrence posture with purpose, both in terms of credibility and the post-deterrence environment.
Let us now take the key issues raised earlier, and establish their suitability for the cyber domain.
Enhancing Cyber Deterrence Credibility
Without a clear understanding of how the threat will be operationalised, deterrence lacks credibility. Does this apply in cyberspace? Following strategic logic, the answer must be yes. Having the forces, plans, and command and control arrangements in place must enhance the credibility of a threat. The problem for cyber deterrence is communicating this to the enemy. Credible deterrence requires ownership of the capabilities to fulfil the threat, and the will to do just that. These two components must then be clearly communicated to the enemy. As Stone (2012, 117) notes, in sociological terms this is referred to as technology’s ‘interpretative flexibility’, whereby the effects produced by a form of technology are constructed in a social context.
In the physical domain, forces can be displayed during parades or on military exercises. Additionally, military prowess and commitment may be evidenced from conflicts in the recent past. At first glance, these forms of communication appear not to fit with the virtual domain. After all, a May Day parade of malware is unlikely to attract the crowds or global media. And yet, cyber warfighting capability can be displayed. The establishment of Cyber Command in the USA and the UK’s Defence Cyber Operations Group (DCOG) and the Joint Cyber Unit are evidence of increased cyber competence. On the defensive front, enemy probes of networks will reveal the strength of cyber defences. In addition, cyber exercises, such as Cyber Storm in the USA, which are designed to test the potency of cyber security, are an excellent means to communicate the strength of cyber defence, and in this way contribute to the potency of deterrence by denial.
Communicating the potency of cyber offensive capability brings its own challenges and solutions. Some cyber attacks use one-shot weapons that exploit zero-day vulnerabilities (Soloman 2011, 19). This means they are non-repeatable, because once altered the enemy can patch the vulnerability. In these circumstances, it is difficult to communicate a substantial ongoing threat. In which case, the punishment component of warfighting is more challenging in cyber attack. (Lindsay, 2015a, 54) Nonetheless, the scale of the cyber threat is well understood. As a means of offence, malware is an incredibly adaptive and relatively inexpensive form of weapon. A virus may contain as little as 125 lines of code. In contrast, security software uses over 10 million lines of code (Singer and Friedman 2014, 154). Add to that the fact that malware is often designed to evolve as it spreads, and we get a significant asymmetry in the offence defence relationship. (Geers 2011, 118; Harknett et al. 2010) Moreover, some attacks, especially Denial of Service (DoS), do not require fixable vulnerabilities. Rather, they rely upon the basic functions of the target system. None of this is designed to suggest that offence has an overwhelming advantage in cyberspace. Indeed, some analysts (Libicki 2009) argue the opposite. Rather, it is to suggest that the competitive dynamic will function in the cyber domain (Luttwak 1987). In which case, we can conclude that the offensive potential of cyber attack for warfighting deterrence is reasonably well established.
In some ways, it might be easier to signal capability and will in cyber attack. For obvious reasons, physical weapons cannot actually be used against the enemy without causing the conflict the deterrent threat is designed to prevent. Not so for cyber weapons. Malware can be inserted into a system to display capability and intent, without actually causing any harm. At present, it is not clear whether this would breach state sovereignty or constitute an armed attack under international humanitarian law (Schmitt 2013; Waxman 2011).
Finally, it can be argued that offensive cyber warfighting capability is a more credible form of deterrence than many physical expressions of power—especially nuclear weapons. Although generally non-violent, cyber attack could lead to civilian casualties. It is certainly the case that widespread disruptive attack (WDA) would lead to negative effects on the standard of living. Moreover, in the cyber age, we must consider the moral value of informational objects and the potential for cyberharm (Dipert 2010; Taddeo 2014; Miller, 2016). Nonetheless, and despite melodramatic predictions from the likes of Richard Clark and Mike McConnell, who predict social breakdown and nuclear conflict levels of effects (The Economist 2010), it is likely that cyber attack would produce significantly less death and destruction than physical expressions of power. (Geers 2011, 118) In which case, a state is more likely to prosecute its deterrent threat (Libicki 2009, 72), and thereby the credibility of deterrence is enhanced. This is not a universally accepted position. Some commentators (Lindsay, 2015a, 57) argue that the possibility of civilian casualties and blowback from cyber attack will create self-deterrence, making policy makers wary of using the cyber instrument. As a result, denial is a more effective form of deterrence than punishment in the cyber domain (Denning 2015, 12). As will be argued in the third section of this paper, the most effective warfighting for deterrence posture would use both forms of deterrence.
The flipside of this argument is that if little damage were caused by cyber attack, then why would the enemy be deterred? A similar concern is evident in conventional deterrence. Relative to the guaranteed levels of destruction in nuclear retaliation, the ability of conventional response to inflict sufficient damage is open to question (Gerson 2009, 43). Doubts are even greater in the cyber domain. In this respect, there is a serious question mark hanging over the strategic efficacy of cyber attack. The most significant cyber attacks to date: Stuxnet, Wiper, Shamoon and Bronze Soldier, although technically and tactically impressive, did not produce lasting strategic impact (Valeriano & Maness 2015). This particular challenge to the deterrence efficacy of cyber attack can be countered, to some degree, by the same means identified earlier in relation to nuclear strategy. The limited effects of cyber attack make the threat more plausible, but the potency of the threat comes from the possibility of escalation to physical forms of conflict.
It has already been established that damage limitation is a moral and strategic responsibility for the state. Those in charge of strategy must plan for the possibility of deterrence failure. At the same time, an effective damage limitation capability enhances cyber deterrence, both through denial and by making resort to force more likely. As in the ideal form of nuclear warfighting, cyber damage limitation is best achieved with active and passive defences alongside offensive capabilities. However, in the cyber variant, defences are given priority.
Much of what follows should be read as an addition to the discussion above concerning the advantages and limitations of cyber attack. For the most part, then, the bulk of the effort for cyber damage limitation falls on defensive measures, although there are some limited offensive counterforce options available. ‘Search and destroy’ and ‘offensive security’ are emerging capabilities, whereby attackers are identified, tracked and then neutralised with DoS attacks or malware (Informationweek 2013). More complete offensive options are also appearing: ‘Such capabilities may operate in a number of valuable ways, including conducting reconnaissance and surveillance, intercepting communications, denying resources and access, compromising systems, undermining integrity, disabling or destroying assets, and manipulating, impeding, or demoralising an opponent.’ (Rosenquist 2015) These offensive damage limitation approaches are controversial, primarily because those who benefit from to the free flow of information would have to restrict it in certain circumstances. Yet, they do offer the possibility of disabling enemy offensive capabilities that could cause harm to the state.
An important general concern raised about offensive cyber capabilities is whether they can cause enough predictable harm to the enemy to act as an effective deterrent (Libicki 2009, 53) and/or an instrument of damage limitation. One possible response is cross-domain action. In this way, we should not regard cyber capabilities as stand-alone tools. Rather, they are but one option within a range of possible responses. This is certainly the option taken by the US (Department of Defense 2015). Physical attack options could be used to eliminate the sources of enemy cyber attacks. Of course, as with so many issues in cyber security, we run into the problem of attribution. However, this particular problem may have been oversold somewhat. Cyber intelligence capabilities are improving (Rid & Buchanan 2014) and the anonymity of large-scale attacks is difficult to maintain (Lindsay, 2015a, b, 56).
When discussing deterrence in general terms (although not perhaps for nuclear strategy), defensive measures are often preferred over offensive punishment actions. This is because, as Freedman (2004, 39) notes, denial is more reliable because it is subject to greater levels of control. Whether or not the enemy is deterred by threats of punishment is largely his decision. Whereas, one has a degree of control over how effective defensive options are – with the caveat that the enemy may develop a clever counter. The same principle can be applied to cyber deterrence warfighting capabilities (Singer and Friedman, 2014; Lindsay, 2015a, 54). Therefore, cyber damage limitation relies primarily on the elements of good cyber security. These include efforts at the individual or business level, such as educational programmes to improve cyber hygiene, in addition to state-level actions to provide fight through resiliency and redundancy for the economy and critical infrastructures (Soloman 2011, 21).
Theory of Victory
What does victory look like in a cyber conflict? How should it be pursued? The answers to these questions are largely dependent upon context. Strategy should always be conducted with the policy objectives and the nature of the enemy clearly in mind. Only when these two factors are understood can a legitimate theory of victory be identified. Context is everything. If the object of war is to impose our will on the enemy, then we must seek to understand what the enemy values, where is his centre of gravity? Once this is understood, the campaign can be planned and targets chosen. During the Cold War, US targeting policies increasingly focused on the Communist Party’s instruments of political control, which included decision-making centres and their military and security services (Gray 1984). As previously noted, these more nuanced forms of posture have increasingly come to the fore in tailored deterrence.
In the contemporary cyber security environment China poses the most prominent threat to the US and its allies. It has an active cyber espionage programme for industrial and military advantage, regards cyber attack as a means to deter the US from interference in its affairs, has a doctrine of first strike (Pollpeter 2015, 139–153), but suffers from a degree of chaos in its cyber security efforts (Lindsay 2015b, 8). On this evidence, it would seem that a warfighting approach would serve the interests of the US well. Bearing in mind the nature of the Chinese state, the US would be well placed to focus its efforts on information control. In contrast to the West, which values the free flow of information, the Chinese government seeks to control information flow in order to prevent challenges to its authority (Lindsay 2015b, 10).
This sounds like a sensible approach. And yet, in terms of a theory of victory it is difficult to gauge the strategic impact of information manipulation. Despite claims of a long and distinguished history, accurately identifying direct policy casual effect from information manipulation is difficult (Barnett and Lord 1989). The information environment is dynamic and extremely competitive, and the target (in this case the political culture of a state) is ethereal. Thus, the results of a campaign are uncertain, and cannot be relied upon to provide direct attainment of most policy objectives.
The same cautious conclusion can be made with regards to more aggressive forms of cyber attack against critical infrastructure and specific targets. As has already been noted, the largest attacks to date have not proven especially effective in the pursuit of policy. To add a little detail to support the analysis, the attack on the Iranian nuclear programme, Stuxnet, provides a case in point. Strategically, the results of Stuxnet were somewhat muted. According to Sanger, Stuxnet destroyed 984 centrifuges (11.5% of the capacity at the facility). That sounds impressive, until you learn that the IAEA estimates normal failure rate at 10%. The IAEA also reports that the slack was taken-up elsewhere in the system, thereby minimising impact on the Iranian nuclear programme (Valeriano and Maness 2015, 153–154). Stuxnet was not cheap either. Reportedly, it cost approximately $300 million to develop (Valeriano and Maness 2015, 151). This is significant, especially when one learns that it was ‘quickly and effectively disarmed.’ (Farwell and Rohozinski 2011, 27).
The unavoidable conclusion from this analysis is that effective theories of victory are difficult to clearly identify in cyber attack. Yet, theories of victory must be developed. They enhance credibility and provide a legitimate strategic focus if deterrence fails. It is to be remembered that victory was unlikely in nuclear war. However, a theory of victory was essential, otherwise strategy would cease to function just when you need it most: when the fighting has begun. Moreover, we should note that victory can take many different forms. It may be that the primary policy objective, as in the case of UK cyber security strategy, is to defend British cyber activity, making ‘the UK one of the most secure places in the world to do business in cyberspace’ and ‘to make the UK more resilient to cyber attack and better able to protect our interests in cyberspace’. (Cabinet Office 2011) Alternatively, cyber victory may entail making an effective contribution to a joint campaign. This was evident, for example, in the 2007 Israeli attack on the Syrian nuclear facility at Kibar. Prior to the air assault the Syrian air defence network was hacked, leaving Israeli jets a free run to their targets (Singer and Friedman 2014, 127).
The Failure of Cyber Deterrence?
The potency of cyber deterrence is difficult to judge. This is partly because there exists no consensus on what constitutes an act of sufficient cyber aggression. Therefore, it is not entirely clear what is to be deterred. Where exactly the threshold for response should be will be discussed in section three of this paper. For now, we can state that low-level nuisance attacks are a daily occurrence. For example, U.S. military networks are probed and scanned millions of times each day (Work 2015, 1). Similarly, acts of cyber espionage are reasonably common. However, what is also evident is the lack of major cyber attacks. For a while, Stuxnet, Wiper, Shamoon and Bronze Soldier appeared to signal the rise of cyber attack as a potent new instrument of policy. However, medium to large-scale attacks have essentially dried-up. Indeed, reflecting the empirical evidence, and marking a shift in tone, in his September 2015 testimony to the Senate Armed Services Committee, Director of National Intelligence, James Clapper, talked down the possibility of an ‘electronic Pearl Harbor’. Instead, he focused on ongoing ‘low-to-moderate’ level threats (Clapper 2015, 2).
What does this all tell us? Is deterrence working? If one considers low-to-moderate threats as deterrable, then the answer would seem to be no. From this perspective, and according to some policy makers, deterrence is already failing. In a 2015 Senate Armed Services Committee Hearing, Chairman John McCain was scathing in his assessment: ‘Our adversaries view our response ... as timid and ineffectual. Put simply, the problem is a lack of deterrence. The administration has not demonstrated to our adversaries that the consequence of continued cyber attacks against us outweigh the benefit.’ (Takala 2015) However, if we take the view that cyber deterrence should really concern itself only with large-scale attacks, the picture is more positive. Indeed, Valeriano and Maness (2015) have identified considerable levels of restraint in state cyber behaviour. This could be due to a lack of confidence in the strategic utility of cyber attack. It may also reflect the development of norms against aggressive forms of cyber behaviour and the efficacy of deterrence. Indeed, norms increasingly form part of ‘complex deterrence’, within which military and non-military elements operate together. In cyberspace, although a settled understanding of universal rules of behaviour is still lacking, norms appear to be crystalising around acceptable forms of intrusion rather than a blanket non-use position (Stevens 2012, 25). This may explain the continuance of low-level probes whilst large attacks have trailed off.
Overall, it is reasonable to conclude that despite the absence of large-scale cyber attacks, offensive cyber operations are too prevalent. This is especially the case in relation to espionage incidents. Senator McCain may be right; deterrence is failing at some level. This is perhaps because the US does not observably have an adequate post-deterrence posture in place. Although elements of it can be identified, a comprehensive cyber strategy is still missing in action. One glaring omission from that strategy is an effective cyber warfighting capability.
Just War Cyber Ethics
It has been established that warfighting for deterrence has a strong moral component. By providing the means for a controlled rational use of force in a post-deterrence environment, warfighting offers the possibility of doing more good than harm (relative to the use of force devoid of plans); fighting a campaign characterised by discrimination and proportionality; and with a greater chance of success. The question we must address in this section is whether warfighting for cyber deterrence possesses these qualities. The answer to this question is complex because cyber warfare demands a new ethical framework, fashioned by merging traditional Just War with Information Ethics (Taddeo 2012). From an ethical perspective cyber deterrence is paradoxical (Arquilla 2016, viii). It appears to offer bloodless means and threats to pursue policy, and therefore has enhanced credibility (Dipert 2016, 64) and less impact on the physical and psychological wellbeing of those involved. On the other hand, it may lack discrimination, produce novel forms of harm, and produce a more expansive form of conflict, leading to more instances of fighting amongst states and other actors. In line with the warfighting framework presented earlier, this section will now discuss warfighting for cyber deterrence in relation to three issues: providing a better outcome; discrimination and violence; and proportionality. Whether cyber war promotes the possibility of success has already been discussed.
War always produces pain and suffering. The Just War tradition recognises this, and therefore demands that the post-conflict outcome be superior to that had the conflict not been fought. One means to achieve this is to minimise destruction in war. Warfighting for cyber deterrence appears to offer a preferable means to maximise post-conflict social wellbeing should deterrence fail. By offering a rational controlled use of cyber power in the event of war, cyber warfighting offers a form of attack that is largely non-destructive and often immediately reversible in its effects (Dipert 2010, 392). With these characteristics it may be possible for critical infrastructure to survive a conflict intact. Once the fighting stops, society and the economy can quickly return to pre-conflict conditions. Moreover, a strong cyber defence (including resilience), which must be an integral part of a warfighting strategy, further shores-up the continued functioning of critical infrastructure.
The above presents an ideal vision of cyber conflict. However, it is important to note the areas were cyber attack could cause harm to social wellbeing. First, the idea that cyber attack is controlled and limited is open to question. The mechanisms by which cyber weapons operate are not well understood (Barrett 2013, 10). Once malware is released, it often spreads beyond the initial target. Thus, the effects on critical infrastructure, and therefore social wellbeing, are uncertain. Indeed, one can go further and note that coercive forms of cyber attack are often aimed against infrastructure ‘and can inflict serious damage to contemporary information societies’ (Taddeo 2014, 37). Attacks against infrastructure are the means by which the public will is targeted and pressure put on decision makers. Finally, we have to consider the issue of cyberharm. It is no longer sufficient to assess suffering purely on a physical basis. Increasingly, the virtual domain and its objects are afforded moral value (Taddeo 2014). The Internet is essential for modern life (Canetti et al. 2016, 165), and thus a sustained, or even a temporary (Barrett 2013, 6), interruption of that service must be included in calculations of harm.
With its propensity for non-violence, cyber conflict has been described as an ideal form of war (Jenkins, 2016, 89). It takes the protection of non-combatants to another level. This positive tendency is magnified by the possibility of extreme discrimination in targeting. As George Lucas notes, Stuxnet is illustrative of this: ‘Unless you happen to be running a large array of exactly 984 Siemens centrifuges simultaneously, you have nothing to fear from this worm.’ (Singer & Friedman 2014, 119). It is because of non-violence and discrimination that Stuxnet, as a harbinger of things to come, has been described as the ‘first purely ethical weapon’ (Lucas 2016, 28). We see here a massive shift from nuclear deterrence. In the event of nuclear deterrence failure, a warfighting approach will seek to control and limit damage, but would still likely result in millions of casualties. In contrast, warfighting for cyber deterrence promises zero casualties in the event of deterrence failure.
This rosy outlook is once again tempered if we consider that cyber attack can produce casualties, potentially on a large-scale. Disrupting power supplies could affect vulnerable members of society (the elderly and those in hospital, for example). Attacking nuclear power plants or air traffic control would have obvious consequences for the civilian population. Moreover, as already indicated, the difficulty of controlling certain forms of cyber attack could lead to serious breaches of the discrimination criteria (Rowe 2007). A cyber campaign could also create new targets for physical reprisal. IT workers, who are often civilians contracted to the military, could become legitimate targets if they directly participate in hostilities (Henschke & Lin 2014; Dunlap 2012), even if those hostilities are themselves non-violent. Moreover, we should not overlook cyberharm and its effects on the population, or indeed the psychological harm that results from social dislocation (Canetti et al. 2016, 158).
To be just, the use of force has to be proportionate to the issue at hand and military requirements. For this to occur, force must be driven by a rational and controlled process. Warfighting for cyber deterrence promises just that by placing limits on the use of force and its consequences. Virtual incursions, although open to some discussion regarding their legal status, are not on the same scale as physical breaches of state sovereignty. The less-invasive character of cyber actions (Lucas 2016, 13), added to the reversibility of effect, suggests that political fallout will be more limited, as will the dangers of conflict escalation. The generally non-violent nature of cyber conflict adds further to this positive effect, and means cyber deterrence threats are less drastic.
And yet, the potential for unpredictability in cyber attack suggests a degree of caution is required. Furthermore, one of the greatest dangers of action in the cyber domain is that it could lower the threshold of conflict (Jenkins 2016, 108). The cyber variants of crime, espionage, sabotage and war share such similarities at the tactical and operational levels, that the distinctions amongst them are blurred. Thus, there exists the danger of rising tensions in international politics and greater propensity for conflict, with the danger of escalation to the physical realm. In this way, limited cyber actions could have wildly disproportionate results. This danger is exacerbated by the fact that cyber attack undermines neutrality and trust (Rowe 2007; Schmitt 2013). The attribution problem, alongside the practice of routing attacks through numerous states, risks spreading suspicion and tensions throughout the international system (Barrett 2013, 9). These features also complicate the application of international law. Moreover, if cyber attack is considered a casus belli, states may find themselves increasingly at war with a range of non-state actors who operate in and through cyberspace (Eberle 2013, 60).
We can conclude from an ethics perspective that warfighting for cyber deterrence is somewhat of a mixed bag. It offers the promise of non-violent, proportionate and discriminating threats and use of force. However, this promise may be undone by the unpredictability of cyber attack, new forms of harm, and the fact that it potentially lowers the threshold of conflict. And yet, once again we must conclude that this is still preferable to not having a developed warfighting capability. In the absence of the latter, a failure of deterrence is likely to lead to even greater levels of unpredictability and harm.