Deterrence in cyberspace

It’s difficult, but not impossible, to maintain deterrence in cyberspace

Deterrence in cyberspace

Deterrence is the process of persuading someone to refrain from doing something by convincing them that the costs will outweigh the expected benefits. Understanding deterrence in cyberspace is often challenging because many people are still influenced by a Cold War-era notion of deterrence. A comparison to nuclear deterrence, however, is deceptive because the goal of nuclear weapons is ultimate prevention. Deterrence in cyberspace is more similar to crime prevention: governments can only do it imperfectly.

The threat of punishment, denial through defence, entanglement and normative taboos are four primary techniques for reducing and preventing undesirable behaviour in cyberspace. None of the four are ideal, but taken together, they show the breadth of options available for reducing the possibility of harmful activity. Despite the challenge of attribution, these approaches can complement one another in influencing players’ views of the costs and rewards of specific actions. While attribution is necessary for punishment, it is not necessary for deterrence through denial or entanglement.

The United States and some other countries have claimed that laws of armed conflict apply in cyberspace. The effects of a cyber-operation, not the instruments utilised, determine whether it is to be classified as an armed attack. As a result, attacks that do not achieve the equivalence are more difficult to deter. As US Special Counsel Robert Mueller’s report revealed, Russia’s hybrid warfare in Ukraine, as well as its interference in the US presidential election, fell in a grey area.

Although attribution problems for cyber-attacks and the multiplicity of enemies in cyberspace do not rule out deterrence and dissuasion, they do suggest that punishment must play a smaller role. Both states and criminals can be punished, but the deterrent effect is reduced and dulled when an assailant cannot be detected quickly.

As per the report of the Identity Theft Resource Centre (2021), the total number of data breaches in 2021 was 1,291 compared to 1,108 breaches in 2020. Cyber security experts predict that global cybercrime will cost $10.5 trillion per year by 2025. To minimise cyber threats, states must establish efficient and robust procedures to maintain effective deterrence.

The threat of a Cyber Pearl Harbour can be directly traced to the development of the World Wide Web (WWW) in the 1990s. Cyber Pearl Harbour is described by Sean Lawson and Michael K Middleton (2019) as “catastrophic physical repercussions from cyber-attacks on key infrastructure.” As governments are threatened with innovative dimensions of warfare, terms like “cyber wars,” “cyber-attacks,” and “cyber-intrusions” have spread into the state security discourse.

As a subject of national security, cyber-attacks are at the centre of high-level diplomatic debates. At a meeting in Geneva on June 16, 2021, President Biden presented President Putin with a list of 16 US vital infrastructure targets that need to be protected from cyber-attacks.

A Cyber Pearl Harbour is still a farfetched possibility. Low-stakes cyber operations by states and non-state actors and high-stakes cyber operations involving major countries are, however, commonplace.

As a subject of national security, cyber-attacks are at the centre of high-level diplomatic debates. At a meeting in Geneva on June 16, 2021, President Biden presented President Putin with a list of 16 US vital infrastructure targets that need to be protected from cyber-attacks. Energy, nuclear power, healthcare, chemicals, information technology, and the defence industrial sector were among the industries on the list.

The conference reflected the United States’ national security worries as well as its vulnerability, as it occurred shortly after a large cyber-attack on the Colonial Pipeline in May 2021.

Deterrence in cyberspace is a challenging task. In his article, Deterrence and Dissuasion in Cyberspace, Joseph Nye explains that deterrence by denial will be more successful than deterrence by punishment because both governments and non-state actors have access to cyber weapons. He cited a cyber-attack on the JPMorgan Chase bank in 2012, which led to the compromise of personally identifiable information (PII) from 76 million households and seven million organisations.

Russia was blamed for the incident. The attackers, however, were recognised by the US Justice Department in 2015 as a sophisticated criminal ring headed by two Israelis and a US citizen.

The issue of attribution in cyberspace frequently leads to a blame game between governments. In 2021, the United States accused China of being “the world’s leading source of cyber-attacks.“ China responded by accusing the United States of being “the world’s largest source of cyber-attacks.” Western governments use terms like “very likely” to accuse their rivals of cyber-attacks without presenting solid proof.

As a result of the ambiguity surrounding attribution, nations resort to deterrence through denial. The effectiveness of deterrence through denial on its own is a key question for policymakers. Maintaining excellent cyber health and a strong cyber infrastructure can help shield against cyber-attacks from both states and non-state entities. However, it cannot completely eliminate the possibility of cyber-attacks.

In the Global Cyber security Index, Pakistan is ranked 79th. Some recent large cyber assaults in Pakistan have targetted financial and energy systems including K-Electric, the Federal Board of Revenue (FBR) and the National Bank of Pakistan (NBP).

There have also been reports of foreign security agencies indulging in cyber warfare. In 2020, the ISPR alleged that Indian intelligence agencies were involved in cybercrime against Pakistani government officials and military members.

Amnesty International reported in 2021 that India had employed Pegasus spyware against Pakistan. In November of last year, Global Times published an article about how an Indian hacker group had waged cyber-attacks on government and security departments in Pakistan and China.

Retaliator

In the event of an attack on Pakistan’s critical infrastructure, retaliatory actions are envisaged in Pakistan’s National Cyber Security Policy 2021. “[It] will regard a cyber-attack on Pakistan CI/CII as an act of aggression against national sovereignty and will defend itself with appropriate response measures.” Hence, the policy’s primary deterrence strategy is the denial of benefits to the attacker. This is inadequate to maintain total cyber warfare.

An effective defence may be required for an asymmetric cyber-attack, but to discourage a large-scale symmetric cyber-attack, a cyber defence combined with non-cyber means of retribution would provide a more effective deterrent. As a result, states’ cyber-security strategies and nuclear doctrines include retaliation measures.

The 2018 Cyber Strategy of the United States Department of Defence, is offensive and calls for the creation of a deadly joint force to combat malevolent cyber attackers.

It’s difficult, but not impossible, to maintain deterrence in cyberspace. To reduce cyber vulnerabilities, one needs a strong cyber-security infrastructure. Along with policy implementation and regulatory system strengthening, more investments in emerging technologies is needed. This will aid in bolstering cyber defences, developing an effective deterrent posture, and improving Pakistan’s indigenous cyber capacity.

Deterrence in cyberspace