Flexible Options for Cyber Deterrence: Terrorism, Problem of Attribution, Cyber Attack, Espionage, Defense, Nation State Peer Competitors, China Conflict, SCADA, Network Equipment

This excellent report has been professionally converted for accurate flowing-text e-book format reproduction. This paper describes options for cyber deterrence to address both asymmetric threats from terrorists and the intimidation associated with nation-state peer competitors in the cyber domain. It presents recent National Security Strategy interests and demonstrates a lack of focus upon cyber infrastructure. The paper will examine challenges associated with legal aspects in the cyber domain as well as the issue of attribution. It will analyze terrorist and nation-state usage of cyberspace and potential threats aimed at the United States related to each. Finally, the paper concludes with several recommendations for tailored cyber deterrence focused on terrorists and peer nation-states.

The idea of deterrence has existed since the beginning of humanity. Lawrence Freedman in his book Deterrence uses the biblical tale of Adam, Eve, and the forbidden fruit as an example of deterrence. Webster defines deterrence as "maintenance of military power for the purpose of discouraging attack." The threat of war has always been a tool used by leaders to influence foreign powers to avoid acts of aggression. Ultimately, deterrence became synonymous with American Cold War strategic thinking and foreign policy.
Mutually assured destruction was a classic adoption of deterrence through punishment. However, deterrence through punishment requires the demonstration of offensive capabilities. The highly classified nature of the United States cyber-based offensive tools makes this approach unlikely. In addition, deterrence by punishment does not work without identification and attribution. Lastly, any assumption of rationality demonstrates the fallacy of Cold War deterrence applied to the cyber domain.

Today's multi-polar world provides multiple threats aimed at the United States in the cyber domain. From cyber terrorists to sophisticated nation-states, adversaries are increasing their cyber capabilities on a daily basis. Some argue for an offensive cyber doctrine of preemption, but as demonstrated in Iraq, preemption can be destabilizing. Acts of war may justify an offensive response, but conventional or nuclear deterrence is more appropriate when attempting to deter aggression defined by war. Complicating cyberspace deterrence is the lack of attribution, no traditional constraints associated with rational behavior of extremists, and a deficient United States cyber national strategy.

The next chapter of this paper reviews recent United States strategies and critical cyber infrastructure, attribution in the cyber domain, and cyber espionage. Chapter three provides analysis of cyber terrorism and nation-state operations in the cyber domain. Chapter four describes cyber deterrence recommendations aimed at countering terrorists as well as United States peer competitors. The final chapter presents conclusions.

Contents * Biography * Introduction * Background * National Security Strategy and Critical Infrastructure * The Problem of Attribution * Privacy and Attribution * Espionage versus Cyber-attack * Analysis * Cyber Terrorism: Does it Exist? * Terrorist Tactics and the Internet * Nation State Peer Competitors * Recommendations * Cyber Deterrence of Terrorism * Peer Competitors and Cyber Deterrence * Diplomatic and Economic Engagement as a Cyber Deterrent Option * Cyber Defense, More than Passwords * Conclusion * Bibliography