This PDF document was made available from www.rand.org as a public service of the RAND Corporation.

The RAND Corporation is a nonprofit research organization providing objective analysis and effective solutions that address the challenges facing the public and private sectors around the world.

Limited Electronic Distribution Rights

This document and trademark(s) contained herein are protected by law as indicated in a notice appearing later in this work. This electronic representation of RAND intellectual property is provided for non-commercial use only. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. Permission is required from RAND to reproduce, or reuse in another form, any of our research documents for commercial use. For information on reprint and linking permissions, please see RAND Permissions.

This product is part of the RAND Corporation monograph series. RAND monographs present major research findings that address the challenges facing the public and private sectors. All RAND monographs undergo rigorous peer review to ensure high standards for research quality and objectivity.

CYBERDETERRENCE AND CYBERWAR

MARTIN C. LIBICKI

Prepared for the United States Air Force
Approved for public release; distribution unlimited

PROJECT AIR FORCE

The research described in this report was sponsored by the United States Air Force under Contract FA7014-06-C-0001.
Further information may be obtained from the Strategic Planning Division, Directorate of Plans, Hq USAF.

Library of Congress Cataloging-in-Publication Data

Libicki, Martin C.
Cyberdeterrence and cyberwar / Martin C. Libicki.
p. cm.
Includes bibliographical references.
ISBN 978-0-8330-4734-2 (pbk. : alk. paper)
1. Information warfare—United States. 2. Cyberterrorism—United States—Prevention. 3. Cyberspace—Security measures. 4. Computer networks—Security measures—United States. 5. Civil defense—United States. I. Title.
U163.L539 2009
355.3'43—dc22
2009030055

RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.

RAND® is a registered trademark.

Cover design by Carol Earnest. Associated Press photo with overlay.

© Copyright 2009 RAND Corporation

Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND documents to a non-RAND Web site is prohibited. RAND documents are protected under copyright law. For information on reprint and linking permissions, please visit the RAND permissions page (http://www.rand.org/publications/permissions.html).

Published 2009 by the RAND Corporation
1776 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138
1200 South Hayes Street, Arlington, VA 22202-5050
4570 Fifth Avenue, Suite 600, Pittsburgh, PA 15213-2665
RAND URL: http://www.rand.org
To order RAND documents or to obtain additional information, contact Distribution Services: Telephone: (310) 451-7002; Fax: (310) 451-6915; Email: [email protected]

Preface

This monograph presents the results of a fiscal year 2008 study, “Defining and Implementing Cyber Command and Cyber Warfare.” It discusses the use and limits of power in cyberspace, which has been likened to a medium of potential conflict, much as the air and space domains are. The study was conducted to help clarify and focus attention on the operational realities behind the phrase “fly and fight in cyberspace.”

The basic message is simple: Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities. Permanent effects are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do so again. Something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought. This monograph is an attempt to start this rethinking.

The research described in this monograph was sponsored by Lt Gen Robert Elder, Jr., Commander, Eighth Air Force (8AF/CC), and Joint Functional Component Commander for Space and Global Strike, United States Strategic Command. The work was conducted within the Force Modernization and Employment Program of RAND Project AIR FORCE. It should be of interest to the decisionmakers and policy researchers associated with cyberwarfare, as well as to the Air Force planning community.

RAND Project AIR FORCE

RAND Project AIR FORCE (PAF), a division of the RAND Corporation, is the U.S. Air Force’s federally funded research and development center for studies and analyses. PAF provides the Air Force with independent analyses of policy alternatives affecting the development, employment, combat readiness, and support of current and future aerospace forces. Research is conducted in four programs: Force Modernization and Employment; Manpower, Personnel, and Training; Resource Management; and Strategy and Doctrine.

Additional information about PAF is available on our Web site: http://www.rand.org/paf/

Contents

Preface
Figures
Tables
Summary
Acknowledgements
Abbreviations

CHAPTER ONE
Introduction
  Purpose
  Basic Concepts and Monograph Organization

CHAPTER TWO
A Conceptual Framework
  The Mechanisms of Cyberspace
  External Threats
  Internal Threats
  Insiders
  Supply Chain
  In Sum
  Defining Cyberattack
  Defining Cyberdeterrence

CHAPTER THREE
Why Cyberdeterrence Is Different
  Do We Know Who Did It?
  Can We Hold Their Assets at Risk?
  Can We Do So Repeatedly?
  If Retaliation Does Not Deter, Can It at Least Disarm?
  Will Third Parties Join the Fight?
  Does Retaliation Send the Right Message to Our Own Side?
  Do We Have a Threshold for Response?
  Can We Avoid Escalation?
  What If the Attacker Has Little Worth Hitting?
  Yet the Will to Retaliate Is More Credible for Cyberspace
  A Good Defense Adds Further Credibility

CHAPTER FOUR
Why the Purpose of the Original Cyberattack Matters
  Error
  Oops
  No, You Started It
  Rogue Operators
  The Command-and-Control Problem
  Coercion
  Force
  Other
  Implications

CHAPTER FIVE
A Strategy of Response
  Should the Target Reveal the Cyberattack?