Comparative Strategy ISSN: 0149-5933 (Print) 1521-0448 (Online) Journal homepage: http://www.tandfonline.com/loi/ucst20 Cyber deterrence and critical-infrastructure protection: Expectation, application, and limitation Alex Wilner To cite this article: Alex Wilner (2017) Cyber deterrence and critical-infrastructure protection: Expectation, application, and limitation, Comparative Strategy, 36:4, 309-318 To link to this article: http://dx.doi.org/10.1080/01495933.2017.1361202 Published online: 01 Nov 2017. Submit your article to this journal View related articles View Crossmark data Full Terms & Conditions of access and use can be found at http://www.tandfonline.com/action/journalInformation?journalCode=ucst20 Download by: [134.117.239.71] Date: 01 November 2017, At: 12:26 COMPARATIVE STRATEGY , VOL. , NO. , – https://doi.org/./.. Cyber deterrence and critical-infrastructure protection: Expectation, application, and limitation Alex Wilner Norman Paterson School of International Affairs, Carleton University, Ottawa, Canada ABSTRACT Linking deterrence theory to cybersecurity policy and critical-infrastructure protection is easier said than done. Recent cybersecurity incidents involving the United States, China, Russia, and North Korea illustrate the yawning gap between cyber deterrence expectations, applications, and results. This arti- cle draws on classical deterrence theory to illustrate how the logic of deter- rence applies to cybersecurity policy and strategy. By differentiating between physical and digital critical infrastructure protection, the article explores the promises and pitfalls of cyber deterrence in practice. Seven limitations are explored in detail, including: denying digital access, commanding cyber retal- iation, observing deterrence failure, thwarting cyber misfits, addressing the cyber power of weakness, attributing cyber attacks, and solidifying red lines. On November 21, 2016, U.S. President-elect Donald J. Trump took to YouTube to release a three-minute video detailing his ambitions for the coming months. The video provided Trump with an opportunity to describe a “list of executive actions” that he would pursue on “day one” of his presidency. On national security, Trump explained that he would develop “a comprehensive plan to protect American’s vital infrastructure against cyberattacks and all other forms of attack.”1 Cybersecurity was an issue Trump returned to often during the 2016 presidential election. His website dedicated an entire subsection to the issue, where, among other things, it stated Trump’s intention to “develop the offensive cyber capabilities we [the U.S. Government] need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.”2 Given current trends, there is little doubt that cybersecurity will help define the Trump presidency, perhaps as much as international terrorism has helped define both the George W. Downloaded by [134.117.239.71] at 12:26 01 November 2017 Bush and Barack Obama administrations. Unfortunately for President Trump, linking deterrence theory to cybersecurity policy and critical infrastructure protection is easier said than done. Deterrence theory has come a long way since the hey- days of the Cold War, but in both theory and practice cyber deterrence is not yet well understood. Nor is cyber deterrence properly theorized. All processes of deterrence, new and old, are based on several theo- retical and logical prerequisites that help dictate how deterrence is put into practice. Deterrence does not just happen; it is something that you do to an adversary in order to change its behavior to your liking. What follows is an exploration of the promises and pitfalls of cyber deterrence as it relates to contem- porary critical infrastructure protection. The article begins with a brief discussion of the nuts and bolts of deterrence theory and practice. It then makes the distinction between hardware and software in think- ing though the application of deterrence to infrastructure protection. Seven dilemmas, or limitations, to applying deterrence to cyber infrastructure protection are then explored. CONTACT Alex Wilner [email protected] © Taylor & Francis 310 A. WILNER Deterrence theory: Logical prerequisites and practical dimensions From the literature on classical deterrence, four central prerequisites present themselves.3 First, deter- rence prompts voluntary changes in behavior. The goal is not to force an adversary to act in a certain way by destroying its ability to act any other way. There is a distinction between what deterrence scholars call brute force—which is destroying an adversary such that he cannot harm you—and deterrence—which isaboutconvincingacapableadversarynottoharmyou.Deterrenceinvolvesachoice;itisnotabout incapacitation.4 Second, for deterrence to work, adversaries must be sufficiently influenced by the costs and benefits of their actions, such that some form of threat will alter their behavior. Political scientists and economists alike call this rationality. Only rational actors that weigh the costs and benefits of their actions can be coerced. Third, deterrence involves at least two actors: the defender—the actor doing the deterrence and pro- tecting itself from aggression—and the challenger—the actor contemplating an aggressive move.5 For deterrence to work, the defender must define unwanted behaviors to the challenger, and communicate or signal a willingness to punish violations. If states want to defend their interests and assets by practicing deterrence, they must tell their adversaries how they will respond to different types of aggression. Red lines must be drawn, communicated, and defended. Deterrence communication hinges on a capability to act as promised, to punish or deny as threatened. States need to show resolve to carry out their threats. Finally, deterrence is best practiced against a known or suspected adversary. Who is it precisely we are trying to deter? In cases where the identities of adversaries are unknown or purposefully obfuscated, coercive threats may miss their mark. To practice deterrence, it helps a great deal to have someone or something to hold accountable and threaten appropriately. From theory, we can move to practice. Deterrence rests on convincing an adversary that the costs of taking a particular action outweigh the potential benefits. Deterrence is fundamentally about manipu- lating another’s behavior in ways that suit your own goals. It is about influencing what economists call the cost-benefit calculus of decision making. The deterrence most familiar to casual observers is deter- rence by punishment, or deterrence by retaliation.6 This type of deterrence was the basis for the Cold War. Here, a defender threatens to retaliate against an aggressor in the event the aggressor carries out an unwanted action: If you strike me, I will strike you back, tit for tat. The threat carries with it a cost to the aggressor. Mutual Assured Destruction—or MAD—relied on the threat of a U.S. nuclear exchange with Soviet Russia in order to deter Russia’s use of nuclear weapons against the United States and its allies in the first place. Threatening nuclear annihilation is taking deterrence to an obvious extreme, but the larger point is that actors can use a combination of threats, like conventional or nuclear attack, military intervention, economic sanctions, and diplomatic pressure to shape an adversary’s behavior. Deterrence does not only involve punishment, however. The flip side of retaliation is denial. Deter- rence by denial shapes an adversary’s behavior by threatening it with failure. Actors usually weigh both the costs and the benefits of an action. Punishment adds to the cost, but denial subtracts from the benefits. Downloaded by [134.117.239.71] at 12:26 01 November 2017 Both manipulate behavior but from different ends. With deterrence by denial, when an action becomes too difficult or too risky to conduct, an opponent may choose not to act in the first place. Here, thepre- sumed benefits of an action are lower than the costs, influencing behavior. For illustration, city-wide Green Zones, like those built in Iraq, and bulwarks around certain buildings, like embassies, restrict easy access to certain targets. This makes some types of attack more difficult to conduct, and potentially less likely to happen as a result. In this example, the primary intent is defense, but the subsequent effect on adversarial decision-making is denial. Another version of denial involves resilience. Resilience is the ability to bounce back, to mitigate the effects of an attack, to recover quickly after getting hit. A resilient power grid, for example, redistributes electricity even if certain nodes within the system are shut down. Resilience is primarily about recov- ery, but from a deterrence standpoint it also robs would-be aggressors of their objectives and strategic success. When even tactically successful attacks barely harm or disrupt a victim—the attack’s presumed intention—payoff to the aggressor is diminished, potentially altering its calculus and behavior. In sum- mary, deterrence by punishment or retaliation threatens harm, adding costs to certain behavior; deter- rence by denial or resilience threatens failure, subtracting benefits from certain behavior. COMPARATIVE STRATEGY 311 Protecting critical infrastructure: Hardware and software With the discussion of deterrence theory and practice serving as a backdrop, we can turn next to explor- ing the particularities of critical infrastructure