brandishing cyberattack

Upload: partidulpiratromania

Post on 14-Apr-2018


  • 7/30/2019 Brandishing Cyberattack

    1/48


    Limited Electronic Distribution Rights

    This document and trademark(s) contained herein are protected by law as indicated in a notice appearing later in this work. This electronic representation of RAND intellectual property is provided for non-commercial use only. Unauthorized posting of RAND electronic documents to a non-RAND website is prohibited. RAND electronic documents are protected under copyright law. Permission is required from RAND to reproduce, or reuse in another form, any of our research documents for commercial use. For information on reprint and linking permissions, please see RAND Permissions.


    The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis.

    This electronic document was made available from www.rand.org as a public service of the RAND Corporation.


    This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.


    NATIONAL DEFENSE RESEARCH INSTITUTE

    Brandishing Cyberattack Capabilities

    Martin C. Libicki

    Prepared for the Office of the Secretary of Defense

    Approved for public release; distribution unlimited


    The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.

    R is a registered trademark.

    Copyright 2013 RAND Corporation

    Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND documents to a non-RAND website is prohibited. RAND documents are protected under copyright law. For information on reprint and linking permissions, please visit the RAND permissions page (http://www.rand.org/publications/permissions.html).

    Published 2013 by the RAND Corporation

    1776 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138

    1200 South Hayes Street, Arlington, VA 22202-5050

    4570 Fifth Avenue, Suite 600, Pittsburgh, PA 15213-2665

    RAND URL: http://www.rand.org

    To order RAND documents or to obtain additional information, contact

    Distribution Services: Telephone: (310) 451-7002;

    Fax: (310) 451-6915; Email: [email protected]

    The research described in this report was prepared for the Office of the Secretary of Defense (OSD). The research was conducted within the RAND National Defense Research Institute, a federally funded research and development center sponsored by OSD, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community under Contract W74V8H-06-C-0002.


    Preface

    The U.S. military exists not just to fight and win wars but also to deter them and even dissuade others from preparing for them. Deterrence is possible only when others have a good idea of what the U.S. military can do. Such acknowledgment is at the heart of U.S. nuclear deterrence strategy and, to a lesser extent, our maintaining strong mobile conventional forces that can intervene almost anywhere on the globe. Cyberattack capabilities, however, resist such demonstration, for many reasons, not least of which is that their effects are very specific to details of a target system's software, architecture, and management. But the fact that cyberattack capabilities cannot easily be used to shape the behavior of others does not mean they cannot be used at all. This report explores ways that cyberattack capabilities can be brandished. It then goes on to examine the obstacles to doing so and sketches some realistic limits on our expectations.

    This research was sponsored by the Office of the Secretary of Defense and conducted within the International Security and Defense Policy Center of the RAND National Defense Research Institute, a federally funded research and development center sponsored by the Office of the Secretary of Defense, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community.

    For more information on the RAND International Security and Defense Policy Center, see http://www.rand.org/nsrd/ndri/centers/isdp.html or contact the director (contact information is provided on the web page).


    Contents

    Preface
    Summary
    Acknowledgments

    CHAPTER ONE
    No May Day Parades
    Background and Purpose
    What Is Brandishing?
    Brandishing and Deterrence: A Cautionary Note
    Organization of This Report

    CHAPTER TWO
    The Broad Effects of Brandishing Cyberattack Capabilities
    What Role for Brandishing?
    Would a Successful Penetration Say Enough About What Cyberwar Can Do?
    Inducing Fear, Uncertainty, and Doubt
    Would Such a Strategy Work with Russia and China?
    How the Fear of Penetration Might Affect Enemy Operational Behavior
    How Fears of Penetration Might Affect Defense Investments
    The Algebra of Direct Intimidation
    Paradoxes of Intimidation
    U.S. Policy and the Legitimization of Cyberwar

    CHAPTER THREE
    Brandishing Cyberattack in a Nuclear Confrontation
    Two-Party Confrontations
    Disabling a Capability Versus Thwarting a Threat
    The Rogue State Might Try to Discredit the Cyberwar Bluff
    Can Cyberattack Brandishing Forestall Unilateral Nuclear Use or Threat of Use?
    Friendly Third Parties Add Complications
    Summation

    CHAPTER FOUR
    Conclusions

    References


    Summary

    Background and Purpose

    The U.S. military exists not just to fight and win wars but also to deter them, that is, to persuade others not to start them (or even prepare for them). Deterrence is possible only when others know or at least have good indications of what the U.S. military can do. Such acknowledgment is at the heart of U.S. nuclear deterrence strategy and, to a lesser extent, the U.S. maintaining strong mobile conventional forces that can intervene almost anywhere on the globe.

    Cyberattack capabilities resist such demonstration. No one knows exactly or even approximately what would happen if a country suffered a full-fledged cyberattack, despite the plethora of hostile activity in cyberspace. For one thing, there has never been a cyberwar, attacks with destruction and casualties comparable to physical war. Theory also works against demonstration. Flaws in target systems enable cyberattacks. To reveal which flaws enable attack is to inform others how to fix the flaws and hence neutralize them. It is no wonder that national cyberwar capabilities are a closely guarded secret.

    That cyberattack capabilities cannot easily be used to shape the behavior of others does not mean they cannot be used at all. This report explores ways that cyberattack capabilities can be brandished and the circumstances under which some deterrence effect can be achieved.[1] It then goes on to examine the obstacles to realizing such achievement and sketches out some realistic limits on the expectations.

    [1] Note that the usage of brandishing here is intended to invoke the imagery of warriors displaying their weapons (and hence their capabilities) before battle, by way of warning, rather than that of a criminal displaying a gun to threaten a victim.

    As a matter of policy, the United States has never said that it would use cyberattacks, but neither has it said that it would not. It has also not vigorously disputed the notion that it had some hand in the Stuxnet attacks on the Iranian nuclear facility.

    The Broad Effects of Brandishing Cyber Capabilities

    Any state that would discourage other states from aggression in the physical or cyber world by brandishing cyberattack capabilities should first ask itself whether the point of doing so is to look powerful or to make others look powerless. Although both aims are useful, the need to concentrate on one message in a strategic communications campaign suggests the usefulness of making a choice. Emphasizing one's power has the advantage of inducing caution in all actual or potential opponents and deflects predators to easier prey. It may also reflect well on other sources of national power. But trumpeting the weaknesses of others deters troublesome states by reminding them of their vulnerabilities. It also deflects the accusations of self-promotion by turning the focus toward potential victims.

    A bigger challenge is how to demonstrate cyberwar capabilities. The most obvious way to demonstrate the ability to hack into an enemy's system is to actually do it, leave a calling card, and hope it is passed forward to national decisionmakers. If the attack can be repeated at will or if the penetration can be made persistent, the target will be forced to believe in the attacker's ability to pop into his system at any time. This should force the target to recalculate its correlation of forces against the attacker.

    But as with many things in cyberspace, it sounds simpler than it is. Hinting at outright success is difficult without conceding one's participation in mischief in the first place and hence cyberwar's legitimacy as a tool of statecraft, something countries only started acknowledging in mid-2012. Targets of little value tend to be easy, but penetrating them is unimpressive. Targets of some value are, for that reason, much harder, often because they are electronically isolated. Finally, the ability to penetrate a system does not necessarily prove the ability to break a system. The latter requires not only breaking into sufficiently privileged levels but also figuring out how to induce a system to fail and keep on failing. But penetration may be sufficiently scary in itself if the target leadership cannot discern the difference between breaking into and breaking.

    Breaking a system is more hostile and more difficult than breaking into one. It requires an understanding of what makes the system fail. Getting the desired results also requires shaping the attack so that those who administer the system cannot detect the attack and repair the damage quickly. Conveying to others the ability to bring their systems down and keep them down is not easy. Intended audiences of such demonstrations may subsequently identify the flaw that would allow such an attack and fix it. If so, for brandishing to work, cyberattack capabilities may require repeated demonstration. Alternatively, a less hostile demonstration could be to manipulate the system but not to the point of harming it, a fine line.

    Can brandishing help dissuade other states from pursuing a network-centric high-technology force to counter U.S. military capabilities? The best way to demonstrate the risk of network-centricity is to hack into military systems to show their fragility (claiming responsibility is unnecessary; the point is to emphasize not U.S. power but the vulnerability of the enemy's network-centric systems). In other circumstances, making what is vulnerable clear may be unnecessary, perhaps unwise. Every hack leads to fixes that make the next exploitation much harder. But the hint of an attack that leaves no specific trace leaves nothing specific to fix. The point is to convince others that they cannot protect their systems even after paying close attention to their security. The vulnerability of less sophisticated states to unseen manipulation may be higher when the target does not really understand the technology behind its own weapon systems. Often, the target's lack of access to others' source code and not having built any of its own complicates figuring out what went wrong and how to fix it.

    Not all states will throw up their hands, though. Some may reason that, because the effects of cyberattacks are temporary and difficult, their systems can survive the initial exchange and recover for subsequent rounds. So, they pursue high technology and ignore the demonstrated possibility that high-technology military campaigns might last days rather than months or years. A subtler counterstrategy is to network warfighting machines (configured not to touch the Internet) and forget about networking people; isolation avoids some of the pesky vulnerabilities arising from human error (notably those associated with authentication, such as passwords and tokens). Or they simply renounce network-centric warfare and conclude that they avoided the pitfalls of depending on technology.

    It is unclear whether brandishing cyberattack capabilities can curb the enthusiasm of potential foes for war. Some states may feel they have little choice. Others may feel that they can succeed even if their high-technology systems fail. Yet others may discount the possibility entirely, believing their systems, when called on for war, would be disconnected from the rest of the world. Last, the target may simply not believe its own vulnerability, not during peacetime and certainly not when the war drums sound. Going to war requires surmounting a great many fears; digital ghosts may simply be another.

    The unwanted effects of making even some third parties believe that we have invaded their systems warrants note. All other militaries may also shy away from foreign sources for logic-processing devices (whether software or hardware) and may redouble their efforts to increase their indigenous production capability or, alternatively, pressure their suppliers to hand over source code with their systems, a negative if their supplier is a U.S. corporation. The problem does not go away if the threat turns out not to work. Countries certain that their military systems have been invaded may blame the United States for any military failures even with no evidence of U.S. involvement. Conversely, the United States may be accused of complicity with a rogue state whenever its equipment does not fail because this could only mean that the United States condoned the rogue's actions.

    Brandishing Cyberattack Capabilities in a Nuclear Confrontation

    Are there circumstances in which the United States might usefully hint that it could interfere with a rogue state's nuclear weapons and thereby defuse a nuclear confrontation? Posit a rogue state with dozens of weapons capable of hurting neighbors but not the United States. Assume further the United States has a robust cyberwar capability from which the rogue state's nuclear arsenal is not provably immune. To the extent that the rogue state is far more willing to go to the brink than the United States is, it may not be completely deterred by the U.S. promise of a devastating reaction to its nuclear use. The rogue nuclear state, we further posit, threatens that, if the United States crosses its red line, it could or would respond with a nuclear shot.

    We first model a two-state confrontation and then introduce a friendly third state on whose behalf the United States is acting.

    The question is, which is more implacable: the United States determined to cross the red line or the rogue state equally determined to respond with nuclear weapons? If one side can communicate enough confidence in its willingness to keep pressing, the other side may feel that the first side will not back down and would thus logically recognize that the choice is between yielding and catastrophe. The more that the other side indicates it might yield, the greater the impetus for the first side to stand firm, making it seem even more implacable to the other side.

    The purpose of brandishing a cyberwar weapon is to threaten the other side's ability to use its nuclear capability in a crisis. This purpose is less to make the other side doubt its own nuclear capability, although that can help, but to project a belief that the United States will press on either because the rogue state's weapons will not work or because the rogue state will respond to the brandisher's confidence (underwritten, of course, by its deterrence capability) and back down. Note that the logic works even if the target state believes that the brandisher's confidence has no basis in reality (i.e., its own nuclear command and control is rock solid). The rogue state needs only to believe that the brandisher believes it can act with impunity to conclude that the choice is between disaster and backing down. To be sure, because a cyberwar capability cannot be tested in the same way that an antimissile capability can be tested, the rogue state may conclude that the brandisher's confidence is unwarranted and therefore that such confidence should not exist and hence does not exist. But that could also be wishful thinking on the rogue state's part.

    If brandishing a cyberthreat created a use-it-or-lose-it dilemma for the rogue state leading to nuclear use, brandishing could backfire on the United States. But it should not, largely because it is not a threat of what will happen but what has already happened: The flaw has already been exploited. However, brandishing a cyberwar capability, particularly if specific, makes it harder to use such a capability because brandishing is likely to persuade the target to redouble its efforts either to find or route around the exploited flaw (the one that enabled the United States to neutralize its nuclear threat). Brandishing capabilities sacrifices the ability to manage a war in exchange for the ability to manage a crisis.

    One possible component of the brandishing process is to convey that a nuclear shot that failed will be noticed, and responded to, even if the failure would be invisible to outside observers. Otherwise, the rogue state may reason that failure is costless and that success, while potentially very costly, at least demonstrates that the rogue state is serious. But if the induced failure is not obvious (e.g., the button is pushed and nothing happens), can the United States retaliate against an attempted action that only the United States saw?

    Once third parties are in a position to veto U.S. military actions, they can complicate the use of brandishing. Although third parties may have greater animus against the nuclear-armed state and, correspondingly, a greater willingness to see it humiliated, and certainly deterred, they may well blanch at the cyberwar-backed bluff. First, they and their citizens are likely to be at greater risk by dint of sitting within range of the rogue state's nuclear weapons. Second, they would know little about U.S. cyberwar capabilities and may thus have less confidence that such capabilities would work than the United States (supposedly) has. The rogue state may figure that it need not stare down the United States if it can scare the third party whose concurrence is needed for U.S. actions.

    The United States may need options to convince the third party that it can stand fast because, among other things, its cyberwar capabilities will neutralize the nuclear threat. It could say, trust me on this or else. But a U.S. response that goes beyond asking for trust may have to reveal much more about the details of U.S. cyberwar capabilities than the United States seems comfortable doing today. A crisis makes revelation problematic: Even though steadfastness requires pro-U.S. forces to project faith in the U.S. ability to nullify a nuclear threat, those nervous of taking such a huge risk, skeptics of cyberwar's power, or opponents of the United States within the government have every incentive to cast doubt on the proposition or even leak the information entrusted to them. (Incidentally, a similar logic applies if the friendly third party is domestic, such as the U.S. Congress, opinion makers, and the public.) It may be to the rogue state's advantage to imply that cyberwar capabilities (rather than the confidence in the deterrence effect of its nuclear weapons) are the primary basis for the firm stance the United States has adopted. This could pressure the United States to demonstrate what it can do.


    Conclusions

    Brandishing a cyberattack capability would do three things: declare a capability, suggest the possibility of its use in a particular circumstance, and indicate that such use would really hurt. In the era of the U.S.-Soviet nuclear standoff, the suggestion of use was the most relevant. Possession was obvious, and its consequences were well understood. The same does not hold true for cyberweapons. Possession is likely not obvious, and the ability to inflict serious harm is debatable. Even if demonstrated, what worked yesterday may not work today. But difficult does not mean impossible.

    Advertising cyberwar capabilities may be helpful. It may back up a deterrence strategy. It might dissuade other states from conventional mischief or even from investing in mischief-making capabilities. It may reduce the other side's confidence in the reliability of its information, command and control, or weapon systems. In a nuclear confrontation, it may help build the edge that persuades other states that the brandisher will stay the course, thereby persuading them to yield.

    Yet proving such capability is not easy, even if it exists. Cyber capabilities exist only in relationship to a specific target, which must be scoped to be understood. Cyber warriors can illustrate their ability to penetrate systems, but penetration is not the same as getting them to fail in useful ways. Since cyberattacks are essentially single-use weapons, they are diminished in the showing. It can be hard to persuade your friends that you have such capabilities when skepticism is in their interest.

    Furthermore, brandishing may backfire. Touting an ability to strike back in cyberspace may communicate a tendency to shy from violence. Claiming the power to alter reality may convince others to blame the claimant when reality is disagreeable. Interfering with others' command and control may allow them to justify rules of engagement that abdicate their own responsibility over subordinates. And asserting an ability to nullify opposing nuclear systems may spur them to call what they perceive as a bluff.

    Should the United States put the world on notice that it has cyber capabilities and knows how to use them? The wisdom of that course is not obvious. Evidence is scant that others act because they do not believe the United States has or can develop cyber capabilities. Conversely, the gains from brandishing such capabilities depend on the context and can be problematic even then.

    There is both promise and risk in cyber brandishing, in both the conventional and nuclear cases. It would not hurt to give serious thought to ways in which the United States can enhance its ability to leverage what others believe are national capabilities. Stuxnet has certainly convinced many others that the United States can do many sophisticated things in cyberspace (regardless of what, if anything, the United States actually contributed to Stuxnet). This effort will take considerable analysis and imagination, inasmuch as none of the various options presented here are obvious winners. That said, brandishing is an option that may also not work. It is no panacea, and it is unlikely to make a deterrence posture succeed if the other elements of deterrence (e.g., the will to wage war or, for red lines drawn in cyberspace, the ability to attribute) are weak.


    Acknowledgments

    The author would like to acknowledge the valuable contribution to the analysis contained in this report made by Roger C. Molander, who passed away on March 25, 2012. Dr. Molander spent a full career working to analyze and illuminate the complex dimensions of strategic nuclear deterrence. More recently, he had applied the same analytic rigor to questions raised by cyber operations, particularly the interaction of technical and operational factors with political incentives. He made innovative contributions to understanding the difficult questions posed by large nuclear weapons holdings and by powerful cyber operations capabilities. The latter formed an important part of the intellectual foundation for the material presented in this report, notably Chapter Three, which arose from conversations he initiated.

    The author also acknowledges the generously provided and very useful commentary from Stuart Johnson, James Dobbins, Forrest Morgan, and the formal reviews of David C. Gompert and James T. Quinlivan. Finally, the U.S. Naval War College sponsored production of an early version of the material in Chapter Two.


    Chapter One

    No May Day Parades

    Background and Purpose

    Marching warfighters and weaponry down urban thoroughfares has been a time-honored way for states to hint at their ability to carry out war. Cyberwar capabilities, to be sure, resist such presentation. Cadres of computer geeks advancing with laptops in their rucksacks somehow do not inspire the same awe.

    The inability to display power points to a larger dilemma of cyberwar. The U.S. military exists not just to fight and win wars but also to deter them, that is, to persuade others not to start them (or even prepare for them). To do this, it helps to demonstrate that the U.S. military is and always will be likely to ruin those who would fight it, whether the ruin be a crushed military or a damaged society. By so doing, the United States may hope to deter others from attacking it or its vital interests, either kinetically or via cyberspace. It may even hope to dissuade states from developing digitized capabilities that are particularly vulnerable to cyberattack. Although May Day parades are a bit of a caricature, a state would rationally examine the ability of its potential adversaries before pursuing its politicomilitary strategies. But cyberwar capabilities are hard to examine.

    Why so? No one doubts what would happen if a nuclear-armed power dropped its big weapon on a city, even though no city has been hit by a nuclear bomb since 1945. The physics are clear, and they work anywhere. But no one knows exactly or even approximately what would happen if a country suffered a full-fledged cyberattack, despite the plethora of hostile activity in cyberspace that shows no signs of abating. For one thing, there has never been such an attack.

    Theory also discourages good a priori expectations. First, systems are vulnerable only to the extent that they have exploitable errors that their owners do not know about or have simply ignored. Second, even if a cyberattack works, the damage it wreaks tends to be proportional to the time required to recover the attacked system, something neither the defender nor the attacker can easily predict. Third, national cyberwar capabilities are a closely guarded secret.

    Having spent much time and trouble developing cyberwar capabilities, states thus have nothing to show for their efforts until and unless they go to cyberwar. Although some of the capabilities needed for cyberwar are the same ones used for cyberespionage, some are not. Bringing systems down requires effort to understand their failure modes; keeping them down requires being able to insert code into the target networks and system in ways that make it difficult to eradicate. Furthermore, systems targeted by espionage (e.g., email networks) are very different from the harder systems that run critical infrastructure or war machines.


    That cyberattack capabilities cannot easily and credibly be brandished does not mean they cannot be brandished at all. This report explores ways that cyberwar capabilities can be so used, obstacles to doing so well, some uses of doing so, some risks involved, and limits on our expectations.

    What Is Brandishing?

    Brandishing a weapon communicates what it is and suggests how it would be used.1 Brandishing can be implicit, leaving it to others to determine the implications of its use. Or it can be explicit, with the owner choosing the context and timing for signaling something.2

    Capabilities are generally brandished to shape or at least reinforce other states' estimates of the risks they face by opposing the brandisher. For cyberspace, estimates vary greatly. Cyberattack capabilities are always capabilities against specific systems, and states vary in what systems they have, how important they are, and how secure they are.

    Because no state where news about Stuxnet has penetrated can seriously believe the United States lacks offensive cyberattack capabilities and because so many argue for the primacy of offense therein,3 U.S. cyberwar capabilities may already be discouraging others from mischief today.4 Weapons alone can do this. In 1932 (before Germany had a Luftwaffe), Stanley Baldwin persuaded the British Parliament not to intervene too hastily in European affairs by arguing that a serious adversary could use airpower to do great damage to Great Britain: "The bomber will always get through."5

    Why brandish cyberattack capabilities at all?

    One reason is simply to make a threat, either specifically ("do this and we will carry out a cyberattack") or generally ("do this, and we will respond with capabilities that include a possible cyberattack").

    1 Note that the usage of brandishing here is intended to invoke the imagery of warriors displaying their weapons (and hence their capabilities) before battle, by way of warning, rather than that of a criminal displaying a gun to threaten a victim.

    2 The explicitness of the threat does not necessarily conform to how openly a capability is declared. It is possible to be very open about having a capability without drawing red lines. (A red line is a limit a state establishes beyond which it feels obliged to take action.) With somewhat more difficulty, one can make an explicit threat based on a coyly presented capability.

    3 Among the many sources that argue that offense is dominant in cyberspace are Jonathan Masters, Confronting the Cyber Threat, New York: Council on Foreign Relations, May 23, 2011; Richard J. Harknett, John P. Callaghan, and Rudi Kauffman, "Leaving Deterrence Behind: War-Fighting and National Cybersecurity," Journal of Homeland Security and Emergency Management, Vol. 7, No. 1, November 11, 2010; and Eric Sterner, Stuxnet and the Pentagon's Cyber Strategy, Arlington, Va.: George C. Marshall Institute, October 13, 2010.

    4 Nevertheless, when asked whether the United States had ever demonstrated capabilities in cyberspace in a way that would lead to deterrence of potential adversaries, General Alexander responded, "Not in any significant way." Keith Alexander, "Advance Questions for Lieutenant General Keith Alexander, USA, Nominee for Commander, United States Cyber Command," statement to the U.S. Senate Committee on Armed Services, April 15, 2010, p. 21.

    5 George H. Quester, Deterrence Before Hiroshima, Piscataway, N.J.: Transaction Publishers, 1986. Note that Baldwin was speaking over a dozen years and many generations of aircraft after the last use of airpower against a sophisticated foe. Yet as the Battle of Britain later proved, once countries faced real bombers, damage was less than feared, and they did not always get through.


    Another is to counter a threat, whether explicit or implicit. This is similar to announcing a capability for ballistic missile defense after the other side has announced a ballistic missile capability, with cyberwar playing the role of a weapon aimed at the missile's command and control. Such an announcement may be made to downplay the threat, assuring oneself and allies and thereby weakening the threat's deterrent power. If the underlying threat is itself a counterdeterrent ("if you launch a missile, we will launch one back"), the cyberattack capability can be brandished to reinforce the original deterrent ("yes, but your missile will fail, and so we will ignore your threat"). Such brandishing helps project confidence.

    Brandishing a cyberattack capability can warn others against pursuing capabilities that depend on digital systems in general and networks in particular. A variant of that threat is to hint that the information that potential foes use to make operational or even strategic decisions may be corrupted and is therefore unreliable. The threat need not be proactive ("if you do this . . ."); the brandisher can hint that a corruption attack has already reached its target, meaning that even existing data cannot be trusted.

    The credibility of the cyberattack threat will depend on a state's track record in cyberspace coupled with its general reputation at military technology and the likelihood that it would use such capabilities when called on. Finally, as the technologies of cyberspace and the targeted state's dependence on cyberspace evolve, so too will the effectiveness of such threats.

    Brandishing and Deterrence: A Cautionary Note

    One reason for a state to say or hint that it has offensive cyberwar capabilities is to give teeth to a deterrence policy.6 As a general rule, the greater a state's capabilities to strike, the greater the consequences for other states of crossing the lines it lays down, and thus the lower the likelihood that other states will cross the lines (at least up to the point at which other states fear for their sovereignty and try to cut the state down to size because it is so threatening). That noted, deterrence also requires some clarity on where the red lines are and how willing such a state is to carry out its threat and by what means. Absent such clarity, brandishing may have an effect opposite from the one intended.

    Much depends, therefore, on what other states conclude about the motive for brandishing a cyberwar capability and the timing of the brandishing. If the threatening state is explicit that it will use cyber means to retaliate for crossing certain red lines (presumably, but not necessarily, in cyberspace), the role of brandishing is fairly clear: to give substance to a threat. But the timing may raise questions, especially if other states do not learn anything new about the threatening state's capabilities (which they always assumed existed) but were uncertain about why the threatening state believed the point had to be made explicit. Context would matter. Brandishing a capability to reinforce a threat that has just been made (or a red line that has just been laid down or redrawn) may raise a few questions of timing, but brandishing a capability out of the blue might raise more. Some may view it as a bluff, an attempt to put a brave face on the discovery that cyber capabilities are not impressing others for the good reason that they are not all that impressive.

    6 Consistent with the author's previous report on deterrence (Martin C. Libicki, Cyberdeterrence and Cyberwar, Santa Monica, Calif.: RAND Corporation, MG-877-AF, 2009), the word deterrence refers only to deterrence by punishment and does not include deterrence by denial.

    If the threatening state, however, has not stated or strongly hinted that its choice of retaliatory weapon sits in cyberspace, other states may wonder why it is emphasizing its retaliatory capabilities in that domain. True, the answer may be innocent: A bureaucratic struggle may have been resolved, or a new cyberattack capability may be deemed mature. But states not privy to such explanations may conclude that brandishing a cyberattack capability was meant to signal that more violent responses are off the table. States that do not fear cyber capabilities (maybe because their militaries or economies are not all that digitized) may therefore conclude that they can relax and may therefore be less deterred.

    Organization of This Report

    With these cautions out of the way, the remainder of the report examines the consequences of brandishing cyberattack capabilities. I examine four separate goals for brandishing cyberattack capabilities: to discourage military operations; to dissuade countries from investing in network capabilities; to permit the United States to face down nuclear-armed rogue states; and to inhibit unprovoked nuclear aggression.

    Chapter Two is a general treatment of brandishing: whether and how states can prove or at least back up claims that they have such a capability and against whom, how it might be used to reduce the desire of other states to carry out operations or even invest in certain operational capabilities, and the calculus and paradox of intimidation.

    Chapter Three specifically treats how cyberweapons may be brandished in a nuclear confrontation. Clearly, when facing obliteration, the threat of being hacked is unlikely to register very high. However, the operational use of cyberwar to thwart an opponent's nuclear command-and-control cycle may play a more interesting role.

    Chapter Four wraps up the key insights.


    Chapter Two

    The Broad Effects of Brandishing Cyberattack Capabilities

    Brandishing a capability that cannot be displayed for inspection and cannot be demonstrated in any detail without rapidly nullifying it is more than a little challenging. In this chapter, I examine various ways of addressing the challenge, concluding that, while each has its merits, none is altogether satisfactory. In sequence, therefore, the chapter discusses how system penetration may allude to cyberattack capabilities, how the fear that penetration has already occurred may be created and sustained, and how fears of penetration may affect an adversary's operational behavior or even its defense investments. It then examines some consequences of employing cyberattacks as a coercive device, discusses ways in which brandishing may backfire, and concludes by touching on current policies associated with the legitimization of cyberwar.1

    What Role for Brandishing?

    Because the potential for cyberattacks arises from the target's vulnerabilities coupled with the attacker's ability to exploit them, is the desired effect of brandishing cyberattack capabilities to look powerful or to make the other side look powerless? Of course, the answer could be both, and both may be useful, but if the brandishing is part of an overall strategic communications campaign, it may help to decide what to emphasize in such a campaign.

    Looking powerful is the more efficient option. It induces caution in actual or potential opponents. The demonstration does not have to be repeated for each one. Looking large also serves to deflect potential attackers away from one state toward others. Finally, there is glory in it; success reflects well on other sources of national power.

    But concentrating instead on exposing another state's weaknesses also has its virtues. It serves to deter troublesome states by reminding them of their vulnerabilities. It also deflects the accusations of self-promotion ("look at how powerful I am") by turning the focus toward others. After all, a state shown to be vulnerable to one attacker in cyberspace may be presumed vulnerable to others. Even if the state retaliates, its systems will still be vulnerable and perceived as such.

    For the United States, a further goal may perhaps be to discourage attacks on anyone. In a globalized economy, a severe cyberattack against foreign institutions may hurt the United States in its pocketbook: directly, if the U.S. economy relies on their information services, and indirectly, through the effects on export prices and availability. Such an attack may have political ramifications. Cyberwar erodes trust; successful attacks confound the rule of law. A posture to inhibit cyberwar in general, rather than just on the United States, fits with the current U.S. policy narrative that today's security problems are the results of rogue action by rogue states.

    1 An early version of the core argument of this chapter can be found in the author's "Wringing Deterrence from Cyberwar Capabilities," in Richmond M. Lloyd, ed., Economics and Security: Resourcing National Priorities, proceedings of a workshop sponsored by the William B. Ruger Chair of National Security Economics, Newport, R.I.: Naval War College, May 19–21, 2010, pp. 259–272.

    Would a Successful Penetration Say Enough About What Cyberwar Can Do?

    The most obvious way of demonstrating the ability to hack into someone else's system is to actually do it and leave a calling card (e.g., "Kilroy was here"). The effect need not be obvious to the public, but it must at least be obvious to system administrators. If the attack can be repeated at will or if the penetration can be made ineradicable, the target may be forced to believe that the perpetrator's ability to pop into the target's system at will is a fact. This forces the target to recalculate its correlation of forces against the perpetrator.

    This sounds simple. As with most things in cyberspace, it is not. The first problem is whether the calling card would be read and its existence transmitted to the leadership. If it is simply left for someone to stumble over, the answer may be no. Ironically, the more penetrable the system is, the less astute its administrators are, all else being equal. Thus, the odds of having the penetration discovered and transmitted up the line go down. For this reason, any calling card may have to be more obvious. Perhaps it can email itself, so to speak, to the system's administrators in the hopes that they will tell the leadership. If the target system is connected to the rest of the world (a big if for sensitive systems), it can email itself directly to the target's leadership. That should work (unless the leaders get it into their heads that it was a trick by their own cyberwar proponents to gain more resources for cyber security). The opposite is also possible. If acknowledging a penetration is embarrassing and puts jobs and, in some countries, lives at risk, such hints may be erased by embarrassed system administrators. Revealing a secret that could only have been stolen from such a system eliminates the problem of post hoc erasure but introduces the question of whether the information could have come only from system penetration (rather than, say, spies).

    The next difficulty is proving that the ability to penetrate a system at will is something that matters. If, as noted, a proven penetration is a one-time event, the target may convince itself that it can take measures to ensure that a repeat performance will be impossible. Or the victim may tolerate the attacker's ability to stay on the system precisely because it finds penetration less intolerable than the cost of hitting a systemic reset button. Such an assessment automatically puts an upper limit on the demonstration effect of the cyberattack. Furthermore, the effectiveness of the penetration has everything to do with the sensitivity of the system being penetrated. This requires understanding which systems are critical to the target and whose penetration would be impressive. If the target's political power relies on the correct operation of systems that are not only electronically isolated but also hidden, penetration into lesser systems may leave little impression on the target. Note that penetrating a system and persisting within it require similar skill sets but different technologies. Penetration requires knowledge of vulnerabilities; persistence requires knowing how to evade intrusion and anomaly detection systems.

    Does the ability to break into a system prove the ability to break a system? From a technical perspective, no. Contrary to some assertions, the ability to read files does not imply the ability to write to them, hence to alter them, just as the ability to watch Netflix videos on a laptop does not imply the laptop's ability to edit such videos. Breaking a system requires not only breaking into administrator (or otherwise privileged) accounts but also figuring out how to induce a system to fail and keep failing despite many features designed to prevent that. But from a psychological perspective, perhaps the ability to break into a system does prove the ability to break a system, especially if the target leadership cannot discern the difference between breaking into and breaking. If the penetration (a violation, as it were) comes as a shock, the prospect of further implications may startle the leadership, regardless of how technically unfounded such implications are.

    Breaking a system, however, is a more hostile, and more difficult, act than breaking into a system. It requires understanding the characteristic failure modes of the system. Creating necessary effects also requires shaping the attack so that the target's system administrators cannot detect and repair the system very quickly, with the definition of "very quickly" being necessarily specific to the context. An attack on a logistics system might have to last days or weeks before crippling its user population. An attack on surface-to-air missile systems, however, only has to disable the systems for the few minutes that attack aircraft are overhead. Nevertheless, it is unclear how fast recovery can be: The history of cyberattacks that require urgent fixes is thin, and documentation from victims of such attacks is even thinner. Perhaps cyberattackers (here and elsewhere) have endeavored to estimate adversary responses by simulating attacks on their own systems and testing their own system administrators' ability to recover their functionality. Even if so, the challenge of conveying to others that their attacks can keep their systems down for long periods of time is not easy. The intended audiences of such a demonstration may be able to determine what flaw allowed such an attack, fix the flaw, and recover some confidence in their own systems. If so, for brandishing to work, such cyberattack capabilities must be demonstrated repeatedly.

    Furthermore, the line between brandishing a capability and employing it can become very thin. Supposedly, the purpose of brandishing is to reduce the other side's willingness to challenge the possessor of cyberattack capabilities. But employing a capability tends to have the opposite effect: It increases the other side's desire to challenge the possessor. It is human nature to hit back. In cyberspace, as with other modes of conflict, brandishing can backfire.

    One possible way out of this dilemma is to demonstrate the ability to crash another person's system by demonstrating the ability to manipulate it in ways that, if continued or carried out in other contexts, could demonstrably break it. For example, the demonstrated ability to put a blank spot on a radar during normal operations implies the ability to put one there when the radar is tracking a hostile object. The ability to raise the temperature of someone else's chemical process by one degree may imply the ability to raise the temperature enough to cause serious damage, including destruction of the equipment. Inducing a random blank spot or jiggling the temperature may be hostile attacks but not acts of war. Yet they may suffice to suggest that interference with operations or destroying a chemical facility (which may well be acts of war) are within the attacker's capability. The usual caveats apply. Such demonstrations have to be conveyed to leaders, and such demonstrations are self-limiting if they induce corrections within target systems that complicate repetition. For some systems, jiggling one parameter slightly may not imply the ability to do so dangerously if safeguards exist.


    Inducing Fear, Uncertainty, and Doubt

    Nuclear arms fostered fear, but there was not a great deal of doubt or uncertainty about their applications.2 Cyber may be the opposite: incapable of inducing real fear directly, it may be capable of raising the specter of doubt and uncertainty, especially in the minds of those who might wonder if their military systems and hence their military would work when needed. This would cause queasiness if they had to use force of dubious reliability. The target state need not believe that it will lose a war it otherwise would have won were it not for such implanted logic bombs. To echo Mearsheimer's argument on conventional deterrence,3 it suffices if the potential attacker believes that its odds of winning quickly are not good enough because its systems have been compromised.

    An uncertainty-and-doubt strategy may work to the U.S. advantage by persuading other states to be very careful in pursuing a network-centric high-technology force to counter U.S. military capabilities. This means it may be dissuasive. A lot depends on how other states react to the idea that hackers have penetrated their military systems and left behind implants, which, when triggered, could generate rogue messages, alter sensor data, create network dropouts, and even make weapons fail.4 It is possible to conclude that, if the target state believes that (1) it has been so hacked, (2) has no alternative but the systems and equipment it has, (3) its estimate of war's outcomes are decidedly worse as a result, and (4) it has a choice on whether to go to war, the state's desire to go to war would decrease.

    How might such doubt and uncertainty be induced? The most straightforward way is to hack into such systems and then make it obvious that they have indeed been hacked. Claiming responsibility is unnecessary because the point is to emphasize not U.S. power but the vulnerability of targeted systems to cyberattacks in a way that leaves their owners doubting their own systems. But if the point is not to provide proof but to instill uncertainty, making the result obvious beforehand is unnecessary. In fact, it may be unwise if the first demonstration makes the next one harder to accomplish. Thus, proving a system was, is, and will stay hacked may be impossible. However, the hint of an attack leaves no specific trace and hence no specific fix. Even if system owners react to rumors by making general fixes, such as selective disconnection or the installation of anti-malware guards, there will be nothing that suggests which of these general fixes worked.

    In some cases, rumor can be more powerful than fact. After all, it takes, on average, twice as long to find nothing in a room as to find something there. Worse, if finding something is conclusive but sweeping and finding nothing is inconclusive, it takes far longer than twice as long to know that one has found nothing than to find something. System owners may be unable to rest assured that having found supposedly rogue code will solve the problem because there is no proof that what was found was the rogue code that rumors referred to; such code could be a glitch unrelated to any malevolent actor or could have been placed there by a third party.

    2 Astute readers may see the term, fear, uncertainty, and doubt, a phrase Gene Amdahl coined after leaving IBM, to describe the effect that IBM people instill[ed] in the minds of potential customers who might be considering Amdahl products.

    3 John J. Mearsheimer, Conventional Deterrence, Ithaca, N.Y.: Cornell University Press, 1985.

    4 Although the psychological effects of a cyberwar attack are speculative, it may well exceed its real effects. For example, if one just counts the number of centrifuges that destroyed themselves, Stuxnet can account for only a few months' delay in Iran's nuclear program. But, to get a bomb, Iran must commit to enriching uranium from 3 percent (U-235) to 90 percent. During the months required to do this, Western militaries may well react with alarm and force. If Iran cannot convince itself that Stuxnet has not been eradicated, it may conceivably fear that its centrifuges may be ordered to break down in those critical months, exposing Iran to retribution without gaining a bomb for its pains, thereby giving it pause when contemplating going ahead.

    A great deal depends on what others are predisposed to believe about U.S. capabilities with technology in general. U.S. cyberwarriors need never reveal the techniques of this or that manipulation but just ensure there are enough hints out there that say they do have the requisite skills. Subjecting that belief to a test could lead to failure and break the spell they may be under. It cannot be overemphasized that the target of the attack is not the system itself but confidence in that system and any other system an adversary depends on.

    What helps is the ability to convince others that they cannot protect their systems even after painstaking attention to their security. They may have checked everything three times. Yet the cyberwarriors find their way in. The effect is necessarily prospective rather than retrospective; it is rare these days that people are attacked; the attack makes the news; and yet there is no good idea how the attack was carried out or at least what vulnerability was exploited to enable the attack.5 Many of the instruments of the attack remain with the target system, nestled in its log files, or even in the malware itself. Even if the targets of the attack (e.g., the Iranians) cannot figure out what was done or how it was done (e.g., Stuxnet), there may be others who can (e.g., the Belarus firm, VirusBlokAda). The number of prominent attacks whose workings, notably penetration and propagation methods, remain a mystery is small, perhaps zero. To be sure, certain attack methods, notably distributed denial of service, contain no prospective, let alone retrospective, mystery as to how they work; they rely primarily on brute force. Furthermore, anyone who follows the news will understand the ubiquity of hacking. It is no great exaggeration to posit that any information of interest to a sophisticated state sitting on a system connected to the Internet has long ago escaped. At this juncture, there are too many vulnerabilities associated with web scripting (e.g., Java) and document-presentation programs to feel very secure.

    The vulnerability of less-sophisticated states to the possibility that others are inside their systems is enhanced when the target does not really understand the technology behind its own weapon systems. Although sophisticated states can be counted on to know military hardware better than unsophisticated states do, the difference is usually a matter of degree. Sophisticated militaries get more from their equipment: An F-16 is likely to be more effective in the hands of an American pilot than in the hands of a typical third-world pilot. Advanced militaries also maintain their equipment better. Still, even an inexpertly flown and indifferently maintained F-16 is a war machine.

    An information system, though, may have a negative value in the hands of users unsophisticated or indifferent about security. Poorly defended systems may, under pressure, leak information, buckle unexpectedly, or provide bad data to warfighters and other decisionmakers. In cyberwar, a great hacker can be orders of magnitude more efficacious than a merely good one in ways that do not characterize the difference between a great hardware repairman and a merely good hardware repairman. The difficulty that less-advanced countries have in generating impressive cyberattack capabilities may be attributed to poorer educational facilities and a less well-educated recruitment base. Yet their lack of access to others' source code or their not having built any of their own and having few among them who have ever built any operational source code helps ensure their military systems are far more vulnerable to cyberattack than comparable systems of sophisticated states. Third-world nations with turnkey systems are also more likely to be using standard configurations and operating procedures, making attacks on them more predictable than attacks on those who understand their systems well enough to tune them to their unique circumstances. Unless such countries are under official U.S. sanction, their systems could very well be maintained by U.S. firms. If cloud computing comes to match the current enthusiasm of its vendors, critical components of domestic control systems may be stored in other countries and be operated by other entities, of which U.S. firms now appear the most likely hosts.

    5 When attack code is encrypted, the decryption process may be very slow if even possible. Part of Stuxnet was encrypted but later broken. As of mid-August 2012, Kaspersky, a major security firm, was unable to break the encryption in the Gauss malware and issued a public call for assistance (Jeff Goldman, "Kaspersky Seeks Help Decrypting Gauss Malware Payload," eSecurity Planet, August 15, 2012).

    Would Such a Strategy Work with Russia and China?

    With Russia, the answer is almost certainly not. First, Russian capabilities at cyberwarfare are very advanced, as befits a state so devoted to maskirovka and blessed with a surfeit of world-class mathematicians.6 Russians may fear U.S. military capabilities, particularly in electronics, but are unlikely to regard them as particularly puzzling (especially if electronics are not part of the cyberwar package). Second, Russia's military long suit is not the systems integration of complex electronics and networks. It is precisely because they lack confidence in their conventional military that they lean so heavily on their nuclear arsenal. Thus, it is unlikely that their investment strategy would be diverted by the U.S. development of cyberweapons.

    With China, the answer is probably not. China has certainly shown enthusiasm for cyberwar. It appears in their doctrine and in the great volume of intrusions people attribute to them. Chinese talents in cyberspace lean more toward quantity, as befits a focus on cyberespionage (and deep pools of well-trained but cheap labor), than toward the sort of quality required to get into hardened military systems. Furthermore, China's military investment strategy is quite different from Russia's. The Chinese have less interest in achieving nuclear parity and more interest in pursuing anti-access strategies that rely on sensors, surveillance, and missiles, which normally require high levels of systems integration, hence networking.7 These factors leave some, but only some, scope for a U.S. dissuasion posture based on using cyberwar capabilities against China.

    How the Fear of Penetration Might Affect Enemy Operational Behavior

    One purpose in demonstrating cyberwar capabilities is to force states to take the potential for system failure and consequential embarrassment into account and curb their enthusiasm for

    6 Maskirovka is a Russian term meaning "disguise, camouflage, concealment."

    7 See M. Taylor Fravel and Evan S. Medeiros, "China's Search for Assured Retaliation: The Evolution of Chinese Nuclear Strategy and Force Structure," International Security, Vol. 35, No. 2, Fall 2010, pp. 48-87, and Roger Cliff, Mark Burles, Michael S. Chase, Derek Eaton, and Kevin L. Pollpeter, Entering the Dragon's Lair: Chinese Antiaccess Strategies and Their Implications for the United States, Santa Monica, Calif.: RAND Corporation, MG-524-AF, 2007.


    war. But would it? Perhaps not. First, when it comes to war, nearly all defenders and a surprising percentage of attackers believe that they have been put into a position where they have no choice but to wage war because the alternative is worse, e.g., fighting later would put them at a greater disadvantage; so the Japanese believed in 1941 or the Germans in 1914. Fear has already failed to deter them. Second, how badly do countries contemplating such actions need high-technology systems to succeed? Many high-technology systems (e.g., electronic warfare) are needed only against similarly sophisticated opponents, not, say, guerillas. A threat that looks big in peacetime (when systems are vulnerable by dint of being connected) may look smaller in wartime (when systems are configured for survival, in part by being disconnected from the outside world). Finally, the target may simply not believe that U.S. cyber capabilities are good enough to stymie military forces completely, not during peacetime and certainly not when the war drums sound. Going to war requires surmounting a great many fears; the fear of penetration may simply be another.

    Persuading third parties that there is a ready-to-go gremlin in their systems carries other risks. At a minimum, if they keep their wits, they will likely pay more attention to operational security after U.S. cyberattack capabilities have been brandished. Any belief that the vector into their systems is a spy will induce them to practice more personnel security. If the winds of alliance shift and the United States has to fight together with such countries, hints of penetration may make it difficult for the United States to work with new partners. Previously benign liaisons with a target country may become more difficult if the partner suspects that interacting with U.S. forces reveals how its systems are operated and networked and thus where and how the United States could implant malware in them to the best effect.

    Once other states think the United States is behind their fears, reality may be secondary. Countries that are certain that their militaries have been attacked may be less inclined to blame their neighbors, whom they may not credit with enough sophistication to pull off such an attack, and more apt to blame a technologically advanced country, such as the United States or Israel. Indeed, the spread of cyberattack capabilities makes it easy for such countries to hold the United States responsible for any failure in military equipment, even for accidents or human error. The instinct to blame others predates cyberspace: Egypt convinced itself, for a few days in June 1967, that the Israelis could not have destroyed its air forces, so the Americans had to have done it. Militaries that can give themselves a pass from their public by using such an excuse may be insulated from the effects of their own mistakes and may maintain their influence and power longer than they should. Alternatively, to the extent that such leaders themselves come to believe their excuses, they may fail to learn from their own mistakes, which may actually help the United States.

    Target militaries may also conclude that depending on foreign sources for logic-processing devices is dangerous. This could spur them to build more indigenous production capability or, alternatively, to pressure their suppliers to hand over the source code with the systems. Both can be negatives for the United States to the extent that they are currently being supplied by U.S. corporations. The same suspicions may color the target's agenda toward civilian gear, such as routers, used in their networks. In response, they may pursue indigenization, more-transparent source code, and better cyberdefense training. If they convince themselves that adherence to the Windows/Intel standard is the root of the U.S. ability to hack their systems, they may lean toward more-open operating systems or make common cause with other


    countries, such as China, that are striving to build a foundational layer from components and code not believed to be controlled by U.S. companies.8

    The problem does not go away if the hints that other systems have been penetrated turn out to be baseless. Assume that the United States has convinced others that it can interfere with anyone's military equipment. Then a war breaks out and no equipment fails in an unexplained way. Observers will conclude that the United States chose not to disrupt the sophisticated systems of one side. If only one side's equipment works, others may assume this to be proof that the United States must have played favorites and even blame the United States for atrocities associated with such military equipment. They may not pay attention to counterarguments: The United States hinted "might," not "would"; it cannot afford to get into everyone's equipment; some equipment is inaccessible to the outside; other equipment, such as AK-47s, simply has no electronics to get into. Until the hints started flying, no one could imagine that military equipment could be remotely disabled, but afterward, no one could imagine the United States not being able to do it.

    How Fears of Penetration Might Affect Defense Investments

    A state afraid of penetration could pursue compensatory strategies. It may observe that the effects of cyberattacks are temporary and difficult to repeat. It then maintains its investment strategy after convincing itself that, even if its weapons do not work when first used, it can survive the initial exchange and regain efficacy for later rounds of conflict. Such a perspective would have to overlook the ability of high-technology militaries to conclude successful conventional campaigns over the course of days rather than months or years. That is, there may not be a second round. A sophisticated system owner may be able to find and patch a newly exploited vulnerability within hours or days after it has been discovered, especially with outside help. But can an unsophisticated system owner on the outs with the developed world and countering a sophisticated U.S. cyberattack count on so quick a recovery? The state may also realize that, once a system has become ill, warfighters may not want to bet their lives on it until it has been provably cured, a lengthier process than simply having its symptoms relieved.

    If states anticipate that their networked systems may be penetrated, they may foreswear network-centric warfare. Why try to face foes with weapons that may well fail spectacularly when used? Conversely, for the United States, if it really can defeat the other side's network-centric military capabilities, why would it want to dissuade them from building and depending on them? One reason might be that the United States cannot be certain it can defeat such capabilities but wants to persuade others it can. Another may be that it may want to dissuade a military buildup because it would lead to a more-aggressive security policy and therefore lead it to start or carry on a conflict when U.S. security would be better served by its not trying to use such capabilities rather than by its subsequent defeat when it did. However, if the United

    8 Iran is even going so far as to disconnect its Internet from the rest of the world's. From Christopher Rhoads and Farnaz Fassihi, "Iran Vows to Unplug Internet," Wall Street Journal, May 28, 2011:

    On Friday, new reports emerged in the local press that Iran also intended to roll out its own computer operating system in coming months to replace Microsoft Corp.'s Windows. The development, which could not be independently confirmed, was attributed to Reza Taghipour, Iran's communication minister.

    See also "Iran to Unveil National OS Soon," PressTV, January 4, 2011.


    States believed that the other side would go ahead anyhow, it may be better off keeping quiet about its confidence that it can defeat such capabilities.

    The target's counterstrategy may be to rely on lower-tech weapons that are robust against cyberattack because they are never connected to anything. So, if U.S. adversaries forgo networking, is an uncertainty-and-doubt strategy thereby defeated or has it triumphed? Would success in dissuading a potential adversary from a high-technology challenge be in the best U.S. interest? Much depends on the kind of wars the United States is worried about. If the goal is to make it very difficult to use conventional forces to defend against invasion or coercion (rather than fight an insurgency), low-technology forces are no match for the United States. Sacrificing quality may provide others the means to pursue quantity, but, so far, the trade-off for others has not been particularly good; quality usually triumphs.

    A more subtle counterstrategy is to network warfighting machines that stay off the Web and forget about networking people. This has the advantages of permitting air-gapping as a defense strategy and avoids some of the vulnerabilities arising from human error (notably those associated with authentication, such as passwords and tokens). If networking warfighters is oversold, states that forgo it may be doing themselves a favor. Or they can network their equipment together but snip their links to the rest of the world. Perhaps a self-denial-of-service policy reduces their military's ability to learn from others and, to some extent, itself. Yet, many militaries are so self-contained that, even in the absence of cyberwar, they are apt to discount the experience of others from whom they might learn something.

    The Algebra of Direct Intimidation

    If announcing offensive capabilities fails to deter or dissuade, might a demonstration be worthwhile to create a coercive capability?9 One dilemma lies in how far to take credit for any demonstration. Consider the following algebra. Assume that, if an attacker, call it state Z, reveals itself unambiguously through its cyberattack, it loses more from retaliation than it gains in coercion. If it hides itself absolutely, it gets no benefit from coercion (the damage might easily have been an accident). It would seem that intermediate levels of assurance yield linear net negative benefits. For instance, if the target thinks that the odds that the attacker was state Z are 50:50, the coercive benefits are half of what they would have been were the target certain.10 Similarly, the odds of retaliation, and thus the expected cost of bearing such retaliation, are

    9 One method of demonstrating cyberattack capabilities is to attack a state that clearly deserves it and use its fate as a lesson for others. Such a state should be one that relies on some infrastructure and is not very good at protecting it. It helps if the target state is generally not sympathetic and has no good option for responding without escalating matters more than it is prepared to handle. Overall, however, there are more than enough reasons to recommend against trying this. The effect requires some attribution, at least implicit, on the attacking state's part; otherwise the only thing being demonstrated is that some states build infrastructures they cannot defend. But such a policy makes the attacker look like a bully. It also legitimizes cyberwarfare. Other states may be impressed by the attacker's chutzpah but not necessarily its acumen. It is too easy for those one would impress to counter that they are hardly as vulnerable as the state that was attacked. If the attack is permitted by a weakness that others shared, they may take the results of the attack more seriously, but only long enough to fix similar vulnerabilities of their own.

    10 If the target state thinks that the odds that state Z would carry out a second, perhaps more consequential, cyberattack in response to something it might do are 50:50 (that is, precisely equal to the odds that it thinks state Z carried out the cyberattack), it would weigh the expected cost to itself of a reaction from state Z should it go ahead and do so half as heavily as it would have if it were certain state Z carried out the cyberattack.


    half of what they would be were the target certain. Thus, from state Z's perspective, both the benefits of coercion and the expected cost of retaliation are halved. This still leaves a net negative. So, it appears that it cannot win.

    But are the odds of retaliation really the same as the perceived likelihood that Z was the attacker? In more-specific terms, are the odds of retaliation a 50:50 proposition if the target thinks the odds are only 50:50 that Z was the attacker? A great deal depends on how risk-averse the target is. If the target fears the consequences of not retaliating against the true attacker (the wimp factor) more than it fears the consequences of retaliating against an innocent state (the blunder factor), it does not need much confidence in its attribution to convince itself to hit back. What seems more likely is that the target fears the blunder factor more than the wimp factor, and a 50:50 confidence level will not be enough to persuade it to retaliate. In that case, the odds that the target will retaliate when it is only half sure that state Z did it would be less than 50:50.11

    If so, the coercive force of a cyberattack when the target thinks state Z might have done it, and thus the benefit of coercion to state Z, may be greater than the expected cost of retaliation. The benefits of coercion scale with the degree of confidence the target has that state Z did it. Yet the cost of retaliation only has to be taken into account when attribution is sufficiently clear that the target thinks the odds of making a mistake are sufficiently low.

    The broader lesson is that an attack that might be but also might not be attributable may be worthwhile for the attacker, even when a more obvious attack is not. The target state, for its part, may do its best to exaggerate its likelihood of retaliating, the better to throw off the attacker's calculations. Yet, given the nature of crises and the natural ambiguities of cyberspace, the attacker is likely already dealing with much ambiguous information.
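
    The algebra of this section can be written out explicitly. The following formulation is added here and is not part of the original report; the symbols p, B, C, r(p), W, E and p* and the threshold decision rule are assumptions introduced for illustration.

    Let p be the target's confidence that state Z was the attacker, B the coercive benefit to Z when the target is certain, and C the cost to Z of retaliation, with C > B > 0 (Z loses more than it gains when unambiguously revealed). If the odds of retaliation r(p) equal p, Z's expected net gain is

    \[ V(p) = pB - pC = p\,(B - C) < 0 \quad \text{for all } p > 0, \]

    so at p = 1/2 both terms are halved and the result, (B - C)/2, is still negative. If instead the odds of retaliation are a separate function r(p) of the target's confidence,

    \[ V(p) = pB - r(p)\,C, \qquad V(p) > 0 \iff \frac{r(p)}{p} < \frac{B}{C}. \]

    One simple rule that yields r(p) < p: let W be the cost the target attaches to not retaliating against the true attacker (the wimp factor) and E the cost it attaches to retaliating against an innocent state (the blunder factor), and suppose the target retaliates only when the expected cost of inaction exceeds the expected cost of error:

    \[ pW > (1 - p)\,E \iff p > p^{*} = \frac{E}{W + E}. \]

    When E > W, p* > 1/2, so a target that is only half sure does not retaliate and V(1/2) = B/2 > 0. Once p exceeds p*, retaliation follows and V(p) = pB - C <= B - C < 0. For the target, a lower p* (a credible readiness to retaliate on weaker attribution) or a higher p (better attribution) narrows the interval 0 < p < p* in which ambiguity pays.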

    If the attacker's coercive objectives are more general and do not depend so much on who the target thinks the attacker is, its net gain is even larger. Telling another "do what I want" without identifying "I" is hard, but not impossible. Suppose a country (e.g., an Islamic state) has allied its interests with a larger community's (e.g., the umma's), particularly one with powerful nonstate actors. If so, some correlation can be made between the timing and nature of the attack (e.g., following action against Islamic individuals) and the behavior required of the target (e.g., "stop attacking Islam") without necessarily indicting the attacking state. A state accused of a cyberattack could plead that it has friends that it cannot control but whose righteous ire should be acknowledged. So-called patriotic hackers may be citizens of an accused state without that state appearing hypocritical as long as it makes a credible attempt to bring them under ostensible control. Alternatively, the state can take satisfaction in cyberattacks that punish behavior that contravenes the community's interests. At the same time, it need not admit to the support, much less to the protection or even sponsorship, of such attacks. The attack's coercive potential may be limited to the values held by the community, normally just one among its overall interests (e.g., what may be good for taking action against a common enemy may not be so good for asserting particular interests, such as water rights). But that may be enough.

    11 To illustrate as much, assume the target thinks that the attacker is as likely to be state Y as it is state Z (but does not believe that Y and Z colluded). If it retaliates against one, why not against the other? The only way that could be justified is if the target believes the consequences of hitting an innocent state Y are worse than those of letting state Z get away with an attack.


    Would the behavior of the target state ever evolve in the direction the attacker desires as a result of coercion (a question relevant to kinetic threats)? Assume two things. First, attacks that yield less pain than some sensitivity threshold are too weak to coerce the target state. Second, attacks that yield more pain than some response threshold induce the target state to hit back or at least turn less cooperative (at least overall, if not necessarily on the point at issue). If the sensitivity threshold is less than the response threshold, there may well be a zone in between where the target yields to the attacker's will. But if the two are reversed, no attack, however carefully calibrated, will change the target's policy in the desired direction. The attack will be either too weak to be sufficiently coercive or too strong to be absorbed without response, and maybe both. The United States has dramatically demonstrated at least twice that it reacts harshly to being attacked, in response to both Pearl Harbor and the September 11, 2001, hijackings.12 Granted, the first may not have been an act of coercion (since Japan believed it was going to have to fight the United States sooner or later anyway), and the second may have been carried out to goad the United States into intervening in Afghanistan. Yet, such distinctions aside, the United States proved that coercing it may not be particularly useful when the target's response threshold is lower than its sensitivity threshold. A large body of literature on coercion shows how difficult it is to compel states to comply with demands, even with kinetic weapons.13 It is hard to argue that cyberweapons, with all their uncertainties, would do a better job.

    The attacker could carry out a covert coercion campaign using sub rosa attacks. That is, it can go after systems whose failure or corruption may be costly to the target government but whose effects are not obvious to the public. By doing so, the attacker gambles that the positions of policymakers' sensitivity and response thresholds differ from those of the public. Policymakers, feeling pain and unforced by public opinion, may be freer to yield to coercion, especially if yielding is also invisible to the public.

    Direct intimidation may work better if a cyberattack is clearly structured to damage much less than it could have.14 All attempts at coercion evoke in its victim a mix of anger for having been hit and fear of the next hit. If the initial attack is mild, the anger component may be assuaged by the fact that, while the insult is clear, the injury is not. The fear component, however, is just as great with a pulled punch as with a fully formed punch, as long as the target understands that the punch was, in fact, pulled (although in the ambiguities of cyberspace, the clarity of that message could be lost).

    12 The United States even reacts harshly when it thinks it has been attacked, even if later facts suggest otherwise. The Spanish found this out after the USS Maine was sunk in 1898, by what is now believed to have been an accident and not a mine. That noted, a harsh response is not a guarantee, as the lack of response to the 1968 capture of the USS Pueblo and the Iraqi missile attack on the USS Stark showed.

    13 Among those who have made similar arguments are Robert Pape (in Robert A. Pape, Bombing to Win: Air Power and Coercion in War, Ithaca, N.Y.: Cornell University Press, 1996); David Johnson (in David E. Johnson, Karl P. Mueller, and William H. Taft, Conventional Coercion Across the Spectrum of Operations: The Utility of U.S. Military Forces in the Emerging Security Environment, Santa Monica, Calif.: RAND Corporation, MR-1494-A, 2003); Karl Mueller (in Karl P. Mueller, Jasen J. Castillo, Forrest E. Morgan, Negeen Pegahi, and Brian Rosen, Striking First: Preemptive and Preventive Attack in U.S. National Security Policy, Santa Monica, Calif.: RAND Corporation, MG-403-AF, 2006); Daniel Byman (in Daniel Byman, Matthew Waxman, and Eric V. Larson, Air Power as a Coercive Instrument, Santa Monica, Calif.: RAND Corporation, MR-1061-AF, 1999); and Forrest Morgan (in Forrest E. Morgan, Karl P. Mueller, Evan S. Medeiros, Kevin L. Pollpeter, and Roger Cliff, Dangerous Thresholds: Managing Escalation in the 21st Century, Santa Monica, Calif.: RAND Corporation, MG-614-AF, 2008).

    14 See, for instance, Thomas C. Schelling, Arms and Influence, New Haven, Conn.: Yale University Press, 1966, notably Chapter Three.


    Paradoxes of Intimidation

    Are the short-term gains from this sort of intimidation, even if latent, worth the long-term discomfort from accelerating the evolution of a particular class of weaponry? In the nuclear race between the United States and the Soviet Union, Khrushchev would boast that his country could turn out missiles like sausages. The United States reacted by accelerating its own missile program. By 1961, a year before the Cuban Missile Crisis, the United States knew it had a strategic edge in nuclear delivery systems, notably missiles. Similar Soviet perceptions persuaded them to ship missiles to Cuba to adjust the strategic balance. The Soviet reaction to having to back down in Cuba was to accelerate its own programs to achieve parity, which they did, thus setting the stage for the Strategic Arms Limitation Talks. Perhaps, had neither side flaunted its capabilities, the same parity and negotiations might have arrived at roughly the same time but at much lower levels. The missile race is hardly unique, as the pre-World War I Anglo-German shipbuilding rivalry demonstrated.

    Nevertheless, a cyber arms race is not the most likely course of events. In great contrast to most military weapons, the damage from a cyberattack tends to reflect the characteristics of the target more than the characteristics of the weapon. So the competition to reduce vulnerabilities may overshadow the competition to find and exploit them. Even were this not so, either side's cyberweapons capabilities are a matter of serious dispute, an observation that undergirds this whole discussion. The sorts of numbers that inform the balance of missiles or dreadnoughts (World War I-era battleships) have no meaningful equivalents in cyberspace.

    U.S. Policy and the Legitimization of Cyberwar

    The current U.S. posture on cyberweapons is coy; it stands between U.S. posture on nuclear weapons