Analysis & Opinions - War on the Rocks
Swaggering in Cyberspace: Busting the Conventional Wisdom on Cyber Coercion
Given increases in the ability and willingness of various actors to target a nation’s critical infrastructure, David Gompert and Hans Binnendijk have argued that the United States should use cyber operations to “amp up the power to coerce.” This is a reasonable objective, but it ignores the conventional wisdom about cyber coercion that says it doesn’t work. A major component of successful coercion is detailing the pain your enemy may endure. Communicating that capability in the cyber realm is likely to induce your enemy to “patch” the vulnerability you were hoping to exploit. How can actors ever coerce targets with cyber weapons if threatening them effectively neutralizes their utility?
We propose one possible way of resolving this problem: selectively revealing an individual cyber tactic to your opponent. Exploiting the “perishable” nature of certain cyber weapons helps to address some of the problems with cyber coercion, though many problems will remain. This is true in at least three ways. First, it can reduce the uncertainty surrounding your capabilities by hinting at the breadth or depth of your remaining cyber arsenal. Second, because these weapons can be costly to develop, burning a tactic or vulnerability can serve as a “sunk cost” signal of resolve. Third, since some cyber weapons may be more damaging than others, the choice of which vulnerability to burn can communicate your level of interest in the dispute.
While much attention has been paid to cyber deterrence and defending U.S. SCADA networks and infrastructure, we propose one way of beefing up cyber’s offensive potential. The 2015 Department of Defense Cyber Strategy seeks ways to “build and maintain viable cyber options [to] shape the conflict environment at all stages.” Our hope is to begin filling this gap by examining prospective ways states may use cyber threats to impose their will.
To do so, we will review the problem of coercion in cyberspace, outline our proposed solution, and touch on some of the advantages and disadvantages associated with this method. It is also worth noting up front that the primary focus of our piece — use of zero-day exploits — constitutes a small (but growing) fraction of cyberspace operations. Indeed, some reports rightly recognize that zero-days receive a disproportionate amount of attention given that most cyberattacks don’t rely on them. Nevertheless, to the extent that zero-days still represent an important tactic in a state’s cyber arsenal — or to the extent that our logic generalizes to other domains — the prescriptions contained below should still be of interest to policymakers. Generally speaking, this logic should hold for any secret and costly technique that generates an opening in a target’s system. This could be an intrinsic defect in the code (the zero-day vulnerabilities discussed above) or even a back door left behind through social engineering of humans (spear phishing)...
Continue reading: http://warontherocks.com/2016/06/swaggering-in-cyberspace-busting-the-conventional-wisdom-on-cyber-coercion/
For more information on this publication:
Belfer Communications Office
For Academic Citation:
Neuman, Craig and Michael Poznansky.“Swaggering in Cyberspace: Busting the Conventional Wisdom on Cyber Coercion.” War on the Rocks, June 28, 2016.
The Authors
Michael Poznansky
- Former Research Fellow, International Security Program, 2015–2016
Craig Neuman
- Recommended
- In the Spotlight
- Most Viewed
Recommended
Journal Article
- Texas National Security Review
Book Review Roundtable: Tempting Fate
Analysis & Opinions
- Belfer Center for Science and International Affairs, Harvard Kennedy School
The Urgent Need for a National Biosecurity Initiative
In the Spotlight
Most Viewed
Policy Brief
- Quarterly Journal: International Security
The Future of U.S. Nuclear Policy: The Case for No First Use
Discussion Paper
- Belfer Center for Science and International Affairs, Harvard Kennedy School
Why the United States Should Spread Democracy
Given increases in the ability and willingness of various actors to target a nation’s critical infrastructure, David Gompert and Hans Binnendijk have argued that the United States should use cyber operations to “amp up the power to coerce.” This is a reasonable objective, but it ignores the conventional wisdom about cyber coercion that says it doesn’t work. A major component of successful coercion is detailing the pain your enemy may endure. Communicating that capability in the cyber realm is likely to induce your enemy to “patch” the vulnerability you were hoping to exploit. How can actors ever coerce targets with cyber weapons if threatening them effectively neutralizes their utility?
We propose one possible way of resolving this problem: selectively revealing an individual cyber tactic to your opponent. Exploiting the “perishable” nature of certain cyber weapons helps to address some of the problems with cyber coercion, though many problems will remain. This is true in at least three ways. First, it can reduce the uncertainty surrounding your capabilities by hinting at the breadth or depth of your remaining cyber arsenal. Second, because these weapons can be costly to develop, burning a tactic or vulnerability can serve as a “sunk cost” signal of resolve. Third, since some cyber weapons may be more damaging than others, the choice of which vulnerability to burn can communicate your level of interest in the dispute.
While much attention has been paid to cyber deterrence and defending U.S. SCADA networks and infrastructure, we propose one way of beefing up cyber’s offensive potential. The 2015 Department of Defense Cyber Strategy seeks ways to “build and maintain viable cyber options [to] shape the conflict environment at all stages.” Our hope is to begin filling this gap by examining prospective ways states may use cyber threats to impose their will.
To do so, we will review the problem of coercion in cyberspace, outline our proposed solution, and touch on some of the advantages and disadvantages associated with this method. It is also worth noting up front that the primary focus of our piece — use of zero-day exploits — constitutes a small (but growing) fraction of cyberspace operations. Indeed, some reports rightly recognize that zero-days receive a disproportionate amount of attention given that most cyberattacks don’t rely on them. Nevertheless, to the extent that zero-days still represent an important tactic in a state’s cyber arsenal — or to the extent that our logic generalizes to other domains — the prescriptions contained below should still be of interest to policymakers. Generally speaking, this logic should hold for any secret and costly technique that generates an opening in a target’s system. This could be an intrinsic defect in the code (the zero-day vulnerabilities discussed above) or even a back door left behind through social engineering of humans (spear phishing)...
Continue reading: http://warontherocks.com/2016/06/swaggering-in-cyberspace-busting-the-conventional-wisdom-on-cyber-coercion/
The Authors
Michael Poznansky
- Former Research Fellow, International Security Program, 2015–2016
Craig Neuman
- Recommended
- In the Spotlight
- Most Viewed
Recommended
Journal Article - Texas National Security Review
Book Review Roundtable: Tempting Fate
Analysis & Opinions - Belfer Center for Science and International Affairs, Harvard Kennedy School
The Urgent Need for a National Biosecurity Initiative
In the Spotlight
Most Viewed
Policy Brief - Quarterly Journal: International Security
The Future of U.S. Nuclear Policy: The Case for No First Use
Discussion Paper - Belfer Center for Science and International Affairs, Harvard Kennedy School
Why the United States Should Spread Democracy
