Analysis & Opinions - War on the Rocks

Swaggering in Cyberspace: Busting the Conventional Wisdom on Cyber Coercion

June 28, 2016

Given increases in the ability and willingness of various actors to target a nation’s critical infrastructure, David Gompert and Hans Binnendijk have argued that the United States should use cyber operations to “amp up the power to coerce.” This is a reasonable objective, but it ignores the conventional wisdom about cyber coercion that says it doesn’t work. A major component of successful coercion is detailing the pain your enemy may endure. Communicating that capability in the cyber realm is likely to induce your enemy to “patch” the vulnerability you were hoping to exploit. How can actors ever coerce targets with cyber weapons if threatening them effectively neutralizes their utility?

We propose one possible way of resolving this problem: selectively revealing an individual cyber tactic to your opponent. Exploiting the “perishable” nature of certain cyber weapons helps to address some of the problems with cyber coercion, though many problems will remain. This is true in at least three ways. First, it can reduce the uncertainty surrounding your capabilities by hinting at the breadth or depth of your remaining cyber arsenal. Second, because these weapons can be costly to develop, burning a tactic or vulnerability can serve as a “sunk cost” signal of resolve. Third, since some cyber weapons may be more damaging than others, the choice of which vulnerability to burn can communicate your level of interest in the dispute.

While much attention has been paid to cyber deterrence and defending U.S. SCADA networks and infrastructure, we propose one way of beefing up cyber’s offensive potential. The 2015 Department of Defense Cyber Strategy seeks ways to “build and maintain viable cyber options [to] shape the conflict environment at all stages.” Our hope is to begin filling this gap by examining prospective ways states may use cyber threats to impose their will.

To do so, we will review the problem of coercion in cyberspace, outline our proposed solution, and touch on some of the advantages and disadvantages associated with this method. It is also worth noting up front that the primary focus of our piece — use of zero-day exploits — constitutes a small (but growing) fraction of cyberspace operations. Indeed, some reports rightly recognize that zero-days receive a disproportionate amount of attention given that most cyberattacks don’t rely on them. Nevertheless, to the extent that zero-days still represent an important tactic in a state’s cyber arsenal — or to the extent that our logic generalizes to other domains — the prescriptions contained below should still be of interest to policymakers. Generally speaking, this logic should hold for any secret and costly technique that generates an opening in a target’s system. This could be an intrinsic defect in the code (the zero-day vulnerabilities discussed above) or even a back door left behind through social engineering of humans (spear phishing)...

For more information on this publication: Belfer Communications Office
For Academic Citation: Neuman, Craig and Michael Poznansky. “Swaggering in Cyberspace: Busting the Conventional Wisdom on Cyber Coercion.” War on the Rocks, June 28, 2016.