A Grave New World

Academic year: 2021

Deterrence in Cyberspace 

 

 

 

 

 

Final Version 

MASTER THESIS

By: Martijn Paalman S1640992

M.Paalman@student.rug.nl

Supervised by: C.K. Lamont

C.K.Lamont@rug.nl


Index

INTRODUCTION

CHAPTER 1
FIGHTING IN THE FIFTH DOMAIN: CYBER WARFARE AND ITS CHARACTERISTICS
DEFINING CYBER WARFARE
FIGHTING CYBER WARS: BASHING KEYBOARDS AND CLICKING MICE
BACK TO BASICS: UNDERSTANDING SOFTWARE
WEAPONS OF CYBER WARRIORS: MALWARE EXPLAINED
VIRUSES AND WORMS
EFFECTS OF VIRUSES AND WORMS
TROJAN HORSE
LOGIC BOMB
DEFENSE AGAINST MALWARE
APPLICATION OF MALWARE IN CYBER WARFARE
DDOS: FLOODING THE GATES
POSITIVE CHARACTERISTICS OF CYBER WARFARE
MORE EFFECTIVE AND EFFICIENT WEAPONRY
A CHEAP FORM OF CONDUCTING WARFARE
NEGATIVE ASPECTS OF CYBER WARFARE
ANONYMOUS WARFARE
HYPERPROLIFERATION
DEFENSE IS DIFFICULT AT BEST
SUMMARY

CHAPTER TWO
DETERRENCE THEORY EXPLAINED
WHAT IS DETERRENCE?
ESSENCE OF DETERRENCE
CORE PREMISES
ASSUMPTIONS OF DETERRENCE
DIFFERENT FORMS OF DETERRENCE
CONSTRUCTING THREATS IN STRATEGIC DETERRENCE
EVOLUTION OF DETERRENCE THEORY
MOVING TOWARDS COMPLEX DETERRENCE
MEASURING SUCCESS
SUMMARY

CHAPTER THREE
THE APPLICABILITY OF DETERRENCE THEORY
CYBER DETERRENCE
INTRODUCING THE TEST CASE: WEB WAR ONE
APPLYING DETERRENCE TO CYBER WARFARE
REQUIREMENT FOR CYBER DETERRENCE: DETECTION
REQUIREMENT FOR CYBER DETERRENCE: SOURCE IDENTIFICATION
REQUIREMENT FOR CYBER DETERRENCE: INFLICTING UNACCEPTABLE HIGH COSTS
REQUIREMENT FOR CYBER DETERRENCE: COMMUNICATION OF POLITICAL WILL
BEYOND THE TEST CASE: THE POSSIBILITY OF CYBER DETERRENCE IN GENERAL
ALL FORMS OF DETERRENCE APPLIED TO CYBER WARFARE
SUMMARY

CHAPTER FOUR
BEYOND DETERRENCE
2 PROBLEMS WITH CYBER DETERRENCE
DEALING WITH THE PROBLEM OF VISIBILITY
IMPROVING CYBER DEFENSES
INCREASING PRIVATE-PUBLIC SECTOR COOPERATION
REDUCE VULNERABILITY AND IT DEPENDENCY
DEALING WITH THE PROBLEM OF ATTRIBUTION
INTERNATIONAL LAW
ESTABLISH WORLD WIDE WATCHDOG (WWW)
SUMMARY

CONCLUSIONS


Introduction

Most people view their computer as both their friend and foe. Although it may not always work the way you want it to, the use of computers in work, study and leisure has grown exponentially over the past 15 years.1 Typing a document, calculating figures and automating processes with computers have made our work faster, more efficient and (mostly) easier. Furthermore, with the invention of the internet many public and private computers are now interlinked. This World Wide Web creates many possibilities for the facilitation of global communications and trade.

The combination of a computer and an internet connection can also be used with less benign intentions. Criminals have discovered the potential of the internet and fill the World Wide Web with spam hoping to find someone unfortunate enough to click on a bad link. In 2010, roughly 90% of all e-mail traffic was spam, with over 50 billion spam messages sent in the first quarter of 2010.2 There is, however, a more serious threat to the internet than just filling up your spam folders. States too have seen the potential of the internet in the way they conduct politics. Not only has information technology given us smart bombs that can hit a target with high precision, unmanned aerial vehicles (UAVs) that can take out enemy targets with no risk to the nation’s own soldiers and better intelligence to oversee the battlefield, information technology can also be used as a means on its own. Computer programs can be designed to take out certain defensive mechanisms, they can be used to steal valuable information or erase data without leaving a trace. The use of so-called ‘cyber tools’ has proliferated greatly and the conduct of warfare has now entered a new domain: the fifth.3 After land, sea, air and space, cyber attacks take place in a new uncharted, unregulated and ungoverned domain: cyberspace.

This dissertation argues that the use of cyber weapons fundamentally changes the way states perceive their security. Although it is relatively new, more and more attention is being given to cyber warfare: the act of using cyber weapons instead of or in conjunction with conventional warfare. After the cyber attacks on Estonia (2007)4 and Georgia (2008),5 the potential and the threat cyber warfare can pose is now more vivid. In response to this emergent security challenge NATO opened a Center of Excellence for Cooperative Cyber Defense in Tallinn6 and is devising new methods to deal with cyber warfare in its Strategic Concept.7 Also, the United States appointed a new strategic command for cyberspace, USCYBERCOM.8 Indeed, the world’s most powerful nations such as China, Russia and the United States are building up cyber capabilities and even Israel, North Korea and Iran claim to have substantial cyber warfare capabilities of their own.9 Although states at first paid little attention to the domain of cyberspace, recent events have caused states to take this threat more seriously. The Stuxnet virus released in July last year is one of many examples.10

1 In 1997 only 18% of US households had a computer with internet connection at home. In 2009 the number had risen to 68.7%. Source: US Census Bureau, Current Population Survey 1984-2009 (February 2010). http://www.census.gov/population/www/socdemo/computer/2009.html

2 SecurityWeek News, Top Five Malware and Spam Trends Worldwide (May 18th, 2010). http://www.securityweek.com/top-five-malware-and-spam-trends-worldwide-mcafee-q1-2010-threats-report

3 The Economist, Cyberwar. It is time for countries to start talking about arms control on the internet (03-07-2010) p. 9. The conventional domains of warfare are generally considered to be land, sea, air and space.

4

Cyber warfare changes thinking about security. Although some believe the world will become safer if digital bombs are used instead of kinetic ones, this dissertation begs to differ. To be sure, the use of cyber weapons can limit military casualties through the deployment of unmanned, radio-controlled vehicles, but it can also increase casualties by triggering the destruction of nuclear power plants.11 The main point is that cyber warfare transforms the battlefield. Attacks are executed in real time without proper means of defending against them. Digital bombs can take down targets without so much as leaving a trace, leaving the attacked with no adversary against which to retaliate. Given the fact that cyberspace changes the battlefield, this dissertation poses the question of whether conventional concepts of security still apply within this new security environment.

Conventional security concepts evolved during the Cold War within a strategic environment where security thinking was rather straightforward. Both Cold War superpowers, the US and the Soviet Union, had large stockpiles of nuclear weapons. Both sides knew that launching a first strike would lead to ‘mutual assured destruction’, since the other side had enough time to retaliate. Even if one side launched a massive nuclear assault against its adversary, it could never prevent a counter strike because launch platforms were scattered all over the world. Mobile launch platforms and nuclear submarines could launch their deadly payload from anywhere on the globe, thus assuring a destructive counter attack.12 This created a certain stability, since both sides were deterred from using their nuclear weapons.

5 Carr, Inside Cyber Warfare p. 183-185.

6 NATO opens new centre of excellence on cyber defense. http://www.nato.int/docu/update/2008/05-may/e0514a.html; http://www.ccdcoe.org/; Clarke, R.A. and R.K. Knake, Cyber War. The next threat to National Security and what to do about it. (New York 2010) p. 17.

7 North Atlantic Treaty Organization, Strategic Concept for the Defense and Security of the members of the North Atlantic Treaty Organization (20-11-2010) p. 11, 16-17.

8 The Guardian, US appoints first cyber warfare general (23-05-2010) http://www.guardian.co.uk/world/2010/may/23/us-appoints-cyber-warfare-general

9 Clarke and Knake, Cyber War p. 63-64.

10 BBC News, Stuxnet virus targets and spread revealed (15-02-2011) http://www.bbc.co.uk/news/technology-12465688; Chen, T.M., ‘Stuxnet, the Real Start of Cyber Warfare?’ in: IEEE Network (Vol.24 Iss. 6, 2010) p. 2-3.

11

Deterrence theory proved an important asset in Cold War thinking about security13 and helped explain state behavior during the Cold War.14 Even in 2011, deterrence theory can be used to explain behavior of states that are not nuclear powers.15 When the costs of a conventional attack are likely to be high and the threat of retaliation is credible, deterrence theory suggests states may be deterred from engaging in conflict. Deterrence theory can help us understand events and predict their outcomes.

This dissertation will contribute to deterrence literature through an exploration of the extent to which cyber warfare affects deterrence theory. Since cyberspace is a whole new domain, does the conventional thinking about deterrence still apply to this new form of warfare? For example, can an unknown adversary be deterred? Cyber attacks can come out of nowhere, hence diminishing the ability of a state to rely upon a threatened retaliatory strike to deter an adversary.

Deterrence theory also proposes that adversaries are deterred by the number of conventional weapons a state possesses. Yet cyber weapons are practically invisible. Nuclear deterrence theory also assumes that states that go first will face mutually assured destruction.16 With cyber warfare it is possible to shut down enemy communications, disable defense systems and cause a massive power blackout taking away the opponent’s ability to respond.

Given the extent to which cyber warfare has transformed the strategic environment, there is a pressing need to understand the parameters and strategic logic of this new form of warfare. This dissertation will bring more clarity to the subject of cyber warfare. Since there remains a lacuna in policy and scholarly understanding of the subject, it will explain what exactly cyber warfare is and provide examples of successful cyber attacks. Chapter One will define cyber warfare and a distinction will be made between cyber crime, cyber terrorism and cyber warfare. The most important cyber weapons will be described and explanations will be given as to how they work. The Chapter will then conclude with the positive and negative aspects of these new cyber tools for conducting warfare and put cyber warfare into perspective. Examples will be used to show how this affects state security.

12 Schelling, T., Arms and Influence (New Haven, 1966) p. 232-234.

13 Long, A. G., From Cold War to Long War. Lessons from Six Decades of RAND Deterrence Research (Santa Monica 2008) p. 5.

14 Freedman, L., Deterrence (Malden 2004) p. 1; Morgan, P.M., Deterrence Now (Cambridge 2003) p. 4.

15 ‘Conventional Deterrence’ versus ‘Nuclear Deterrence’. Adler, E., ‘Complex Deterrence in the Asymmetric-Warfare Era’ in: T.V. Paul, P.M. Morgan and J.J. Wirtz (editors) Complex Deterrence Strategy in the Global Age (London 2009) p. 85-108 there p. 88-90.

16

Chapter Two will focus on the theory of deterrence and explain its use during the Cold War. Conventional strategic thinking remains influenced by deterrence theory. Deterrence theory had a significant influence on US foreign policy and security thinking in general after World War Two. Since the end of the Cold War deterrence theory has lost some of its original popularity but continues to influence academic and policy debates in the post-Cold War period.17

Chapter Three will put theory into practice and demonstrate how cyber warfare impacts the applicability of deterrence theory. Recent developments and the test case Estonia (2007) will be taken as case studies to examine to what extent deterrence theory can be applied to this new kind of war.

Lastly, Chapter Four will take the discussion beyond deterrence and examine to what extent deterrence can be substituted in theory and practice. To what extent does deterrence still apply to cyber warfare and how can we otherwise limit the threats cyber warfare poses?

These four chapters will help to answer this dissertation’s principal research question: To what extent do cyber warfare and its recent developments diminish the applicability of deterrence theory to conventional security thinking? And, assuming that it changes, to what extent can a theoretical and policy substitute for deterrence be found? This paper assumes that cyber warfare changes our thinking on deterrence and will examine threats posed by cyber warfare. Since understanding the threat is step one, this paper will also contribute to academic debate and provide several recommendations about how to defend against this new development through legal, political, and technological means. For example, can international law provide a basis for security or is a new international treaty perhaps necessary? The Convention on Cyber Crime of 2001 by the Council of Europe provides a starting point for analysis.

Lastly, this paper will refrain from too much jargon. Instead, it will try to describe only the most important technological aspects in a clear and reader-friendly way.

17


Chapter 1

Fighting in the fifth domain: cyber warfare and its characteristics

Cyber war has only recently emerged as a source of concern for policymakers and academics. Indeed, cyber attacks are reported ever more frequently in the media. In public discourse the terms cyber warfare, cyber terrorism, information warfare and cyber crime are used interchangeably. There is however a significant difference. This Chapter will first lay out the difference between the concepts and define the term ‘cyber warfare’. After defining the scope of study this Chapter will present an overview of cyber weapons. Their use and effects will be described, as well as possible defenses. Finally, a summary of the positive and negative characteristics of cyber warfare will be given so as to give the reader a clear empirical grounding for Chapter Two’s discussion of deterrence theory.

Defining Cyber Warfare

The concept of cyber warfare is not new in itself. The term ‘information warfare’18 was first coined by Dr. Thomas Rona in a report titled ‘weapons systems and information war’ in 1976.19 Rona argued that the information infrastructure was becoming more important for the US economy and was therefore a valuable target for potential adversaries to exploit. The US military picked up Rona’s line of thought, and in 1996 the Department of Defense (DOD) published its Joint Pub 3-13.1 Doctrine for Command and Control Warfare.20 This document defined information warfare (IW) as:

Actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer-based networks while defending one’s own information, information-based processes, information systems, and computer-based networks.21

18 Please note that the concepts ‘cyber warfare’ and ‘information warfare’ will be used interchangeably and are used to address the same concept.

19 Lin, A.C., Comparison of the Information Warfare Capabilities of the ROC and PRC (27-12-2000) http://cryptome.org/cn2-infowar.htm

20 Lin, Comparison of the Information Warfare Capabilities.

21 Department of Defense, Joint Doctrine for Command and Control Warfare (C2W) (7-02-1996) p. I-3.

The DoD defined IW in a military context and pointed to the need for the US to achieve information superiority. Information superiority was defined as ‘that degree of dominance in the information domain which permits the conduct of operations without effective opposition.’22 The document emphasized IW’s military dimension and was replete with military terminology. Therefore, it does not meet the requirements for an adequate definition of cyber warfare, because nowadays the concept of cyber war covers a broad range of conflicts with political, economic, criminal, security, civilian and military dimensions.23

On the other hand, Alger provides a definition that does cover these multiple dimensions. Alger argued IW constituted ‘the actions intended to protect, exploit, corrupt, deny, or destroy information or information resources in order to achieve a significant advantage, objective, or victory over an adversary.’24 This definition has merit because it puts emphasis on the methods used and the goal of the actions: the exploitation of bugs in software, the corruption or complete destruction of files by means of viruses and worms with the goal of setting back the adversary. However, this definition says nothing about the actors or their intentions.

Janczewski and Colarik define IW as ‘a planned attack by nations or their agents against information and computer systems, computer programs, and data that results in enemy losses.’25 Here emphasis is put on the actor (states) and their intentions (planned attacks). Yet not all attacks are planned for in advance and it is often very difficult to prove state involvement. As we will see in Chapter Three, the cyber attacks on Estonia (2007) were not planned for in advance and it was difficult to attribute these attacks to the Russian state with absolute certainty. In this particular conflict ‘youth hacktivists’ performed the cyber attacks on Estonia while the Russian government denied instructing them to do so. A thorough definition needs to include state involvement even when attribution cannot be proven with absolute certainty. Otherwise states could use third parties to perform their attacks while denying control over them and thus escaping the scope of the definition.

Richard Clarke, former White House official in charge of cyber security, has created a cyber warfare definition which seems to deal with the criticism as stated above:

22 Department of Defense, Joint Doctrine p. GL-8.

23 Knapp, K.J. and W.R. Boulton, ‘Ten Information Warfare Trends’ in: L.J. Janczewski and A.M. Colarik, Cyber Warfare and Cyber Terrorism (New York 2008) p. 17-25 there p. 18.

24 Knapp and Boulton, ‘Ten Information Warfare Trends’ p. 18.

25

Cyber warfare is the unauthorized penetration by, on behalf of, or in support of, a government into another nation’s computer or network, or any other activity affecting a computer system, in which the purpose is to add, alter, or falsify data, or cause the disruption of or damage to a computer, or network device, or the objects a computer system controls.26

Clarke’s definition includes actors (governments and groups), renders the problem of state attribution superfluous (on behalf of or in support of), defines the methods used (adding, altering or falsifying data) and the intended goals (disrupting or damaging computer systems). Furthermore, this way a distinction is made between cyber warfare and cyber terrorism, two terms widely used interchangeably. They should not be confused with each other.

In contrast to cyber warfare, cyber terrorism is defined as ‘premeditated, politically motivated attacks by sub national groups or clandestine agents […] that result in violence against non-combatant targets’.27 The practical difference between the two terms is that cyber terrorism has the goal of causing fear and injury to innocent bystanders to gain attention for a political cause while cyber warfare has a clearly defined target in a (declared) war.28 Clarke’s definition excludes cyber terrorism.

Another distinction must also be made for the term cyber crime. Cyber crime is merely crime that is committed through, or with, the use of information technology. Examples of criminal cyber acts are hacking into banks, stealing credit card information or the theft of building plans from a competing firm. Such acts are usually not politically or ideologically motivated, but are mostly done for financial gain. Note that although the rationale for the attacks (crime, warfare or terrorism) may be different, the methods that are used are often the same (e.g. a computer virus).29

Although Clarke’s definition excludes cyber crime, it also excludes cyber espionage. This was done on purpose, but I believe for the wrong reason. Clarke leaves cyber espionage out of the definition because he believes that espionage does not have to damage, disrupt or destroy data if it is done well.30 Yet the goal of cyber warfare is to put the adversary at a disadvantage, as all definitions demonstrate. Even the definition of Clarke implies that the actor engages in cyber warfare to improve his own position over the position of the adversary. Why would one otherwise engage in this activity if it were of no benefit to him? Espionage is the stealthy, undetected extraction of information from another actor. This information is then used to prepare oneself and make better informed decisions when dealing with the other. The theft of information improves your own situation because you have more intelligence to base your decisions on. Thus, cyber espionage puts the adversary at a disadvantage, fits within the scope and meaning of cyber warfare and should therefore be included in the definition.

26 Clarke and Knake, Cyber War p. 228.

27 Janczewski and Colarik, Cyber Warfare p. xiii.

28 Janczewski and Colarik, Cyber Warfare p. xiv.

29 Janczewski and Colarik, Cyber Warfare p. xiv.

30

Note that cyber warfare is digital warfare and consists of using intangible digital weapons to produce tangible real-life results. Cyber warfare or information warfare is sometimes also used to describe the technological progress made in military warfare, for example smart bombs that use computer guidance for better accuracy. The use of software to improve military hardware does not constitute cyber warfare. In this dissertation cyber warfare will mean the use of digital programs as a means to an end. A malicious piece of software that takes out enemy defense systems is an act of cyber warfare; however, software that assists in targeting the enemy defenses is not. Nonetheless, these two different applications of software may sometimes be used simultaneously against the same target. For example, when Israeli fighters bombed a Syrian construction site within Syrian airspace in September 2007, Israel corrupted the software in Syrian air defenses so that it would not detect the Israeli fighters. The radar detected nothing, the fighters flew in unnoticed, bombed the target and left Syria unharmed by aerial defenses that were not automatically activated.31 Here cyber warfare (corrupting the Syrian air defense software) was used together with conventional warfare (computer guided missiles in a kinetic air attack).

To summarize, the term cyber warfare is used to describe the intangible, digital attacks taken by states to compromise the digital infrastructure of another state. Attacks are focused on altering, corrupting, changing or adding data in the software of the enemy’s digital infrastructure which results in the disruption, disabling or destruction of computer systems. The goal is often political and intentional, to gain information or weaken the adversary so as to put them in a less favorable position. Cyber warfare is meant to improve one’s own situation, either by increasing the effectiveness of attacks or improving defenses.

Fighting cyber wars: bashing keyboards and clicking mice

Now that we have determined what exactly constitutes cyber warfare, we look at the tools used by cyber warriors. How does one fight in the fifth domain? Weapons in cyberspace have a digital nature and are intangible. A weapon in cyberspace is sometimes no more than a couple of lines of bad script in a piece of software. To understand how attacks work, we first need to cover some basic workings of software.

31

Back to basics: understanding software

A computer program consists of many lines of script which together form a code that will perform a certain function. As this text is written, the pressing of buttons on the keyboard is translated into electrical pulses that together form a code that computers can understand: binary code. A pulse represents a one, while the absence of a pulse represents a zero. E-mails for example are converted into electrical pulses which can then be transferred over copper wires. To make the computer understand what to do with these lines of zeros and ones, people write computer code in a programming language to tell the computer what to do. Software consists of many lines of computer code and when humans write code, they make mistakes. Sometimes they are unnoticed, sometimes they are intentional. Bad code (lines that do not do what they are supposed to do) can make software malfunction and when bad lines are detected, they get fixed. Sometimes bad code remains in the software.32

Those lines of data can be altered or modified to make the software behave differently than intended. The problem is often the detection of bad lines in software. As computer technology evolves and processing capacity roughly doubles every 24 months,33 computers are able to process more and more lines of code. If you consider that the operating system Windows 95 had less than 10 million lines of code while Windows Vista has over 50 million, it is not difficult to imagine why you continuously need to download updates. More lines mean more bad lines which can be exploited by those who want to do harm.34

Sometimes flaws are put intentionally in the software. These are called Easter eggs. Typing ‘=rand(200,99)’ and then pressing enter in Microsoft Word will result in 200 pages of random text, while typing ‘about:mozilla’ in the Firefox web browser address field will show a fictional biblical text of the birth of Firefox. Other times these flaws are put in as an exploit for later times. Knowing a certain bug in the software can give you access to the administrator controls; this can be used to break in undetected through a backdoor. One could then bypass the formal login portal and change personal information or steal data without anyone noticing. Both cyber criminals and cyber warriors spend a lot of time looking for these flaws.

32 Clarke and Knake, Cyber War p. 89.

33 This is called ‘Moore’s Law’, after the co-founder Gordon Moore of chipmaker Intel. http://www.intel.com/technology/mooreslaw/

34

This is part one: flaws in ordinary pieces of software. The other part includes custom made programs with a specific function to add, modify or destroy data in other parts of software. These programs are called malware, a term which combines the words malicious and software. Malware is the collective noun for several kinds of software of which viruses, worms, logic bombs and Trojans are the most common. Together they form the main weapons of cyber warriors and will be explained below.

Weapons of cyber warriors: malware explained

Viruses and Worms

A computer virus is usually a small program programmed with a specific task. The behavior of a computer virus reflects the behavior of a biological virus. In biology, a virus ‘invades living cells and uses their chemical machinery to keep itself alive and to replicate itself.’35 A virus requires a living cell of a host from which it will start to replicate itself and spread to other cells. Computer viruses function the same way, although instead of living cells they need computer files to attach themselves to in order to replicate themselves. Since most computers are connected to the internet, viruses can spread easily to infect other computers.36

Authors differ in opinion on when the first viruses appeared, but some date the appearance of viruses as far back as the 1960s.37 Viruses first appeared as innocent jokes spread through floppy disks and did little more than reboot the computer or display an annoying message.38 Gradually the destructive power of viruses became more apparent when people realized their potential. A virus hides itself and runs silently in the background, which means the user is unaware of its existence. It then gives the computer instructions to execute, which may damage the computer itself.39 These instructions can have multiple effects depending on what the virus is programmed to do.

Worms are very similar to viruses in their function and effects. The main difference between worms and viruses is that a worm does not need another piece of software to attach to and replicate itself. Worms do not require a host and can quickly replicate and spread over a network. Worms are also used for monitoring server and traffic activities, collecting information which can be used for espionage purposes.40

35 Mitra, A., Digital Security: Cyber Terror and Cyber Security (New York 2010) p. 39.

36 Mitra, Digital Security p. 39.

37 Janczewski and Colarik, Cyber Warfare p. xx.

38 Mitra, Digital Security p. 40.

39

Effects of viruses and worms

A virus or worm can delete data or erase important documents. Most files in a Windows-based operating system include a suffix which tells the computer what to do with a specific file. For example, the extension .doc tells the computer that the file must be opened with Microsoft Word. A virus can instruct the computer to delete or alter all files with a specific suffix, making the files unreadable.41 In cyber warfare this can be used to destroy enemy intelligence or disable specific control programs. Other viruses can disable the computer itself by making the hardware unusable. There are few programs that can actually physically destroy a computer, but so-called root-kit viruses target the boot-sector of a computer. The boot-sector is a piece of memory separated from the hard drive which has specific instructions for the computer on how to properly boot (start up) the system. This startup software located on a detached memory disk is called the BIOS. These kinds of viruses are particularly dangerous because the BIOS is difficult to access and clean once it has been infected. Once the BIOS is infected, Windows can no longer boot, making the computer unusable.42 Of course, disabling the computers of an air defense system with a root-kit virus can be a very useful strategy in cyber warfare.

Trojan Horse

A Trojan Horse program functions in much the same way as the Trojan horse brought in by the citizens of Troy in Homer’s Iliad.43 A Trojan is a program that performs a legitimate function while at the same time performing an unknown or unwanted activity. A Trojan opens a backdoor in a program, giving access to those who want to do harm. Viruses and worms can enter a system through a backdoor which Trojans can create. Trojans can also give hackers access to your system or can perform key-logging activities.44 Trojans are useful cyber weapons because key-loggers can provide access to restricted defense networks without having to break in. Backdoors can also provide access to enemy systems, making disabling those systems easier.

40 Janczewski and Colarik, Cyber Warfare p. xx.

41 Mitra, Digital Security p. 49.

42 Mitra, Digital Security p. 49.

43 Homerus, Ilias en Odyssee, translated by M.A. Schwartz (Amsterdam 2004).

44

Logic Bomb

A logic bomb is a malicious program that when activated will erase all data on a computer or network including itself. Basic logic bombs are erasers, rendering the targeted computer useless. More sophisticated logic bombs can first execute specific commands like instructing hardware to go haywire before detonating.45 Logic bombs do not replicate and can be inserted through a Trojan into an enemy system. They can sometimes lie dormant and undetected for a long time before being triggered at the desired moment. The designer can remotely detonate logic bombs or they can have specific instructions when to go off. The most common activator is the computer’s system date,46 but the bomb can also check a website for a trigger-message. When the bomb sees this message or stops seeing a particular message, it will execute its program.47 This makes logic bombs useful weapons in cyberspace, because states can lace the enemy digital infrastructure with logic bombs in peacetime and use them in case of war, even when contact with the program is lost.

Defense against malware

A virus will enter a computer system secretly attached to another innocent file. This can happen through sharing a USB stick, but most viruses spread through the internet hidden in e-mail attachments. Unaware that a Word document is infected, the user will unknowingly activate the virus. The virus will then copy itself and start erasing files or whatever it is programmed to do when triggered.48 Worms can spread on their own. Trojans enter computers hidden within legitimate programs.

Defense against malware is difficult at best, because all antivirus programs are signature based.49 Since computers cannot identify computer code as malicious code, antivirus software will scan software lines for harmful code. All antivirus programs work by comparing lines of code to their own database of known harmful code (virus definitions). If a virus signature is not found in the antivirus database, it will not be detected. Polymorphic viruses are even harder to detect, because they will constantly change their signature when

45 Clarke and Knake, Cyber War p. 92.

46 For example, the logic bomb is programmed to detonate when a certain time and date has been reached.

47 Definition of a logic bomb, http://www.tech-faq.com/logic-bomb.html

48 Mitra, Digital Security p. 41.

49


spreading to another host.50 Since databases are only updated when a new virus has appeared, this means that a cure will only be found after harm has been done, making antivirus software retroactive.51
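The limitation described above can be seen in a toy signature scanner. This is an added example, not code from the thesis or from any antivirus product; the byte strings are constructed and harmless, and the names `SignatureScanner`, `reencode` and `Demo.A` are assumptions made for illustration.

```python
import hashlib

# Constructed, harmless byte strings standing in for file contents.
MARKER = b"DEMO-PAYLOAD-ROUTINE-v1"   # stands in for a known harmful routine
KNOWN_SAMPLE = b"header|" + MARKER + b"|trailer"
CLEAN_FILE = b"header|quarterly report text|trailer"


def reencode(body: bytes, key: int) -> bytes:
    """Stand-in for a polymorphic copy: same content, different bytes per host."""
    return bytes(b ^ key for b in body)


class SignatureScanner:
    """Toy scanner with two common definition types: file hash and byte pattern."""

    def __init__(self):
        self.hashes = {}     # SHA-256 hex digest of a whole file -> detection name
        self.patterns = {}   # byte sequence found inside a file  -> detection name

    def add_definition(self, name: str, sample: bytes, pattern: bytes) -> None:
        self.hashes[hashlib.sha256(sample).hexdigest()] = name
        self.patterns[pattern] = name

    def scan(self, data: bytes):
        """Return the detection name, or None if no definition matches."""
        name = self.hashes.get(hashlib.sha256(data).hexdigest())
        if name is not None:
            return name
        for pattern, pattern_name in self.patterns.items():
            if pattern in data:
                return pattern_name
        return None


def run_timeline() -> dict:
    """Scan a series of files in the order a vendor would encounter them."""
    scanner = SignatureScanner()
    scanner.add_definition("Demo.A", KNOWN_SAMPLE, MARKER)
    results = {}
    results["known sample"] = scanner.scan(KNOWN_SAMPLE)
    results["clean file"] = scanner.scan(CLEAN_FILE)
    # Same routine inside a different file: the hash misses, the pattern still hits.
    results["repackaged copy"] = scanner.scan(b"other-header|" + MARKER + b"|x")
    # Copies whose bytes changed on spreading: neither definition matches.
    variant1 = b"header|" + reencode(MARKER, 0x21) + b"|trailer"
    variant2 = b"header|" + reencode(MARKER, 0x42) + b"|trailer"
    results["variant 1 before update"] = scanner.scan(variant1)
    # A definition can only be written once variant 1 has been seen ...
    scanner.add_definition("Demo.A.var1", variant1, reencode(MARKER, 0x21))
    results["variant 1 after update"] = scanner.scan(variant1)
    # ... and that update says nothing about the next copy.
    results["variant 2 after update"] = scanner.scan(variant2)
    return results


if __name__ == "__main__":
    for label, verdict in run_timeline().items():
        print(f"{label:26} -> {verdict or 'not detected'}")
```

The database only catches a changed copy after that copy has been collected and a definition written for it, which is the retroactive behaviour the paragraph describes.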

Another problem in the defense against malware is the staggering rate of creation. In 2008 antivirus software companies had to create a new signature every 20 seconds.52 In 2009 that changed to every 11 seconds.53 In the beginning of 2007 there were approximately 1 million written signatures, today the malware counter stands at 10.6 million.54 In only four years the amount of malware has grown tenfold, a trend that bears great concern for both states and individuals securing their computers in the coming years. Antivirus software can never be 100 percent effective.

A zero-day attack is an important concept in this regard. A zero-day attack is an attack using a formerly unknown security leak or a new kind of malware which has not yet been discovered.55 This malware may be a virus, Trojan or logic bomb. The term zero-day refers to its lifespan. The discovery of the malware or leak is referred to as day one and since the initial attack took place prior to day one, the attack itself is known as zero-day.56 Zero-day attacks make use of new unexplored security gaps and are therefore a significant security threat. Defense against such an attack is virtually impossible, making it an excellent tool for cyber warriors.

Application of malware in cyber warfare

A cyber attack can take many forms, as explained above. The tools are usually a piece of malware in combination with a security leak to gain access. Sometimes the malware can create access to remotely control a computer (Trojan). Although some of these weapons may seem rather technical, their application can have far-reaching consequences. Logic bombs can be placed in peacetime in order to enable the destruction of enemy computer systems at a later date. Trojans can steal data, viruses can destroy data and worms can disable computers.

50 Janczewski and Colarik, Cyber Warfare p. xx.

51 Carr, Inside Cyber Warfare p. 151.

52 Carr, Inside Cyber Warfare p. 151.

53 Triumfant, The Worldwide Malware Signature Counter. Source: http://www.triumfant.com/Signature_Counter.asp

54 The Worldwide Malware Signature Counter, found on http://www.triumfant.com/Signature_Counter.asp

55 Carr, Inside Cyber Warfare p. 40 and 151.

56 Bradley, T., Zero Day Exploits. Holy Grail Of The Malicious Hacker. Source: http://netsecurity.about.com/od/newsandeditorial1/a/aazeroday.htm


States are vulnerable to cyber attacks because the use of computers is widespread: computer systems are used for guiding missiles, controlling air defense, transferring military intelligence via e-mail, controlling troop movement, structuring organization and much more. When logic bombs destroy military intelligence, viruses disable air defense systems, worms disable communications and Trojans take over control, a nation’s own military strength can be seriously compromised.

Take for example the aforementioned Israeli air raid. Syria’s air defenses were shut down to assist in a kinetic attack. This attack demonstrates the power of viruses. Another example is the large-scale cyber espionage on the US allegedly perpetrated by China and Russia. These operations were named Titan Rain and Moonlight Maze respectively.57 Many confidential documents were stolen from the secured DoD network, yet no one knows exactly what was taken or by whom. Consider as well the theft of the F-35 fighter blueprints. In April 2009, an unknown person broke into Lockheed Martin’s data storage systems and stole several terabytes of data.58 Since modern fighter planes are heavily dependent on software, fiddling with the software could easily cause the million-dollar aircraft to crash.59 The stolen plans can also be studied for weaknesses which can be exploited at a later stage. The trail of the likely culprit leads back to China, but due to the nature of the internet60 it is impossible to prove China’s liability.

The effects are not limited to the military. In the private sector computers have also taken on a greater role in daily life. Logic bombs that destroy financial data, such as bank accounts and statements, can wreak havoc on modern society. Money is mostly digital and the ability to conduct financial transactions is fundamental to our economy. When banks are deleted, the economy will soon fall apart. Aside from the financial sector, the energy sector can also be an important target in cyber warfare. Power plants are controlled by so-called Supervisory Control And Data Acquisition (SCADA) systems61 which regulate and control multiple processes. The ‘Aurora Generator Test’ conducted by the CIA in 2007 has proven that hackers can indeed use malware to overload a power-turbine and cause its physical destruction.62 Power-turbines in the US spin at a rate of 60 MHz and a turbine is kept off the power grid until it reaches this speed of 60 MHz. If it spins at a lower rate, all power produced by the grid’s other turbines will flow to this turbine, ripping off its turbine blades. In the Aurora

57 Carr, Inside Cyber Warfare p. 162.

58 Clarke and Knake, Cyber War p. 223.

59 Clarke and Knake, Cyber War p. 174.

60 More on this in the section ‘DDOS: flooding the gates’ on the next page.

61 http://www.tech-faq.com/scada.html; http://www.dayton-knight.com/projects/scada/scada_explained.htm

62


test, hackers broke into the SCADA system through the internet and accessed the controls regulating the turbine fan speed.63 Changing the settings blew the turbine to smithereens. Replacing these custom made machines can take several months.64 When several power plants are disabled at the same time, large parts of the population may remain in the dark for a prolonged period of time. According to Richard Clarke, US energy infrastructure is laced with logic bombs.65 These examples demonstrate the vulnerabilities that states have in cyberspace.

DDOS: flooding the gates

One last cyber weapon that deserves attention has not been mentioned above. A Denial of Service (DOS) attack causes servers to crash and prevents webpages from being displayed. A variant of DOS is the Distributed Denial of Service (DDOS) attack which uses malware to mobilize many other systems to attack a specific target. The use of DOS attacks has grown over the last years with Estonia being the prime example. The case of Estonia will be dealt with in detail in Chapter Three, but it is useful to explain the working of the weapon here.

Servers host websites which can be accessed through the internet. When accessing a website, a computer will send a request to the server to display the website. If a computer continuously requests a website from the server,66 the server freezes as it becomes bogged down processing too many requests.67 Other computers cannot access the website because the server is too busy with handling all the requests. Too many requests will crash the server, causing the website to go offline. This is called a DOS attack.68

Most modern servers today have more processing power than one computer can consume. However, if several computers were to initiate a ping-flood, the server would not be able to cope. A DDOS attack consists of many infected computers (zombies) that are controlled by a master computer which tells them which website to take down. This horde of zombies is called a botnet, the master is called the botherder (see figure 1).69 Most people would not realize their computer is part of a botnet, because the virus that infects your system

63 Clarke and Knake, Cyber War p. 100.

64 Clarke and Knake, Cyber War p. 100.

65 Clarke and Knake, Cyber War p. 92.

66 This act is known as ping-flooding.

67 Disterer, G., A. Alles and A. Hervatin, ‘Denial-of-Service (DoS) Attacks: Prevention, Intrusion Detection, and Mitigation’ in: L.J. Janczewski and A.M. Colarik, Cyber Warfare and Cyber Terrorism (New York 2008) p. 262-272 there p. 263.

68 For the sake of clarity only ping-flooding has been explained here as a DOS method. There are more ways to take down a server (sending large packets, SQL-injection), but since the effect is the same those methods need not be discussed here.

69


runs quietly on the background until ordered to attack by the botherder. Even when attacking, the only noticeable effect may be that their system is a bit slower than usual. The bigger the botnet, the more powerful the attack.

The master computer is often difficult or even impossible to identify. Packets that are sent over the internet normally have the source IP-address within them. However, it is possible to fake the source IP-address.70 The supposed source of an attack may be easily determined, but it can prove to be false.71

Spoofing the attack can be very useful in a cyber attack. On the Fourth of July 2009, Independence Day, several US and South Korean government websites were subject to a DDOS attack.72 Some sites were taken down, others had stronger servers. Some estimate the size of the botnet at 20.000 zombies, others at more than 160.000.73 Infected systems from many countries were involved in the attack. At first, the source led to either North Korea or China, which seemed to be plausible culprits. The trail then went further, to a server in Great Britain. However, Great Britain was not the attacker either; further analyses proved that the attacks originated from a server in Miami, Florida.74 It seems unlikely that the US would attack itself, but this demonstrates the difficulty that arises in cyber warfare and shows the strength of a DDOS attack. If South Korea would

70 This act is known as spoofing.

71 Disterer, Alles and Hervatin, ‘Denial-of-Service (DoS) Attacks’ p. 264.

72 Clarke and Knake, Cyber War p. 23-26.

73 Carr, Inside Cyber Warfare p. 80.

74 Carr, Inside Cyber Warfare p. 193.

Figure 1: graphical representation of a DDOS attack.

Source: Janczewski and Colarik, Cyber Warfare


have responded to the attack and had retaliated against North Korea, it would have found itself in rather an awkward situation.75

Defense against a DDOS attack is very difficult. Computer systems get recruited in the botnet through infection by malware. Installing updates and keeping antivirus software up-to-date helps to some extent,76 but provides no protection from a zero-day attack. Other defensive measures range from encrypting server communication to router configuration,77 but they are not effective enough when the botnet is too large. Damage control is the best option, for example separating website services from e-mail services. This way some functionality can be preserved when an attack occurs.78
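The difference between the DOS and DDOS cases in this section can be seen from the defender's side by counting requests per source and per time window. This is an added example, not part of the thesis; the request log is constructed, the addresses come from the documentation ranges, and the window length, per-source limit and server capacity are assumed values.

```python
from collections import Counter, defaultdict

WINDOW = 10             # seconds per counting window (assumed)
PER_SOURCE_LIMIT = 50   # requests one source may send per window (assumed)
CAPACITY = 300          # requests the server can process per window (assumed)


def build_log():
    """Constructed request log of (second, source_ip) covering three windows."""
    log = []
    regular = [f"192.0.2.{i}" for i in range(1, 6)]
    for start in (0, 10, 20):
        for ip in regular:                      # normal visitors: 2 requests each
            log += [(start + 1, ip), (start + 6, ip)]
    # Window 1 (seconds 10-19): one source sends 400 requests (DOS).
    log += [(10 + i % 10, "203.0.113.9") for i in range(400)]
    # Window 2 (seconds 20-29): 100 sources send 5 requests each (DDOS).
    for z in range(1, 101):
        log += [(20 + 2 * i, f"198.51.100.{z}") for i in range(5)]
    return log


def count_by_window(log):
    """Group the log into windows and count requests per source in each."""
    counts = defaultdict(Counter)
    for second, ip in log:
        counts[second // WINDOW][ip] += 1
    return counts


def analyse(log):
    """Per window: total load, sources over the limit, and load left after
    a router drops those sources."""
    report = {}
    for window, per_ip in sorted(count_by_window(log).items()):
        total = sum(per_ip.values())
        offenders = {ip for ip, n in per_ip.items() if n > PER_SOURCE_LIMIT}
        after_filter = total - sum(per_ip[ip] for ip in offenders)
        if total <= CAPACITY:
            verdict = "normal"
        elif after_filter <= CAPACITY:
            verdict = "single-source flood: per-source filter is enough"
        else:
            verdict = "distributed flood: per-source filter does not help"
        report[window] = {
            "total": total,
            "sources": len(per_ip),
            "offenders": offenders,
            "after_filter": after_filter,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for window, row in analyse(build_log()).items():
        print(window, row["total"], row["sources"],
              sorted(row["offenders"]), row["after_filter"], row["verdict"])
```

In the distributed window every source stays far below the per-source limit, so only the aggregate count shows the overload; and because source addresses can be spoofed, even the per-source counts in the first case are only as reliable as the addresses in the log.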

Positive characteristics of cyber warfare

Now that it has been determined what cyber warfare is and what kind of weapons there are, it is necessary to put cyber warfare into perspective. The following section will examine the strategic benefits and costs of this new form of warfare. First, what are the benefits of cyber warfare?

More effective and efficient weaponry

Computer programs can be programmed to perform a specific task, for example shutting down air defense systems. This has the benefit of minimizing collateral damage, since attacks can be very precise and take down only what they must. In combination with conventional warfare this lowers casualties and reduces the risk to a state’s military personnel. This could also make cyber attacks safer than their kinetic counterparts, because no physical presence is required to execute an attack.

A cheap form of conducting warfare

The resources required for a cyber attack are relatively cheap. A computer with average specifications, an internet connection, time and a specific set of skills are all that is needed. In terms of money cyber attacks can be executed at low cost. It seems that Chinese botnets can even be hired on the internet. For as little as $ 20 per month one can herd a botnet of 10 PCs.

75 Carr, Inside Cyber Warfare p. 78-79.

76 Disterer, Alles and Hervatin, ‘Denial-of-Service (DoS) Attacks’ p. 267.

77 Disterer, Alles and Hervatin, ‘Denial-of-Service (DoS) Attacks’ p. 267. Routers can be modified to filter bad requests out, hence alleviating server stress.

78


$ 100 could even buy 1.000 bots.79 Since a virus built on a $ 600 laptop can disable enemy defenses just as effectively as a million dollar cruise missile, cyber warfare can be considered cheap. The damage done, however, can easily range into billions of dollars.

Negative aspects of cyber warfare

Aside from the positive characteristics, cyber warfare also has several negative aspects. These are discussed below.

Anonymous warfare

A virus cannot disclose who designed it and logic bombs wipe out all traces of their origin. Packet spoofing hides the identity of the botherder or can even be used to put the blame on a third party state. As demonstrated by the cyber attacks on the Fourth of July 2009, faulty attribution of an attacker could have brought North and South Korea to the brink of war. The difficulty with identifying the culprit makes cyber warfare anonymous. This could lower the threshold to go to war, since the other party may never know what hit it. Even spying operations could increase, because espionage has become easier and more effective in cyberspace.

Hyperproliferation

Almost everyone has a computer, and the knowledge to use these computers for harmful purposes can easily be found on the internet. Manuals on how to build malicious software can be Googled. Even without programming skills one can download user-friendly programs to participate in or initiate a DDOS attack.80 At the same time, a supreme governing body to regulate conduct in cyberspace does not exist. Some institutions like the ICANN81 exist, but they have only a limited mandate.82 Since cyberspace has no regard for national borders, enforcement abroad is even more difficult. An attack against another state in cyberspace is possible because there are no effective rules to govern state conduct.

79 Carr, Inside Cyber Warfare p. 151.

80 Carr, Inside Cyber Warfare p. 151.

81 ICANN stands for the ‘Internet Corporation for Assigned Names and Numbers’. The ICANN regulates IP-addresses and coordinates the Domain Name System (DNS). In short, ICANN tries to make sure domain names are genuine and are connected to the right IP-addresses. For example, when visiting Amazon.com, the IP registered in the DNS makes sure the right website pops up, preventing abuse. Source: ICANN, http://www.icann.org/en/participate/what-icann-do.html

82


At the same time cyberspace creates a level playing field for those who roam in it. Power asymmetries are less consequential as even the stronger states can be seriously damaged by less powerful states. Since cyber warfare is cheap, many states can afford to engage in it. North Korea, for example, boasts that it has a significant cyber force.83 Although the North Korean conventional forces are no match for the sheer military power of the US Army, in cyberspace the tables are turned. US military hardware is heavily dependent on software to function while North Korea has very advanced training centers for cyber warriors.84 North Korea could seriously damage US infrastructure while on the other hand, North Korean infrastructure is hardly vulnerable to cyber attacks.85 This creates a different strategic calculus to warfare and transforms the playing field.

Defense is difficult at best

As mentioned above, defense against cyber attacks is difficult. Cyber war is global, skips the battlefield and happens at the speed of light.86 Large-scale DDOS attacks are almost certain to take down targeted servers, crippling communication, financial systems and more. It is estimated that every 2.2 seconds a new type of malware is released on the internet.87 Antivirus programs are signature-based and are always overtaken by events. Zero-day attacks are de facto impossible to anticipate. Due to rapid technological developments defense is difficult at best, impossible at worst.

Summary

This Chapter has provided an introduction to cyber warfare and its components. Without treading too much into jargon, it has explained key cyber weapons and clarified their functions. Illustrated by numerous examples, this Chapter has shown how cyber weapons can be applied and that they can have far-reaching consequences. Lastly, it concluded by putting cyber warfare in perspective and pointed out cyber warfare’s positive and negative effects. The following chapter will explore deterrence theory and the effects cyber warfare has on its applicability.

83 Clarke and Knake, Cyber War p. 27-30.

84 Clarke and Knake, Cyber War p. 26-28.

85 Clarke and Knake, Cyber War p. 26-27.

86 Clarke and Knake, Cyber War p. 31.

87


Chapter Two

Deterrence theory explained

Before examining the implications of new cyber warfare methods on deterrence theory it is necessary to set out a definition of, and key assumptions that underlie, deterrence. Therefore, the concept of deterrence will first be explained and defined. There are certain specific strands within deterrence theory which will be mentioned, as well as the foundations and assumptions on which the theory rests. After a brief history of deterrence during the Cold War, special attention will be given to the merit of deterrence theory after the Cold War’s end. To be sure, the theory has evolved since the collapse of the Soviet Union and its consequences for deterrence will be reviewed. Finally, the deterrence framework will be updated with recent developments.

What is deterrence?

Deterrence has many definitions, but they all refer to more or less the same phenomenon. The verb ‘to deter’ derives from the Latin deterrere which means ‘to frighten away from’. According to the Oxford Dictionary a deterrent is a ‘thing that discourages or is intended to discourage someone from doing something’.88 Essentially deterrence is the situation in which person A prevents person B from doing something that person A does not like.89 A prevents B’s action by threatening to do something B doesn’t like. When B refrains from doing the action, B is successfully deterred.90 In this sense, deterrence is exercising power. Since power is defined as the capacity of some to produce intended and foreseen effects on others,91 deterring opponents is using power to influence them.

Although the concept of deterrence is very broad in colloquial language, the concept of deterrence is used by scholars of International Relations to describe a specific form of interaction between states. In international politics deterrence refers mostly to the actions state A takes to prevent state B from carrying out a military attack on A. Thomas Schelling described deterrence as a part of diplomacy between states. According to Schelling, ‘the

88 Oxford Dictionary, http://oxforddictionaries.com/view/entry/m_en_gb0220560#m_en_gb0220560.005

89 Morgan, Deterrence Now p. 1.

90 Freedman, Deterrence p. 27.

91


power to hurt is bargaining power and to exploit this is diplomacy.’92 States can threaten with pain and violence to coerce other states into doing what they want. When speaking of deterrence, the prevention of a military attack is usually meant by it.93

The concept of deterrence can be divided into three levels on which deterrence is active: deterrence as a tactic, as a critical security component of the international system and as a national security strategy.94 Deterrence as a tactic refers to interaction between A and B. When A wants to prevent a particular event from occurring, A employs deterrence to make sure it doesn’t happen. Deterrence as a critical component of the international system’s security refers to a situation in which deterrence ensures the stability of global security. The Cold War can be considered an example: a Third World War did not erupt because both superpowers were deterred from launching a nuclear first strike. Deterrence as a national strategy refers for example to the influence deterrence had on shaping US foreign policy during the Cold War. This last level provided the basis for the theory of deterrence.95

Deterrence is a form of coercion, but it is not the same as compellence. Compellence is ‘the use of threats to manipulate the behavior of others so they stop doing something undesired or do something they were not previously doing’.96 Compellence looks like deterrence because it also involves the use of threats (e.g. military force) to stop B from doing something A doesn’t want (e.g. an invasion). The distinction between the two is that with deterrence A wants B not to do something, while with compellence A wants B to do something. When A threatens to bomb B if it invades A’s territory, it is deterrence. If A threatens to bomb B when it continues to invade A’s territory, it is called compellence. Also, deterrence is indefinite in timing: if B invades, then A will retaliate.97 There is no deadline before which B must act to invoke A’s retaliation, while with compellence timing has to be definite: B must stop the invasion or face A’s retaliation. Without the deadline for B to stop invading, the threat is not credible and compellence will fail.98 Although the distinction between the concepts may seem subtle, the two are distinct.99

92 Schelling, Arms and Influence p. 2.

93 Morgan, Deterrence Now p. 4.

94 Morgan, Deterrence Now p. 4.

95 Morgan, Deterrence Now p. 4.

96 Morgan, Deterrence Now p. 2.

97 Schelling, Arms and Influence p. 72.

98 Schelling, Arms and Influence p. 72.

99


Essence of deterrence

The theory of deterrence rests upon a couple of fundamentals and assumptions. First the fundamentals will be reviewed; after that key assumptions are discussed.

Core premises

Within deterrence theory there are three core premises100 that are required for a successful deterrence attempt. Deterrence can only be successful when the threat is credible. The deterrer has to convince the opponent of its credibility by showing him that:

- it has sufficient and effective military capability

- it could impose unacceptably high costs on the opponent

- it is prepared to do so

The deterrer must have the means to impose unacceptable costs and show that it is prepared to use those means in order for the threat to be effective. The threat must be credible so that the opponent believes the deterrer is likely to respond to a given act, and the deterrer must be able to communicate the threat to the opponent.101 The opponent will then make a cost-benefit analysis and decide whether or not it will continue with its plans. If the costs are higher than the benefits, the opponent will decide to forgo a planned act.102 According to theory, deterrence is then achieved.

Communication is of utmost importance for deterrence to be successful.103 When the opponent misinterprets the signals the deterrer sends out, the opponent might decide to continue as planned. When the opponent does correctly understand the signals the deterrer is conveying, it might not be convinced of its credibility and continue nonetheless. Even when the opponent understands and is convinced, it might think the benefits outweigh the costs. Also, the threats that are sent are not always the threats that are received. Troop movements, diplomatic words and economic sanctions are ambiguous and can be interpreted differently

100 Morgan, Deterrence Now p. 4; Kaufmann, W., ‘The Requirements of Deterrence’ in: Kaufmann, W. (ed.), Military Policy and National Security (Princeton, 1956) quoted in: Quackenbush, S., ‘Deterrence theory: where do we stand?’ in: Review of International Studies (Vol. 37, Issue 2, 2010) p. 741-762 there p. 742.

101 Paul, T.V., ‘Complex Deterrence’ in: T.V. Paul, P.M. Morgan and J.J. Wirtz (editors) Complex Deterrence Strategy in the Global Age (London 2009) p. 1-27 there p. 2; Morgan, P.M., ‘Saving face for the sake of deterrence’ in: Jervis, R., R.N. Lebow and J.G. Stein (editors) Psychology and Deterrence (London 1985) p. 125-152 there p. 125.

102 Paul, ‘Complex Deterrence’ p. 3; Stein, J.G., ‘Calculation, miscalculation, and conventional deterrence I: The view from Cairo’ in: Jervis, Lebow and Stein (ed) Psychology and Deterrence p. 34-59 there p. 35.

103 Stein, ‘Calculation, miscalculation, and conventional deterrence I’ in: Jervis, Lebow and Stein (ed)


than intended by the opponent.104 This might aggravate a situation instead of soothing it, especially when the opponent’s rational analysis fails or when its decision-making process is flawed. Deterrence fails in these circumstances105, demonstrating the importance of effective and correct communication to convey threats.106

Assumptions of deterrence

Given the core premises above it becomes clear that deterrence theory is based on a number of assumptions. Here the four central assumptions of deterrence theory will be outlined.

Firstly, deterrence assumes that actors are rational and that they undertake cost-benefit analyses before they make a decision. The stakes are valued, the situation is mapped, the consequences are predicted and the costs and benefits are identified. The theory considers this to be universal in application: ordinarily all states will behave like this.107

But are states rational?108 Weak bureaucracies or internal political strife can disrupt a rational decision-making process. Strong ideological views or religious zeal could corrupt rationality. Also, individual leaders who succumb to group-think or who are prone to take high risks will not always make rational choices.109

To deal with the question of rationality a distinction can be made between instrumental and value rationality. Instrumental rationality assumes that actors make cost-benefit analyses to advance their own well-being or to acquire goods to maximize utility. When costs are too high, actors will modify their goals. With value rationality, actors pursue intangible goals such as ideological missions or religious quests. Even when the chance of success is very low, they could still continue because of the great value they place on achieving these goals. Although sacrificing one’s life for religious goals may make little sense

104 A fear present in the Cold War. Both superpowers were wary of the escalation risk that miscommunication could pose and took measures to improve and assure communication in times of high tension. The direct Soviet-American ‘hotline’ illustrates this. Schelling, Arms and Influence p. 260-262.

105 For historical examples of various miscommunications, see: Jervis, R., ‘Perceiving and coping with threat’ in: Jervis, Lebow and Stein (ed), Psychology and Deterrence p. 13-33.

106 Freedman, Deterrence p. 28-29; Jervis, R., ‘Introduction: Approach and Assumptions’ in: Jervis, Lebow and Stein (ed), Psychology and Deterrence p. 1-12 there p. 1 and 9-10.

107 Paul, ‘Complex Deterrence’ p. 5-6; Stein, ‘Calculation, miscalculation, and conventional deterrence I’ in: Jervis, Lebow and Stein (ed) Psychology and Deterrence p. 34-59 there p. 35-36; Quackenbush, S., ‘Deterrence theory: where do we stand?’ in: Review of International Studies (Vol. 37, Issue 2, 2010) p. 741-762 there p. 742-743.

108 Predicting state behavior in deterrence rests upon elements of Game Theory, which assumes perfect rationality to predict outcomes. For Game Theory, see: Schelling, T., The Strategy of Conflict (Cambridge Massachusetts 1960); for limitations of Game Theory, see: Schelling, T., Choice and Consequence (Cambridge Massachusetts, 1984) p. 238-242.

109


from an instrumental perspective, deterrence might not always work when actors are bound by value rationality.110

Secondly, the theory assumes deterrence to operate mainly among states. States are the key actors in the international system and are regarded as rational bureaucratic entities with coercive power. States are the legitimate authorities that can start wars and sign peace treaties.111 This assumption corresponds nicely with the definition of cyber warfare presented in Chapter One.

But what if the opponent is a non-state actor or a failed state which does not have a rational decision-making process?112 Deterring terrorist groups is especially interesting in this regard: is it possible to deter a terrorist who is willing to sacrifice his or her life for the pursuit of intangible religious goals? According to value rationality, deterrence might not work.113

Thirdly, there is the assumption of intense rivalry among the different parties in the international system. War is constantly considered a possibility for which a state must prepare. Whenever the opportunity arises and the benefits outweigh the costs, states will not hesitate to seize the moment.114

When these three assumptions are considered it becomes clear that deterrence theory is grounded in a realist image of the international system. Within classical Realism states are the principal actors, they are unitary, have rational decision-making processes and constantly prepare for war in a turbulent harsh world.115 War is regarded as an instrument of politics and states will go to war if it suits their interests better.116 State interest is defined in terms of power and is most important when formulating foreign policy.117 A good foreign policy minimizes risks and maximizes benefits.118 Furthermore, the concept of cyberspace shows resemblance to the neo-realistic assumption that the international system is anarchical in

110 Paul, ‘Complex Deterrence’ p. 6; Quackenbush, S., ‘Deterrence theory: where do we stand?’ in: Review of International Studies (Vol. 37, Issue 2, 2010) p. 741-762 there p. 748-749. Also, Janice Gross Stein has written about the possibility of using rational deterrence versus irrational adversaries. See: Paul, T.V., P.M. Morgan and J.J. Wirtz (editors) Complex Deterrence Strategy in the Global Age (London 2009) p. 58-82.

111 Paul, ‘Complex Deterrence’ p. 6-7; Lebow, R.N., ‘Conclusions’ in: Jervis, Lebow and Stein (ed), Psychology and Deterrence p. 203-232 there p. 203.

112 Paul, ‘Complex Deterrence’ p. 7.

113 Notable research on this particular field includes Robert Jervis, Deterrence, Rogue States and the US Policy; S. Paul Kapur, Deterring Nuclear Terrorists and Emanuel Adler Complex Deterrence in the Asymmetric-Warfare Era. See: Paul, Morgan and Wirtz, Complex Deterrence.

114 Paul, ‘Complex Deterrence’ p. 6-7; Quackenbush, S., ‘Deterrence theory: where do we stand?’ in: Review of International Studies (Vol. 37, Issue 2, 2010) p. 741-762 there p. 742-743.

115 Steans, J., and L. Pettiford, Introduction to International Relations (Harlow 2005) p. 51-52 and 53-54; Burchill, S., and A. Linklater (editors), Theories of International Relations (Hampshire 2009) p. 32-33.

116 See for example Clausewitz, C. von, On War.

117 Morgenthau, H., Politics Among Nations. The Struggle for Power and Peace (New York 1948).

118

(29)

nature and has no supreme government.119 Indeed, the lack of a supreme government is one of the problems concerning the deterrence of cyber attacks as will be demonstrated in Chapter Four. Nonetheless, at this stage it is sufficient to note that deterrence theory has its roots in Realism.

Lastly, deterrence theory assumes that each class of weapons occupies a different layer in the deterrence calculus of states. Conventional, biological, chemical and nuclear weapons all have their own playing field, and deterrence is applied to each category independently.120 However, when states use nuclear weapons to respond to a conventional threat, these dividing lines begin to blur. Also, since nuclear weapons can vaporize entire cities, would responding with nuclear threats to a conventional attack still be credible? States know the sheer power of these weapons, and using them to respond to conventional attacks may seem like overkill. How credible is such a threat? These issues have eroded the robustness of the theory and call its applicability into question.121 Advocates of deterrence theory have picked up on these issues and argued that deterrence has not lost its merits after the end of the Cold War. Instead, they argue that the theory has evolved into a more ‘complex deterrence’.122 Before this evolution and its consequences can be understood, we must first delve a little deeper into deterrence.

Different forms of deterrence

Deterrence comes in many forms, and scholars have identified several types of deterrence. First, a distinction must be made between nuclear and conventional deterrence.123 Nuclear deterrence refers to the prevention of military attacks between nuclear states. What Bernard Brodie rightly called the ‘uncontestable weapon’ greatly impacted security thinking in the Cold War, when states became aware that these weapons constituted a class apart.124 Their unparalleled destructive force and the immense difficulty of defending against them when used on the battlefield made atomic bombs a weapon of coercion.125 The ensuing arms race resulted in the concept of ‘mutually assured destruction’. If either side launched

119 Waltz, K., A Theory of International Politics (London 1979).

120 Paul, ‘Complex Deterrence’ p. 6-7.

121 Paul, ‘Complex Deterrence’ p. 7.

122 Scholars that continue to discuss and defend the value of deterrence theory are for example: R. Jervis, P.M. Morgan, L. Freedman, T.V. Paul, R.N. Lebow, J.J. Wirtz and J.G. Stein.

123 Adler, ‘Complex Deterrence in the Asymmetric-Warfare Era’ in: Paul, Complex Deterrence p. 85-108 there p. 88-90; Quackenbush, S., ‘Deterrence theory: where do we stand?’ in: Review of International Studies (Vol. 37, Issue 2, 2010) p. 741-762 there p. 751-752.

124 Paul, ‘Complex Deterrence’ p. 2.

125
