Does Deterrence Work Against Cyber Terrorism?

In February of 2017, Joseph Nye wrote the article Deterrence and Dissuasion in Cyberspace, in which he discusses the applicability of the concept of deterrence to the realm of cyber. Nye distinguishes the cyber realm from deterrence in the context of nuclear weapons, noting the inherent challenges that ambiguity and attribution pose in the cyber landscape. As a result, cyber actions often land in a “gray zone”, between war and peace, with the perpetrators hiding in the shadows of several remote servers. However, Nye argues that four key mechanisms, depending on the specific context of who and what, can be applied to help deter and dissuade: threats of punishment, denial, entanglement, and taboos/norms. In discussing these mechanisms, Nye argues that entanglement, such as economic interdependence, renders the threat of a surprise attack by a major state rather unlikely. Moreover, citing the example of biological and chemical weapons, Nye believes that international norms and taboos can be leveraged to increase the stigma around attacking certain types of targets in peacetime, raising the reputational costs of such an attack.

However, I remain relatively unconvinced of the ability to deter terrorists from conducting a cyber-attack. Nye admits, “As in the kinetic world, deterrence is always difficult for truly suicidal actors such as terrorists who seek religious martyrdom”, but asserts that, “thus far terrorists have used cyber more for recruitment and coordination than for destruction…At the same time, even terrorists and criminals are susceptible to deterrence by denial.” (CITE) However, the U.S. lacks much of the leverage that they wield over traditional states. That is to say, without the ability to strike back at an electrical grid, without the risk of threatening their economic dependence on the U.S. – can the U.S. credibly deter cyber-attacks from terrorist groups? Groups such as ISIS flagrantly disregard international norms, and display an affinity for utilizing the latest internet technologies.

I agree with Nye that, thus far, criminals and terrorists have opted to utilize cyber resources for coordination and recruitment, and likely at this point, ISIS lacks the technical expertise and operational capacity to execute a large-scale cyber attack. However, cyber defense has thus-far proved to be rather porous, and the number of targets is ever increasing with the Internet of Things. Moreover, similar to the rise of DIY biological engineering, a burgeoning wave of interest in the internet and computer science has emerged, diffusing knowledge across the globe. While right now, one might believe it rather unlikely that ISIS would be able to execute a cyber-attack, if they were to develop the capacity, do people believe that terrorists could be deterred from utilizing cyber-attacks? — Olivia

22 thoughts on “Does Deterrence Work Against Cyber Terrorism?

  1. I agree with you Olivia. Cyber attacks pose a unique threat to the United States, threats which conventional deterrence measures simply will not work—particularly when considering a non-state actor.

    Threats of punishment is the one mechanisms of deterrence that seems to be universal. No one wants to be punished or harmed and will thus take the necessary steps to avoid such an outcome. While this is particularly true for a large state that is easy to target and has citizens to defend, it is still somewhat true for a non-state actor who wishes to preserve their group so they can continue to inflict as much damage as possible. However, in cyber space, attacks can be harder to trace, potentially allowing attackers to become more bold as there is a smaller chance they get caught.

    Denial while potentially effective, to me, just seems like kicking the can down the road. Improving our internet security well enough to defend against cyber attacks—which from what we’ve read seems impossible—simply will force our adversaries to look into other ways to harm us. While they may have lost time in the construction of computer viruses and bugs that intended to harm us but couldn’t, it ultimately is shielding us on just one front. Furthermore, for other attacks, like bio or nuclear weapons, denial can find itself in the form of regulating certain products or materials in the marketplace. Cyber attacks come from lines of code which can be hidden, distributed, and not regulated at all.

    Entanglement, as Nye suggests, is really only relevant for large state attackers whose economy is strongly linked with others. Nye even mentions that some countries—like Iran—whose economy is not heavily tied with ours would not be overly concerned with entanglement in the execution of a cyber attack. Thus, this is not at all an effective strategy against cyber terrorism from non-state actors.

    Norms are also irrelevant for non-state actors. Furthermore, in my opinion, with the release of Stuxnet, the United States has already altered the norms—potentially even large countries would not feel as obligated to release viruses as the US already has. Furthermore, with cyber espionage and gray-zone “attacks” as common place, it does not seem inconceivable that a full on cyber attack could follow.

    Therefore, I think that cyber attacks pose unique challenges to our system that conventional deterrence measures cannot stop. Our best bet seems to be denial by improving our own security, which will only force our adversaries to search for and ultimately find other vulnerabilities elsewhere in our country.

  2. Olivia, I think both you and Easton touch on important facets of the problems of deterring cyber attacks. Attribution seems to be the most glaring difference between cyber and conventional deterrence. The United States knows the locations and sizes of the various nuclear arsenals around the world and is therefore capable of deterring nuclear attacks. Nuclear deterrence against non-state actors is more difficult because, like in cyber attacks, it is difficult to pinpoint those directly responsible (unless, of course, they come right out and say it). Furthermore, in the age of next-generation proxy servers and VPNs, attacks can become even more convoluted and difficult to attribute.

    Easton, I disagree with your contention that the release of Stuxnet is the beginning of some kind of cyber arms race, with large countries building and releasing ever more potent cyber viruses. As Hersh, 2010 discusses, viruses like Stuxnet are difficult to control and can turn around and harm allied networks just as equally as they can harm enemies. In my (completely unprofessional) opinion, “total” cyber warfare, were viruses are created not to infiltrate, but to destroy enemy networks is unlikely to ever happen simply because life without the internet is seemingly inconceivable at this point. This is the same logic behind anti-satellite warfare: it harms all parties, even the attacker.

    Lastly, Olivia, I think it is important that we do not underestimate the skill of a single individual with a network of powerful computers at their disposal. While I agree that ISIS is unlikely to mount a large-scale cyber attack, we can’t forget that North Korea – a state that lacks much of the resources and human capital when compared with countries like China and Russia – successfully hacked several US companies, in addition to stealing billions of dollars from the central bank of Bangladesh. To me cybercrime seems like an appealing, low cost, and low risk way for any actor – state or non-state – to finance their organization.

  3. First off, I would like to agree with Olivia in that Nye seems a little too optimistic about the future of cyber-warfare, even when he does qualify his statements about deterrence by emphasizing the difficulty of attribution and the large number of non-state parties that engage in malicious cyber-activity.

    Nye quotes Michael Schmitt as saying that a proper retaliatory response to cyber attacks is hard to quantify as attacks can range from “mere annoyance to death”. I would argue that not only is it difficult to construct an appropriate response to a cyber-attack, but that it can be incredibly difficult to define the exact impact of any given cyber-attack itself. Attacks that some might place on the “mere annoyance” side of the spectrum could actually play a real role in deteriorating a political or economic institution.

    Take, for example, the antics of the Syrian Electronic Army. Formed to support President Bashar al-Assad in 2011, this group of hackers (mainly young freelancers in Syria, according to reports) famously tweeted in 2013 from the Associated Press Twitter account that the White House had been bombed and President Obama was injured. While readers and followers noticed that the tweet was false incredibly quickly, this did not prevent the stock market from dipping almost $150 billion instantaneously. The market recovered almost completely, and the tweet was deleted.

    Was this mere annoyance? There were no evident permanent repercussions on the stock market, and it’s highly unlikely that anyone suffered permanent damage in the small amount of time that the tweet was believable. But attacks like these may erode public perception of the security of certain systems in which we put our trust. When we hear that the Associated Press can be manipulated even mildly, our trust in the press as a whole may diminish. If we see a website’s design get manipulated, even as an obvious “prank”, we might not trust that that website is secure enough for us to make purchases there.

    Mere annoyances do not exist in the cyber world, and as we can all agree, deterring these occurrences is not an easy task.

  4. Like everyone above, I do not believe that deterrence will work against cyberterrorism. As PJ states, cybercrime is appealing because of its relative low cost and low risk for any actor. Terrorists do not have to be “truly suicidal,” for they very little to risk in attempting cyberattacks, especially (as PJ also points out) since attribution can be difficult in this “grey zone”. To address Olivia’s question whether ISIS will be able to execute a large-scale cyber attack, I believe that they can with some technical expertise. With all the technical vulnerabilities that exist, someone can surely find a way to exploit them. It appears, as Easton concluded, that our only solution is to bolster our own security and technical means of defense.

  5. Cyber deterrence and nuclear deterrence present very different challenges for our national security. In both cases, however, deterrence should remain only a component of our defense policy. Deterrence should never be the principle strategy underpinning national security. Cyber-defense includes many more constituent parts, including the protection of computer systems from hardware and software impairment.

    To respond to the question that Olivia posed, deterring cyber-attacks carried out by terrorists is possible, yet difficult. As previous responses have noted, Nye’s four key mechanisms to dissuade cyber attacks are not all useful when applied to terrorists. As Easton observed, terrorists are not concerned with international norms, nor are they linked economically to the US. These denial strategies therefore do not apply to terrorism.

    Deterrence-by-retaliation strategies may provide defense strategists with more optimism. Making “threats of punishment” and “denial” strategies a feasible part of US defense policy requires that the US invest more money into solving problems of attribution. If the US can acquire the capability to track the point of origin through remote servers, the US will become instantly more credible. Nye himself remarks, “high-quality attribution is often difficult and costly, but not impossible.” If the US enhances these tracing capabilities, it will make deterrence-by-retaliation much more credible.

  6. I agree with the posts above in that deterrence is unlikely to prevent terrorist cyber-attacks from ISIS and other non-state actors. The most obvious evidence supporting this conclusion, as I see it, are real-life terrorist attacks which are carried out with horrifying regularity. Terrorists have even less ‘skin-in-the-game’ so to speak, in the cyber world than in material world and yet despite our best efforts at real world deterrence they persist in attempting and occasionally succeeding in perpetrating acts of terror. Think of how much less commitment it would take for a cyber-terrorist to carry out an act of terror than a suicide bomber, for instance.

    It seems, as noted above, that we cannot rely on deterrence but should focus on bolstering our cyber-defenses. Though they may not have the technological capacity or knowhow to carry out a devastating large scale attack today, it is improbable that terrorists groups will not develop such a capacity with more time, given the ever-changing cyber-landscape and the democratization of technical knowledge, facilitated by the internet. Still, the US has immense resources at its disposal to train its own cyber-experts and develop strong cyber-defenses, as noted in the Washington Post reading for this week. Since cyber-defense must often rely on reacting to attacks as opposed to pre-empting them, it may seem like the deck is stacked in favor of potential attackers like ISIS. However, the US military budget so dwarfs that of any terrorist group or non-state actor that hopefully the calculus will tip in the US government’s favor as we develop more advanced technology and groom more cyber-security forces.

    Of course, the threat of cyber-terrorism has, as yet, not attracted the necessary alarm from the public to spur the governmental action that will be required to build the level of cyber-defenses that will ultimately be needed. The dangers posed by bad actors in cyberspace may someday rival those of more conventional threats. Yet the US Military’s spending on conventional weapons is many-many times that of our spending on cyber-security. That being said, the good news is, as the readings this week make clear, many people in positions of power take the threat seriously so I am hopeful that the US will develop the capability to fend off the inevitable cyber terrorist attacks from actors like ISIS.

  7. Nye approaches his discussion of deterrence primarily predicated on the assumption that the difficulty of attributing responsibility for a cyberattack undermines the power of deterrence. On this assumption, I agree with everyone above that we have very little deterrent power available against terrorist groups when it comes to cyberattacks, given that they don’t give any mind to the norms issue and are not hurt by entanglement, the difficulties of attribution make it difficult to credibly threaten to punish those who perpetrate cyberattacks, and as Olivia points out, defense is difficult and always a question of trying to outpace and outsmart the people trying to get around your defenses.

    However, I want to challenge the basis of the question that Olivia (and also, implicitly, Nye) is asking, about whether deterrence can work against cyberterrorism. The question I think we should be asking is, do we need to be worrying about deterring cyberterrorism? I would argue that the answer is no. ISIS is certainly capable of carrying out a large-scale cyberattack, but it hasn’t yet. This isn’t a coincidence, and I don’t think it’s a “matter-of-time” issue, as Nye and my classmates have been treating it. Cyberwarfare isn’t a very good terrorism strategy, for precisely the same reason that it is hard to deter cyberattacks—the difficulty of attribution. Terrorism fundamentally depends on attribution to succeed—they want to make you scared of them, not just generally afraid. There’s a reason terrorist groups routinely claim responsibility for attacks (even sometimes for attacks that they are not actually responsible for)—their image as a group that inspires fear depends on people knowing and believing that they have done things that they should be afraid of. This depends on big, showy attacks, which are often easier to do with a bomb than a very complex cyber weapon, and fundamentally on attribution. As long as the difficulty of attribution continues, cyberterrorism would only make sense if the terrorist group publicly takes responsibility, which would then enable deterrence by threat of punishment. And even so, there are only a few possible vectors of cyberattack that might be as terrifying to the American public as a bomb: loss of electricity, loss of internet, or loss of cell service. And while losing electricity would take lives, it is not a violent attack the way a bomb is. With attribution, cyberterrorism works, but so does deterrence. Without it, I think we can concern ourselves less with cyberterrorism and more with the many other areas of cybersecurity that are of legitimate concern.

  8. I agree with those above who argue that deterrence is an unreliable strategy in the context of cyber-terrorism, but I think that the greater threat could come from state sponsored cyber warfare. For the time being, ISIS, while certainly a danger to the United States, does not significantly threaten our existence. While ISIS militants are absolutely active online, this is mostly for recruitment purposes (the use of twitter and radical blogs does, on the other hand, pose a significant threat as a way of radicalizing citizens on American soil). Instead, the larger threat of cyber attacks seems to come from hostile states. It is important to remember the SONY hack of 2014, in which hackers, who were allegedly North Korean sponsored agents, were able to break in to the files and databases of SONY pictures in order to steal employee information and proprietary company property. Attacks like this pose a major threat the United States’ economy in a way that ISIS does not. In addition, cyber-warfare may take many forms; for example, in the 2016 election, the threat of Russian cyber-warfare was (and still is) a popular explanation for the influx of “fake news.” In this way, cyber-warfare can undermine an election process and delegitimize a governing power.
    Though state sponsored cyber-warfare poses a larger threat to the United States, Nye argues that, in this case, deterrence is much more effective. The need for continued diplomatic and economic relations, not to mention the possibility of a military response can defend against this threat much more reliably than against lone-wolf attacks.

  9. I agree with Caroline in that cyberwarfare is not an attractive strategy to certain terrorists whose main intention often is to elicit fear from the mass by showing its capabilities. However, it seems like another array of terrorism that is self-motivated and mostly fueled by ideological or religious credos is increasingly dominant in today’s Western societies. Often being referred to as ‘lone wolves,’ this sort of terrorists often try to damage their adversaries by remaining uncaught, rather than strategically orchestrating their crimes to raise public attention to certain issues. In this case, cyber area remains an area where they can attack their targets with minimal cost and low risk of being punished.

    The emergence of these spontaneous individuals with terrorist intentions pose new challenges to the debates on deterrence. Since they are outside any command structure or organization, a deterrence-by-retaliation tactic would not be effective. They are also open to the possibility of collaborating with existing terrorist groups or even state actors and leave no trace of such collusion. Their attacks are less likely to be as powerful or damaging as those of group-based players, but can still pose a significant threat if their large number overpowers cyber security forces.

    If we picture the landscape of this area of cyberwarfare as a battle between a number of individual attackers and cybersecurity professionals, in most times the latter is merely a defender who cannot hold the attackers criminally liable. Even though the prospect of tracking the attackers and holding them accountable is often not so bright as of now, I believe it should be the long term goal of the government to create sufficient institutional measures to demotivate the attackers. Deterring these individuals from attacks must be a crucial part of future cybersecurity posture.

  10. To address the question that Olivia poses at the end of her blog, my answer is no. I do not believe that terrorists could be deterred from utilizing cyber attacks. The primary reason for this is because of the lack of cyber infrastructure in many terrorist organizations that Olivia mentions. Deterrence is based on fear of retribution, however retribution is challenging when there is no electrical grid or infrastructure to target. In other words, a cyberattack on the U.S. would likely be far more devastating than a cyber attack on ISIS or Syria. With that said, a lack of cyber infrastructure also means that a cyberattack from a terrorist organization is less likely. However in spite of this, if they were to somehow develop the capabilities to create a major cyberattack, I have a hard time believing they could be deterred.

    Furthermore, beyond the lack of infrastructure, I believe there is a different, more simple reason that deterrence would not work with cyber attacks: we have limited evidence of their strength. There is no Hiroshima or Nagasaki of cyber warfare; no single moment in history that provides a sort of “horror-factor” associated with this type of weapon. There have certainly been incidents of cyber attack, such as China’s Great Firewall/Cannon, STUXNET, and even the recent Mirai DDOS attack. However none of these attacks have created nearly as much widespread death or destruction as a nuclear bomb has. This is what I believe cyber attacks lack: a visible “wow” component that truly incites fear in the civilians and the government.

    One could argue that since deterrence is still effective with chemical and biological weapons despite the lack of a “Hiroshima” event, perhaps it could work with cyberattacks as well. However, I argue that our experience with epidemic diseases, as well as the chemical weapon use in WWI and evidence of smaller scale biological attacks is enough evidence. All of these examples show the possible destruction that these weapons can illicit. Thus, it is more natural for there to be deterrence with chemical and biological weapons. In contrast, we have yet to see the ways in which a cyber attack can actually harm a nation. Because we lack this physical evidence, it is difficult for deterrence to occur. If we don’t know the full strength of these weapons, how can we truly fear them?

  11. Olivia, I take your point, but I believe there is potential in the four mechanisms that Nye describes–threats of punishment, denial, entanglement, and taboos/norms–all have the potential to deter a terrorist group from utilizing cyber. I will preface my incredulity with my distrust in the emphasis on viewing terrorist groups as “truly suicidal… who seek religious martyrdom.” Viewing religion as a sui generis category that uniquely rules human life is intellectually dubious. It separates religion and religious belief from the wider web of culture and acculturation. Promoting this false dichotomous categorization allows us to inanely consider “irrational actors” that do not exist and limit our vision of policy possibility. (Yes, irrational and “insane” people exist in isolation, but everyday processes of human acculturation combined with the conglomeration of persons within the subculture of specific terrorist group scenario imply a level of internal coherence, based on ideology and systems of ethical values, which we can and should attempt to understand to best combat their terrorist actions.) If we do negate the belief in “suicidal” or “irrational” actor groups, we open up possibilities for deterrence. Attempting to understand their values systems allow us to know what forms of taboos, punishments, and denials will get a message across and affect even those hoping for “religious martyrdom.”

  12. I agree with most on the topic of non-state actors – I do not believe that most deterrence tactics are sufficient to prevent a cyber-attack from a non-state actor. Considering Nye’s four means of deterrence and dissuasion supports this point. Punishment is already a less reliable method of deterrence in cyber space, due predominantly to the fact that often, the identity of the attacker is unknown. Therefore, it is predicted to be less applicable than, as Nye cites, nuclear weapons. Entanglement, whereby economic interdependence and the adverse effects from a cyber attack on the attacked country’s economy would dis-incentivize an attack, seems less-applicable to non-state actors, who may not hold national concerns. Finally, adherence to norms and taboos is not applicable to non-state actors, who fail to take these factors into consideration.

    Nye’s tactic of denial appears to me to be the only reliable method for deterrence in cyberspace – applicable to both state actors and non-state actors. If the United States can enhance their defense mechanisms to the degree at which the costs of a cyberattack outweigh the benefits (meaning that the state is so well-defended that the impacts of a cyber-attack would be small), attackers may not view it worthwhile to launch a cyberattack against the US. This tactic is particularly applicable to non-state actors, I believe, because it seems feasible to remove the, as Nye describes it, the “low-hanging fruit” that non-state actors would more likely be able to reach in a cyber-attack.

  13. Like everyone else, I think the answer to Olivia’s question is no. Nye gets to this idea at the end of the article when he states that the effectiveness of deterrence simply “depends on how, who, and what” (68). He goes on to state that attribution and deterrence are not impossible, but the effectiveness of deterrence based on norms or taboos is not likely for non-state actors. I agree that terrorists cannot be deterred from using cyber-warfare through logical or reasonable considerations, but I do agree that a nation-state can be deterred from using it, simply not a non-state actor (neither a terrorist nor a ‘lone wolf’). I think Caroline is also asking the more relevant question of if we need to worry about cyberterrorism? I think the answer to this is also no. It is not a major national security threat, nor do I see it becoming a major threat soon (at least not the use of cyber weapons by terrorists). I agree that the lack of recognition in cyber attacks undermines terrorist’s goal to inspire fear in a population, and we have no reason to think that cyber-attacks can cause as disastrous of a catastrophe as other forms of warfare. Nye even addresses this idea that cyber-attacks are not frequently used, and ultimately expresses wariness about the use of cyber-warfare in the future because of the uncertainties surrounding its use.

  14. I agree with most of the people above that most of the deterrent tactics Nye mentions might not be completely effective in deterring a non-state actor from developing a cyber attack. It is true that it would be incredibly difficult to attribute the source of a cyber attack due to the incredibly diverse number of actors, particularly non-state actors, in the cyber world.

    The idea of a “cuber-Pearl Harbor” was interesting to read about, as well as was Nye’s definition of deterrence. Nye argues that deterrence “means dissuading someone from doing something by making them believe that the costs to them will exceed their expected benefit.” When dealing with many non-state actors, especially groups such as the Islamic State and al-Qaeda, I do not believe that deterrence tactics will work. Policy-makers need to consider the rationality and irrationality of the actors they are working against. Terrorist groups in particular often act very irrationally, in the sense that they often act on a whim or have certain targets that strategically do not always make sense.

    Ultimately, Nye argues that “the answer to the question of whether deterrence works in cyberspace pends on how, who, and what.” This conclusion was incredibly vague! Working against a small non-state actor as opposed to a large state such as Russia would make a large difference when considering deterrence tactics. I especially agree that whether or not we are in a period of peace depends as to whether cyber deterrence tactics would work. Deterrence is not impossible, but it is highly unlikely when we consider who we would be going up against in the cyber world.

  15. Perhaps because it has become habit, I’m going to disagree.

    For one—and this is beyond the subject of this blog post or this course’s discussion per se—distinguishing between the aims, purposes, ideologies, and modi operandi of various non-monolithic terrorist groups suggests to me that ISIS has little incentive to carry out a cyber attack against the United States. We readily recognize ISIS as a heuristic for the most vile and formidable terrorist group of the day, but based on my understanding of the organization, I wouldn’t expect a cyber attack on the U.S. to come from ISIS. But let’s open the discussion to a generic cyberterrorist threat.

    As for deterrence, I’ll go back to an article that Nye wrote not in 2017, but in the Winter 2011 issue of Strategic Studies Quarterly, when he appropriately issued a caveat that “continuing technological change [can be expected to] complicate early efforts at strategy.” Nye makes an important point to suggest that the issues that would preclude deterrence, namely a difficulty in attribution of cyber attacks, are overcome. That is, deterrence can exist even without attribution in a few ways:

    “If firewalls are strong or the prospect of a self-enforcing response (‘an electric fence’) seems possible, attack becomes less attractive. Offensive capabilities for immediate response can create an active defense that can serve as a deter­ rent even when the identity of the attacker is not fully known. Futility can also help deter an unknown attacker. If the target is well protected or redundancy and resilience allow quick recovery, the risk-to-benefit ratio in attack is diminished.”

    Moreover, as Nye writes in 2017, attribution is relatively unrelated to the issues of denial, norms, and entanglement, the latter of which is a strong and compelling argument in favor of deterrence, in my opinion. All of this question about deterrence is premised on a question we haven’t asked, because it has less to do with the science of these issues, but one must be sufficiently incentivized to launch an attack of this caliber. I don’t think ISIS has that interest. I think that the forms of deterrence mentioned by Nye reduce that motivation further.

    This isn’t to say that we shouldn’t invest in defenses—we should. Nye is consistent from 2011 to 2017 in his assessment, shared by most of the class (I believe), that cyber as a war field is low-cost, (somewhat) lower risk, and has lower technological and intellectual barriers to entry. If our deterrence fails, let’s hope our defenses don’t. But we ought to try to deter.

  16. We seem to be relatively in agreement as a class in saying that Nye’s theory of deterrence is at best naive and unrealistic and at worst simply fiction. Although Nye makes good points in saying that deterrence has served a purpose in warfare since the dropping of the atomic bombs on Hiroshima and Nagasaki, he fails to account for the nature of the new threat the world faces. His overview of cyber warfare is trite and glosses over large flaws in his own argument, such as the problem of attribution in cyber which could cause nations to go to war over an attack that the other side did not commit.

    We can also look more closely at Nye’s precise language to see flaws in his hopeful theorizing. He says explicitly that “Classical deterrence theory rested primarily on two main mechanisms: a credible threat of punishment for an action; and denial of gains from an action,” in reference to nuclear deterrence. In the case of cyber attacks combined with the notion of terrorism, neither of these conditions is satisfied. The attribution aspect of cyber means that finding the perpetrator of an attack could be either time-consuming (not a popular option for a nation that has just been attacked) or impossible, making punishing an actor for an offense either impossible or unwise. And the gains from any act, in the eyes of a terrorist, are simply the levels of fear inspired in the population of the targeted, making any large-scale successfully executed attack by nature a tangible gain for a terrorist group.

    But as we have established that this article is rather unrealistic in its vision of the capabilities of deterrence, we should also be asking ourselves what our next best option is. As more and more of our world becomes dependent on computers, it becomes a greater and greater risk that one day a single line of code could wreak havoc on society. If we are unable to stop cyber warfare or cyber terrorism indefinitely, should we be looking into ways to mitigate the potential damage of future attacks? Or in creating some time of automatic response program that would attack the perpetrators of a cyber attack? And, finally, do we have any way of ensuring that future attacks would not be able to affect certain systems (Ed Skoudis, our guest lecturer today mentioned that hospitals and health services are especially vulnerable to attack) so that we may protect the weakest among us?

  17. I agree with most people that cyber attack is of a unique kind, compared to attacks from nuclear weapons or biological and chemical weapons. Like some pointed out, the consequence of cyber attacks can range from “mere annoyance to death”, and in the current world, it is more inclined towards the lighter side. However, technology often advances faster than any of us can predict, thus we don’t know if there exists the possibility that in the near future, the threat of cyber attacks will become more imminent. Therefore the threat of cyber attacks are more unpredictable than others. In addition, cyber attacks are indeed more difficult to trace, and they are less risky for terrorists, all these factors pose difficulty to developing effective deterrence mechanism.

    What responses faster to technology of the terrorists is technology of our own. Like Serena and Easton, I believe that improving our own internet security is the most effective way to fight against potential cyber terrorism. We have the most genius computer scientists in the world, whose research on internet and information security should be supported. Therefore when cyber attacks become an actual, possibly deadly threat, our increased security and technical means of defense would be there as protection.

  18. One thing I really appreciated about the Nye piece, as others have noted, was how it brought together many of the different types of security threats, and their associated thought processes, we’ve discussed this semester to provide a more well-rounded and concrete view of what can be a rather amorphous subject. Cyber attacks are very similar to chemical and bio attacks, for example, because they are hard to trace and even harder to control in the case of a cyber virus–there is no guarantee that, in the case of a nation using a virus to attack another nation that the virus would not eventually wind its way back to the original attacker. But it is precisely because of that that Nye’s logic somewhat fails, because while I agree that we should find ways to prevent hackers from attacking and punish them if successful, the inherent anonymity associated with the internet and hacking as well as the ease with which individuals can act as lone wolf outside of the purview of any government of state makes identifying those individuals either preemptively or in the wake of an attack nearly impossible. As such, it is possible that Nye’s proposals as to deterrence and dissuasion represent more idealistic modes of thinking that may or may not be viable to implement in the future. The level of that viability, however, remains to be seen.

  19. I agree with Yasmeen to the point where she suggests that the lack of a Hiroshima or Nagasaki of cyber warfare is a key reason as to why deterrence does not work with cyber attacks. I don’t believe the lack of a horror factor is the reason why cyber attacks are not deterred. I believe that the ease with which one can launch an attack while remaining anonymous is the key factor in making deterrence irrelevant. Deterrence for terrorists is mainly driven by a fear of retaliation. Cyber attacks remove this fear by making the attacker extremely difficult to track. Moreover, terrorist organizations are especially undeterred since the “collateral” they put up when they risk a cyber attack is much less than the potential benefit they gain if their attack is successful. For instance, the terrorists “collateral” may consist of a few computers but the potential benefit they may gain could include access to sensitive government/military information.

    Moreover, not only is the lack of deterrence unsettling, but also the lack of flexibility with cyber attacks. With nuclear weapons or biological weapons, countries can threaten to use them and these threats will be taken seriously. However, if a terrorist group states they are able to hack into a sensitive government database, the government has no reason to believe this threat and if the government does believe this threat, it can simply redouble efforts to buttress the specific database’s defenses, reducing the efficacy of the terrorist cyber attack should it actually occur. Thus, from a terrorist’s perspective, a cyber attack is an all-or-nothing attack. The terrorist cannot really threaten a state with a cyber attack as it could with conventional weapons. This ultimately means that cyber attacks will happen with no warning, making them all the more dangerous.

    I find that the only option is to invest in defense. However, defending against cyber attacks as they occur is exceedingly difficult so if we invest in defense, we should invest not in reactionary technologies that will allow us to better respond to a cyber attack but rather preemptive technologies that are harder to hack into in the first place.

  20. I agree with the prevailing sentiment of this thread which seems to be that Nye is overly optimistic about cyber deterrence. This is because the nature of cyber-space is very different from more traditional deterrence domains. Regarding terror groups such as ISIS, I don’t think there is any symmetric deterrence strategy which could dissuade them from executing a cyber attack. This is for several reasons.

    First is that non-state actors are elusive, and may be more difficult to attribute. A deterrence policy requires knowing the aggressor and in the murky world of cyber space, this can be hard to determine. Cyber weapons can be made near hard to impossible to trace or can be deliberately designed to frame others.

    Second and more significantly is that deterrence is based on your ability to retaliate and your enemies fear of such retaliation. However, there is a clear asymmetry between the U.S. and ISIS in this regard. The U.S. has an incredible amount of cyber infrastructure and a very technologically dependent economy which makes the potential devastation from a cyber attack very large. However, for a group like ISIS, how do you retaliate? They are not a state with a power grid or centralized computer networks. A cyber deterrent strategy would be laughable. Therefore, if the U.S. did have potential cyber offensive capabilities it could leverage against ISIS, there would be little incentive to save this capability as a deterrent instead of immediately using it to weaken the terror group.

  21. Nye elaborates many of the problems that countries currently face with regards to cyber warfare and explains how the need to resolve these challenges will only become more pressing as more and more devices and objects are connected to the internet of things. I think that Ed Skoudis effectively illustrated the problems that will arise with an expanding internet of things yesterday when he gave us an example of how something as seemingly harmless as a doll, when connected could be hijacked by hackers and used to harm children.

    In his lecture yesterday, Mr. Skoudis talked extensively about the future of hacking and cyberwarfare. He explained that, in his opinion, the industry is moving in the direction of cyber actions which can initiate kinetic effects. This is a very alluring idea, and I think it could be somewhat applicable to the difficulty that countries face in trying to deter cyber attacks by non state actors.

    I agree with Olivia’s comment that, “thus far, criminals and terrorists have opted to utilize cyber resources for coordination and recruitment, and likely at this point, ISIS lacks the technical expertise and operational capacity to execute a large-scale cyber attack. However, cyber defense has thus-far proved to be rather porous, and the number of targets is ever increasing with the Internet of Things.” In Olivia’s view, our increased vulnerability is particularly concerning because arguments that deterrence of cyber terrorists is possible appear to be relatively weak.

    I agree that the prospect of deterring cyber terrorists appears impossible. However, isn’t it already impossible to deter conventional attacks by terrorists? Isn’t this just the same problem that we face when presented with the possibility that ISIS or another terrorist organization might have the capability to put together an amateur nuclear weapon? The fact of the matter is that terrorists operate on a different plane than other states and have different incentives that don’t appear to respond to attempts at deterrence. Potential cyber attacks by terrorists appear to be yet another front of states’ ongoing fight against terrorists.

    Although I too think that deterrence of cyber terrorists seems somewhat impossible, I am not suggesting that we should allow cyber terrorist attacks to go unchecked and cyber terrorists to go unpunished. In fact I think that we should employ Mr. Skoudis’s point of kinetic consequences. An attack by a cyber terrorist should be reacted to first in terms of how the attacked country can unleash its own cyber attack on the terrorist, but second, how the attacked country can kinetically, physically attack the terrorist. Terrorists should know that the United States will not tolerate cyber attacks, and that there very well could be physical consequences following a cyber attack. I wouldn’t expect this to “deter” cyber terrorist attacks, but the linkage of cyber and kinetic could make cyber terrorists more wary of the potential retribution they might face because of their actions.

    Although deterrence may not work to deter cyber attacks by traditional terrorists like ISIS, Al Qaeda, etc., the linking of cyber and kinetic retribution for cyber attacks by non state actors could work to deter cyber attacks by other non state actors, mainly those seeking money rather than destruction. This could potentially work because cyber attackers seeking money operate on a similar plane of incentives and priorities as law abiding citizens and state actors do. Thus, they could realistically be deterred by the prospect of likely/probable arrest or punishment following a cyber attack.

  22. One of the presentations done by the final project groups today ties in well to this conversation. They discussed the risk of cyber attacks on the U.S. power grid, which could have lasting repercussions due to the US dependence on electricity for transportation, food and clean water. This seems to partially fit in to Mr. Skoudis’s concern, and Sophie’s discussion of the kinetic results of cyber attacks.

    Sophie discusses the worth of a kinetic, physical retribution for cyber attacks, especially on states and terrorist groups, and the potential for that to serve as a deterrent. However, Mr. Skoudis’s discussion on the “internet of things” and associated risk very much applies to our industries and makes the stakes of a cyber attack even higher. Ajay discusses how this also creates a level of imbalance, because this is an infrastructure that has no equivalent in terrorist organizations.

    Aside from deterrence, the overall sentiment is that cyber attacks are impossible to defend against entirely. But, the large scale risk of industrial cyber attacks could be mitigated by industries less interconnected nationally. The power grid, in particular, is so interconnected that while there are 55,000 substations, knocking out 9 could result in nationwide blackouts for sustained amounts of time. While I don’t know if this is entirely possible, it may be wise to localize the networks so that the risk would only really affect the specifically targeted areas, rather than the entire country.

    From a deterrence point of view, I agree with Ajay’s point that this imbalance makes it hard to have equal punishment for equal crime, and with the overall consensus that it is incredibly difficult to dissuade non-state actors. But, I disagree with Nye’s idea that the anonymity of attacks changes the ability to deter non-state actors. The difference between human rights violations conducted by state actors and non-state actors (specifically terrorist groups) is in taking credit. A terrorist group will take the credit for a cyber attack in order to promote their specific cause and imbue the world with a fear of their capabilities. A state actor, on the other had, does fit into Nye’s assumption because their goals would be covert.

Leave a Reply