Deterring attackers in a new era of cyber warfare: Lessons for operational technology and enterprise security from the nuclear age
Warfare is once again being revolutionized: Threats are now physical and digital. Cyber weapons are being used against IT and operational technology (OT) to threaten critical infrastructure.
Nuclear weapons instigated major evolutions of warfare. Military theorists today wonder whether we can draw lessons from nuclear conflict strategies to help keep our critical national infrastructure — and our enterprises — safe from cyber attacks on operational technology.
Generations ago the detonation of two nuclear weapons heralded a new age of warfare. Since that point, nuclear deterrence strategies have helped keep the world safe.
We search history for ways to prevent cyber attacks. Can we learn from nuclear deterrence? Or do we need a new approach?
Nuclear and cyber weapons both break a historical trend: They are offense-dominant. Before the advent of modern technology, defenders held the advantage — a castle or other fortified position would be much easier for a defender to hold than for an attacker to conquer.
The inability to defend against nuclear weapons led to new defensive strategies. Defenders realized that if they cannot intercept a nuclear missile, they must demotivate the attacker from pressing the red button. The strategy of deterrence was employed. Deterrence, however, requires that the attacker can be identified, and in cyberspace this attribution problem is exacerbated by false-flag operations, where one threat actor poses as another. Examples of this phenomenon include the attacks on France’s TV5Monde and Saudi Arabia’s Aramco.
Since anonymity is easier to achieve in cyber attacks than in nuclear attacks, deterrence becomes less feasible.
Calculus of deterrence
Deterrence influences the aggressor’s cost-benefit analysis. The idea is simple: If attackers believe the cost of a strike outweighs its benefits, they will not act. Defenders can influence this calculation in two ways.
First, defenders can increase costs. If the defender has a robust second-strike capability, the aggressor knows that any nuclear attack will invite a reciprocal strike on its homeland. This logic became known as mutually assured destruction (MAD), which was a viable strategy in an age where national leaders were all considered to be rational actors. Today, we cannot assume all leaders are rational.
Second, defenders can decrease the benefits. This can be achieved through resilience. If an entity has the ability to rapidly restore the functionality of the targeted assets, the benefits for the aggressors are minimized. This effect can also be achieved by redundancy — the ability to employ a secondary system if the primary system fails.
While there are sharp contrasts between the principles of nuclear deterrence and cyber deterrence, we can apply some lessons learned from the nuclear age and recognize where our nuclear mindset may be limiting our approaches to defense.
Key differences
Nuclear deterrence involves five clear principles that cannot readily be transferred to cyber defense.
Attribution clarity vs. attribution ambiguity
Deterrence requires attribution. If attackers are confident they can shroud their identities, then the cost-benefit equation is disrupted, as there is assumed to be no retaliatory strike.
Obscuring the identity of a nuclear attacker is hard. Space-based detection and other intelligence methods provide attribution to a high degree of confidence.
Obscuring the identity of a cyber attacker is not hard. Cyber attribution is part art, part science, and is mired in subjectivity, ambiguity and deniability. Reasonable doubt almost always persists, which acts as a bulwark against victims seeking redress via multinational bodies such as the United Nations.
Destruction assurance vs. destruction gradations
Nuclear attacks offer destruction assurance. They are binary in nature, either detonating or not. While missile defense systems exist, none are known to be reliable, and given the consequences of failure, no nation would base a defensive strategy around unproven technology.
Cyberattacks have gradations. Attackers have different intents. A low-severity attack may cause disruption to a factory floor, while a high-severity attack could disable air traffic control systems and potentially result in loss of life. Each of these could elicit a different response from the victim.
Cyberattacks can also have different degrees of success. Mounting a complex cyberattack typically requires vast investment, and executing one to strategic effect (e.g., accomplishing political objectives) is likely beyond many attackers. Success is not predictable: whether even a highly tailored cyber weapon has the intended effect depends on the quality of the weapon built and on the environment in which it must operate.
In addition, effective defense is possible in the cyber domain, whereas it is not realistic in nuclear conflict. This raises questions as to whether an unsuccessful attack should be responded to in the same way as a successful attack. In the nuclear realm, even an unsuccessful attempt would likely be responded to in kind, but we have yet to determine whether this should be true for potentially destructive cyberattacks.
To manage the complexity introduced by destruction variability in cyberspace, we would need the kind of clear rules that exist with nuclear deterrence.
Red lines vs. no norms
In the nuclear world there are established rules. We know that if one nuclear country strikes another, a reciprocal attack will be triggered. There is no ambiguity; the red lines are clear.
The vast human casualties triggered by nuclear attacks and the near certainty of attribution mean that nation-states know how their enemy will react. With engagement between political leaders, nongovernmental organizations (NGOs) and academia, the rules were clarified during the Cold War. The “no-first-strike” concept emerged to deter pre-emptive strikes against nuclear powers. “Guaranteed second strike,” the combination of air-, land- and sea-based weapons, solidified nuclear deterrent capabilities.
In cyberspace, there are few agreed-upon red lines. Discussions aimed at defining these red lines consistently fail, as nations have different opinions on cyberspace governance.
Cyber espionage, like traditional espionage, appears to be tolerable. Few nations are failing to exploit the digital domain for intelligence gains.
Interference with other nations’ political election processes seems less acceptable, as evidenced by the expulsion of a number of Russian diplomats (and suspected intelligence officers) as a result of the U.S. government’s accusing Russia of interfering in its 2016 presidential election.
We have very little precedent on how cyber sabotage is to be treated. The few available case studies offer little guidance but indicate the potential threats to OT systems that could result in physical damage to critical infrastructure.
For example, the 2007 attack on an Iranian nuclear facility with the malicious computer worm Stuxnet targeted OT systems that produced highly enriched uranium. While Stuxnet diminished Iran’s offensive capability (or near-future capability), it did not affect the country’s critical national infrastructure.
In 2015, a cyberattack in Ukraine became the first successful destructive attack of a national power grid. The OT systems were breached, enabling the attackers to remotely switch off electrical substations. Additional attacks against IT infrastructure, and a denial-of-service attack against the call center to bring customer service to a halt, further augmented the impact. However, we cannot judge any responses as precedent for OT attacks because this incident, judged by U.S. government officials to have been conducted by Russia, occurred when a de facto state of war already existed between the two nations.
These and other attacks raise many ethical questions. What would happen if an act of sabotage occurred when no state of war existed between two nations? Is there a difference between sabotage that diminishes military capabilities versus an act that targets critical national infrastructure and causes large-scale disruption? What if such an attack causes loss of life? What would be the response if dormant malware is found inside critical national infrastructure and its intent is clearly destructive? Does the presence of such malware alone invite military repercussions?
For deterrence to be effective, nations must understand what is considered acceptable behavior and what actions will trigger deterrent measures, such as military attacks. The absence of norms in cyberspace means that deterrence cannot function properly.
Nation-states vs. nation-states and others
Nuclear weapons are exclusively the preserve of nation-states. Fear of retaliatory strikes underpins deterrence.
Nuclear propagation has been hard. Even today, only a handful of states are known to possess weapons, and the world keeps a hawk-like gaze for any new nations or groups seeking to acquire such weapons.
Controlling cyber weapons is infinitely more challenging. Cyber weapons are physically minute, able to be stored on a secure digital (SD) card the size of a thumbnail and transferred around the world in seconds. WannaCry ransomware is a case in point. It was allegedly built by one nation’s intelligence agency, stolen by another’s spies and used by a third country to launch one of the most disruptive cyberattacks in history.
This ease of propagation results in nonstate actors acquiring cyber weapons.
Terrorists, organized criminals and hacktivists cannot be deterred in the same way that nation-states can. None of these entities falls into the nuclear paradigm of fearing a retaliatory strike on their homelands. And some terrorists may not even fear death as a repercussion of their actions.
Therefore, classical deterrence principles will not work against such threat actors. Each type will need a unique deterrence plan and, even then, such plans may be ineffectual.
Symmetric vs. asymmetric
The nuclear club is small. Until very recently, only the most technologically advanced nations were able to acquire nuclear weapons. There was a symmetry of destruction. If nations went to war, they would both likely lose their capital cities, military headquarters and economic assets. Participants in a war would suffer equally.
Cyber warfare is different. Anyone can possess a cyber weapon. While it is true that the most sophisticated weapons are built by the most technologically sophisticated nations, the poor level of global cyber defenses means that less technologically developed nations can have an outsize offensive impact. Even nations without technological capabilities can procure offensive capabilities on the black market.
Since any nation can acquire offensive cyber capabilities, there is an asymmetry in the potential impact during combat. For instance, if a highly developed nation is struck by cyber sabotage, there is a chance that the impact will be significant, given its society’s degree of reliance on technology. However, should a developing nation be struck by cyber sabotage, it is likely the attack will have a significantly lower impact because technology is not as ingrained in its national infrastructures.
Leveling the battlefield
We have demonstrated across many dimensions that nuclear deterrence and cyber deterrence are not analogous. However, several principles of nuclear deterrence can be adopted for our cybersecurity practices.
Change the attacker’s cost-benefit analysis
The adversary decides whether to attack based on a cost-benefit analysis. This is the basis of deterrence: Does the benefit outweigh the cost?
In the nuclear arena, countries continue to invest vast resources in nuclear offense and defense. For example, in March 2018, Russian President Vladimir Putin announced plans for his country’s next-generation intercontinental ballistic missiles (ICBMs), cruise missiles, undersea drones and hypersonic weapons.
However, to serve as a deterrent, adversaries must be fully aware of these new developments. The testing of nuclear weapons — as in the case of North Korea’s nuclear program — not only verifies their lethal capabilities but also ensures that adversaries understand their potency. This method informs adversaries’ cost-benefit analyses and enables deterrence.
Governments seeking to achieve a form of deterrence in cyberspace need to ensure that their adversaries are aware of their ability to conduct offensive action in the cyber realm. In the nuclear world, test explosions achieve this aim. In cyberspace, more subtle methods are required to demonstrate capability, such as releasing the news of an enhanced budget for military cyber units.
Enterprises do not have the ability to articulate their offensive prowess. However, they can influence the cost-benefit decision of the attackers in another way: offense through strong defensive communication.
The first stage of mounting any cyberattack is reconnaissance. Attackers seek as much information about their adversary as possible. They try to identify the target’s weaknesses. They are also assessing the likelihood of success — the benefit in their cost-benefit equation.
This is a key opportunity to deter the attacker. Part of the adversary’s equation is an assessment of whether an attempt to breach the target would succeed, and whether the attacker would be able to successfully execute objectives once inside the network (e.g., disabling a power station).
During this part, if an attacker were to find information suggesting that robust defenses were in place and that security was an investment priority for the target organization, this information would be fed into its cost-benefit calculation. If that adversary feels that it is unlikely to be able to breach, or remain covert long enough to achieve its post-breach objectives, it may desist or select another target.
The adversary would be further deterred if it learns that cyber resilience principles (see below) had been adopted by the target organization, resulting in the potential for rapid recovery from any successful attack. This could, for instance, mean that a targeted power station would be offline for two hours, rather than two days. All of these factors in combination might affect the attacker’s cost-benefit equation enough to deter it from acting.
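The cost-benefit calculus described under “Calculus of deterrence” and in the reconnaissance discussion above, as an added worked model that is not part of the DXC paper. Every probability, cost and value in it is a constructed assumption in arbitrary units, chosen only to show how the two defender levers (lowering the odds of a breach or of remaining covert, and shortening recovery time) move the attacker’s expected benefit relative to its cost.

```python
"""Toy model of an attacker's cost-benefit calculus.

Constructed example (not from the DXC paper): every probability, cost and
value below is an illustrative assumption in arbitrary units. The model is

    expected_benefit = P(breach) * P(covert long enough) * valued_disruption
    attack proceeds  = expected_benefit > attack_cost

so "increasing cost" and "decreasing benefit" (hardening, resilience) can be
compared on one scale.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """What reconnaissance reveals about a target (assumed values)."""
    name: str
    p_breach: float        # probability the initial breach succeeds
    p_covert: float        # probability the intruder stays undetected long enough
    recovery_hours: float  # time to restore the targeted asset (resilience)


@dataclass(frozen=True)
class Attacker:
    """The adversary's side of the equation (assumed values)."""
    attack_cost: float       # cost to build and deploy the capability
    value_per_hour: float    # value derived per hour the asset is down
    max_valued_hours: float  # disruption beyond this adds nothing for the attacker


def expected_benefit(posture: Posture, attacker: Attacker) -> float:
    """Expected payoff: chance of success times the value of the outage caused."""
    disruption = min(posture.recovery_hours, attacker.max_valued_hours)
    return posture.p_breach * posture.p_covert * disruption * attacker.value_per_hour


def will_attack(posture: Posture, attacker: Attacker) -> bool:
    """The attacker acts only when the expected benefit exceeds the cost."""
    return expected_benefit(posture, attacker) > attacker.attack_cost


def breakeven_recovery_hours(posture: Posture, attacker: Attacker) -> float:
    """Recovery time at which benefit equals cost, holding the breach and
    detection probabilities fixed; recovering faster than this deters."""
    per_hour = posture.p_breach * posture.p_covert * attacker.value_per_hour
    if per_hour == 0.0:
        return float("inf")  # attacker never benefits; any recovery time deters
    return attacker.attack_cost / per_hour


# Constructed postures: the "two hours rather than two days" contrast.
BASELINE = Posture("baseline", p_breach=0.8, p_covert=0.7, recovery_hours=48.0)
HARDENED = Posture("hardened", p_breach=0.6, p_covert=0.6, recovery_hours=48.0)
RESILIENT = Posture("resilient", p_breach=0.8, p_covert=0.7, recovery_hours=2.0)
BOTH = Posture("hardened+resilient", p_breach=0.6, p_covert=0.6, recovery_hours=2.0)
ATTACKER = Attacker(attack_cost=15.0, value_per_hour=1.0, max_valued_hours=72.0)


def evaluate(postures, attacker: Attacker) -> dict:
    """Map each posture name to (expected benefit rounded to 2 dp, attacks?)."""
    return {p.name: (round(expected_benefit(p, attacker), 2), will_attack(p, attacker))
            for p in postures}


if __name__ == "__main__":
    results = evaluate([BASELINE, HARDENED, RESILIENT, BOTH], ATTACKER)
    for name, (benefit, attacks) in results.items():
        verdict = "attacks" if attacks else "deterred"
        print(f"{name:20s} benefit {benefit:6.2f} vs cost {ATTACKER.attack_cost:5.2f} -> {verdict}")
    print(f"baseline must recover in under "
          f"{breakeven_recovery_hours(BASELINE, ATTACKER):.1f} h to deter this attacker")
```

With these assumed numbers, hardening alone (benefit 17.28 against a cost of 15) still leaves the attack worthwhile, whereas cutting recovery from two days to two hours collapses the expected benefit to 1.12 and deters it; the break-even function shows the recovery target a defender would need to hit for a given posture. The figures are arbitrary; the shape of the comparison is the point.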
Safely communicate security levels
At the moment, most organizations do not communicate security. Security capabilities are kept confidential for fear that by disclosing them, they will become less effective. However, by not communicating our security strength to adversaries, we run the risk that they will assume an absence of security or a low security maturity, which could bias the adversary toward attacking.
Achieving a balance between the two — communicating enough generic information so that the adversary understands your organization is well protected, yet not being so specific that the adversary can gain an advantage from your communications — is the balance that must be achieved.
This communication should be anchored on your organization’s website. Any sophisticated attacker will thoroughly examine the target’s website during the reconnaissance phase before making its cost-benefit analysis. This is where the organization needs to highlight its robust security.
A specific section on security is warranted, perhaps highlighting some of the key staff members, where appropriate. There could be biographical sections on some of your key security staff, perhaps with attached blogs or white papers, write-ups of conferences attended and training courses completed, high-level descriptions of some of the technologies deployed (where the adversary will not gain an advantage by knowing of their deployment).
DXC Technology believes that defensive communication is the most valuable nuclear deterrence principle that can be applied to OT security.
Adopt cyber resilience from the boardroom to the mailroom
Resilience allows enterprises to affect the benefit of an attacker’s cost-benefit equation. By being able to respond quickly, your company can diminish the effect of an attack and reduce the benefit to the attacker.
Achieving cyber resilience requires four steps, or principles:
- Make it hard for attackers to breach networks.
- Create a hostile environment when attackers breach networks.
- Rapidly detect, investigate and expel attackers.
- Quickly remediate the impact of breaches, returning fast to normal business operations.
Cyber resilience is at the heart of providing security to enable a digital future. It requires business-wide adoption of security with support by everyone — from the boardroom to the mailroom.
Critical national infrastructure and OT networks in particular benefit from this approach. The ability to quickly overcome business disruption following an attack could mean the difference between having an airport functional or closed, between thousands of people having power or sitting in darkness, or between national defense systems protecting the nation or its borders being left unguarded.
Cyber deterrence is possible
Nuclear deterrence is a product of a unique time in the history of warfare and is a useful concept to understand. However, as this paper demonstrates, not all of its principles are applicable to the digital domain — and understanding those differences can help us shift our strategies accordingly.
As difficult as it may be, cyber deterrence is possible. And, as deterrence policies evolve, we expect to see a patchwork of deterrence strategies rather than the single strategy of deterrence that exists in nuclear defense. Threat actors of all sizes and capabilities — including terrorists, criminals and nation-states — can acquire cyber weapons. We need a variety of deterrence strategies aimed at countering them all.
Employing capabilities such as defensive communications and organizational concepts such as resilience should make up the foundation of your organization’s effective cyber deterrence.
About DXC in OT security
DXC’s 3,500+ security experts have been protecting the enterprise networks of critical national infrastructure companies for decades. Today, the convergence of OT and enterprise networks means that — in order to have a complete picture of adversarial activity — we need visibility, and the possibility of deploying data analytics across both.
DXC has invested heavily in its proprietary Cyber Reference Architecture (CRA). The CRA is a meticulously detailed encyclopedia of best practice security designs that covers all aspects of a successful security function, detailing components from the boardroom’s vision for security to whether the server cages have the correct grade of locks. The CRA allows DXC experts to create an end-to-end approach to securing both your enterprise and OT networks to achieve cyber resilience.
As a vendor-neutral organization, DXC is able to select the best technology coalition to deliver an end-to-end integrated security architecture. For OT security, DXC assembled a working group of security experts, our elite, to assess more than 15 OT security companies. After an intensive three-month evaluation of the vendors, DXC partnered with the best of breed. We’ve done the market research so that you don’t have to.
DXC continues to invest in our capabilities, ensuring that we are always at the forefront of security evolution and remain trusted strategic advisors to the largest organizations on the planet.
Contact us to learn more about securing operational technology.