Cyberdeterrence Needs People, Not Weapons

Mass mobilization might be the best line of defense in a world of online warfare.

By Elisabeth Braw, a fellow at the American Enterprise Institute.
This photograph, posed as an illustration on May 12, 2017, shows the website of the NHS: East and North Hertfordshire notifying users of the aftermath of a cyberattack on its network taken in London.
This photograph, posed as an illustration on May 12, 2017, shows the website of the NHS: East and North Hertfordshire notifying users of the aftermath of a cyberattack on its network taken in London. Daniel Leal-Olivas/AFP/Getty Images

In April this year, Iranian operatives were reported to have launched an online assault on a string of British banks and government agencies. A couple of weeks later, Amnesty International Hong Kong was attacked by Chinese hackers, who accessed the personal information of its supporters. This wasn’t anything special, just another round of news. But it shows how endemic such attacks have become—and how much traditional deterrence has failed to deter attackers.

Just a few weeks before the attack on U.K. institutions, Iranian hackers were revealed to have targeted government agencies and companies in the United States and Saudi Arabia over the last two years. Among the other acts of cyberaggression that became public during the same brief time span: Russian separatists attacking Ukrainian government agencies, unknown hackers attacking the Finnish election registry, unknown attackers hacking the Lithuanian Ministry of Defense, and Chinese and Russian hacks on the country’s election registry.

Western countries, of course, conduct offensives of their own. The U.S. Cyber Command polices the global cyber-neighborhood by means of regular roughing up of offenders, a policy the Pentagon calls “defend forward.” Last month, for example, the United States conducted a cyberattack against Iran. Israel is engaged in a digital tit-for-tat with Iran and Hamas, and in May, U.K. Defense Secretary Penny Mordaunt announced new funding for British Army cybercenters, explaining that “we must convince our adversaries their advances simply aren’t worth the cost.”

But those adversaries don’t seem so convinced. Prompting a response, in fact, may be just what they want. By hacking back, a government shows what it knows about the adversary’s cybersecurity knowledge and capabilities. Perhaps worse still, it displays its own weapons, allowing the adversary to use the knowledge to its advantage. The cyberweapons immediately lose some of their power. Indeed, cyberweapons begin to rust as soon as they see the light of day. “Actually, they begin rusting as soon as they’re created, because they target vulnerabilities in opponents’ systems, and those systems change,” said Mikko Hypponen, the chief research officer at the cybersecurity firm F-Secure. It was hardly a surprise when the Iranian government announced in May that it has installed a cyberdefense shield.

That makes cyberdeterrence fundamentally different from the past. Deterrence by military punishment is based on the idea that by showing off its military might, a country can convince an adversary that attacks would be ill-advised. That’s why armed forces exercise: Yes, they do so to get better at their trade, but they also signal to their adversaries that they are already powerful, like an inmate building up his muscles in prison to deter rivals.

That’s one reason—apart from autocratic ego—that military parades work. They provide pomp and circumstance but are also a none-too-subtle signal to would-be attackers. If West Germany and its NATO partners ever considered invading East Germany, the country’s formidable arsenal would have prompted them to think twice: some 2,500 tanks, 6,000 armored vehicles, 300 fighter jets, 100 naval vessels, and a mobilized force of half a million soldiers—and the Red Army had its own half-million-strong force with accompanying tanks and other weaponry in the country. And when NATO conducted the Trident Juncture exercise in Norway last year, it let the public know that the exercise comprised some 50,000 troops, 250 aircraft, and 10,000 vehicles. It communicated the numbers for reasons of public transparency, of course, but also to deter adversaries.

But that doesn’t work online. Cyberweapons are more like intelligence assets than military hardware—you want your opponent to be afraid they exist, but not to know exactly what they are or how big your network is. The dilemma of cyberdeterrence is that governments—and it has to be governments, since private-sector offensive cyberattacks are illegal—need to show their cyber-chops to deter aggression, but that trust besets cyberweapons without them ever being displayed on a figurative parade.

Here’s one way forward: democratization. Instead of deterrence by impressive weapons, countries need deterrence by impressive brains. Imagine if instead of a thousand-tank parade, they could display a 1-million-hammer one. Figurative hammers, of course: citizens equipped with the knowledge to stop one small piece of a cyberattack. By each doing their piece to protect themselves, 1 million ordinary citizens—or 2 million or 10 million of them—can help strengthen cyberdefense. Like hammers, their knowledge would be so basic that it would withstand exposure—allowing countries to boast of their potential mass without giving anything away. Ordinary citizens could, of course, not be involved in offensive cyberactions, but their mass would help strengthen our current leaky system, which allows cyberattacks to succeed simply because someone is not paying attention.

And citizens with cybersecurity expertise could play a more active role. Dan Eliasson, the director-general of Sweden’s Civil Contingencies Agency, which is known for its pioneering work in hybrid defense, told me that he envisions a digital fire department, an elite corps of civilian cyberexperts willing to assist the government during cybersecurity crises. The idea, which is based on the Computer Security Incident Response Teams that many companies and government departments already have in place, has enormous potential. Today, brilliant tech experts are often to be found in the private sector, which is why the CIA has a venture-capital arm that invests in startups. It would be hard to persuade them to go to work for the government—and that’s not necessary. Western governments could create Eliasson-style civilian digital fire departments—call them High-Tech Emergency Corps—using the structure that is currently used for military reserves: Experts sign up to join the organization, participate in exercises, and are called up for defensive and offensive crisis response duty. Governments are simply not equipped to field the force required in case of, say, a debilitating attack on the power grid.

While the West’s adversaries, including China, North Korea, and Russia, involve private citizens in cyberattacks, they use them as proxies to which attacks can be farmed out, rather than an organized defense force. “A civilian cyber-reserve would be a good answer, because most tech skills don’t reside in government departments,” Hypponen said. “And if it were mostly defensive in nature, tech experts would likely be willing to participate.” He cautioned, though, that it would be crucial to establish watertight screening for these extremely sensitive placements.

Why should tech experts sign up for service in a cyber-reserve rather than use their spare time for personal hobbies? Because uninterrupted access to daily goods such as electricity, internet, and food is in everybody’s interest, including that of cyberspecialists. (Since grocery stores rely on electricity, they would be forced to shut in case of a power cut. A recent example: When the internet went down, a card-only coffee shop in Sweden had to resort to giving out coffee for free. That’s one coffee shop during an extremely limited outage—nothing compared to the scale of a real attack.)

Currently Estonia’s volunteer Cyber Unit is the closest any country comes to a High-Tech Emergency Corps—and it is part of the country’s military. The same goes for United States Civil Air Patrol, a volunteer organization that assists the U.S. Air Force with tasks like search and rescue during crises. There is, however, a better model that could be adopted for high-tech defense. The Civil Reserve Air Fleet is formed of aircraft belonging to civilian U.S. airlines. Under ordinary circumstances, they fly their normal airline routes, but when the U.S. armed forces need to transport more troops and equipment than its own aircraft have space for, Civil Reserve aircraft are brought in. The government successfully incentivizes airlines to participate—they have to commit 30 percent of their passenger fleet and 15 percent of their cargo fleet—by offering participants access to regular Pentagon transportation contracts. In exchange for allowing their best cyberexperts to assist the government during crises, tech firms could similarly be given preferential treatment in government tenders.

Exported to cybersecurity, the aircraft model would allow governments to access not goods but the private sector’s best brains. And the best thing about deterring adversaries in cyberspace by showcasing brains rather than weapons is that the brains don’t rust. Indeed, they are able to improvise on the spot, to come up with new solutions, and thus to create an agile and unpredictable cyberforce.

Elisabeth Braw is a fellow at the American Enterprise Institute, where she focuses on defense against emerging national security challenges, such as hybrid and gray-zone threats. She is also a member of the U.K. National Preparedness Commission. Twitter: @elisabethbraw