Cyber-deterrence is the Future of Cybersecurity

Hackers pose a serious threat to countless targets in the modern world, which is why the Cybersecurity field exists. As hackers adapt to defenses, new methods need to be adopted to combat them. The number of cyber attacks has been rising in recent years, and experts may be turning to Cyber-deterrence in order to combat the rising tide of black hats.

The Internet has changed the world by allowing people to connect and communicate over vast distances in the blink of an eye, but this modern miracle has a flip side. As the world becomes more dependent on the internet, hackers are able to take advantage of more systems, including those of the most powerful countries in the world. This heralds the rise of the cyber security expert.

The cyber security field has an enormously difficult task ahead of them, and for the most part that task has been addressed by designing incredibly complex, passive defenses like firewalls and antivirus programs. Yet, some experts are considering a more active type of defense: Cyber-deterrence.

What is Cyber-deterrence?

The object of deterrence is to enable a counterattack and make attackers think twice in the first place. It works on two principles. First, you want to deny the enemy the ability to attack you by making it so difficult that they don’t even want to try. Second, if someone does attack, you want to be able to punish them badly enough to send a clear message to anyone else. Think of it as a razor-wire fence; you certainly don’t want to get cut by the razors, and if you got entangled within them you would be very vulnerable to counter-attack. In her article on deterrence, Dorothy Denning outlined how these two principles could be approached by the cyber security field.

Denial is something that cyber defenses already focus on to an extent. A focus on deterrence would require stronger login security and better encryption. Developers and defense experts already focus on software updates and antivirus applications, but they will need to increase the efficiency in order to truly deter cyber attacks. For the most part, cyber defense is already aimed in this direction, but there are still holes to patch. For example, many devices have factory-default passwords which allow hackers to compromise those systems with ease.

According to Bruce Schneier, the markets favor cheap products, even if they are more unsecured because more security raises costs. This vulnerability contributed to the success of the Mirai botnet, which took over some big name targets such as Twitter. Shneier proposes government regulations that require manufacturers to impose basic security standards or be held accountable when their devices are employed in cyber attacks.

Punishment is the intimidating part of cyber-deterrence, as cyber defenses will be taking more active measures to mitigate hacking.  Active cyber defenses will scan their systems and block intruders, resembling air defense systems which scan the sky for targets and intercept incoming missiles. Additionally, cyber defenses could be honeypots, which act as decoys that redirect hackers into safe areas where they can be studied and possibly tracked.

Defenses that focus on cyber-deterrence, then, will reach back out to hackers instead of just trying to keep them out. This means that they could strip the anonymity that protects hackers from retaliation and legal action.

Differences Between Nuclear and Cyber Attack Deterrence

The private sector has to worry about the legal ramifications of active defense, and so far they haven’t been too keen on employing it for legal reasons. According to Denning, “the private sector is reluctant to employ many active defenses because of legal uncertainties.” Hackers are showing us that they can cause some major damage to computer systems around the world, making them comparable to weapons of mass destruction, and in that arena deterrence is the established policy. For example, nuclear deterrence has proven a successful model against nuclear attack.

Nuclear deterrence has taken the form of both denial and promised punishment for years, and it works. Only a few countries are capable of using nuclear weapons, and they are well known, making international regulatory bodies such as the International Atomic Energy Agency and treaties such as the Treaty on the Non-Proliferation of Nuclear Weapons possible.

By contrast, cyber security cannot follow the model of nuclear deterrence. Nuclear weapons are costly and require complex research, while cyber attacks can be designed and deployed fairly easily. Also, cyber attacks are mostly anonymous, unlike a nuclear attack where the attacker would most certainly be tracked. Due to the aforementioned reluctance of organizations to employ active defenses, there is little promise of punishment.

One factor that might make the private sector more willing to design and implement cyber-deterrence depends on the nations of the world. Countries will need to clarify and standardize regulations within their own nation as well as internationally, thus allowing new technologies to catch up with and even go after cyber attackers. If countries could set up international standards for cyber security, it could lead to more active defenses, and countries might become a bit more vigilant to avoid the shame of an international hacking incident.

Society will always have its criminals. As such, there is little chance of ridding the world of hackers. Yet, for every hacker there is a cyber security specialist looking to keep people safe from them. With any luck, cyber-deterrence will enable those specialists to keep our systems safe and secure.