WASHINGTON, January 3, 2015 – Deterrence is the threat to retaliate for hostile action by an opponent by imposing unacceptable costs in return.
Nuclear weapons have served the nuclear powers as a deterrent to nuclear attack and direct, large-scale military attacks their territory since the 1940s. Nuclear weapons are a credible deterrent against existential national threats, but not to small-scale attacks or minor irritants. The United States can credibly commit to launch nuclear weapons against Russia or China if they launch an attack on the American homeland, but no one believes for an instant that we would use nuclear weapons against Mexican drug lords, Middle Eastern terrorists, or China for the manipulation of its currency to harm American manufacturers.
Nor would we use them against North Korea for a cyber-attack on Sony.
The U.S. has less destructive weapons in its arsenal. We fire cruise missiles at pharmaceutical plants and training camps in response to terrorist acts, and we use armed drones to attack enemy assets and wedding parties in other countries without resorting to a full-scale invasion.
Deterrence requires the ability to know who launched an attack. If an attack is launched anonymously, retaliation will be delayed or incorrectly directed, and so the threat of retaliation won’t deter the attack.
If Russia or China fires a missile at the United States, it comes with a “return address”; satellites and radar can identify the source of the launch. Terrorist attacks are more difficult. It takes a strong and extensive intelligence network to identify the source of a terrorist attack, and if the source is not a government and not located in a fixed position, retaliation is harder. That makes such attacks more difficult to deter.
The same is true of cyber-attacks. Given the importance of knowing who launches them in order to deter them, we can assume that the U.S. government has invested considerable money in measures to trace the source of cyber-attacks. But if, as now seems possible, we got it wrong on Sony, and if North Korea wasn’t to blame for the attack, then its clear to everyone that our ability to trace attacks is limited.
How and whether to respond to cyber-attacks is an essential question. Some experts believe that China has been launching small-scale cyber-attacks on American firms for years. If that’s true, they don’t seem to have posed a serious threat yet to the American economy. The problems of our economy can almost all be traced to poor policy decisions, not to cyber-warfare.
So should we retaliate against China? Without proof that the Chinese government is involved, that might simply create a feud where none existed. Also, tit-for-tat attacks that go on and on aren’t a form of deterrence; they represent its failure.
Deterrence appears to work well at a strategic level as a means to stop existential threats. In order to deter other attacks, we have to convince potential attackers that they threaten a vital national interest. An attack on Sony threatens very little except the jobs of Sony executives. An attack on GM would be an annoyance, not a national emergency.
If we’re going to deter cyber-attacks by threatening cyber-retaliation, deterrence will fail. It has to impose unacceptable costs, and disrupting Kim Jon-un’s 3G phone access to Kim Kardashian’s internet pictures is nowhere close. It’s just an annoyance, and annoying foreign leaders isn’t going to deter them. It is more likely to set off a round of tit-for-tat cyber-irritation.
In order for deterrence to work, it has to be linked to clear national interests, and it must come with clear red lines. It must impose unacceptable costs, and that means that the retaliation will more likely be conventionally military than “cyber.”
There are many reasons to use coercive force against North Korea, but the attack on Sony isn’t one of them. Nor are “proportionate” measures going to do much good. If the Korean internet outage was the result of such a measure, and if the attack on Sony didn’t come from North Korea, then the countermeasure was not only ineffective as deterrence, but possibly undermined it. It invites a Korean response, and tells hackers around the world that they can get away with it.
The best deterrence to cyber-attacks may be a greatly improved capacity to identify where they came from and then a strong international legal framework to punish them. This may not be an issue for conventional military deterrence at all, but a matter for the police and the courts.
On a final note, this is connected with Edward Snowden’s revelations about NSA spying. Cyber-espionage is treated as an example of behavior that should be deterred by a credible response. If so, the fact that the U.S. has been actively engaged in it against even its closest friends makes it hard for us to argue that it should be treated as a genuine threat to national security.
Cyber-warfare has its place as an increasingly important tool to accompany other tools of warfare. The attack against Sony, even if it came from China and North Korea, was not an act of war, and it was not something that could be credibly deterred. It should be a wake-up call to firms around the world to improve the security of their computer networks.