Cyberdeterrence and Cyberwar. RAND

MARTIN C. LIBICKI

PROJECT AIR FORCE

Prepared for the United States Air Force
Approved for public release; distribution unlimited

Preface
This monograph presents the results of a fiscal year 2008 study, “Defining and Implementing Cyber Command and Cyber Warfare.” It discusses the use and limits of power in cyberspace, which has been likened to a medium of potential conflict, much as the air and space domains are. The study was conducted to help clarify and focus attention on the operational realities behind the phrase “fly and fight in cyberspace.”
The basic message is simple: Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities.
Permanent effects are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do so again. Something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought. 
This monograph is an attempt to start this rethinking.
The research described in this monograph was sponsored by Lt Gen Robert Elder, Jr., Commander, Eighth Air Force (8AF/CC), and Joint Functional Component Commander for Space and Global Strike, United States Strategic Command. The work was conducted within the Force Modernization and Employment Program of RAND Project AIR FORCE. It should be of interest to the decisionmakers and policy researchers associated with cyberwarfare, as well as to the Air Force planning community.

RAND Project AIR FORCE
RAND Project AIR FORCE (PAF), a division of the RAND Corporation, is the U.S. Air Force’s federally funded research and development center for studies and analyses. PAF provides the Air Force with independent analyses of policy alternatives affecting the development, employment, combat readiness, and support of current and future aerospace forces. Research is conducted in four programs: Force Modernization and Employment; Manpower, Personnel, and Training; Resource Management; and Strategy and Doctrine.
Additional information about PAF is available on our Web site:
http://www.rand.org/paf/


Acknowledgements
RAND work profits enormously from helpful hands and helpful hints. This monograph is no exception, and many individuals deserve heartfelt acknowledgements. First is the RAND team that worked on the overall project. Its members include Richard Mesic, who strongly encouraged this line of inquiry; Robert Anderson; Myron Hura; Lynn Scott; and Lara Schmidt. Donald Stevens, who oversees the group in which the project was conducted, also deserves special thanks. Second are our Air Force sponsors, who oversaw the effort and provided encouragement throughout, notably Lt Gen Robert Elder (Commander Eighth Air Force) and Maj Gen William Lord (Commander 24th Air Force). Third are the many individuals who looked at this document and shared their comments with the author: Greg Rattray; Milt Johnson (Air Force Space Command); and RAND colleagues Paul Davis, James Quinlivan, David Frelinger, Roger Molander, and David Gompert. Fourth are the good folks who read the manuscript in the context of RAND’s quality-assurance policy: John Arquilla, Ryan Henry, and Cynthia Cook.
Special thanks are also in order for Ricardo Sanchez, who provided invaluable research support; for Jerry Sollinger, for his assistance in communicating the results; and for Catherine Piacente and Karen Suede, who helped prepare the manuscript.


Product details
File Size: 14,192 KB
Pages: 239 p
File Type: PDF format
ISBN: 978-0-8330-4734-2
Copyright: 2009 RAND Corporation


Table of Contents

Preface
Figures
Tables
Summary
Acknowledgements
Abbreviations

CHAPTER ONE
Introduction
Purpose
Basic Concepts and Monograph Organization

CHAPTER TWO
A Conceptual Framework
The Mechanisms of Cyberspace
External Threats
Internal Threats
Insiders
Supply Chain
In Sum
Defining Cyberattack
Defining Cyberdeterrence

CHAPTER THREE
Why Cyberdeterrence Is Different
Do We Know Who Did It?
Can We Hold Their Assets at Risk?
Can We Do So Repeatedly?
If Retaliation Does Not Deter, Can It at Least Disarm?
Will Third Parties Join the Fight?
Does Retaliation Send the Right Message to Our Own Side?
Do We Have a Threshold for Response?
Can We Avoid Escalation?
What If the Attacker Has Little Worth Hitting?
Yet the Will to Retaliate Is More Credible for Cyberspace
A Good Defense Adds Further Credibility

CHAPTER FOUR
Why the Purpose of the Original Cyberattack Matters
Error
Oops
No, You Started It
Rogue Operators
The Command-and-Control Problem
Coercion
Force
Other
Implications

CHAPTER FIVE
A Strategy of Response
Should the Target Reveal the Cyberattack?
When Should Attribution Be Announced?
Should Cyberretaliation Be Obvious?
Is Retaliation Better Late Than Never?
Retaliating Against State-Tolerated Freelance Hackers
What About Retaliating Against CNE?
Should Deterrence Be Extended to Friends?
Should a Deterrence Policy Be Explicit?
Can Insouciance Defeat the Attacker’s Strategy?
Confrontation Without Retaliation
The Attacker’s Perspective
Signaling to a Close

CHAPTER SIX
Strategic Cyberwar
The Purpose of Cyberwar
The Plausibility of Cyberwar
The Limits of Cyberwar
The Conduct of Cyberwar
Cyberwar as a Warning Against Cyberwar
Preserving a Second-Strike Capability
Sub-Rosa Cyberwar?
A Government Role in Defending Against Cyberwar
Managing the Effects of Cyberwar
Terminating Cyberwar
Conclusions

CHAPTER SEVEN
Operational Cyberwar
Cyberwar as a Bolt from the Blue
Dampening the Ardor for Network-Centric Operations
Attacks on Civilian Targets
Organizing for Operational Cyberwar
Conclusions

CHAPTER EIGHT
Cyberdefense
The Goal of Cyberdefense
Architecture
Policy
Strategy
Operations
Hardware
Deception
Red Teaming
Conclusions

CHAPTER NINE
Tricky Terrain

APPENDIXES
A. What Constitutes an Act of War in Cyberspace?
B. The Calculus of Explicit Versus Implicit Deterrence
C. The Dim Prospects for Cyber Arms Control
References

Figures
2.1. Responses by Rough Order of the Level of Belligerence
2.2. Does the Cost-Effectiveness of a Cyberattack Decline at High Intensity Levels?
3.1. Where Each Caveat Applies
3.2. Three Dimensions of the Efficacy of Cyberattacks
5.1. A Decision Loop for Cyberdeterrence
9.1. Where Various Forms of Combat May Fit in the Deter-Disarm-Defend Triangle
A.1. Ranking Various Forms of Harm in Cyberspace
B.1. A Schematic of Cyberattack and Response
