Entanglement in Cyberspace: Minding the Deterrence Gap

ABSTRACT

Conventional models of deterrence focus on the ability to deter adversaries through ex-ante threats that impose ex-post costs or through the elevation of ex-ante costs through strategies that deny. The imposition of costs on adversaries in cyberspace is complex and the establishment of deterrence by threat or denial is constrained by problems associated with resource asymmetries, attribution, and a diverse set of actors with overlapping capabilities. Due to these challenges, conventional models of deterrence have seen limited success in cyberspace. Rather than building more robust defenses or threatening retaliatory actions, entanglement within cyberspace offers an alternative approach that might affect the decision-matrix of adversary states. This paper examines the concept of entanglement as a way of altering how states conceptualize offensive actions in cyberspace and works toward building mutual interdependencies to make actions that disrupt, degrade or deny within cyberspace undesirable.

KEYWORDS:

• Cyberspace
• deterrence
• entanglement
• conflict

Notes

1. Dave Evans, “The Internet of Things: How the Next Evolution of the Internet Is Changing Everything” (CISCO Internet Business Solutions Group, 2011).

2. Kenneth N. Waltz, Theory of International Politics, Addison-Wesley Series in Political Science (Reading, Mass.: Addison-Wesley Pub. Co., 1979).

3. Charles Glaser, Deterrence of Cyber Attacks and U.S. National Security (Washington, DC: Cyber Security Policy and Research Institute, 2011).

4. Joseph S. Nye Jr, “Deterrence and Dissuasion in Cyberspace,” International Security 41, no. 3 (2017): 44-71.

5. Robert O. Keohane, After Hegemony: Cooperation and Discord in the World Political Economy (Princeton, N.J.: Princeton University Press, 1984).

6. Alexander L. George and Richard Smoke, Deterrence in American Foreign Policy: Theory and Practice (New York: Columbia University Press, 1974).

7. Thomas Schelling, Arms and Influence (New Haven, Conn: Yale University Press, 1966).

8. Glaser, “Deterrence of Cyber Attacks and U.S. National Security.”

9. Jesse C. Johnson, Brett Ashley Leeds, and Ahra Wu, “Capability, Credibility, and Extended General Deterrence,” International Interactions 41, no. 2 (2015): 309-336; James D Morrow, “Alliances, Credibility, and Peacetime Costs,” The Journal of Conflict Resolution 38, no. 2 (1994): 270-297; and James D Fearon, “Signaling Foreign Policy Interests: Tying Hands Versus Sinking Costs,” Journal of Conflict Resolution 41, no. 1 (1997): 68–90.

10. “All Cyber Mission Force Teams Achieve Initial Operating Capability.”

11. Nicole Perlroth and David E. Sanger, “Hacks Raise Fear over N.S.A.’S Hold on Cyberweapons.,” June 28 2017; Scott Shane, Matthew Rosenberg, and Andrew W. Lehren, “Wikileaks Releases Trove of Alleged C.I.A. Hacking Documents,” The New York Times, March 7 2017.

12. “Jp 3–12, Cyberspace Operations,” ed. U.S. Department of Defense (Washington, D.C.: U.S. Department of Defense, 2013).

13. David Vergun, “Experts: Winning Cyberwar Takes Getting Talent Management Right,” https://www.army.mil/article/158537/experts_winning_cyberwar_takes_getting_talent_management_right (2015).

14. Robert Axelrod and Rumen Iliev, “Timing of Cyber Conflict,” Proceedings of the National Academy of Sciences of the United States of America 111, no. 4 (2014): 1298-1303.

15. Lawrence Freedman, “General Deterrence and the Balance of Power,” Review of International Studies 15, no. 2 (2016): 199-210.

16. Ron Gurantz and Alexander V Hirsch, “Fear, Appeasement, and the Effectiveness of Deterrence,” The Journal of Politics 79, no. 3 (2017): 1041-1056.

17. Martin C. Libicki, Cyberdeterrence and Cyberwar (Santa Monica, CA: RAND Corporation, 2009).

18. Aaron Franklin Brantly, The Cyber Deterrence Problem (London; New York: Rowman & Littlefield International, 2020).

19. Jon R Lindsay and Erik Gartzke, “Cybersecurity and Cross-Domain Deterrence,” in Us National Cybersecurity International Politics, Concepts and Organization, ed. Damien Van Puyvelde and Aaron F Brantly (Abingdon: Taylor and Francis, 2017): 11-27.

20. Aaron F. Brantly, The Decision to Attack: Military and Intelligence Cyber Decision-Making (University of Georgia Press, 2016).

21. John S. Davis, Martin C. Libicki, Stuart E. Johnson, Jason Kumar, Andrew Karode, “A Framework for Programming and Budgeting for Cybersecurity,” (Santa Monica: RAND, 2015).

22. From the notes of the author.

23. Schelling, Arms and Influence.

24. Ben Buchanan, The Cybersecurity Dilemma Hacking, Trust and Fear between Nations (London, UK: Oxford University Press, 2017).

25. Ellen Nakashima, “U.S. Cyber Command Operation Disrupted Internet Access of Russian Troll Factory on Day of 2018 Midterms,” The Washington Post, February 27, 2018.

26. https://www.c-span.org/video/?441677-1/nsa-chief-testifies-fiscal-year-2019-budget; https://www.c-span.org/video/?441917-1/nsa-nominee-testifies-senate-armed-services-committee.

27. Chris C Demchak and Peter Dombrowski, “Rise of a Cybered Westphalian Age,” Strategic Studies Quarterly (2011): 32-61.

28. Waltz, Theory of International Politics.

29. Artificial Intelligence (AI) programs are writing code for new programs indicating a portending rapid increase in coding development in future years.

30. Keohane, After Hegemony: Cooperation and Discord in the World Political Economy.

31. Robert Axelrod, “Effective Choice in the Prisoner’s Dilemma,” Journal of Conflict Resolution 24, no. 1 (2009): 3-25.

32. Daniel Kahneman and Amos Tversky, “Prospect Theory: An Analysis of Decision under Risk,” Econometrica 4, no. 2 (1979): 263-292.

33. Ibid.

34. Jeffrey Berejikian, “A Cognitive Theory of Deterrence,” Journal of Peace Research 39, no. 2 (2002): 165-183.

35. Ibid.

36. Adi Robertson, “Lenovo Reportedly Banned by Mi6, Cia, and Other Spy Agencies over Fear of Chinese Hacking,” The Verge, July 30, 2013.

37. Erik Wemple, “Opinion | Bloomberg Is Still Reporting on Challenged Story Regarding China Hardware Hack,” The Washington Post, November 27, 2018.

38. Ken H Guo et al., “Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model,” Journal of Management Information Systems 28, no. 2 (2011): 203-236; and Jeffrey M. Stanton et al., “Analysis of End User Security Behaviors,” Computers & Security 24, no. 2 (2005): 124-133.

39. T. V. Paul, Patrick M. Morgan, and James J. Wirtz, Complex Deterrence: Strategy in the Global Age (Chicago: University of Chicago Press, 2009).

40. Robert O. Keohane and Joseph S. Nye, Power and Interdependence, 2nd ed., Scott, Foresman/Little, Brown Series in Political Science (Glenview, Ill.: Scott, Foresman, 1989).

41. Brett Ashley Leeds, “Do Alliances Deter Aggression? The Influence of Military Alliances on the Initiation of Militarized Interstate Disputes,” The American Political Science Review 47, no. 3 (2003): 427-439.

42. Robert Kaiser, “The Birth of Cyberwar,” Political Geography 46 (2015): 11-20.

43. Rachel Ellehuus, “Blueprint for a More Effective Nato,” BreakingDefense.Com (2019).

44. David A. Baldwin, Neorealism and Neoliberalism: The Contemporary Debate, New Directions in World Politics (New York: Columbia University Press, 1993).

45. Han Dorussen, Erik Gartzke, and Oliver Westerwinter, “Networked International Politics,” Journal of Peace Research 53, no. 3 (2016): 283–291; Erik Gartzke, Quan Li, and Charles Boehmer, “Investing in the Peace: Economic Interdependence and International Conflict,” International Organization 55, no. 2 (2001): 391-438; Edward D. Mansfield and Brian M. Pollins, “The Study of Interdependence and Conflict,” The Journal of Conflict Resolution 45, no. 6 (2001): 834-859; and John J. Mearsheimer, “Back to the Future: Instability in Europe after the Cold War,” International Security 15, no. 1 (1990): 5-56.

46. Igor Linkov et al., “Resilience Metrics for Cyber Systems,” Environment Systems and Decisions 33, no. 4 (2013): 471-476.

47. John Gerard Ruggie, “International Regimes, Transactions, and Change: Embedded Liberalism in the Postwar Economic Order,” International Organization 36, no. 2 (2018): 379-415.

48. Note here I am specifically referring to corporate espionage for commercial gain and not national security espionage which while distasteful is generally tolerated. See: Hattem, Julian. “Ex-CIA Head: ‘Shame on Us’ for Allowing Government Hack,” The Hill, June 16, 2015. http://thehill.com/policy/national-security/245101-ex-cia-head-shame-on-us-for-allowing-government-hack.

49. Lawrence A Gordon, Martin P Loeb, and William Lucyshyn, “Sharing Information on Computer Systems Security: An Economic Analysis,” Journal of Accounting and Public Policy 22, no. 6 (2003): 461-485.

50. Esther Gal-Or, “The Economic Incentives for Sharing Security Information,” Information Systems Research 16, no. 2 (2005): 186-208.

51. It should be noted that entanglement is not applicable for espionage or for criminal activities. Yet cooperation within these areas can serve as a foundation for entanglement within other areas.

52. Jon R Lindsay and Tai Ming Cheung, “From Exploitation to Innovation: Acquisition, Absorption, and Application,” in China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, ed. Jon R Lindsay, Tai Ming Cheung, and Derek S Reveron (Oxford, UK: Oxford University Press, 2015): 51-86; and Ellen Nakashima, “U.S. Developing Sanctions against China over Cyberthefts,” The Washington Post, August 30, 2015.

53. “U.S. Developing Sanctions against China over Cyberthefts.”

54. “U.S. Charges Five Chinese Military Hackers for Cyber Espionage against U.S. Corporations and a Labor Organization for Commercial Advantage,” News Release, 2015.

55. Chris Bing, “With Trade War Looming, Chinese Cyberattacks May Follow,” Cyberscoop, April 4, 2018.

56. Jamie Shea, “How Is Nato Meeting the Challenge of Cyberspace?” PRISM 7, no. 2 (2018): 19-29.

57. Baldwin, Neorealism and Neoliberalism: The Contemporary Debate.

58. ibid.

59. John J. Mearsheimer, “Why the Ukraine Crisis Is the West’s Fault: The Liberal Delusion That Provoked Putin,” Foreign Affairs 93, no. 5 (2014): 1-12.

60. Aaron F. Brantly, “The Cyber Deterrence Problem” (paper presented at the 10th International Conference on Cyber Conflict (CyCon), Tallinn, Estonia, 2018).