While the problems hindering the development of an effective and comprehensive cyber deterrence policy are clear (threat measurement, attribution, information-sharing, legal codex development, and poor infrastructure, to name several), this article focuses on one aspect of the debate that heretofore has been relatively ignored: that the futility of governmental innovation in terms of defensive efficacy is a relatively constant and shared weakness across all modern great powers, whether the United States, China, Russia, or others. In other words, every state that is concerned about the cyber realm from a global security perspective is equally deficient and vulnerable to offensive attack; therefore, defensive cyber systems are likely to remain relatively impotent across the board.
As a consequence, the goal for major powers should not be the futile hope of developing a perfect defensive system of cyber deterrence, but rather the ability to instill deterrence based on a mutually shared fear of an offensive threat. By capitalizing on this shared vulnerability to attack and propagandizing the open buildup of offensive capabilities, there would arguably be a greater system of cyber deterrence keeping the virtual commons safe. Though it may seem oxymoronic, the more effective defense in this new world of virtual danger is a daunting cyber-lethal offensive capability; not so much to actually use it, but rather to instill fear of it being used.
Interestingly, some states are clearly already adhering to this strategy, at least in the informal sense if not in explicit policy position—China’s fervent support of “honkers” and the Russian Federation’s frequent reliance upon “patriotic hackers” come to mind most readily. The United States certainly has the technological capability to equal Chinese and Russian virtual lethality. The formal lack of an open policy arguably indicates hesitancy on the part of the United States to develop a “weaponized virtual commons.” Rather than an indication of infeasibility, this reluctance seems to be a nod to intelligence considerations, meaning the United States is arguably more satisfied developing its offensive capabilities in secret as part of more-covert operations than as a piece of overt policy. This article argues the emphasis on covert offensive capability rather than overt is an error that compromises the effectiveness and potentiality of developing a true virtual commons across the globe that ensures greater security for all, not just one powerful nation.
In some ways, this reality gives argument to the possibility of cyber war existing above and beyond conventional war; not because conventional war will ever be obsolete or be a state’s most supreme form of gaining and enhancing its own security, but rather cyber war can be seen by many states as a less confrontational and more results-oriented maneuver. Effective hacking and strategic cyber-attacks at the moment still hold many more opportunities for hiding participation while successfully gaining economic, political, diplomatic, and military secrets. In simple cost-benefit calculations, cyber war is much more cost effective than conventional war, so it is arguable that its popularity over time will grow exponentially. When considering the impotence of defensive systems tasked with stopping such efforts, cyber war as a concept is fundamentally complex, convoluted, and diffused by design. This is one of the reasons the Islamic State is having greater success around the globe through its cyber recruitment and incitement while suffering heavy conventional losses in the field across the Levant.
For the past 15 years (at least), the United States has invested heavily in cyber-security technologies. Despite this commitment, major problems remain across the most fundamental areas. There is still no large-scale deployment of security technology capable of comprehensively protecting vital American infrastructure (Note the reasoning behind the en masse resignation of eight officials this weekend from the Trump Cybersecurity group). The need for new security technologies is essential, but to date the best developments have only been in small-to-medium-scale private research facilities. What would be required to make rapid, large-scale advances in new network security mechanisms is daunting:
- development of large-scale security test beds, combined with new frameworks and standards for testing and benchmarking;
- overcoming current deficiencies and impediments to evaluating network security mechanisms, which to date suffer from a lack of rigor;
- relevant and representative network data;
- adequate models of defense mechanisms; and
- adequate models of the network and for background and attack traffic data.
Most of these issues are problematic because of the severe complexity of interactions between traffic, topology, and protocols. In short, it is simply easier to attack than to defend in the cyber realm, and the innate complexities of infrastructure preparedness make it seem likely this is not just an estimation of current affairs but rather an axiom that will stand across eras, actors, and countries. In short, hackers will always trump defenders. Even with this admission, however, this piece is not in fact arguing for the creation of some cyber variant of a Dr. Strangelove doomsday machine, the repercussions of which would make the attribution problem utterly moot. Rather, taken to its extreme extrapolation, a mutually and openly weaponized cyber commons deters just as the nuclear Mutually Assured Destruction principle did, ie, the perception of realistic virtual devastation via retaliatory strike induces fear of action, thereby rendering the global system safe through a dangerous but stable equilibrium. But just as with nuclear weapons, the ability to universally destroy the virtual commons is not the sole ultimate hope and outcome for peace across the system. It is not a call to rejoice in fear and dread.
Recall that mutuality not only builds fear but also allows the possibility of trust through repeated engagement. That element of trust is essential. Up to now the dynamic nature of the cyber domain too heavily favored those who sought to only do damage against it. A weaponized cyber commons would finally put some of that dynamism in the hands of major powers with a mutual interest in rules, regulations, and stability, rather than chaos, theft, and illicit behavior. So this is not an argument for giving any president a choice between surrender to constant technological violations or hacking the modern world into the Middle Ages. Rather, a weaponized cyber commons policy — by being open, transparent, expansive, and mutual — could have enough new deterrents built into it structurally to not only provide more options to all of the actors in the game but also give pause to the rogue behavior that constantly probes its edges, threatening to disrupt the entire scenario. That combination of creating hesitation amongst rogues while instilling trust amongst major actors is where the sweet spot of global virtual peace can develop.