Ask CFR Experts

PrintPrint CiteCite
Style: MLAAPAChicago Close


Do digital wars alter deterrence in a way that favors offense? If so, how can defense respond effectively?

Question submitted by Erich Helmreich, from New York University, March 11, 2013

Answered by: Adam Segal, Ira A. Lipman Chair in Emerging Technologies and National Security and Director of the Digital and Cyberspace Policy Program


Several high-profile cyberattacks have been in the news lately, and the U.S. government has warned of the increased threat of attacks against the United States.

In computer network attacks, it is assumed that the offense has the advantage over the defense. Defenders have to secure millions of lines of code over numerous networks and devices; attackers only have to find one vulnerability. Attackers can mask their identity by routing attacks through multiple networks or using compromised computers, and state-affiliated attackers can use criminal gangs such as "patriotic hackers" or other proxies to conduct attacks. These problems of attribution make deterrence difficult because it is hard to deter if you cannot punish, and you cannot punish without knowing who is behind an attack.

The United States can respond to these digital assailants in three ways.

First, it can try to improve attribution through new technologies or intelligence, or at least convince potential attackers that it has done so. Former secretary of defense Leon Panetta warned, "Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America."

Second, it can improve defenses. President Obama recently signed an executive order to improve critical infrastructure cybersecurity. The order pushes the government to share threat information with privately-owned critical national infrastructure such as utility networks and the financial industry, and establishes a "cybersecurity famework," a voluntary set of cybersecurity best-practices for the private sector.

Finally, since no defense will ever be completely secure, resilience and redundancy should be built into systems.