By Zachary K. Goldman & Damon McCoy
(Re-published from the Journal of National Security Law & Policy, 8:3) Deterrence is one of the most venerable concepts in the national security lexicon. It refers to the process of manipulating an adversary’s cost/benefit calculations to prevent him from doing something you do not want him to do. The concept is as old as warfare itself, reaching its apotheosis during the Cold War, when it was the central principle governing the security relationship between the United States and the Soviet Union.
But despite the pedigree of deterrence as a theory and a strategy, the community of scholars and practitioners focused on cybersecurity and cybercrime has struggled to adapt it to the burgeoning world of cyber threats. Admiral Michael Rogers, Director of the NSA, has said that the “fundamental concepts of deterrence” in cyberspace are “immature.”[i]
Senator John McCain has decried the “failure to develop a meaningful cyber deterrence strategy.”[ii] And some of the most prominent cybersecurity practitioners have noted that “deterrence is an undeveloped theoretical space in cyber war today.”[iii]
The cyber deterrence discussion has foundered thus far in part because of challenges that are unique to cyberspace. These include problems publicly attributing cyberattacks with confidence, the difficulty that inheres in determining whether a technological system has failed because of attack or for other reasons,[iv] and the unwillingness of states to discuss publicly capabilities that they treat as highly classified.
But part of the problem is also conceptual, derived from the fact that cyberattacks are motivated by an array of factors—cyber espionage is motivated by different interests than attacks on critical infrastructure—and involve a range of actors with varying degrees of linkage to states. Deterrence strategies therefore must be tailored for each set of motivations and each set of actors, a task that has proven to be a significant challenge.
Within the spectrum of motivations for the infliction of cyber harms, this article addresses financially motivated cyberattacks because they constitute a substantial portion of cyberattacks,[v] and represent a significant drag on economic activity.[vi] Deterring them will require different strategies than those used to deter other forms of cyber threat like attacks on critical infrastructure or cyberattacks in the context of armed conflicts.[vii]
We use the term “financially motivated cyberattacks” in this paper to refer to attacks that use malicious cyber capabilities to generate a profit; like other businesses, this activity is sensitive to costs. Financially motivated cyberattacks often seek data—credit card data, health records, or other personally identifiable information—that can be monetized quickly.
Financially motivated cyber criminals also seek valuable intellectual property, trade secrets, or material non-public information about companies that can provide strategic or competitive advantage.[viii] Financially motivated cybercrime also includes the sale of counterfeit or fraudulent goods perpetrated through digital intrusions—the kinds of spam messages that clog our email inboxes each day. In targeting digital information, financially motivated cyber criminals are participants in a (black) marketplace for data or goods that is “growing in size and complexity” and which has “emerged as a playground of financially driven, highly organized, and sophisticated groups.”[ix]
Deterring financially motivated cybercrime requires a defender to raise the cost in time or resources of pursuing a particular target. Defenders can also deter attacks by lowering the anticipated benefits that an attacker will receive through a particular act of cyber theft. In the context of the strategies discussed in this paper, cyberattacks can be deterred by making it harder for criminals to monetize the goods they have counterfeited or data they have stolen.
Because deterrence of financially motivated cybercrime involves manipulating the financial costs and benefits of an attack, it will rely on different tools than the deterrence of attacks against military targets or critical infrastructure.[x] Instead of punishing retaliation against the means and instrumentalities of the attack, financial sanctions and other measures taken by the private sector can raise the cost of commercially motivated theft.
This article [presents] a strategy for deterring financially motivated cybercrime that leverages the US government’s financial sanctions program targeting “Significant Malicious Cyber-Enabled Activities,”[xi] as well as private sector efforts to mitigate cybercrime. Public/private collaborations … are an important part of a deterrence strategy designed to deprive cyber thieves of the expected value of criminal behavior. These partnerships have done important work to use intellectual property law and other legal regimes to play “offense against cybercriminals … taking legal action to clean up malware and help ensure customers stay safer online.”[xii] This article also discusses techniques that credit card companies are using to make it more difficult to profit from cybercrime.
While this article focuses on deterring financially motivated cybercrime, it also seeks to establish the larger point that one cannot speak generically about “cyber deterrence.” Rather, different kinds of malicious cyber activity demand different, tailored deterrence strategies. This is because each category of cyber threat has a different motivation, and therefore will be sensitive to a different type of cost. Broadly, one can distinguish between cyber war, cyber activism (“hacktivism”), cyber espionage, cyber terrorism, cyberattacks against critical infrastructure, and financially motivated cyber theft.[xiii]
Financially motivated cyber theft does not generally pose a risk of acute catastrophe—the “Cyber Pearl Harbor” that then-Defense Secretary Leon Panetta described in 2012.[xiv] Rather, senior government officials are beginning to describe the main cybercrime threat as an “ongoing series of low-to-moderate level cyberattacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.”[xv]
While these might prove catastrophic to a particular victim company at a particular moment, the strategy for deterring them similarly lies in a distributed approach to raising the costs of attack, and targeting what cyber thieves care about most: their wallets …
[i] Admiral Michael S. Rogers (USN), Director, National Security Agency, and Commander, U.S. Cyber Command, Remarks at the New America Foundation Conference on Cybersecurity (Feb. 23, 2015).
[ii] Hearing to Receive Testimony on US Strategic Command, U.S. Transportation Command, and US Cyber Command In Review of the Defense Authorization Request for Fiscal Year 2016 and the Future Years Defense Program: Hearing Before the S. Armed Services Comm., 114th Cong. (2015) (Statement of Sen. John McCain, Chairman).
[iii] RICHARD A. CLARKE & ROBERT K. KNAKE, CYBER WAR: THE NEXT THREAT TO NATIONAL SECURITY AND WHAT TO DO ABOUT IT 189 (2010).
[iv] MARTIN LIBICKI, CYBERDETERRENCE AND CYBERWAR 45-47 (2009) (hereinafter “LIBICKI, CYBERDETERRENCE AND CYBERWAR”).
[v] VERIZON ENTERPRISE SOLUTIONS, 2014 DATA BREACH INVESTIGATIONS REPORT 9 (2014) [hereinafter 2014 VERIZON DATA BREACH REPORT] (noting that approximately 60% of data breaches are financially motivated).
[vi] Estimates about the cost of cybercrime to the economy vary widely and measuring the cost of breaches with any precision is difficult. Ellen Nakashima & Andrea Peterson, Report: Cybercrime and espionage costs $445 billion annually, WASH. POST (June 9, 2014), https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html; Paul Taylor, Cybercrime costs US $100bn a year, report says, FIN. TIMES (July 23, 2013), www.ft.com/cms/s/0/45bf9898-f3bf-11e2-942f-00144feabdc0.html. See Ross Anderson et al., Measuring the Cost of Cybercrime (2012) (paper for the Workshop on the Economics of Information Security), http://cseweb.ucsd.edu/~savage/papers/WEIS2012.pdf.
[vii] Indeed, some argue that cyber war has not—and will not—take place. See, e.g., THOMAS RID, CYBER WAR WILL NOT TAKE PLACE (2013). Rid, a noted theorist of military strategy, argues instead that much of what we consider acts of cyber war are in fact better understood as one or a combination of espionage, sabotage, or subversion. Rid argues that cyberattacks largely do not amount to acts of war “because the use of force in war is violent, instrumental, and political.” Id. at 4. Cyberattacks have, however, been used in the context of armed hostilities. See CLARKE AND KNAKE, supra note 3, at 5-8 (describing reported Israeli cyber operations to blind Syria’s air defense systems before striking a nuclear facility there in September 2007). Russia also accompanied its 2008 attack on Georgia with crippling cyberattacks against the country. Id. at 18-21.
[viii] Press Release, Federal Bureau of Investigation, Nine People Charged in Largest Known Computer Hacking and Securities Fraud Scheme: More than 150,000 Press Releases Stolen from Three Major Newswire Companies, Used to Generate Approximately $30 Million in Illegal Trading Profits (Aug. 11, 2015), https://www.fbi.gov/newyork/press-releases/2015/nine-people-charged-in-largest-known-computer-hacking-and-securities-fraud-scheme.
[ix] LILLIAN ABLON, MARTIN C. LIBICKI & ANDREA A. GOLAY, MARKETS FOR CYBERCRIME TOOLS AND STOLEN DATA ix (2014) [hereinafter MARKETS FOR CYBERCRIME TOOLS].
[x] LIBICKI, CYBERDETERRENCE AND CYBERWAR, supra note 4, at 91-116 (for a discussion of the importance of retaliation in the deterrence of cyber threats against military or infrastructure targets).
[xi] Exec. Order No. 13694, 31 C.F.R. 578 (Apr. 2
[xii] Richard Domingues Boscovich, Microsoft Takes on Global Cybercrime Epidemic in Tenth Malware Disruption, THE OFFICIAL MICROSOFT BLOG (June 30, 2014), http://blogs.microsoft.com/blog/2014/06/30/microsoft-takes-on-global-cybercrime-epidem
[xiii] Catherine A. Theohary & John W. Rollins, Cong. Research Serv., R43955, Cyberwarfare and Cyberterrorism: In Brief (2015).
[xiv] Leon Panetta, U.S. Secretary of Defense, Keynote Address to the Business Executives for National Security: “Defending the Nation from Cyber Attack” (Oct. 11, 2012). We leave aside questions about what might happen if a financially motivated cyberattack produces unintended consequences because of digital interdependencies that are poorly understood by attackers.
[xv] Susan Landau, What We Must Do About Cyber, LAWFARE BLOG (Mar. 10, 2015), http://www.lawfareblog.com/2015/03/what-we-must-do-about-cyber.