The US military’s purpose is not just to fight and win wars, but also to deter others from preparing for war. This deterrence is only possible when rivals have clear awareness of the capabilities of US military forces, a concept exemplified by the US nuclear deterrence strategy. Cyberattack capabilities, however, resist this notion for a variety of reasons, but primarily because their effectiveness is specific to the software, architecture and management details of the targeted system. Furthermore, there has never been a cyberattack with the destructive capability and casualties comparable to traditional war, which makes it difficult for a country to demonstrate its full cyber potential.
National cyberwarfare capabilities are also a closely guarded secret, because flaws and vulnerabilities in targeted systems are only exposed when attacked, which informs the best ways to address these issues. However, while cyberattack capabilities cannot easily be used to shape the behavior of others, it does not mean they cannot be used at all.
Cyberwarfare capabilities may be demonstrated to intimidate an enemy. One way to demonstrate the ability to hack into an enemy’s system is to carry out an attack whereby a digital trail is left with the intention of ensuring the source of the breach is known to decision-makers. By carrying out repeated similar attacks, or exploiting new system vulnerabilities, the targeted entity may recognize the attacker’s ability to infiltrate their system at any time, and reconsider its own position in relation to the attacking forces.
While cyberwarfare can be used to compromise enemy infrastructure and operations, the ability to hack into a system does not necessarily mean that it can be corrupted and destroyed. This would require breaking into higher levels and the ability to continuously block the system from performing its tasks. However, the initial hack itself may be threatening enough if those targeted cannot tell the difference between system penetration and total disruption. Disrupting a system is clearly far more hostile and difficult to achieve than breaking into one. It requires an understanding of what makes a system fail, as well as conducting an attack in a way that ensures system administrators cannot detect it and quickly repair the damage.
Brandishing a weapon is intended to reveal what it is and how it can be used. The forms of brandishing can be implicit, leaving it to others to determine the implications of its use, or explicit, with actors choosing the context and timing in which they signal their capabilities. Brandishing can only work within cyberwarfare when capabilities are repeatedly demonstrated in a way that minimizes hostility, striking a careful balance between manipulating a system and inflicting damage.
Brandishing US cyberattack capabilities may also help dissuade other states from pursuing high technology networking power to counter conventional US military capability. The best way to demonstrate the threat of networking is to hack into military systems to show their fragility. Claiming responsibility is unnecessary, as the goal is not to emphasize US power, but rather to stress the vulnerability of an enemy’s network-based systems. As a matter of policy, the United States has never publicly confirmed or denied its engagement in cyberwarfare, but has not refuted claims of US involvement in the Stuxnet attacks on Iranian nuclear facilities.
It is not yet clear whether brandishing cyberattack capabilities reduces the impetus for conflict among potential enemies. Some states believe they have no choice due to limited options, while others believe they can succeed even if their technology systems are disrupted. Meanwhile, other states may discount the threat entirely, believing their systems—when called on for war—can be disconnected from the rest of the world. Another scenario is that the target simply believes itself to be invulnerable, whether in peace or during times of conflict. Going to war requires overcoming a great many fears, not least of which is the ever-present specter of a cyber threat.
Brandishing cyberattack capabilities may deter others from pursuing capabilities that depend on digital systems and networks. A particular threat is that potential enemies could operationalize the information obtained, or compromise strategic decisions. Cyber threats need not be pre-emptive (“if you do this …”), and can instead undermine a target’s trust in their data simply by suggesting that a data corruption attack has achieved its goal. The efficacy of brandishing cyberwarfare capabilities depends on the initial intent and the ways in which target states perceive the motives and timing of those signalling their capabilities.
About the Author:
Martin C. Libicki is an American scholar and professor at the Graduate School in Santa Monica, California. He is a Senior Management Scientist at RAND Corporation, where his research focuses on the effects of information technology on domestic and national security. He graduated from the Massachusetts Institute of Technology (MIT) in Cambridge, where he received a Bachelor of Science degree in Mathematics. He went on to receive a master’s degree in City and Regional Planning, as well as a PhD in Economics from the University of California, Berkeley.
Publisher: Emirates Center for Strategic Studies and Research [In Arabic]
Year of Publication: 2014