Brandishing Cyberattack Capabilities

Abstract

The U.S. military exists not just to fight and win wars but also to deter them, that is, to persuade others not to start them (or even prepare for them). Deterrence is possible only when others know or at least have good indications of what the U.S. military can do. Such acknowledgment is at the heart of U.S. nuclear deterrence strategy and, to a lesser extent, the U.S. maintaining strong mobile conventional forces that can intervene almost anywhere on the globe. Cyberattack capabilities resist such demonstration. No one knows exactly or even approximately what would happen if a country suffered a full-fledged cyberattack, despite the plethora of hostile activity in cyberspace. For one thing, there has never been a cyberwar attacks with destruction and casualties comparable to physical war. Theory also works against demonstration. Flaws in target systems enable cyberattacks. To reveal which flaws enable attack is to inform others how to fix the flaws and hence neutralize them. It is no wonder that national cyberwar capabilities are a closely guarded secret. That cyberattack capabilities cannot easily be used to shape the behavior of others does not mean they cannot be used at all. This report explores ways that cyberattack capabilities can be brandished and the circumstances under which some deterrence effect can be achieved.1 It then goes on to examine the obstacles to realizing such achievement and sketches out some realistic limits on the expectations. As a matter of policy, the United States has never said that it would use cyberattacks, but neither has it said that it would not. It has also not vigorously disputed the notion that it had some hand in the Stuxnet attacks on the Iranian nuclear facility. The

Document Details

Document Type

Technical Report

Publication Date

Jan 01, 2013

Accession Number

ADA584126

Entities

Tags