Today, let me share some thoughts with you on a possible 21st-century adaptation of the German saying ‘Angriff ist die beste Verteidigung’. Translated, this line means that the best way to defend yourself is by attacking your enemy. Let us see whether, from the perspective of the state, this saying holds true in the framework of cyber-warfare.
As a nation-state, you face a lot of challenges and potential security risks when it comes to attacks from cyberspace. The risks are not too high if all classified information is stored on computers outside the Internet, on a separate network. However, this is only a small portion of the things that can happen to a nation-state. In 1998, for example, a teenager got control of the Roosevelt Dam, being able to flood several villages with thousands of people living there. Power grids and traffic controls might have similar stories. Likewise, in 2009, allegedly North Korean or Chinese hackers stole the US deployment plans for South Korea from American servers. This list goes on and on, but it shows the vulnerability of the nation-state to cyber-attacks and their potential outcome. So what can the nation-state do?
One possible course of action would be to just apply defensive measures. This would include using secure networks for certain transactions and networks (Command and Control, classified information etc.). For information that has to be connected to the Internet, Red Teams for probing and white hat teams for defensive measures would be more than appropriate. Laws and policies towards more corporate responsibility for security would also be feasible (HBGary…Hi). All of that and more can be done on a defensive level.
The second possible course of action (and a lot of in-betweens) would include offensive actions as well. Grey hats could trace attackers back to the origin and try to come back at them. Honeypots and sandboxes can be used to figure out how the attackers work and subsequently apply that knowledge while coming after them. One potential risk you are running is to hack back the wrong person. Another risk is to attract even more hackers. Arresting or hacking hackers might cause an online outrage which keeps your white hats busy until the end of all days (AntiSec).
A more drastic approach would be offensive actions that also involve non-cyber-weapons such as conventional missiles. The US government, for example, never said it would only respond to cyber-threats by hacking back. For the worst case it always kept its conventional weapons in mind. A cyber-attack on the American power grid might then be followed by tracing back the origin of the hack, verifying the track, and using conventional weapons to retaliate. In less severe cases (and the cases of individual hackers and not state-supported hackers) it might involve some CIA agents kicking down your door and dragging you to some interrogation facility in Eastern Europe (which we know does not exist). Both outcomes are physical responses to virtual violence.
For me it is a matter of commensurability. If someone steals my information, I try to get back at him and steal his information. Maybe I will also cripple his system to make him think twice before he does it again (which can of course start a vicious circle). If someone shuts down the traffic controls and subsequently people get killed over it, physical use of force should not be a no-no. Hacking back would be no deterrence. Deterrence can only work if the same level or a higher level of force can be threatened. Nuclear deterrence did not rely on the fact that if Russia sends its missiles towards American soil, America will send the carriers and order them to destroy St. Petersburg. The threat was that even if the attack is not detected, the second-strike capabilities are large enough to destroy every major Russian city.
So deterrence against virtual attacks only works by threatening to use virtual or physical violence. Deterrence against physical attacks only works by threatening the use of physical force. And even though a cyber-attack is virtual, if it is aimed at traffic controls its casualties are physical. And that is the important thing. However, if you retaliate with physical use of force to a non-physical attack – just to keep up future deterrence – you might end up losing more. Citizens don’t take it lightly if their country starts a war just because some state-backed hackers from another country stole important information. They might not like the theft, but being dragged into a war might be worse for them and subsequently for their state.