
Chapter 3 The United States

3.2 Denial by Defense

While Threats of Punishment as a form of deterrence largely require attribution to function, Denial by Defense has very little need for attribution to succeed.54 This is because of the at times passive nature of this approach to deterrence. Denial by defense would involve several different approaches to change the cost/benefit analysis of potential aggressors. These include hardening networks, improving general cyber hygiene, improving their resilience and capacity to recover, and improving general surveillance and the active defense of networks. All of these would increase the difficulty of attacking United States networks.

53 Nye, 55

54 Nye, 56

Hardening networks would be one of the most basic approaches to improving defenses, along with improving general cyber hygiene. Hardening networks would essentially be attempting to improve the impregnability of networks. One possible tactic would include protecting critical systems from data overload, a tactic often used by hackers to bring down websites through denial-of-service attacks.55 Another option would be to increase the use of authentication to prevent outside access to sensitive data.56 Lastly, a more active approach to hardening systems would involve constantly monitoring and patching systems.57 This would require trained operators who understand what normal system conditions are, and who would be able to react quickly to possible threats. This final aspect would also be considered active defense. Hardening of defenses would likely reduce low-level incursions, as it would greatly change the aggressor's cost/benefit analysis.58
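
The first hardening tactic named above, protecting critical systems from data overload, is usually implemented as per-client rate limiting. The following is an added example, not code from the thesis or from the works it cites: a token bucket per client identifier (assumed here to be the source address) lets every client burst up to `capacity` requests and then holds it to `rate` requests per second, so a flooding source is throttled while a well-behaved one is untouched. The request stream is constructed for the demonstration.

```python
"""Per-client token-bucket rate limiting (added example, constructed data)."""
from collections import defaultdict


class TokenBucket:
    """Bucket that refills at `rate` tokens per second, capped at `capacity`."""

    def __init__(self, capacity, rate, now):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)   # start full so a new client may burst
        self.last = now

    def allow(self, now):
        # Refill in proportion to elapsed time; a backwards clock adds nothing.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                    # no token available: request dropped


class RateLimiter:
    """One bucket per client identifier (for example the source IP)."""

    def __init__(self, capacity=5, rate=1.0):
        self.capacity = capacity
        self.rate = rate
        self.buckets = {}

    def check(self, client, now):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.rate, now)
            self.buckets[client] = bucket
        return bucket.allow(now)


# Constructed traffic: a flooding client sends 50 requests within one second,
# a normal client sends one request every two seconds.
SAMPLE_REQUESTS = [(i * 0.02, "flood") for i in range(50)] + \
                  [(i * 2.0, "normal") for i in range(10)]


def simulate(requests, capacity=5, rate=1.0):
    """Replay (timestamp, client) pairs in time order.

    Returns {client: (allowed, denied)} so the effect on each source is visible.
    """
    limiter = RateLimiter(capacity, rate)
    stats = defaultdict(lambda: [0, 0])
    for ts, client in sorted(requests):
        if limiter.check(client, ts):
            stats[client][0] += 1
        else:
            stats[client][1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


if __name__ == "__main__":
    for client, (allowed, denied) in simulate(SAMPLE_REQUESTS).items():
        print(f"{client}: allowed={allowed} denied={denied}")
```

With the defaults, the flooding client gets its first five requests through (the initial burst allowance) and the remaining 45 are dropped, while the normal client's ten requests are all served; the limiter never needs to know who the attacker is, which is the point the paragraph makes about denial by defense not depending on attribution.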

Another important approach to improving deterrence through defense would be improving cyber hygiene. As discussed at length in Chapter two, many of the most spectacular hacks are the result of simple user error. The Stuxnet worm, for example, was likely delivered into a closed network through an infected USB stick.59 The possible Korean missile hacks were also likely a result of user error, as Kim Jong Un executed multiple security officials for either incompetence or possible treason. Improving in this regard would involve constant training and retraining of staff, ensuring that no one with access to sensitive data would unknowingly click on a spear-phishing email or enter data into false login pages. Cyber hygiene development for the United States government would involve the development of a set of best practices that require accountability from users. The United States, in response to the WannaCry virus and other hacks, passed legislation in 2017 that seeks to establish best practices when it comes to cyber hygiene.60 While the Promoting Good Cyber Hygiene Act is not currently mandatory, it is likely that in the future these best practices will become standardized and expected; in particular, the federal government and those wishing to do business with it will be expected to follow the rules outlined in the Act.

55 Mandel, Robert. Optimizing Cyberdeterrence: A Comprehensive Strategy for Preventing Foreign Cyberattacks. Washington, DC: Georgetown University Press, 2017. 202.

56 Mandel, 202

57 Ibid.

58 Nye, 56

59 Zetter, Kim. "An Unprecedented Look at Stuxnet, The World's First Digital Weapon." Wired. November 3, 2014. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

Improving network resilience and the capacity to recover is another important way to improve deterrence through improved defensive measures. Network resiliency assumes that at some point the cyber attackers will prevail. However, if the attacked networks can quickly recover, there is a lowered incentive for an attack at all. Joseph Nye offers a clear example to explain how network resiliency may dissuade aggressive actions: if Japan had known how resilient the United States would be following Pearl Harbor, it is likely that no attack would have occurred in the first place.61 Developing resilience in the cyber world can take a multitude of forms. One approach could include developing redundancy in systems and in important infrastructures in case of attacks, though it would be quite expensive. Joseph Nye also offers cheaper examples of developing resiliency, such as continuing to train officers how to navigate by the stars, in case global positioning systems were knocked out.

60 Orrin Hatch United States Senator for Utah. "Hatch Introduces Legislation to Combat Cybercrime." News release, June 29, 2017. United States Senator Orrin Hatch. https://www.hatch.senate.gov/public/index.cfm/2017/6/hatch-introduces-legislation-to-combat-cybercrime.

61 Nye, 56

The United States government has already begun to improve resiliency, as the Department of Homeland Security and the United States Computer Emergency Readiness Team offer a Cyber Resilience Review (CRR) service.62 This method of analyzing and improving resiliency is voluntary and has seen success with a wide variety of government and non-government customers, including the Department of Homeland Security, the Department of Energy, the United States Postal Service, and Lockheed Martin. The CRR service has given those that opted in a structured and repeatable plan for improving technical resiliency. It should be noted, however, that CRR reports are considered classified and will not be released even under a Freedom of Information Act request.

Lastly, the United States is improving the surveillance of its networks and developing a more active defensive posture to further deter aggressive actors. Active defense as a concept has changed over the past decades, as debates have taken place over how to respond to aggression in kind given the inherent attribution issues. In 2017, Dorothy E. Denning and Bradley J. Strawser published an interesting article in which they apply concepts of air defense to cyber defense.63 The definitions of active and passive defense they use are as follows: “Active cyber defense is a direct defensive action taken to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets, and passive cyber defense is all measures, other than active cyber defense, taken to minimize the effectiveness of cyber threats against friendly forces and assets. Put another way, active defenses are direct actions taken against specific threats, while passive defenses focus more on protecting cyber assets from a variety of possible threats” (194-195).64 Further, the pair ultimately argue that while there are ethical issues at times, similar to air defenses that may cause collateral damage, the ends may justify the means. The authors cite the case of the Coreflood botnet takedown as an example of using active defense effectively.65 The Coreflood botnet was a Russian creation released in 2010. It infected millions of systems, including those of state and local government agencies, airports, defense contractors, banks, and financial institutions. The program would open a backdoor on the compromised computer and then gather what useful information it could find.

62 "Assessments: Cyber Resilience Review (CRR)." United States Computer Emergency Readiness Team. https://www.us-cert.gov/ccubedvp/assessments.

63 Denning, Dorothy E., and Bradley J. Strawser. "Active Cyber Defense: Applying Air Defense to the Cyber Domain." In Understanding Cyber Conflict: Fourteen Analogies. Georgetown University Press.

The active defensive measures had several steps, and the Federal Bureau of Investigation, the Department of Justice, and the Internet Systems Consortium (ISC) worked together to bring down the Russian threat.66 First, the ISC was given the legal go-ahead to substitute its own servers for Coreflood's command and control servers. The government was also allowed to take over domain names that were being used by Coreflood. When infected machines then attempted to contact the command and control servers for instructions, they were issued stop orders. This neutralized the damaging effects of the malware on host machines. Following this action, the FBI forwarded the IP addresses of infected machines to Internet Service Providers, who then informed their customers. Microsoft also cooperated by releasing an updated Software Removal tool to help victims remove the malicious code.
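
Once the command and control domains point at defender-controlled servers, every beacon from an infected host becomes a record of a victim rather than an attacker's command channel, and the step in which the FBI passed addresses to Internet Service Providers becomes a log-triage task. The following is an added example, not code from the Coreflood operation, the thesis, or the ISC: it parses constructed sinkhole beacon lines, keeps one record per infected host (the earliest beacon), skips malformed lines, and groups the hosts by the provider responsible for each address block. The prefix table is a constructed stand-in for a real whois or ASN lookup, and the domain and addresses are documentation examples, not real infrastructure.

```python
"""Sinkhole-log triage for victim notification (added example, constructed data)."""
import ipaddress
import re
from collections import defaultdict

# Constructed beacon log as a sinkhole might record it once the C2 domain
# resolves to the defender's server. One line is deliberately malformed.
SINKHOLE_LOG = """\
2024-01-01T10:00:01Z src=203.0.113.17 host=cc-example.invalid path=/beacon
2024-01-01T10:00:05Z src=203.0.113.17 host=cc-example.invalid path=/beacon
2024-01-01T10:00:09Z src=198.51.100.4 host=cc-example.invalid path=/beacon
2024-01-01T10:00:12Z src=192.0.2.200 host=cc-example.invalid path=/beacon
2024-01-01T10:00:15Z src=203.0.113.99 host=cc-example.invalid path=/beacon
2024-01-01T10:00:20Z malformed line that the parser must skip
2024-01-01T10:00:25Z src=198.51.100.4 host=cc-example.invalid path=/beacon
"""

# Constructed prefix-to-provider table standing in for a whois/ASN lookup.
ISP_PREFIXES = {
    "203.0.113.0/24": "Example ISP A",
    "198.51.100.0/24": "Example ISP B",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+) host=(?P<host>\S+)"
)


def parse_beacons(log_text):
    """Yield (timestamp, ip_address) for each well-formed beacon line."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                        # junk or truncated line: skip it
        try:
            ip = ipaddress.ip_address(match.group("src"))
        except ValueError:
            continue                        # matched the shape but not a valid address
        yield match.group("ts"), ip


def first_seen_victims(log_text):
    """One record per infected host: {ip_address: first_seen_timestamp}."""
    victims = {}
    for ts, ip in parse_beacons(log_text):
        victims.setdefault(ip, ts)          # repeated beacons do not add victims
    return victims


def group_by_provider(victims, prefixes):
    """Map each victim to the provider responsible for its address block.

    Addresses outside every known prefix are flagged for manual lookup rather
    than silently dropped, so no victim is lost from the notification list.
    """
    nets = [(ipaddress.ip_network(p), name) for p, name in prefixes.items()]
    report = defaultdict(list)
    ordered = sorted(victims.items(), key=lambda kv: (kv[0].version, kv[0]))
    for ip, ts in ordered:
        provider = next((name for net, name in nets if ip in net),
                        "UNKNOWN (manual lookup)")
        report[provider].append((str(ip), ts))
    return dict(report)


if __name__ == "__main__":
    for provider, hosts in group_by_provider(
            first_seen_victims(SINKHOLE_LOG), ISP_PREFIXES).items():
        print(provider)
        for ip, ts in hosts:
            print(f"  {ip}  first seen {ts}")
```

Run as a script it prints two hosts for the first provider, one for the second, and one address left for manual lookup; the seven log lines collapse to four victims because repeat beacons and the malformed line are discarded before anything is forwarded.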

64 Denning and Strawser 194-195

65 Denning and Strawser 196

66 Denning and Strawser 196-197

The authors draw an analogy between this case and defending against a hijacked aircraft whose hijackers receive instructions from a separate command center. In the air defense case, the defenders would jam the command center and replace its signal with their own, ordering the hijackers to land at a specific airport. That airport would then be given identifying information so the hijackers could be apprehended on arrival. The same approach, the authors note, was used by Microsoft, which commandeered the control servers of two Zeus botnets, preventing future harm.

The example above provides some specific means of using an active defense against intruders; the United States government has also taken it upon itself to fund and promote the spread of an active defense mindset throughout the country. In a similar fashion to the aforementioned Cyber Resilience Reviews, DARPA has developed new active defense technologies, and the Department of Defense has been offering their use to interested parties.67 The United States government has acknowledged the threats of the future, and is actively researching and funding ways to deter these threats.

Denial by defense has been an important deterrent since the internet and networking itself arose. The United States has adapted to new threats posed by nation-state and non-government actors by hardening networks, improving general cyber hygiene, improving network resilience and capacity to recover, and improving general surveillance and the active defense of networks.

At the highest level of government, this aspect of deterrence has been embraced. As a result, many actors will likely be dissuaded at present and into the future.

67 "Active Cyber Defense (ACD)." Information Assurance by the National Security Agency. https://www.iad.gov/iad/programs/iad-initiatives/active-cyber-defense.cfm.