
Chapter 3 The United States

3.1 Threats of Punishment

United States cyber policies will likely evolve most noticeably and quickly in terms of Classical Deterrence. Beginning with Threats of Punishment, there are clear examples of the United States taking this path to deter hostile cyber operations. These examples may be divided into two approaches: first, revealing or not revealing capabilities to the public, and second, developing and maintaining a new and clear hierarchy of national responses to aggression.

However, because of the proactive nature of this approach, attribution problems will be inherent.

There are two examples that highlight the sophistication of United States cyber operations.

The first case would be that of the Stuxnet worm. The Stuxnet worm is an extremely advanced and malicious program that was designed to target Iranian nuclear facilities. Work on the worm began in 2005, and initial versions were found in 2007.42 It was a joint operation between the United States and Israel, with an additional goal of preventing overt Israeli strikes that may have sparked further conflict. Stuxnet would also change over time, according to the desires of its creators. Initially, it was a slower-acting worm that destroyed equipment in a less obvious fashion. In 2009, it was modified to be much more aggressive. As a result of this, it was more quickly found out after abnormalities became impossible to ignore.43 Further, the worm spread around the world, and in 2010 it was discovered and analyzed by a Belarusian cyber security firm. That same year, after months of research and analysis, Symantec published a report on the worm that would lead to further independent research.44 Following these releases, Stuxnet became widely known, and its success in Iran ended.

42 Slayton, 95

Much has been written on Stuxnet and whether it indicates that cyber will favor offensive actions or defensive postures. Additionally, there has been discussion of the cost effectiveness of the worm.45 In this paper, the perceptions that have arisen as a result of Stuxnet are the most important aspect. Much of this importance is derived from the sheer technical scope of the worm itself. As noted in chapter two, Stuxnet made use of four separate zero-day exploits and two stolen certificates that took advantage of local network vulnerabilities to spread the virus. This indicates two things. First, discovering multiple zero-day exploits signifies an extremely high level of expertise, especially when using so many of these exploits for one program. Zero-day exploits are some of the most valuable and sought-after hacks in the world, with the United States National Security Agency budgeting $25 million to purchase them in 2013 alone.46 Further, the Stuxnet worm made use of two stolen certificates, digital documents that allow programs to run on an operating system. These, like zero-day exploits, would be worth in the millions of dollars.47 Secondly, the nature of the Stuxnet worm indicates it was an extremely focused attack. Other authors have attempted to quantify how much it may have cost to develop and deploy the worm, with numbers reaching as high as hundreds of millions of dollars.48 This high price was deemed acceptable when the target was only one nuclear facility in Iran. While Stuxnet has never been publicly acknowledged by the United States, its sophistication and damaging potential have likely shaped perceptions of United States cyber power and whether hostile cyber incursions are worth the cost when the target is capable of throwing massive amounts of resources behind bleeding-edge retributive cyber operations.

43 Ibid.

44 Slayton, 96

Zetter, Kim. "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History." Wired. July 11, 2011. https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/.

45 Slayton, 108

46 Slayton, 100

47 Ibid.

More recently, the United States has been noted for using cyber tools to sabotage North Korean missile tests. Following increasing North Korean aggression and a frenzied schedule of ballistic tests, the Obama administration began exploring more methods to deter or destroy launches.49 Some of these methods have been cyber-based, such as using cyber operations to interfere with North Korean missile control systems; however, other proposed methods are more direct, such as using drones and aircraft to shoot down just-launched missiles. The cyber approach, also known as Left of Launch, was likely first used in 2014. It was during this period that a large number of the missiles failed at various stages of launch and flight. Over time, however, launch records improved. It is possible that the initial cyber attacks were found and dealt with, similar to Stuxnet. In 2017, missiles again began to fail and Kim Jong Un ordered an investigation into possible hacking through imported hardware and also had senior security officials executed in response.50 It is possible that not all failed missile tests were due to cyber attacks from the United States. There is a definite possibility that it was also a result of incompetence, bad luck, or compromised North Korean officials. However, it is highly likely, even assured when taking into account testimony on Korean targeted cyber attacks, that the United States and its cyber operatives and intelligence officers have been behind many of the failed launches.51 While the primary importance of this subject would be regarding United States-North Korean relations, this story is also important in terms of cyber and threat perceptions. Where Russia, for example, is most famous for botnets and spam, the United States has illustrated capabilities that include sabotaging high security nuclear enrichment facilities in Iran and manipulating North Korean ballistic missile tests. Even when exposed, these operations may have value in deterring future cyber operations against the United States because of how sophisticated a response could be, as any reader of recent National Security Agency leaks would be amazed and horrified at the scope of their power. Further, many discussions on possible cyber programs are available in public records, although specific details are often omitted.52 It would be quite simple for any foreign power to find hints at United States cyber power through these records, and to likely abstain from any harmful cyber actions.

48 Slayton, 98

49 Sanger, David E., and William J. Broad. "Trump Inherits a Secret Cyberwar Against North Korean Missiles." The New York Times. March 4, 2017. https://www.nytimes.com/2017/03/04/world/asia/north-korea-missile-program-sabotage.html.

50 Persio, Sofia Lotto. "NORTH KOREA EXECUTES OFFICIAL IN CHARGE OF NUCLEAR TEST SITE: REPORT." Newsweek. December 19, 2017. http://www.newsweek.com/north-korea-purges-and-executes-official-charge-nuclear-test-site-report-752196.

51 Patterson, Dan. "Cyberweapons Are Now in Play: From US Sabotage of a North Korean Missile Test to Hacked Emergency Sirens in Dallas." TechRepublic. https://www.techrepublic.com/article/cyberweapons-are-now-in-play-from-us-sabotage-of-a-north-korean-missile-test-to-hacked-emergency/.

52 United States. The White House. Office of Management and Budget. By Mick Mulvaney. https://www.politico.com/f/?id=0000015f-931e-ded9-a15f-9bdf94370000.

With a clear perception of the United States as a sophisticated cyber operator, a well-developed hierarchy of national responses to aggression would also serve to deter actions through threats of punishment. A ladder of possible responses to aggression may consist of: diplomatic, economic, cyber, physical force, and nuclear force.53 Currently, all major powers acknowledge the possible damaging power of diplomatic, economic, physical, and nuclear responses. As public and leaked information on cyber capabilities comes to light, the cyber aspect of the deterrence ladder will gain importance for foreign powers considering belligerent actions.

However, it should be noted that in the hierarchy, cyber responses are in a mid-level position; nuclear weapons and regional force projection capabilities will continue to serve as the anchor of the deterrence ladder.

The United States has engaged in cutting-edge, advanced cyber attacks, and these attacks have driven perceptions of the United States as a powerful cyber foe. As a result, many would-be attackers are likely put off from attacking the United States, for fear of overwhelming retaliation.

Threats of punishment may serve as a useful tool to reduce cyber incursions; however, as a result of attribution issues, that tool is limited. As noted earlier in chapter 2, attribution problems are particularly associated with retaliatory actions and, as will be discussed later, norms violations.

Threats of punishment would likely serve as part of a comprehensive deterrence ladder; however, motivated advanced cyber operatives may not be dissuaded by threat perceptions alone.