Bildet viser Håkon Bergsjø, seksjonsleder ved NorCERT sitt operasjonssenter i Oslo Foto: Heiko Junge/NTB Scanpix

WATCHING OUT: Håkon Bergsjø leads Norway's national centre for cyber - NorCERT's - operational centre in Oslo. NorCERT is a department within the Norwegian National Security Authority (NSM) and handles cyberattacks againt critical infrastructure and information. The last weeks they have worked with the ransomware WannaCry. 

Rethinking cybersecurity

Published: 23 May 2017

New Policy Brief: How to ensure deterrence in a virtual world?

In 2016 NATO was targeted by some 500 cyberattacks every month – 60% more than the previous year. Nearly two weeks ago, more than 230 000 computers all over the world were hit by the ransomware cryptoworm Wannacry. Among the systems attacked were Britain's National Health Service (NHS), FedEx and Deutsche Bahn, to mention only a few.

The need for a coordinated defence to secure cyberspace is rapidly growing stronger.

Deterrence in cyberspace

The challenges and dilemmas related to deterrence in matter of defence – more specifically in the cyber-domain – is the subject  of a new NUPI  Policy Brief written by researcher Lilly Pijnenburg Muller (NUPI) and Dr. Tim Stevens (King’s College London).

Simply put, deterrence involves frightening off a potential attack, by getting  your adversaries to believe that you have the capacity to impose upon them significant costs or at least limit their possible gains, should they undertake offensive action against you.

‘Military deterrence in the traditional sense works by demonstrating, for instance through military exercises, that one has a defence capacity, like submarines, tanks and troops.  Being a NATO member state represents another kind of deterrence. Basically, deterrence is everything that keeps an enemy from attacking you as a nation’, Muller explains.

Also read:

Different kinds of cyber deterrence

As within traditional domains, there are several ways to deter in the cyber field.

‘For example, the USA may publicly acknowledge having been hacked, thereby showing that it possesses the capacity to detect a hacker attack. In the Stuxnet case, where a nuclear plant in Iran was sabotaged by an advanced computer worm, the USA has never taken responsibility for the attack, but neither has Washington denied it. That too can be a type of deterrence. The USA gives others the impression that it has the capacity to attack through cyberspace. But as soon as a cyberweapon is used and revealed, its deterrence value drops rapidly’, Muller points out.

A complex matter

In the digital age, deterrence is more complex than flexing muscles through steadily growing weapon arsenals and impressive military technology.

In this context, considerable attention has paid given to the challenges of attribution – being able to determine responsibility or blame. Discovering who is behind a cyberattack can be very difficult – and how do you deter enemies if you don’t even know who they are?

This, in combination with the growing number of more sophisticated cyberattacks, has made clear the need to re-evaluate and modernize Cold War-era deterrence thinking.

Re-orientation

‘The dynamism of the environment, the range of threats, the multiplicity of state and non-state actors and the technical challenges of attribution – all require a reorientation of deterrence posture and practice’, Muller and Stevens conclude in their policy brief, titled Upholding the NATO cyber pledge.

They point out that NATO’s future cyber-deterrence regime will need to look beyond the military aspects and consider the context of adversarial decision-making in its social and political dimensions. Deterrence must be understood as a cumulative process of ongoing offensive and defensive operations that repeatedly demonstrate both intent and capability, as a means of generating credibility.

A better cyber defence?

In 2016, the NATO member states signed the NATO Cyber Defence Pledge, where they recommitted to strengthen cyber defence in their countries in order to protect infrastructures and networks.

On 25 May, the member states gather in Brussels for a summit meeting.

‘We can hope for a reinforcement of the NATO cyber-defence pledge this week. It’s very likely there will be a lot of attention to this at the meeting. As President Trump will be present, there will probably a considerable focus on the role of the USA in NATO – but the cyber pledge is still very recent, and Wannacry is on everyone’s lips nowadays’, Muller adds-

‘Has NATO been too slow in putting cybersecurity on the agenda and taking the threats seriously?’

‘No. NATO was relatively early, and cybersecurity has been on the agenda for two years now. The challenge is – as we have pointed out – how to do this in practice.’

Read more about our research on cyber:

Publications

Projects