The National Academies of Science functions in part to provide independent scientific advice to the US government. In that capacity, the office of the Director of National Intelligence contracted with the NAS to look into the prospects of developing cyberwarfare capabilities that are sufficient to deter an attack on its national infrastructure. The NAS has recently submitted a progress report on its efforts, and the dry text of the introductory letter (the report is termed, "The first deliverable for Contract Number HHM-402-05-D- 0011") obscures a sometimes fascinating look into how the cold-war thinking that drove the development of the concept of nuclear deterrence fails to scale to the networked world. That may seem like a statement of the obvious, but the report points out that deterrence was actually a fully fleshed-out conceptual framework, and there is a significant parallel between cyber and nuclear weapons that's a major component of this framework: it's much easier to engage in offense than defense. "Passive defensive measures must succeed every time an adversary conducts a hostile action, whereas the adversary’s action need succeed only once," the text notes, and recent history is replete with evidence that hostile actions can easily succeed far more often than once.
So, the prospect of mutually assured cyberdestruction might seem to offer the possibility of a framework that's at least similar to the one that governed the world of nuclear weapons. The body of the report, however, focuses on the various reasons it probably doesn't.
Perhaps the biggest reason is that, for deterrence to work, we and our adversaries have to have a rough idea of each other's offensive capabilities. "Classical deterrence theory bears many similarities to neoclassical economics, especially in its assumptions about the availability of near-perfect information (perfect in the economic sense) about all actors," as the report notes. Leaving aside the shortcomings of these assumptions in neoclassical economics, this simply doesn't describe the current reality.
Right now, the US has chosen to keep its offensive cyber weaponry entirely classified and, since there's no launch infrastructure or physical indications of testing (hallmarks of nuclear weaponry), nobody is likely to develop a complete picture of what we can do. The US is unlikely to disclose its capabilities because, in contrast to nuclear weaponry, knowing these capabilities may help adversaries plan defenses. It may be somewhat effective as a deterrent—it's generally assumed that the US has the most potent capabilities around. But it leaves the US in a situation where it is counting on everyone to assume it has the weapons.
This post is excerpted from the Ars Technica article, Modeling cyberattack deterrence on nuclear deterrence fails, by John Timmer, April 6th, 2010.
For more on cyber attack deterrence, visit Ars Technica.