Within the last 2 months, the internet has experienced a dramatic escalation in the magnitude of Distributed Denial of Service (DDoS) attacks. First Krebs, then OVH, and finally Dyn. This confirms what we all have feared, which is that the rapid proliferation of insecure IoT devices can turn them into a multitude of evil minions for botnet masters.
Unfortunately, the botnet master can be anyone from a teenager to a nation state. And just as unfortunately, attribution is virtually impossible. The increase in attack magnitude, coupled with an inability to attribute attacks, leaves us in a wholly untenable situation where the basic rules of deterrence do not apply.
Deterrence rests on the complete certainty of who the opponent is, and complete certainty that the opponent can survive the first strike, and strike back.
Our deterrence strategies worked well to deter nuclear proliferation because only nation-states have access to the resources and technologies to get in the game, and among those actors, a basic self-interest in survival underpinned the effectiveness of Mutually Assured Destruction.
In addition, we knew exactly who had nuclear weapons. There are many methods and technologies available for tracking and monitoring the mining and use of nuclear materials and technologies, and we have a fairly accurate inventory. For example, the US could be sure of Russia’s nuclear capabilities and vice versa. Although tense, it was stable.
In the cyber theater, the attribution dilemma essentially nullifies the traditional model of deterrence as previously applied to military strategies of conventional warfare.
Mutually Assured Destruction depends, first, on knowing who your opponent is and, second, on knowing exactly what their capabilities are. In the cyber theater, both of these requirements are virtually impossible to fulfill.
So we need a new model to deal with this old threat. I am surprised that our friends at the State Department have had little to say about recent events and this is evidence that we sorely need a new paradigm.
Specifically, our US Cyber Strategy needs to reinvigorate the arts of Deterrence, Diplomacy, and De-escalation as they apply to the cyber threat landscape.
In addition, as demonstrated by the recent escalation of attack magnitude and the looming IoT crisis, we need to start implementing a no-tech, low-tech, analog redundancy strategy for resilience. Changing the payoff calculus of critical infrastructure attacks is imperative.
Assured Survival through Resilience is the new deterrence paradigm in cyberspace. If our enemies know that we can both survive a critical infrastructure attack and hack back, our critical infrastructure will no longer be a valuable target and we can prevent it from happening in the first place.
Article originally appeared on LinkedIn November 9, 2016.