Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack

TLDR: A formal model is used to explain why there are many low-value anonymous attacks but few high-value ones, showing how different assumptions about the scaling of exploitation and retaliation costs lead to different degrees of coverage and effectiveness for deterrence by denial and punishment.

Abstract: Cyber attackers rely on deception to exploit vulnerabilities and obfuscate their identity, which makes many pessimistic about cyber deterrence. The attribution problem appears to make retaliatory punishment, contrasted with defensive denial, particularly ineffective. Yet observable deterrence failures against targets of lower value tell us little about the ability to deter attacks against higher value targets, where defenders may be more willing and able to pay the costs of attribution and punishment. Counterintuitively, costs of attribution and response may decline with scale. Reliance on deception is a double-edged sword that provides some advantages to the attacker but undermines offensive coercion and creates risks for ambitious intruders. Many of the properties of cybersecurity assumed to be determined by technology, such as the advantage of offense over defense, the difficulty of attribution, and the inefficacy of deterrence, are in fact consequences of political factors like the value of the target and the scale-dependent costs of exploitation and retaliation. Assumptions about attribution can be incorporated into traditional international relations concepts of uncertainty and credibility, even as attribution involves uncertainty about the identity of the opponent, not just interests and capabilities. This article uses a formal model to explain why there are many low-value anonymous attacks but few high-value ones, showing how different assumptions about the scaling of exploitation and retaliation costs lead to different degrees of coverage and effectiveness for deterrence by denial and punishment. Deterrence works where it is needed most, yet it usually fails everywhere else.