By Wen Baihua, Visiting Fellow to RSIS
After a long discussion, White House, finally delivered Cyber Deterrence Strategy to make an excuse for developing offensive cyber power, and meanwhile, win trust from its alliances. But actually, Cyber Deterrence Strategy stems from fear in mind other than for justice, and cannot "Make sure our politics reflect America's best" as Obama's final State of the Union said.
The Cyber Deterrence Strategy has been debated overseas and domestically ever since Obama took office in 2008, when America began to pursue Cyber Deterrence Strategy. Of all four pillars of Cyber Deterrence Strategy, (a) transparency, (b) response strategy, (c) resiliency, and (d) denial of attacks, the most concerned issue by international society is about its ability of "denial of attacks".
Denial of attacks can be reduced to (a) deterrence for cyber threats (i.e. U.S. nuclear, conventional weapon or economic sanction for cyber threats), (b) deterrence in cyberspace (i.e. cyber resilience ability, cyber defense ability and cyber attributing ability in cyberspace), and (c) retaliation through cyberspace, which refer to offensive cyber ability to stop cyber attack. It is retaliating through cyberspace that caused the biggest controversy.
Actually, offensive cyber power has been treated as another political option for Obama to snatch national, political, economic, and military interests for their own, just as demonstrated in hacking into Merkel's cell phone for German detailed decision-making response to Greece debt crisis and hacking into Japan Finance Minister's cell phone for finance policy in advance, and finally be bound to bring about a militarized cyberspace.
U.S.offensive cyber ability among Cyber Deterrence Strategy will only lead the world to a more uncertain future in a long run
Apparently, there is clear difference between offensive cyber retaliation and offensive nuclear revenge. Offensive cyber ability is more like a conventional weapon in information times other than strategical one like nuclear weapon. And its policy threshold would be difficult to define due to its secrecy or low visibility, in stark contrast to offensive nuclear revenge.
One country's cyber deterrence will only lead to another country's investment in offensive cyber ability to make sure their own security in mind, because of strategic panic, and that will eventually spread globally, not like nuclear deterrence in cold war times.
The European countries, including Britain, German, France and Italy, would most probably occupy cyber battlefield more independently, other than depending on U.S. during cold war times in traditional security fields, and their policy will be more inclined to focus on cyber deterrence too.
Brazil, India, China, Russia, Japan, and South Korea, all desire to and have great potential to become cyber powers. For Israel, Iran and the DPRK, offensive cyber weapon is a natural strategic tool to fight for survival.
To the contrary of what Painter once said firmly in 2015, U.S. Cyber Deterrence Strategy cannot absolutely make global cyber ecosystem more stable.
Even Huge investment on offensive cyber ability cannot secure U.S. cyber security
According to Snowden documents, U.S. has invested a series of offensive cyber programs to shape entire ecosystem in cyberspace. But they still have to admit that "high confidence attribution in real time remains difficult". Three recent significant cases can also demonstrate the limit of this unilateral cyber ability:
(a) 2014 JPMorgan Chase hack, was just a classic cyber economic crime, other than done by Russia, as U.S. declared at the very beginning. (b) Until now, U.S. still do not have 100% confidence in attribution, and still reluctant to divulge evidence of the DPRK's role behind the Sony Picture hack to the international community. (c) Only through joint investigation between America and China in 2015, the attack on U.S. OPM turned out only to be another cybercrime case.
It will become more and more difficult to control cyberspace, even with offensive cyberspace operation with the evolution of cloud computing, internet of things, Quantum Communication.
If only more countries would invest on constructing direct telecommunicate chain bilaterally, just like the Brazil-Portugal submarine cable project, to bypass the North American continent's telecommunication chain, America would lose more confident in massive and global internet data monitor.
Reckless offensive cyber ability poses a serious threat to global digital economy
Obama must envisage the negative impact from its current Cyber Deterrence Strategy on global digital economy, which created and propelled by themselves.
On one hand, digital economy have no national boundaries, but the digital industry companies have state hood. International ICT companies may be compelled by its motherland national policies or laws for unilateral national interests, just as demonstrated in the Stuxnet and Prism Project, and recently Apple decipher case.
On the other hand, national offensive cyber ability, which once originated from the international hack market, is still fueling the prosperity of the international hack market at these times. The digital economic company and its products have become the primary goal under attack by the hack market.
These two factors have caused digital economies suffer embarrassment and struggle between pursuing its host national security and global market sharing. Digital economy is doomed to be scapegoat behind of these international game. Their social value can be said to be sinking into whirlpool pushed by reckless Cyber Deterrence Strategy.
What Obama really intended to do, through continuously interpreting Cyber Deterrence Strategy, is not only to win alliance's trust, but also anchor their hope on winning buffer time for its cyber power to mature in the future.
But the asymmetric nature of cyberspace determines that no single cyber power can totally control cyberspace. Facts have proven and will again prove that collective security has more value in the era of globalization than unilateral security in cyberspace.
The responsible state, especially the leading cyber power, should be more cautious in developing its Cyber Deterrence Strategy, and constrain developing and wielding offensive cyber ability.