Given that the most serious threats in cyberspace are other state actors and their proxies, traditional thinking is focused on deterrence. Yet there are significant challenges for cyber deterrence.

The concept of deterrence was originally developed during the rise of nuclear technology. It relies on second-strike capabilities of opponents and complete certainty of who the opponent is, that it can survive the first strike and that it can strike back. This is known as mutually assured destruction (MAD).

Deterrence strategies have worked well throughout history to deter nuclear proliferation because only nation-states have access to the resources and technologies to get in the game. Of those actors, a basic self-interest in survival underpins the effectiveness of MAD.

There are many methods available for monitoring the mining and use of nuclear materials and technologies, and we have a fairly accurate inventory. In the cyber theater, however, the cyber attribution dilemma essentially nullifies the traditional model of deterrence as previously applied to military strategies in conventional warfare. As mentioned, MAD depends on knowing who your opponent is and understanding their capabilities for a second strike. In the cyber theater, both of these requirements are virtually impossible to fulfill.

What Are the Top Challenges to Cyber Deterrence?

Because of the inherent architecture of the internet and threat actors’ ability to obfuscate the source of an attack, it is nearly impossible to attribute attacks with a high degree of certainty. This results in a cyber attribution dilemma whereby the need to impose the costs necessary for cyber deterrence is juxtaposed with the potential costs of misattribution.

1. Misattribution

Many are concerned about the dangers of misattribution in cyber warfare and the potential escalations it could cause. The current deterrence paradigm of mutually assured disruption — the equivalent of MAD in the cyber arena — has a high risk of escalating into a tit-for-tat exchange as a result of a false accusation.

2. False Flags

Adversaries have historically used false flag operations to make an operation appear as though it was perpetrated by someone else. Because of the cyber attribution dilemma, false flags are much easier to execute in cyberspace, where the challenge of attribution already exists. False flags in cyberspace exploit this existing uncertainty and further compound doubt by casting suspicion on other actors.

3. Plausible Deniability

The attribution dilemma also gives threat actors the benefit of plausible deniability, further reducing the risks and costs associated with cyber actions. If you can’t be certain who is responsible, once again, you can’t impose costs without risking imposing the costs on the wrong actor.

In the Absence of Attribution, Resilience Is Critical

The stakes are high in cyberspace and growing daily. Deterrence rests on enterprises’ ability to impose costs or deny gains. Without the ability to impose costs while avoiding misattribution and escalation, denying gains and surviving cyberattacks through resilience is hypercritical.

Advanced attacks executed by sophisticated actors who know how to stay under the radar often cause the most damage. Adopting threat hunting in your security operations center (SOC) can help reduce dwell time as well as the cost and impact of attacks.

Read the SANS threat hunting survey

More from Threat Hunting

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

RomCom RAT Attack Analysis: Fake It to Make It

The RomCom RAT has been making the rounds — first in Ukraine as it went after military installations, and now in certain English-speaking countries such as the United Kingdom. Initially a spear-phishing campaign, the RomCom attack has evolved to include domain and download spoofing of well-known and trusted products. In this piece, we’ll break down current RomCom realities, dive into the problems with digital doppelgangers and offer advice to help secure software downloads. RomCom Realities Despite the name, there’s no…

A Perfect Storm: 7 Reasons Global Attacks Will Soar in 2023

In 2023, the global annual cost of cyber crime is predicted to top $8 trillion, according to a recent Cybersecurity Ventures report. This seemingly enormous figure might still be a major underestimate. In 2021, U.S. financial institutions lost nearly $1.2 billion in costs due to ransomware attacks alone. That was a nearly 200% increase over the previous year. If we continue at that rate, next year could see global costs approaching $16 trillion. Why might costs be so high? Here…

Beware of What Is Lurking in the Shadows of Your IT

This post was written with contributions from Joseph Lozowski. Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT is the use of any hardware or software operating within an enterprise without the knowledge or permission of IT or Security. IBM Security X-Force responds…