DSBlog

Cyber Threats: To Deter or Not To Deter

Sep 20, 2011

Should governments pursue the cyber-space equivalent of the Cold War era’s doctrine of mutually assured destruction, or a similar form of deterrence?

At the Brookings Institution today, two experts debated the cases for and against cyber-deterrence. Dmitri Alperovitch, a former vice president at McAfee and author of the recent report Revealed: Operation Shady RAT, faced off against Ralph Langner, who led the team that cracked the code revealing the Stuxnet malware’s final target in Iran.

According to a Brookings summary of the discussion, Alperovitch presented a case “for a strategic declaratory deterrence policy to counter highly destructive cyber threats from nation-state actors against critical infrastructure and other crucial national security and economic assets.” (This sounds similar in some ways to what the White House declared in early summer.) Langner, on the other hand, argued “that deterrence is unlikely to prevent intense cyber war and cyber-terrorist attacks because they can be carried out by small international teams and prepared months or years in advance. He also [pointed] out cyber attacks against critical infrastructure and terrorist targets such as chemical facilities and nuclear power plants can and must be prevented by solid cyber protection.”

In a subsequent interview with a Washington Post blogger, Langner noted: “The bigger problem that we have with Stuxnet is not the virus itself – it is that various exploits used in Stuxnet can be copied and can be used against targets .... These systems remain vulnerable. These systems cannot only be found somewhere in Iran – they can also be found, for example, in U.S. power plants, chemical facilities, in production facilities for food and beverages, et cetera.”

To listen to a podcast of the Brookings debate (one hour and 20 minutes), click here.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.