Applying Traditional War Theory to Cybersecurity

Cybersecurity is one of the biggest threats affecting the global economy. Identified by the World Economic Forum as one of the top ten global risks both currently and in the future, it is estimated to cost an annual $10.5 trillion by 2025.With the rising risk and cost of protecting personal data, governments, policy makers and researchers are pooling their resources to build a more robust cybersecurity strategy.

Alex Wilner, a researcher at Carleton University’s Norman Paterson School of International Affairs and director of the Infrastructure Protection and International Security program, is part of this collaborative effort. Wilner is a leading expert in deterrence theory – a traditional wartime theory that refers to the practice of how to deter attacks – and is expanding its scholarship to apply to cyberspace.

A black and white headshot of a professionally dressed man wearing glasses.
Carleton University researcher Alex Wilner

“Deterrence is about keeping you safe from attack by convincing an adversary not to attack you in the first place,” Wilner says.

“We’re looking at how to do that in the complicated and vast world of cyberspace.”

Cybersecurity & Cyber Deterrence

Deterrence theory is technically very simple – a defender needs to convince an aggressor that either the costs of attacking are too high, or the benefits of doing so are too low. This concept dates back to the Cold War when the United States and the Soviet Union deterred invasions through threats of nuclear retaliation.

Since then and with the growth of the internet, security threats have expanded to cyberspace. In response, Wilner is modernizing traditional deterrence theory to make it applicable to cyber threats. With his team of 10 Carleton graduate students, Wilner has compiled data on the types of cyber incidents that are happening in Canada and abroad to better understand who is conducting these attacks and how to deter them.

“When you download and use a new app, engage with digital commerce, or register for certain provincial or federal services, your information is at risk of capture,” Wilner explains.

The cyber attacks Canadians face vary from malware, which leads to unauthorized access and theft of sensitive data; spyware, which collects and sends information to a third party; phishing, which gain access to personal or business information through fraudulent emails; and ransomware, which locks users from accessing their data, forcing them to pay a ransom to regain control.

A person using a laptop with a warning message displayed on the screen.
Tippapatt / iStock

“The vast majority of cyber attacks are not stemming from a central government or military trying to penetrate your computer, and steal data for intelligence purposes,” says Wilner. “Rather, it’s a criminal syndicate stealing your data in order to sell it.”

Influencing Cyber Policy

With a better understanding of emerging cybersecurity threats, Wilner is working with the Department of National Defence, Global Affairs Canada, and others, to develop Canada’s cyber deterrence posture. The posture will define unacceptable behaviour in cyberspace and outline what retaliation can be taken as a result of engaging in that behaviour.

“We’ve done this in the physical world. We know that certain behaviours – like using chemical weapons, political assassinations, and torture – cross a red line. But where is that line drawn for cybersecurity?” Wilner asks.

“If we can create a better understanding of how we will respond to various forms of cyber aggression, then we can diminish even the most severe types of cyber attack.”

Group of soldiers or spies in dark room with large monitors and advanced satellite communication technology.
Evgeniy Shkolenko / iStock

Part of the solution may entail building a version of an extended deterrence relationship between the Canadian government and everyone else. Governments and militaries have the ability to retaliate to cyber aggression using both cyber and physical means. But no provincial or municipal government, private or non-profit actor, or individual can do the same. It’s not lawful, nor do they have the means. In extended deterrence, the central government deters malicious activity on behalf of others.

Looking Ahead: Artificial Intelligence

With the recent rise in the use of artificial intelligence (AI), the Carleton researcher is looking at ways in which AI may facilitate deterrence by speeding up how we collect, assess and act on intelligence.

“What is concerning many experts in the field is the pairing of AI with weapons and robotics, effectively providing faster-than-life responses to traditional aggression. If that future emerges, it won’t only influence the ethics of warfare, but will fundamentally alter how we think about and apply deterrence to international affairs,” Wilner warns.

Wilner first became interested in deterrence theory after al-Qaeda’s 9/11 attack and went on to emerge as a leading figure in the field of terrorism deterrence. Now he is hoping his timely work on cyber deterrence will help address cybersecurity issues that plague Canadians every day.

An over the shoulder view of a hoodie wearing computer user typing in front of a keyboard, in front of several computer monitors.
Evgeniy Alyoshin / iStock

“Right now, online attackers feel untouchable. We need them to know that if they come for us, whether it be our infrastructure, our businesses, or our people – that we have the means, the right, and the will to retaliate as required.”

You might also like

Latest articles