Cyber Attacks, Attribution, and Deterrence: Case Studies Stuxnet Attack on Iran, LulzSec, and Estonian Attacks, Protection of Cyberspace and Digital Infrastructure as Vital to National Security

This excellent report has been professionally converted for accurate flowing-text e-book format reproduction. The purpose of this monograph is to examine the role of a defender's ability to attribute a cyber attack and its effect on deterrence. Conflict in cyberspace is constantly evolving and deterrence might provide stability and understanding of these conflicts. Because of the speed at which cyber attacks can occur and the rate at which they can spread, it is important to understand how countries using cyber weapons frame the problem.

The method used in this paper is controlled comparison of three different cyber attacks: the 2007 attacks on Estonia, the Stuxnet attack on Iran, and the LulzSec attacks multiple targets in 2011. These three events bore the similarity that defenders could not immediately attribute the attack to an actor. This attribution problem influenced how the defenders responded to the problem.
Upon further research, however, it became apparent that attribution was not the defenders' biggest problem in two of the three cases. Attribution may not always be immediately available through technical means, but eventually defenders had enough information on which to act. At this point, other problems arose, like escalating a cyber conflict with a far more powerful neighbor or determining how to respond without a cyber capability of one's own. These cases demonstrate attribution is a necessary but not sufficient cause for responding to a cyber attack and that defenders have many response options available, from technical defense of their networks to escalation of the conflict to kinetic military strikes.

Additionally, cyber deterrence does not require the high levels of attribution that some theorists argue. Instead, a counterattack can rely on a lower level of attribution because the target is typically a known adversary and because the results from a cyber attack are generally much lower than the effects from a kinetic attack. Thus, because of the need for a state to respond to cyber attacks in kind and the lower attribution requirements, an offensive cyber capability is both necessary and useful.

Dettagli