April 18, 2022 | SAIS Review of International Affairs

What is the Future of Cyber Deterrence?

Excerpt

Scholars and practitioners alike have debated the feasibility of applying deterrence models to cyberspace. Advocates of “cyber persistence theory,” for instance, posit that deterrence strategies are unlikely to succeed in the cyber domain. In contrast, the Cyberspace Solarium Commission’s March 2020 report advocates for updating traditional deterrence concepts to account for the implications of emerging technologies, calling for the United States to implement a strategy of “layered cyber deterrence.” In this article, we unpack the concept of cyber deterrence from three perspectives: definitional differences; distinguishing between general and specific deterrence; and the role of thresholds. Based on our analysis, we demonstrate why cyber strategies anchored in persistent engagement and near-constant offensive maneuver are insufficient to address the range of threat actor behavior in cyberspace. Instead, we offer a theoretical framework that articulates the conditions under which deterrence is possible in cyberspace. Finally, we conclude by providing policy recommendations for the United States.

Introduction

The question of the applicability of deterrence frameworks to cyberspace is an enduring debate among scholars and practitioners. Deterrence is a strategy to prevent a target from taking an action that the deterrer finds undesirable through manipulating the target’s perception of the costs, benefits, and risks of cooperating versus defecting.1 Deterrence is often associated with the threat of punishment (e.g., threatening to impose significant costs on a target to dissuade them from acting). US nuclear deterrence strategy during the Cold War is associated with this form of deterrence. However, deterrence could also take other forms, such as denial, by making it more difficult for a target to carry out an action through increasing the military costs of doing so, which is prevalent in conventional deterrence; entanglement, by leveraging the interdependence of the deterrer and target; or norms, by creating reputational costs for violating the terms of the threat.2 Deterrence succeeds when the target perceives that these costs outweigh the expected gains and that the deterring state has both the capability and willingness to carry out the threat.3 Therefore, possessing a capability, or even demonstrating a capability, is not necessarily sufficient for deterrence to succeed. The deterring state must communicate to the target its expectations about behavior and consequences for defection in a way that is appropriately understood by the target, making signaling an essential element of deterrence.4

Early academic work on cyber deterrence, largely drawn from nuclear deterrence literature, expressed skepticism that the logic of deterrence could be extended to cyberspace.5 According to these scholars, while cyber capabilities may change the nature of conflict, certain characteristics of cyberspace also create vexing challenges for deterrence and signaling.6 For example, several factors may complicate the effective communication of deterrent threats in cyberspace. These include the preference for operating secretly and maintaining plausible deniability and, by extension, challenges of attribution; the absence of common indices or shared frameworks to help clarify the intent behind observed behavior; and the ways that cyber operations function as ambiguous (rather than clear) signals. Additionally, some purported attributes of cyberspace complicate deterrence capabilities beyond communication, such as the “borderless” nature of cyberspace; the speed with which attacks take place; the low barriers to entry and proliferation of capabilities across numerous actors; and the advantages of offense over defense.7 And finally, there are credibility issues associated with cyber deterrence, particularly in terms of punishment-based strategies, because the lack of violence in cyber operations and the limitations of obtaining strategic effects—the damage that can be inflicted with cyber capabilities in comparison to other military capabilities—raise questions about whether states would actually follow through on the terms of deterrent threats.8

Given these challenges, some academics have extended this line of reasoning to reject the feasibility of cyber deterrence outright, particularly for cyber operations that occur in the competitive space below the level of armed conflict. The emergence of cyber persistence theory, epitomized by Richard Harknett and Michael Fischerkeller’s work, reflects the idea that the absence of traditional sovereignty in cyberspace, coupled with a state of “constant contact” between rivals, poses insurmountable hurdles for deterrence strategies.9 Instead, states should operate continuously in cyberspace to “shape cyberspace ad infinitum.”10 Over time, Fischerkeller posits, norms of behavior and stability will emerge in cyberspace through a process of tacit bargaining, whereby, through continuously interacting in cyberspace, rivals will come to shared understandings of what is acceptable versus unacceptable behavior, an “agreed competition.”11

Dr. Erica Lonergan (née Borghard) is an assistant professor in the Army Cyber Institute at West Point. She is also a research scholar at the Saltzman Institute of War and Peace Studies at Columbia University. Erica previously served as a senior director on the Cyberspace Solarium Commission. Retired Rear Admiral Mark Montgomery, US Navy, is the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. Mark previously served as the executive director of the Cyberspace Solarium Commission. Follow Mark on Twitter @MarkCMontgomery. FDD is a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.

  1. Glenn Snyder, Deterrence and Defense: Toward a Theory of National Security, (Princeton, NJ: Princeton University Press, 1961), 9; Lawrence Freedman, Deterrence (Cambridge, UK: Polity, 2004), 26; Robert J. Art, “To What Ends Military Power?,” International Security 4, no. 4 (1980): 3–35.
  2. Joseph S. Nye, “Deterrence and Dissuasion in Cyberspace,” International Security 41, no. 3 (2016): 44–71; John J. Mearsheimer, Conventional Deterrence, (Ithaca, NY: Cornell University Press, 1985): 14–15.
  3. John J. Mearsheimer, “Nuclear Weapons and Deterrence in Europe,” International Security 9, no. 3 (1984): 21.
  4. In this article, we focus on cyber deterrence between states or their non-state proxies. The challenges of cyber deterrence are compounded when the target of deterrence is a non-state actor, such as a terrorist organization, that is not operating on behalf of a state.
  5. See, for example, Martin Libicki, Cyberdeterrence and Cyberwar, (Santa Monica: RAND Corporation, 2009); Richard L. Kugler, “Deterrence of Cyber Attacks,” in Cyberpower and National Security, ed. Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz, (Washington, D.C.: National Defense University Press, 2009); Emily O. Goldman and John Arquilla, Cyber Analogies (Monterey, CA: Naval Postgraduate School, 2014); Ben Buchanan, The Cybersecurity Dilemma: Hacking, Trust, and Fear Between Nations, (New York, NY: Oxford University Press, 2016).
  6. Lucas Kello, The Virtual Weapon and International Order (New Haven, CT: Yale University Press, 2017); John Arquilla and David Ronfeldt, “Cyberwar is Coming,” Comparative Strategy 12, no. 2 (1993): 141–165; Also see Erik Gartzke, “The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth,” International Security 38, no. 2 (2013): 41–73; Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies 35, no. 1 (2012): 5–32; Brandon Valeriano, Benjamin M. Jensen, and Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion, (New York, NY: Oxford University Press, 2018).
  7. Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks,” Journal of Strategic Studies 38, no. 1–2 (2015): 4–37; Libicki, Cyberdeterrence and Cyberwar; On signaling, see Valeriano et al., Cyber Strategy, which discusses cyber operations as ambiguous signals. On offense versus defense, see Rebecca Slayton.
  8. Erica D. Borghard and Shawn Lonergan, “The Logic of Coercion in Cyberspace,” Security Studies 26, no. 3 (2017): 452–481.
  9. Michael Fischerkeller and Richard Harknett, “Deterrence is Not a Credible Strategy,” Orbis 61, no. 3 (2017): 382.
  10. Fischerkeller and Harknett, “Deterrence is Not a Credible Strategy,” 388.
  11. Michael P. Fischerkeller, “Persistent Engagement and Tacit Bargaining: A Strategic Framework for Norms Development in Cyberspace’s Agreed Competition,” Institute for Defense Analyses, (November 2018).