Deterrence Theory and Cyber Context

The author will approach deterrence in the cyber realm in a similar fashion to the earlier mentioned Joseph Nye article; in particular disregarding fanciful ideas of total prevention and focusing on a reduction of incursions and dissuasion. Nye lists “four major mechanisms to reduce and prevent adverse actions in cyberspace: threat of punishment, denial by defense, entanglement, and normative taboos,” and also notes the latter two are not strictly considered deterrence; although views them as important and useful from a policy perspective.

Punishments are the direct retaliatory use of force against aggressors, or more accurately, the threat of retaliation that will deter aggression. Punishment in the cyber realm is also the most difficult as a result of attribution issues and, in the United States, a reticence to reveal offensive capabilities to the general public. However, while deterrence through punishment is difficult and frequently criticized in cyberspace, it is still a valid option and may grow in importance if attribution capabilities also improve.

Denial by defense as deterrence is increasingly gaining in importance as cyber operations are approached in less absolute terms. Hardening of important systems and developing resilience and recovery capabilities changes the value judgements of attackers. Where previously cyber operations may have been effective and cost efficient, if cyber defenses improve then future

attackers may be dissuaded due to the low chances of success. Further, if systems are hardened and easily recoverable, there is even less value in aggressive infiltration operations and the risks to the attackers of retaliation further alter the calculations. Nye discusses this aspect of deterrence in cyber by bringing up disparate fields, such as public health models, where proper

“cyber hygiene” may aid in preventing unsophisticated hackers from affecting important systems. While more sophisticated attacks may get through, if the majority can be prevented through improved defensive measures that is progress.

In addition to mechanisms of classical deterrence, Nye also looks to Glenn Snyder's definition and concept of “Broad Deterrence” that includes ideas of entanglement and norms.

Entanglement, as used by Nye, “refers to the existence of various interdependencies that make a successful attack simultaneously impose serious costs on the attacker as well as the victim.” An example in the world of cyber would include a hostile power not engaging in aggressive cyber operations due to the value of the internet and a global open cyberspace to their economy. There are examples of this phenomenon occurring in other areas as well, particularly between great states that are competing economically and militarily. This additional factor is interesting to examine when analyzing the future of cyber, the internet, and economies. As the internet and technology contributes more and more to economies around the world, entanglement may reduce state sponsored operations in favor of fostering an open and profitable environment.

Norms and taboos are in the earliest stages of development with regards to cyber. Past examples in history would be with regards to nuclear weapons. While tactical nuclear weapons and miniaturized versions were considered for conventional usage, over time the concept fell out

of favor and in the present nuclear weapons are seen as a last resort option that should never be used except for in the rarest of instances. If a state were to use nuclear weapons, unless circumstances were dire, they would assuredly receive international condemnation. Cyber may also develop these elements if nation states take the lead to proactively put limits on how cyber will be used in the future. Similarities could be seen to biological and chemical weapons bans and agreements, where while some actors did maintain and use them, they were considered to be largely taboo in the international community. The United States and Chinese governments have offered international legislation in this direction, although currently there is still little beyond the beginnings of norms development.

From this theoretical approach, the author will analyze the respective subjects and their unique cases. In the case of the United States, there are also points that may be examined through this framework. Threat of punishment has developed a growing group of supporters in the United States, and it all ties into how attribution technology will develop to aid in this strategy. Denial by defense has also been improving, as a new cyber posture is developing in the United States armed forces and new technology is being rolled out for this specific purpose. Entanglement may be seen in how the United States approaches its interactions with Russia, and other major states, to deter future hacks. For example, direct negotiations with foreign officials on this subject, and in particular China.²⁰ Lastly, the United States has been involved in developing norms and taboos with foreign powers to reduce cyber incursions, especially with China because of the strong economic ties found between the two nations.

20Harold, Scott W. "The U.S.-China Cyber Agreement: A Good First Step." The Rand Blog (blog), August 1, 2016.

Accessed March 26, 2018. https://www.rand.org/blog/2016/08/the-us-china-cyber-agreement-a-good-first-step.html.

In the case of Russia, one can examine all four points. Regarding threats of punishment, it is most interesting to examine how Russia has used cyber to undermine traditional notions of deterrence by its geopolitical rivals.²¹ Further, it has maintained cyber capabilities that likely prevent operations from rivals such as Ukraine and Georgia. Russia has also managed to break through many states defenses, leaving many scrambling to develop better denial capabilities.

Entanglement is also likely at play, preventing Russian operatives from engaging in direct kinetic cyber operations in already compromised systems, for example in Ukraine.²² Norms and taboos may also be involved, as Russian operatives are not known for kinetic operations. This may be because of an inherent fear of reprisals in that regard. The author will more fully elucidate all of these points in each state's respective chapter.