Deterrence is based on the elements of denial (denying an adversary’s attempt to attack our interests) and punishment (inflicting unacceptable costs to the attacker in reply for having conducted the attack). At present, most U.S. cyber deterrence efforts have been defensive. And, so far, the United States has yet to reply to a cyber-intrusion with punishment via a cyber operation. Although a state could pursue deterrence via defense alone, without both elements – denial and punishment – deterrence will be weak or fail. To date, cyberspace operations worldwide have been dominated by the offense of malicious actors and the absence of retaliatory punishment by the United States.
Deterrence via denial alone is hard and without an enormously increased commitment, likely impossible. The cyber victim is always in the hopeless position of trying to discern what adversary accesses exist in one’s networks and how to stop such malicious intrusions. Adversary capabilities are written specifically to enter these networks surreptitiously and conduct malicious operations in secret.
Deterrence via punishment is hard as well. Many cyber response operations cause little pain to the attacker. And a deep commitment to international law makes it difficult for the United States to contemplate and conduct cyber operations that might violate state or third-party sovereignty, or inflict enough pain that subsequent attacks are successfully deterred.
Successful deterrence requires the demonstration of both defensive and offensive capabilities – through exercises, technology demonstrations, and so forth – in order to signal and warn adversaries. Successful deterrence is not achieved by a robust, threatening public statement alone, but should be combined with a demonstration of capabilities. Deterrence was effective in the nuclear age, for example, not by the publication of declaratory policy, but by the fielding of thousands of protected, redundant, and openly tested nuclear weapons, all supported by a robust command and control apparatus, and exercised frequently at the highest levels of the U.S. government. U.S. resolve was proven through its clear capabilities to retaliate against potential attackers.
The goal for cybersecurity, therefore, should not be to appear non-threatening, but to appear extremely capable in cyberspace in order to deter malicious and destructive cyberspace actions through the credible threat of retaliation. Additionally, this goal must include demonstrating that capability when necessary. Were the United States to suffer a renewed high crime rate, for instance, it could not expect to improve such a climate without policing malicious behavior. The same applies in cyberspace. The United States cannot expect to improve the current climate where many malicious actors use cyberspace to utilize weapons against U.S. critical infrastructure, steal intellectual property, or advance terrorism planning and recruitment without an established and prepared form of retaliatory punishment.
Furthermore, the United States cannot develop norms in cyberspace unless it has developed and exercised capabilities for the domain. A state cannot develop norms at sea, for instance, unless it has ships at sea and the will and the means to create norms through practice. The United States cannot achieve the outcome it desires without conditioning the behavior it expects. There are many ways to set the parameters for a contested space, such as attributing shame for and, if necessary, punishing activities that go beyond accepted norms.
Norms are created through common state practice; over time, some norms are codified into customary international law – practices mutually conducted and accepted by states. Such norms, for example, became the basis of the Law of the Sea, conduct in space, and treatment of warships at sea. Therefore, intrusions conducted against the United States but left unanswered will begin to gain a level of international acceptance, no matter how many demarches or norms are advocated diplomatically. Thus, good cyber deterrence policy is a combination of both international norms established on paper within international forums, as well as clearly executed and well-signaled responses to unacceptable activity.
In the cyberspace domain, however, the United States cannot demonstrate its cyber capabilities to the world at an airshow or weapons fair, or in retaliation to an attack without revealing – and therefore forever losing – such capabilities. In the nuclear age, tests and fielded weapons made nuclear deterrence real and credible. In the cyber age, a state cannot reveal its cyber code and accesses into adversary networks without losing both to the adversary. Thus, the United States has generally refrained from establishing clearly marked red lines in the cyber world, opting instead to lead by example by not stealing proprietary information or attacking the critical infrastructure of another state.
Thus, the United States runs the very real risk of trivializing cyber attacks, such as during the instance of the November 2014 North Korean attack against Sony, the denial of service attack against TV5Monde in France in April 2015, or the December 2015 and 2016 cyber attacks against Ukraine’s electrical power grid. Instead of retaliation, the United States labeled these events as “vandalism” and abstained from punishing the attackers. In response to such attacks, the United States often dithers on both a cyber and whole-of-government reply, thereby sending the message that such activities will not be met by any sort of robust, punitive U.S. or international response – cyber or otherwise.
Heavy reliance on the internet for many aspects of contemporary life may render the United States especially vulnerable to cyber operations, but it does not change the characteristics of deterrence. Denial and punishment remain at the core of deterrence. Cyberspace is but one delivery mode – a single domain – for capabilities to inflict punishment on an adversary, though punishment need not necessarily come through the cyber domain in response to a cyber-domain attack.
Almost always, warfare involves most or all military domains; the introduction of the cyber domain will not change this fact. Deterrence is effected through defense and the threat of punishment via all domains; cyberspace does not change this reality either. There likely will be no “cyber deterrence” strategy that claims cyberspace alone can deter all wars, control theater conflict, dissuade states and non-state actors away from espionage or intellectual property theft, or deter terrorist use of the internet.
The Danger in Not Inflicting Punishment
There is, however, a perverse danger to not acting in response to malicious cyber activity. Although it may be hard to deter states and non-state actors from many forms of malicious cyberspace activity, it is imperative that the United States respond to such activity.
Adversary states likely assume today that the United States has at least the cyber capability and intent that they have, if not superior capabilities. In fact, most states likely assume the United States is the world leader in cyberspace capabilities, whether it is or not. Therefore, somewhat perversely, assuming that our adversaries likely think the United States is already in their networks, or at least could be during a crisis, our adversaries might become emboldened to escalate a crisis if the United States were to not use cyberspace capabilities to control a crisis. Since we are more capable, they assume, inactivity would be evidence of a lack of capability. Why wouldn’t the United States hit back following a cyber attack or severe malicious cyber activity?
Similarly, assuming that adversaries think that the United States is already in their networks, in a crisis, adversaries might assume that the United States is going to attack their networks and, therefore, believe they ought to preempt such an attack in cyberspace. By not having such a cyber capability ready or a policy in place to retaliate against unacceptable cyber activity, the United States may only place itself at greater risk of escalation. As a crude analogy, if the U.S. voluntarily were to eschew use of airpower in confrontations with adversaries, where it was assumed U.S. airpower was highly capable, the United States might suggest over time that its airpower was not as strong as thought. Therefore, the U.S. may not be advancing good cyberspace behavior by not responding to cyber attacks via cyberspace from time to time.
Commanders today assume that suspicious outages in cyberspace may be part of a conflict or confrontation with a capable state or non-state actor, given that cyberspace is a warfighting domain through which attacks can and occasionally do occur. Such a fact could work in the U.S. favor: adversary commanders would assume that the slightest, direct confrontation with the United States might lead to complicated and subtle cyber failures in their networks and critical infrastructure. Just as the advent of nuclear weapons made even small, direct conflict between the United States and the former Soviet Union far more dangerous – theoretically, escalation could lead to nuclear war. Similarly, states may conclude that they must avoid any and all confrontation with the United States, lest they risk complicated cyberspace attack in response.
Deterrence is a function of establishing redlines, denying benefits, and imposing costs. Each military domain contributes differently to warfare; operating in each domain carries costs and benefits. All such domains work best when they work together. The United States must provide international leadership for the development of functional peacetime norms in cyberspace. If the United States does not contribute to shaping the domain, it will inevitably be forced to react to norms set by others, favorable or not.
Whereas most nations tend to respect the traditional rules of peacetime behavior in the land, sea, air, and space domains, many adversaries exploit cyberspace today and ignore traditional rules of conduct, warfare, and sovereignty. If nations cannot agree diplomatically on general concepts and rules of behavior in the cyberspace domain, the United States cannot realistically expect malicious actors to respect the norms it voluntarily imposes on itself in cyberspace. Malicious actors will have to be made to see the benefits of adhering to a stable international relationship within the cyber domain.
At the moment, adversaries are putting cyberspace capabilities on U.S. networks and threatening its critical infrastructure and key resources. If the United States were not to do the same, adversaries would enjoy a perverse advantage. In a sense, the United States may be behind some adversaries in a new era of “mutual disruption,” where states can threaten mutual strategic cyber-attack on each other. If the United States does not move to a relationship that is indeed mutually threatening, it may very well create the very instability it seeks to avoid. It would be akin to thinking that in order to deter nuclear war with the former Soviet Union, the United States should never build nuclear weapons.
Deterring Kinetic Conflict via Cyberspace
“Cyber deterrence” may seem to imply that deterrence of malicious cyber activity only occurs through the employment of defensive and offensive cyber capabilities. But malicious cyber activity does not have to be deterred necessarily by cyber activity. Malicious cyber activity can be deterred by defense and punishment through the other domains and through a whole-of-government approach, including sanctions, public attention, diplomacy, and private sector activity.
Likewise, malicious kinetic activity by adversaries outside of the cyber domain may be deterred – at least in part – by U.S. cyberspace operations. The United States, therefore, ought to use both kinetic and cyberspace capabilities to deter traditional kinetic conflicts. This is what is meant by the phrase, “cross domain deterrence.”
Until the United States demonstrates the willingness to use cyber or other capabilities to punish unacceptable behavior in cyberspace, threats of punishment alone will continue to ring hollow, and defense alone will be insufficient. It may sound contradictory, but if the United States wants to reduce the number and severity of malicious cyber operations against it, it must attack back more often. Malicious cyber actors are currently shaping cyber norms. If the United States aims to develop credible deterrence, it must act, and preferably act in all domains. There is much that can and must be done, consistent with international law, to deter cyber or traditional conflict through the cyber domain.
The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the U.S. government, the Department of Defense, or the National Intelligence University.