The Short Life and Quick Death of Cyber Deterrence (How I Learned to Stop Worrying and Love Cyber)
21 Pages Posted: 23 Apr 2016
Date Written: April 17, 2016
In 2015, the United States took three significant steps to developing a cyber deterrence policy. In April, the Department of Defense released the DoD Cyber Strategy. At the same time, President Obama issued an Executive Order authorizing sanctions against cyber actors. And in December, the White House released its long-anticipated cyber deterrence policy. Specifically, the White House policy is built on a two-element strategy of deterrence by denial; and deterrence through cost imposition. Unfortunately, the White House policy does little to address or answer the thorny questions raised by the reality of today's cybersecurity environment. First, the policy relies on traditional notions of deterrence that may have been effective in prior nuclear and non-nuclear contexts, but it ill-suited to cybersecurity. Second, the policy focuses primarily on defensive strategies and does not confront the reality and likelihood of offensive counter-operations. Third, insomuch as deterrence is a public relations communications strategy and psychological game backed by capability and credibility, the United States has a poor track record of deterring cyber-attacks.
To understand this problem, my research begins with a brief historical review of the development of deterrence theory, in particular as it relates to conventional war and the Cold War. Next, I turn to the development of cyber deterrence as a strategy of the American government, and in particular, recent efforts by the United States to define a cyber deterrence policy. In that light, I examine the White House cyber deterrence policy from a historical and critical perspective, and especially given the distinct characteristics that distinguish cyber deterrence from traditional deterrence. Finally, this paper will discuss whether deterrence is even a reasonable strategy in the cyber environment.
Ultimately, this paper concludes that the current synthesis of cyber deterrence is unworkable and ought to be scrapped. As a result, cyber deterrence as an overall public relations strategy should be de-emphasized as part of an aggressive cyberspace strategy that acknowledges both defensive and offensive capabilities. To be sure, sub-components of the current policy, like strengthening networks to reducing the incentive to conduct cyber-attacks, are laudable goals that the United States should continue to pursue. However, relying on deterrence by denial as a publicly communicated strategy to discourage attacks has failed, and continues to fail with each new attack. Instead, American efforts should focus on improving attribution, not as a deterrent measure, but to allow policy makers the ability to respond to attacks with offensive cyber capabilities.
Keywords: cybersecurity, cyber, deterrence, cyberattack
Suggested Citation: Suggested Citation