Does cyber deterrence exist?

What are the US options if cyber deterrence is an intractable idea? Jake Bebber has a few ideas.

Estimated time to read:  2 minutes

By Marcus McNabb

Much has been written about American adversary use of cyberspace as a way to threaten American interests and degrade American credibility and freedom of action. These discussions typically revolve around cyber deterrence, with an analysis of why the US is ineffective at deterring adversarial cyber actions and perhaps some ideas on how to improve. But this approach makes the unstated assumption that cyber deterrence is a plausible ideal. Given the low cost of entry, widespread applicability, reach, speed, and other advantages of operating in the cyber domain, perhaps deterring action is not a feasible approach in this environment.

Jake Bebber argues that the “blended, interrelated nature” of cyberspace makes it difficult to establish concrete rules and roles, which ultimately complicates target discrimination and “makes calculating proportional responses problematic.” Instead, Bebber proposes an alternative to deterrence in cyberspace. He claims that a more effective approach is to embrace constant contact, move from trade-off models to synergy models, and transition from coordination to integration. Ultimately, he says “security is achieved not through imposed norms but through retaining the ‘cyber initiative’ — the operational outcome of effectively anticipating the exploitation of cyber-related vulnerabilities.”

This article is an excellent start to the conversation of the evolution of US cyber policy and strategy, but it does leave much of the details unexplored. The ambiguity of the dividing lines between civilian and government structures in cyberspace makes fratricide nearly unavoidable, particularly if one is to be offensively prolific. Stuxnet provides a perfect warning bell in this area as the code from this attack vector spread to over 10,000 computers worldwide. From a military perspective, domain overlap of cyberspace with the traditional domains owned by the services makes operating rules difficult to implement. The DoD is grappling with this very question now as US Cyber Command works to establish command and control relationships within the broader service and combatant command construct. But the existence of these challenges does not take away from Bebber’s excellent ideas of moving away from the intractable idea of cyber deterrence to a more realistic offensive-based approach. OTH would recommend taking a few moments to read his article in its entirety.

Marcus McNabb is an Air Force officer with over 13 years of academic and operational experience as an operations research analyst. He holds a PhD in Operations Research from the Air Force Institute of Technology and has worked in a variety of jobs including test and evaluation, staff of US Air Forces in Europe, the Air Force Nuclear Weapons Center, and the 609th Air and Space Operations Center.

The views expressed are those of the author and do not necessarily reflect the official policy or position of the Department of the Air Force or the U.S. Government.

4 thoughts on “Does cyber deterrence exist?

  • April 20, 2018 at 8:32 am

    The ideas of “low cost of entry” and “Widespread applicability” can yet be challenged and should be considered in the abstraction. It depends on what you want to achieve.

    (I) Launching a cyber attack similar to Olympic games request a lot of money, time and knowledge that many countries cannot afford.
    In their article “Categorizing and Understanding Offensive Cyber Capabilities and their Use”, Gregory Rattray and Jason Healey argue that “Cyberattack planning may take more time and effort than use of conventional forces due to the complexity of the environment and the targeted systems (Tactically fast but operationally slow).”

    (II) By the same token, cyber effects are rarely both widespread and persistent. Rattray and Healey explain for example that “the logical-physical disconnect is one of the reasons why cyber attacks have tended to have effects that are either
    • (1) widespread but limited in duration
    • or (2) persistent but narrowly focused.”

    • April 20, 2018 at 9:03 pm

      This is exactly on point. Offensive cyber effects, like most non-kinetic effects, require an inordinate amount of intelligence and planning to achieve results that, as you aptly point out, are mostly fleeting. That could be okay if enemy reconstitution plays no role in the commanders desired end state a cyber effect may enable, but it’s undebatable the fact that offensive action in this domain to create the effects on par with kinetic weapons requires ridiculous levels of planning and intel. Truly, it’s a state level game. Regardless of the Hollywood depiction of cyber a teenager isn’t going to be hacking an aircraft carrier anytime soon.

  • April 20, 2018 at 8:59 am

    *should not considered in the abstraction !

  • May 2, 2018 at 2:56 pm

    Both this blog post and the Bebber articles are a fair critique of the transference of deterrence theory from nuclear to cyber-related capabilities. I tend to agree that there is no such thing as Cyber Deterrence, in the same vein as nuclear deterrence, but I can’t buy the argument outright for two reasons: (1) the world has yet to have a Hiroshima or Nagasaki moment and (2) there is no transparency of capability which is critical to justifying the “Doctrine of Restraint.”

    Perhaps one reason cyber deterrence does not work in its current form is because the costs have not been high enough … yet. What I mean is that, nuclear deterrence works, in part, because people remember Hiroshima and Nagasaki or can at least understand the events and what it means to an individual. World leaders and citizens understand pictures and videos of nuclear blast tests in the Pacific and other places. The world has a rightful fear and respect for the use of nuclear weapons. Subsequently, the peoples (or cronies) of the world hold their leaders (even in oppressive regimes) to account for nuclear employment because they realize that they can feel the effects of nuclear weapons in a very personal way. The world, including the military, talk about, theorize and romanticize cyber capabilities.

    What happens when New York City loses power for a week or two because of a cyber attack by a state actor? What happens when Russia loses the entirety of its oil and gas industry for a month? What happens if all of Europe’s rail and metro networks are shut down for a week? In each of these situations I can envision thousands, if not tens of thousands of people dying. There may be hundreds of billions of dollars lost in financial market confusion. The world has heard about cyber attacks in Eastern Europe and other places but, those attacks were fairly isolated and not well-translated to the average person around the world. Perhaps the cavalier attitude about cyber attacks from some states change when their capitols or most populace cities are brought to a screeching halt?

    I agree that deterrence does not necessarily exist for cyber capabilities but I don’t think it’s because of the complexities of the information domain. I think, in part, it is because there has not been a Hiroshima or Nagasaki moment for cyber. Resultantly, the world’s military lack the rules and norms talked about in the article. When the cyber-Nagasaki or Hiroshima moment happens, I think the calculus of using “limited,” “offensive” cyber capabilities starts to change because no one wants to revisit the major psychological and human loss of a large cyber attack. Or, at least, leaders will think twice about using those capabilities.

    Secondly, if there is no transparency with cyber weapons how can another state tailor its strategies and response to react to so-called deterrence? Everyone assumes that the US has a cyber capability and that we respond when necessary. But these are all assumptions based on a shroud of unnecessary secrecy. No one has to make assumptions about nuclear weapons. Each state publicly displays its capabilities so the world knows that they are in fact a nuclear power (a la North Korea). If states demonstrate their capabilities, I think it can change the calculus and effectiveness of cyber capabilities to include the deterrence model. And in this way, the “intellectual constraints [that] might be dying off” may be the constraints that helps avoid a major psychological moment or catastrophic moment of human loss. Because when that moment happens, unlike Hiroshima and Nagasaki, the United States will not be the only state with “the bomb” … or in this case, “the keystroke.”

    I agree that some more liberal activities should be taken in cyberspace but they should be deliberate, and publicly acknowledged. Deliberateness ensures there is no misinterpretation that the United States means business when it chooses to act. And, it should be publicly acknowledged so that our targets know that it was us defending ourselves and that we won’t hesitate to do it again. I think what the Bebber article advocates is more activity “below the threshold of military conflict,” but I think that term is itself antiquated. Operations in the information domain converts the very existence of a cyber capability into an act that necessitates a military response, whatever that may look like. Here is where I think the “Doctrine of Restraint” has helped. But, a willingness to act does not necessarily portend abandonment of a “Doctrine of Restraint.” What it should mean is that when we act, it should be for clearly defined objectives with a clear strategy and a clear way to let the American people know that its military is doing what is necessary to protect American interests.


Leave a Reply