The Concept of Deterrence and its Applicability in the Cyber Domain
Publication Type:Journal Article
Source:Connections: The Quarterly Journal, Volume 18, Issue 1, p.69-92 (2019)
Keywords:cyber operations, Cybersecurity, Deterrence, legal framework
Cyberspace as the fifth domain is omnipresent, and all developed states increasingly realize that international relations and typical domains of statehood change in the face of global digitization. With the advent of game-changing technologies, traditional statecraft tools, such as deterrence, seem disregarded as outdated in the national security strategy building process. Advanced states, in particular, depend heavily on an open and safe cyber domain but, at the same time, suffer from manifold vulnerabilities. The recent past showed that sophisticated cyberattacks have the potential to disrupt governments, economies, and societies significantly and therefore pose a threat to core security interests. As a classical tool in international relations, deterrence can help bolster national security interests, even if the cyber domain requires some special considerations. Therefore, the article explains the basic mechanisms of deterrence in the nuclear age and contemporary international relations, cyberspace’s legal framework, and possible ways to apply deterrence in the cyber domain. It aims to urge global leaders to thoroughly consider deterrence in the cyber domain as a powerful asset and to provide policymakers with options for action.
Speaking about deterrence in the 21st century feels like excavating remnants of a bygone era. With the advent of nuclear technologies and mainly during the Cold war, deterrence was a topic not only for politicians and academia but also shaped the daily lives of millions, no matter which side of the ‘blocks’ they belonged to. Since then, deterrence diminished its presence in the public perception together with the nuclear arsenals of the great powers. What remains is still of enormous potential but as a tool of statecraft rather than a placeholder.
Especially states face the gradual change of the traditionally state-centered setting of the international system, particularly in habitual domains of statehood, like security. The classical understanding of war and conflict blurs and the traditional state structures seem to be overstrained to respond with the classical tools, as the new type of conflict is multilayered (political, military, and economic, among others), conducted mostly by non-military means like propaganda and political agitation and amongst diverse state and non-state actors.,
In the face of daily and continuing attacks on governments and their organs, the question persists: What keeps an actor in the cyber domain from carrying out the same attacks over and over again, or even climbing up the escalation ladder and causing irreversible harm, if it serves his interests. There seems to be no respect, no fear of retaliation, and no serious technical barriers in the cyber domain – or in other words, no deterrence.
This article will survey if the concept of deterrence is only effective if it is tied to nuclear weaponry and if it becomes useless in a no longer (purely) nuclear but cyber-dominated international system. The author claims that this is not the case! Even in the cyber age, deterrence can be a powerful tool of statecraft and could contribute to the protection of state’s national security interests. To prove this hypothesis, this article will scrutinize the concept of deterrence by looking into the past that generated manifold experiences on that topic, to finally project the findings into present times. Therefore, existing concepts of deterrence and special implications of the cyber arena, together with the legal framework of the ever more digitized international system, will be examined to finally find effective ways to apply deterrence in cyber space.
The following assumptions and exclusions are considered common ground:
• The emerging fifth-generation mobile technology (5G) and cloud technologies will boost the spreading of the Internet of Things. Critical processes will be gradually transferred to these technologies and cyber risks will rise exponentially as the new devices create more opportunities for potential breaches. Plus, by controlling physical assets, even physical harm can be caused.,
• According to the “Assume-Breach-Paradigm,” it is highly likely that every sufficiently complex software product has critical vulnerabilities and that updates are either not provided or the vulnerability is kept secret.
• This research will focus on political cyber threats and cover criminal cyber activities only as far as they occur in the context of conflict. Traditional espionage via cyber means will be excluded from this research.
Mechanisms of Deterrence
The concept of deterrence is as old as mankind’s craving for fighting each other. The term “deterrence” is derived from the word “terror,” which reflects the fear of costs that are related to a certain action. In academic literature, sometimes the term “dissuasion” appears to indicate the broader range of measures, which are not only focused on inflicting costs but also on denying benefits for the adversary. For the sake of a clear distinction and in view of the dominating use in the political and academic realm, this work will use “deterrence” as an umbrella term, aware of the fact that the concept is much broader.
Joseph Nye also takes both denotations into account by defining deterrence as 
… dissuading someone from doing something by making them believe that the costs to them will exceed their expected benefit.
This means to preserve the status quo by preventing an opponent from conducting a course of action that is viewed as unfavorable. It is not about compelling the adversary to certain behavior and thereby altering the status quo. Considering key mechanisms and the application in International Relations (IR) will help to understand the common ground and lead the way to cyber deterrence.
According to the deterrence theorists Sir Michael Quinlan, there is “no such thing as an undeterrable state.”  As basic prepositions for successful deterrence (no matter in which realm), he considers the following five points :
- Capability and a credible intent
- Deterrence declaration
- Prospect to cause multifaceted costs
- Using the whole range of possible responses.
Ideal deterrence would work with certainties, for example, “if you take my lunch, I will destroy your toy.” But as human interaction is of a rather complex nature, several uncertainties emerge, and misperception and misinterpretation are unavoidable. To face that, probabilities need to be considered. Not only the potential gain value (“lunch”) and loss value (“toy”) play a relevant role, but also the probability of succeeding or losing. As a consequence, the dimensions of gain probability (“you can’t be sure to get my lunch because I will try to defend it”) and loss probability (“if you take my lunch, I will do my best to destroy your toy and maybe I will succeed”) need to be added to the following decision calculus ,:
Gain Value * Gain Probability < Loss Value * Loss Probability
An effective deterrence in an uncertain environment needs to address all four factors of the inequation to ensure that the left part stays smaller than the right part in the adversary’s perception.
Capability and a Credible Intent
Capabilities are the basis for an adversary to calculate the value he could gain and lose. However, there is also a need for a credible intent of using these capabilities to affect the calculation of probabilities. Powerful offensive measures can increase the loss value, the credibility of offensive and defensive measures can change the calculation of probability of gain and loss.
Gain Value * Gain Probability () < Loss Value () * Loss Probability ()
Whereas capabilities are rather a matter of money, a credible intent can only be proven by action, but still, both need a “show of force” to be perceived by an opponent.
Besides capability and credibility, the effective communication of the right deterrence message to the right audience is of significant importance., Therefore, it is vital to state what actions will not be allowed to stand, that (offensive or defensive) capabilities for an appropriate reaction are at hand and that these will be employed. Hereby, an over-exact, self-limiting speciﬁcation is unnecessary and can even be detrimental, as it opens the path for the adversary to evade or head off a response. Effective communication gives the adversary distinct factors for his calculation and reduces misinterpretations or misperceptions. Furthermore, a strong deterrence declaration can per se affect the perception of gain and loss probability.
Gain Value * Gain Probability () < Loss Value * Loss Probability ()
Current experts, like the former US undersecretary of defense for policy, James Miller, point out that, “[y]ou don’t really deter states, you deter individuals and group decision-makers…”  This means that the deterrence declaration needs to be designed reversely, starting with the desired effect, and considering how it will be processed by those it should deter. The assumption that an adversary acts rationally is rather simplified, as it would require perfect information and the willingness to take decisions only based on its strategic implications. Decision-makers never have perfect information and are influenced by many factors like emotions or personal interests.
Prospect to Cause Multifaceted Costs
By building up defensive structures, the desired effect can be denied or at least mitigated. This will sow the seed of doubt in the adversary’s mind as he needs more time and resources, and the probability of detection rises. In short, denial measures increase the opportunity costs of the challenger. Combining retaliation and denial measures and increasing the variety of costs makes it harder for the opponent to prepare and harden its values in advance. Thus, both the loss value and the loss probability rise.
Gain Value * Gain Probability < Loss Value () * Loss Probability ()
To increase this effect, it can be expedient to tailor a strategy to a specific adversary. This demands contextual knowledge of the actor’s motives, decision-making processes, and command and control structures and would mean a high intelligence effort and cultural understanding.
Using the Whole Range of Possible Responses
If the costs displayed do not match the means or magnitude of the actions attempted to prevent, even opponents of different sizes and value-systems can be deterred. Using the entire range of possible responses makes it harder for the adversary to predict an answer and protect himself. Thus, the loss value, as well as the loss probability, can be increased.
Gain Value * Gain Probability < Loss Value () * Loss Probability ()
As a state usually holds the monopoly on the use of force and possesses a wide range of kinetic means, this can be an advantage in facing non-state opponents. Switching the domains of response to classical and familiar grounds of statehood can strengthen legitimacy and credibility.
Special Implications of the Cyber Domain
Ever since states and governments engaged with each other in the arena of IR, deterrence used to be a valuable tool. The most influential era of deterrence emerged with the advent of nuclear weapons and essentially defined the Cold War course. There are parallels to the cyber age, which can provide valuable help, but there are also aspects that must be disregarded.
The 1945 atomic bombing of Hiroshima and Nagasaki suddenly forced the world to face a new military capability that was perceived as unstoppable and producing non-survivable effects. It took strategists several years to come from NATO’s so-called “massive retaliation” over the turning points of the Sputnik-Shock and the Cuba-Crisis and the subsequent deterrence concept of “mutual assured destruction” to the comprehensive strategy of “flexible response.” That was a graduated concept, escalating from conventional defense to the strategic employment of nuclear weaponry. It was based on capability (conventional and nuclear forces) and at least some credibility (the US nuked Japan), relying on the whole range of means (from conventional response to tactical and strategic nuclear means) to promise multifaceted costs (strikes against military and economic targets on the battlefield and in the homeland), but it was not self-limiting in the ways of response (no predefined escalation-ladder).
This well-defined strategy indeed brought a certain stability to the international system and was based on five factors that characterized the then modern concept of war (and thus of deterrence) in the face of new and complex technology :
1. Time factor: Excessive harm could now be done in a short time, with hardly any prewarning.
2. Force factor: Immediately available forces outrivaled mobilization forces due to the time factor.
3. Survival factor: A first excessive strike needed to be survived to launch a counter attack.
4. Globalization factor: A nuclear war would escalate globally immediately.
5. Defense factor: NATO’s defense needed to be based on displaying strengths, not on protecting weaknesses.
NATO is still a nuclear alliance (mainly based on the US capability and credibility), and nuclear deterrence remains a part of its defense strategy. Nonetheless, since the Cold War, the world’s atomic arsenals got systematically reduced, and various non-nuclear technologies emerged. Some even say that in the context of powerful alternatives, nuclear weapons are relegated to a passive and symbolic role in IR. At the same time, the vertical  and horizontal  proliferation of destructive technologies became easier to conduct and harder to control.
But even if the concepts of nuclear deterrence cannot be copied, it is still possible to learn how a complex strategy for the use of new and overwhelming technologies can be developed. In parallel with the nuclear age, the cyber age stands for the development of a new, man-made, and hard to grasp technology that has overwhelming potential for civil use and, at the same time, for unimaginable destruction. These common features enable the assumption that the same factors as in nuclear deterrence play at least a basic role in cyber deterrence. The following paragraph will examine the previously introduced implications of time, forces, survival, globalization, and defense in the cyber domain and will add the cyber specific factor of attribution to the set of aspects.
In the cyber age, the time factor for the attack itself seems to tend to zero as Artificial Intelligence employs algorithms to take over basic, but time-consuming tasks, and actors all around the world are connected in milliseconds. This so-called “net-speed” creates a simultaneity of cause and effect that ceases the need to costly and difficultly bridge distance. Now even small actors can affect states without any prewarning. However, this only holds true for the attack itself. Similar to the Cold war, the preparation of the battlefield is a necessary precondition to attack in net-speed. Like identifying command bunkers, an advanced cyber attacker needs to infiltrate and map a system, gain access and place backdoors., This means a long-term campaign, which cannot be conducted entirely from behind a computer but consists of complex human intelligence (HUMINT) operations.
Immediately and constantly available forces with the latest technological knowledge and equipment outrivaled mobilization forces due to the time factor. Still, governments use the same concepts as for noncyber attacks by delegating defensive tasks and deterrence duties against small actors to local police forces and employing federal agencies only against state actors or terrorist groups. This means fragmentation of responsibilities and an incoherent strategy. Simultaneously, technological knowledge and equipment cost immense amounts of money and require agile and specialized structures. Both are only available to a certain extent in governments, and therefore an increasingly significant role falls to the private sector.
Special focus falls to the supply chain of IT soft- and hardware. Often cybersecurity and data protection issues are not considered in the invention stage and the ex-post fixing of vulnerabilities is not always possible. By compromising hardware in an early stage of development, vulnerabilities can be created and easily distributed up the supply chain. This brings into focus the whole chain, down to the smallest “smart valve.” Although such targets may sound insignificant, it has been evaluated that especially highly sophisticated threat agents concentrate on them. Thus, it has become crucial to determine who manufactures, tests, and certifies hardware, where spare parts come from, and which manufacturing and distribution processes need to be under constant national control.
Being able to survive the first strike and staying able to act was a key element in the nuclear setting. The cyber domain as well seems to be an offence-dominated environment in which attackers have a structural advantage over defenders, and definite protection is not possible. Moreover, industrialized and connected countries seem to be more vulnerable than less advanced ones., This leads to a nuclear-era-like self-deterrence of the powerful, industrialized, and connected states. Being aware of their own cyber vulnerability, a reluctance to use the usual superiority in other areas (like conventional weapons) emerges. As it seems impossible to reduce the level of interconnectedness in modern societies, the best option is to improve deterrence and defenses.
Like nuclear war, cyberattacks ignore the barriers and borders in the real world. An attacker no longer needs to be near the scene or in reach of the defenders. Net-speed collapses spatial distance to zero and allows actors outside a state’s jurisdiction to exercise power against it with a good chance of never getting prosecuted. This leads to a global cyber arena, where state actors are often bound by jurisdictions whereas their attackers evade their grasp easily., Even more than in the nuclear age, such attacks can have a wide spectrum of effects that makes its scale hard to predict. A cyber tool like a virus can bounce back, spread to other countries, or create unpredictable global havoc in minutes.
A further aspect of a globalized arena is the geopolitical symmetry, even for states not neighboring each other. If a state does not possess the escalation dominance (a favorable asymmetry of power and means), it might struggle to appropriately retaliate as it must fear to lose the escalations series in the end in the physical domain.
Unfortunately, the cyber realm lacks clear norms of what a proper defense and what an appropriate response are., Besides the fact that cyber conflict skips the traditional battlefield and takes place in every-day systems (e.g., banks, television, and air traffic management, the biggest challenge for deterrence is that offensive and defensive capabilities are kept under a code of silence. On the one hand, an opponent can prepare its own defense if he knows the adversary’s offense and, on the other hand, there is no incentive to disclose a breach as it might ruin the reputation of the victim. Thus, there is no chance of learning from others and developing proper defense tools. In the context of deterrence, this is counterproductive (as constant communication of clear and targeted deterrence decelerations is key) and must be overcome with a compromise of keeping secret as much as possible but disclosing and communicating enough to effectively deter.
Attribution was not a big issue in the nuclear age and, even today, with only nine states possessing nuclear weapons and well-known isotopic identifiers of each arsenal, it is a matter of minor concern. But unlike nuclear weapons, cyber means are harder to trace back, and the hundred percent attribution to an originator is seldom possible. The opinion is widespread that this thwarts the concept of deterrence, but in fact, even with an imperfect attribution, deterrence is possible, as long as three audiences are addressed :
- The defending government wants a relatively high assurance from its intelligence agencies and network forensics;
- The attacking government or non-state actor knows what has been done but cannot be sure how good the opposing forensics and intelligence are; even if it denies the attack, it will never know how credible this deception was;
- The domestic and international public needs to be convinced of the justice of retaliation. Therefore, a certain degree of detail needs to be disclosed, even if forensic methods can become useless for future cases.
The quality of attribution is a function of available resources, available time, and the adversary’s sophistication. The less top-end forensic skills and highly experienced personnel are available, the lower the attribution quality will be. The higher the time pressure for attribution, the lower the quality will be. The more experienced and well-funded an opponent is, the lower the quality of attribution will be.
Today it is less a question of if it is possible to attribute a cyberattack, but rather how long it will take. As long as all cyberattacks follow the Cyber-Kill-Chain pattern  and involve a human adversary, there will be mistakes, individual motivations, and relationships that make the tracing, fighting and deterring possible. This fact brings up another parallel to the nuclear age. Dealing with humans cannot be done virtually or from behind a computer. The best way to attribute an attack after it happened is to already have an intelligence campaign of infiltration and trusted contacts in place. This rather traditional HUMINT intelligence techniques become important again and may outpace the recently preferred and convenient signal intelligence (SIGINT).
Legal Framework of Cyber Space
Like the advent of nuclear weapons, the information age brought game-changing modern technologies that altered the way IR and their legal frame were to be seen. Some even argue that these new technologies outpaced law and that recent legislation cannot fully govern emerging cyber capabilities., But as isolated solutions of single actors cannot work, only International Law (IL) is able to provide a legal framework. It still tries to grasp the implications of a digitized world and needs time to translate it into a cyber-specific treaty and customary law. Until then, cyberspace’s escalation potential stays significant, as states can rely on leeway by resorting to differing interpretive positions. The only way to reduce this destructive potential is to provide a stable and accepted legal framework.
In 2013, the UN’s Group of Governmental Experts agreed that International Law—and in particular the Charter of the UN—is applicable in the cyber domain. This groundbreaking position by an internationally recognized body was the first crucial step to fill the legislative vacuum in cyberspace. It was accompanied by the release of the “Tallinn Manual on the International Law Applicable to Cyber Warfare” and followed by the Tallinn Manual 2.0 in 2017, which were drafted as non-binding studies under the leadership of the NATO CCDCOE. The EU even went beyond that opinion by stating in its Cyber Security Strategy that “the same laws and norms that apply in other areas of our day-to-day lives apply also in the cyber domain.” 
Accordingly, for all states, the rules of engagement in the cyber arena are defined by IL’s conditions, and to find an effective and credible deterrence position, the following points need clarification:
· How to classify a cyberattack under international law?
· What kind of response to a cyberattack is lawful?
· Which targets are lawful in a cyber-exchange?
Classification of a Cyber-Attack under International Law
The Tallinn Manual 2.0 states that “the principle of state sovereignty applies in cyberspace,” and thus, a state can take all measures not prohibited by IL that it considers necessary and appropriate to deal with its cyber infrastructure, with actors in the cyber domain or with cyber activities within its territory., Consequently, every hostile cyber operation aimed against a state’s cyber and non-cyber infrastructure means a violation of sovereignty if physical harm or injury is caused. This is not the case if an attack manipulates or deletes databases to cripple the economy or to influence political processes. Although several scholars demand to include these non-physical effects, they are still out of scope in the common interpretation.
Cyber operations are non-kinetic in nature, and therefore often misperceived as non-forceful, although their effects can range from simple annoyance to death. Thus, cyberattacks need to be assessed according to their effects on the real world, and if they have an outcome comparable to a kinetic attack, they constitute a “use of force.” , However, a state is only allowed to conduct forceful defensive actions in the case of an “armed attack,” which means the use of force must reach a certain threshold., This edge sometimes is kept in a strategic ambiguity to make the prediction of potential self-defense actions harder for the adversary. The Tallinn Manual 2.0 becomes concrete only for acts of cyber intelligence gathering, cyber theft, and brief interruption of non-essential services, which do not qualify as armed attacks due to the lack of serious injuries or deaths or the cause of severe damage., For attacks that do not reach the threshold of an armed attack but that are an unlawful use of force, only countermeasures aimed to stop the attack are utilizable. If the use of force mounts to an armed attack, carried out through the instrument of classic military force causing or risking destruction of property and injury or death, then forceful defensive action is permitted. Should the cyber operation be a component of an overall military action, it constitutes an armed attack, even if it independently would not qualify as such. Consequently, states have an incentive to quickly treat pure cyber operations as an armed attack to justify a forceful defensive response, increasing the likelihood of escalation significantly.
Lawful Responses to a Cyber-Attack
A state that falls victim to an unlawful cyber operation has certain rights under international law if the attack reaches at least the level of the use of force. This starts with the always lawful claim for compensations for physical or financial losses and non-forceful responsive actions like blocking incoming data transmissions. Above that, typical technical, political, or economic countermeasures aiming at cessation and reparation can be taken in response to an identified use of force. These measures can involve a limited degree of military force and would normally be contrary to international obligations, but are lawful if proportionate to the injury suffered and below the threshold of an armed attack. However, the opposing state needs to be called in advance to refrain from going on or to take measures to stop acts emanating from its territory., The right to take countermeasures is reserved for states, even if there are private IT-companies with cyber capabilities that exceed the state’s arsenal. Nevertheless, the Tallinn Manual 2.0 explicitly mentions the right of an injured state to turn to private firms to conduct cyber operations on its behalf. Of course, the responsibility for the countermeasures conducted by the privateer stays with the state.,
If the use of force mounts to the level of an armed attack (no matter if initiated by a state or a non-state actor), the right of self-defense applies, and necessary and proportionate forceful actions can be conducted against an attacking opponent. As there is no international consensus on the borderline between the use of force and armed attack, this becomes a matter of interpretation and persuasive power of the injured state, as IL does not dictate the level of certainty of attribution to act in self-defense. The question arises, how to respond to non-state actors, which, per definition, cannot violate the prohibition of the use of force under the international law made for states. In such cases, state responsibility offers an option to apply IL anyway. A state is not only responsible for the actions of its governmental organs but also for the conduct of individuals or groups that act on the instructions or under the control of the state. Furthermore, a state can be held responsible for unlawful acts of non-state actors in its territory if it fails to take appropriate measures to stop the attack or provide all available support to investigate the incident., If this state is unwilling or incapable to fulfill its legal duty, the victim state can act in self-defense and stop the attack with kinetic or cyber means, even on the other state’s territory. But self-defense is not only possible in response of an ongoing armed attack. It can also be conducted facing an imminent attack (evidenced by hostile actions like preparatory cyber operations that will result in effects on the armed attack level) with no other reasonable hope of fending it off than responding immediately.
Lawful Targets in a Cyber-Exchange
If the situation mounts to the point where forceful self-defense or retaliation becomes a lawful option, the question of how and what to attack arises. The cyber domain is characterized by pervasive dual-use infrastructure, which might be designated for civilian use but can by nature, location, purpose, or use be utilized for military purposes. Thus, this infrastructure becomes a lawful military target under International Humanitarian Law (IHL), as the total or partial destruction, capture, or neutralization offers a direct and concrete military advantage. Ultimately this means that due to the heavy reliance on civilian products and infrastructure, the range of targetable objects in the cyber arena expands, and systems with important civilian functions can legally be affected. In the case of a forceful response in a cyber exchange, this brings certain flexibility in choosing targets but, at the same time, cyber means face the issue of difficult scalability and specific targeting. IHL requires that a weapon discriminates between combatants and civilians or civilian and military objects. If a cyber weapon cannot be directed at a specific military objective or generates uncontrollable effects, its employment is prohibited. These restrictions do not apply for defensive measures and non-forceful means like malware that does not cause injury, damage, or loss of system functionality, even if it can spread into civilian systems. If non-combatants that are not affiliated with an organized armed group and not under the control of a state are involved in a cyberattack, they can be targeted for the time they take direct part in the hostilities. In the cyber arena, this can start with gathering and spreading military intelligence by cyber means, probing an adversary’s systems to identify vulnerabilities, or developing software specific to an attack.
Application of Deterrence in the Cyber Domain
By considering the experiences made with the basic mechanisms of deterrence and by respecting the special implications and the legal characteristics of the cyber domain, it becomes clear that cyber deterrence cannot be applied in isolation but must be one vital component of a comprehensive security strategy., In contrast to the nuclear concepts, defenses and resilience are a fundamental starting point to deny an adversary’s success. Besides denial by defense, the classical deterrence aspect of retaliation as threat of punishment plays a major role. As this research is based on a broader understanding of deterrence, two more ways come into focus: Deterrence by entanglement and by establishing normative taboos.
Deterrence by Denial
Focusing on the defensive side becomes more important as the number of potential state adversaries with offensive cyber capabilities is on a steady rise. Deterrence by denial aims to build resilience and the capacity to recover. Thereby, the adversary’s benefits of an attack can be reduced until an engagement becomes futile and, after a blow, it can be ensured that cyber and non-cyber military responses are accessible for retaliation. There are measures of different sophistication and costs available, but all have the common goal of chewing up the attacker’s resources and time and disrupting his calculus of the perceived gain probability and value., According to the “Assumed-Breach-Paradigm” there is no way of eliminating the successful penetration of one’s networks. But the breech can be crafted difficult and tedious. Consequently, an attacker makes more “noise,” needs more time, and becomes easier to identify as he leaves more traces.
On the way to a resilient culture, private-public-partnerships (PPP) and cyber insurances play a vital role. PPPs, on the one hand, bring together the government (as a legislator with rich resources in manpower, which is not focused on profit but effectiveness and can rely on intelligence services) with efficiency-driven privateers (who are highly experienced and technically specialized in the cyber domain, where they can access a large quantity of data and information). On the other hand, mandatory cyber insurances for the economy contribute to systemic resilience and the denial of holding a nation’s economy at risk. By putting a price tag on various private cyber practices, an incentive for higher standards and minding a “basic cyber hygiene” arises, whereby the low hanging fruits can be taken off the table and quick wins can be attained. Furthermore, the reporting and connecting of attack-related data could be boosted significantly by profiting from the insuring industry’s sophisticated crisis reaction centers and processes. Thus, the information asymmetry between privateers and government can finally be reduced, the reaction times can be increased, and the ground for a trust-based information sharing culture can be provided. To additionally foster private-public cooperation, “responsible disclosure agreements”  and “temporary clearances”  should be implemented.
Further starting points to improve the resilience and recovering capabilities can be found in the structure of the defense itself. It cannot be enough to protect only the outer perimeters of a system. As a breach is possible at any time, there are measures for an in-depth defense, able to detect the attacker inside the system, trace, identify, and disturb him. This can be supported by segmented networks and segmented sectors that do not allow, once a perpetrator is in, to spread his access over the entire system. Keeping vital capabilities as redundancies might be expensive at first glance but significantly lowers the gain probability of the adversary. Finally, protecting the supply chain is indispensable to avoid an opponent sneaking in. This requires an intense security-by-design debate with a consequent vetting of manufacturers and service providers and assessment which parts of critical supply chains need to be under national control.
Deterrence by denial is more than the mere repelling of a cyberattack. Conducted in a comprehensive manner, it can increase the time and survival factor, relive the force factor and provide the basis for the attribution factor on which retaliation becomes possible. If communicated in an appropriate way, the defense capabilities of a state can significantly influence the opponent’s calculus of gain value and gain probability and give the government the leeway to pivot to major threats in the cyber arena.
Deterrence by Retaliation
Responding to unwanted behavior with punishment is the most prominent way of deterrence. The goal is to promise to inflict costs on the attacker that outweigh the benefits anticipated from the initial attack. This only works if the attack can be attributed to an adversary in a sufficient way, addressing the three above-mentioned audiences. Retaliation does not have to stay in the cyber domain but can take the shape of diplomatic, informational, military, and economic actions tailored to the opponent and considering potential back coupling effects due to international interdependencies. Besides, geopolitical symmetry plays a key role. Retaliating against an adversary can mean to actuate an escalating series of retaliations outside the cyber arena, which in the long run can only be won if the escalation dominance lies on one’s side.
Countermeasures inside the cyber realm can be manifold and contain various levels of aggressiveness. Outside the cyber domain, sanctions are the most common response to unwanted behavior, though in most cases they affect the population of a state more than the government. Therefore, it turns out to be more effective to invest resources in identifying attackers and aim sanctions on those individuals. Even if no specific individual can be named, it is still possible to aim retaliation measures on relationships and social networks in which the attackers participate. This works, as all attackers are bound by dependencies and their calculus of gain and loss can be affected indirectly. Suspected groups can be cut from privileges like participating in the financial community and public outrage can be used to put internal pressure on the perpetrators and even outlaw them to the point where the network turns against them to avoid harm.
Effective retaliation needs the time, force, survival, and attribution as baseline to contribute to the defense factor. Kinetic means have proved to be efficient tools of statecraft to respond to cyberattacks. As a result, conventional military means can be chosen as well as a nuclear answer in extremely severe cases.
Deterrence by Entanglement
The modern international system is characterized by various dependencies, interconnections, and shared vulnerabilities. Deterrence by entanglement tries to encourage responsible state behavior by emphasizing the return from cooperation on mutual interests. If an attack has negative back coupling effects on the attacker and benefits the status quo and its continuation, malicious engagement loses attractiveness. Entanglement boosts the survival and globalization factors and increases the adversary’s perception of loss value and probability, even if the attack is not actively defended against or there is no fear of retaliation. The deterrence effect is contingent on a complex international deterrent relationship and works better when interdependencies are stronger.
To enhance the effects of entanglement, confidence-building measures are an appropriate tool to strengthen international peace and security by increasing interstate cooperation, transparency, predictability, and stability. In the cyber arena, communication hotlines, regional communication centers, prenotification agreements, and agreements on not attacking specific targets are feasible options and can be supplemented by forensic assistance in an IT incident and noninterference agreements with the workings of computer emergency response teams. Only establishing a cyber arms control regime faces some difficulties. Most technologies that could be described as cyber weapons are dual-use (like vulnerability assessment programs that can either find security gaps to protect a system or to exploit it) and, as a result, there is no consensus on what a cyber-weapon really is. Above that, verifying the stock of cyber arms is nearly impossible, as this weaponry is not tangible and can easily be hidden or recreated after deletion. To tackle this issue, “effects” instead of “used weapons” must be addressed. In addition, normative taboos can be established, which is the last of the four ways of cyber deterrence.
Deterrence by Normative Taboos
With established strong norms, an aggressive actor will suffer reputational costs that will damage its soft power beyond the value gained from the attack. If a state breaks a taboo (e.g., using nuclear weapons in a minor conflict against a weaker state), it faces the danger of being ostracized by the international system. This deterrence effect works although there is no active defense or a credible retaliation, but needs a certain degree of attribution. In history, the international community agreed on several implicit and explicit norms, such as the prohibition of chemical and biological weapons in the Geneva Convention.
In the cyber domain, the normative agreement on the applicability of international law and the United Nations Charter was the first important step. In 2013, the UN’s “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security” proposed basic norms, like meeting the international obligations if a wrongful act gets attributed to a state, not to use proxies and not to tolerate non-state actors using a state’s territory to commit wrongful acts. Also, the use of International Tribunals and the International Criminal Court for the conviction of cybercriminals, terrorists, and state actors can be a powerful norm to deter and transmit a warning message. Cyber-related norms can guide state behavior and increase predictability, trust, and stability in cyberspace as well as reduce the potential for conflict due to misperceptions. This only works, if norms are accepted by the majority of states and become institutionalized over time, e.g., under the umbrella of the UN. Normative taboos can contribute to a certain extent to control over cyber weapons, even if it is impossible to establish a cyber arms control regime. They need to focus on tabooed effects and targets and, thus, can help distinguish which behavior is tolerated and which is ostracized.
It became apparent that basic mechanisms of deterrence work in all realms, also in the cyber domain. Especially, as nuclear deterrence loses relevance in IR and current conflicts are ever more characterized by cyber components, the need for a comprehensive understanding of cyber deterrence is undeniable. Moreover, it was shown that five underlying factors (time, forces, survival, globalization, defense) of a game-changing new technology like the atomic bomb can be adapted to the cyber age. Above that, attribution plays a crucial role in the cyber domain and needs to be added to the discussion It became clear that the international system is still in an early stage of applying IL in the cyber domain and that legislation must go a long way to catch up with the technological developments.
The derived four ways to apply deterrence in the cyber domain (denial, retaliation, entanglement, and normative taboos) provide a feasible approach to integrating cyber deterrence aspects into a state’s cybersecurity strategy (knowing that cyber deterrence can be only one pillar of an overall security strategy). However, those ways never work in an isolated way but rather in a comprehensive package with variable weighting of the single elements. By complying with the basic mechanisms of deterrence and by tailoring the package to specific threat actors, a versatile and sound deterrence becomes possible.
Therefore, the hypothesis of this work can be validated: Even in the cyber age, deterrence can be a powerful tool of statecraft and contribute to the protection of a state’s national security interests!
Still, effective deterrence does not arise by itself. It needs to be managed strategically or its effects will not be controllable. Politicians and strategists all around the world must prepare for a new and demanding age of deterrence to avoid sleepwalking into a real cyberwar.
In a subsequent article, the present findings will be applied in the example of Germany. It will be explained how Germany as an important player in an ever more digitized international system, can approach a cyber deterrence strategy to bolster its national security interests.
The views expressed are solely those of the author and do not represent official views of the PfP Consortium of Defense Academies and Security Studies Institutes, participating organizations, or the Consortium’s editors.
Connections: The Quarterly Journal, Vol. 18, 2019 is supported by the United States government.
About the Author
Manuel Fischer is a security professional, working in the German defense sector with focus on counter-UAS Solutions. He looks back on twelve years of service in the German military (Bundeswehr) as a military police officer. During this time he acquired a Master of Science in Economics and Organizational Science from the University of the Federal Armed Forces in Munich. His service in the military was followed by his studies at the George C. Marshall European Center for Security Studies where he graduated its Master’s program of International Security Studies concentrating on cyber security.
F-117 Stealth ﬁghter-bomber, surely not because of the threat of the Panamanian air defenses but to demonstrate a new capability in the toolbox, see Richard A. Clarke and Robert K. Knake, Cyber War: What It Is and How to Fight It (New York: HarperCollins, 2010), 194.