Deterrence is the ability to dissuade an entity “from doing something by making them believe that the costs to them will exceed their expected benefit” (Nye, 2017). This can be difficult to accomplish because the main goal of deterrence is to change or prevent behaviors (Valeriano, 2018). Deterrence is a type of coercion that depends on credibility and potential retaliation, but in the cyber realm efforts are focused on changing behavior by attacking digital targets, information or networked installations (Valeriano, 2018). Deterrence is possible in cyberspace but very difficult to accomplish. The two main reasons deterrence is difficult to accomplish in cyberspace are secrecy and attribution.
Secrecy, in the context of deterrence, is the desire of states to keep their capabilities hidden from others. Within the mindset of the security dilemma, states do not want their adversaries to know how to defend against or create countermeasures for any weapons they have created. “Information is the equalizer for many states. In theory, increased information allows a rising power to catch up, leaping technology by generations through stealing intellectual property or military plans” (Valeriano, 2018). States that do not have the money or time to build and create new weapons turn to stealing the necessary information. Stealing information can lead to great leaps in weapon development capabilities. In the documentary The Perfect Weapon, a cybersecurity company, CrowdStrike, investigates a client that had been hacked. This client produces satellites and stores all of its intellectual property on how the satellites are built on its systems. During their investigation, CrowdStrike employees found direct links to prove the hack was carried out by a Chinese military officer. This is a direct example that the Chinese wanted to equalize themselves. In turn, they hacked a U.S. company to steal proprietary information. The newly acquired information could have been used by the Chinese for creating their own satellites, but it could also be used to develop exploits against the satellites. With information on the inner workings of these satellites, the Chinese can now figure out how to hack the communication between the satellites in orbit and the dishes sending and receiving on the ground.
Secrecy in cyberspace allows states to keep weapons hidden until they are ready to launch an offensive attack. An example of this is the cyber exploit Stuxnet. This was the first time an offensive cyber weapon deployed by a nation state caused physical destruction (HBO, 2021). There was supposed to be secrecy about how the Iranian nuclear plant was being developed, but the attackers found specifications and built a cyber weapon as a countermeasure to slow the building process. Specifically, this weapon was developed using multiple zero-day exploits (HBO, 2016). A zero-day vulnerability is a software vulnerability that has been discovered but not disclosed to the vendor. Without knowledge of this vulnerability, the vendor cannot patch the system, and therefore an attacker can develop an exploit leveraging the vulnerability (Kaspersky, 2021). In the case of Stuxnet, the developers of the exploit knew about multiple zero-day vulnerabilities, which is rare in cyberspace. They chose to hold these zero-day vulnerabilities until this exploit. There was meant to be secrecy around the Iranian nuclear facility, but that was not achieved. Thus, deterrence was not achieved by the Iranians, and attackers were able to deploy a cyber attack and physically damage their assets.
The other reason deterrence is difficult to achieve is attribution. Attribution is the ability to hold an entity accountable for their actions (Jordan, 2021). Within cyberspace, due to the use of VPNs and other factors, determining the starting location of a cyber attack can be nearly impossible. “Credibility is critical for success in coercive operations. Holding true to commitments will enhance a state’s ability to coerce the opposition” (Valeriano, 2018). The need for credibility persists in cyberspace. There is a fine line where inferences about the culprit can be made from the political climate or a state’s actions outside of cyberspace, but finding evidence is difficult. This fine line is important because states want the credibility of having been able to pull off the attack; however, they do not want to be so overt that they cause retaliatory actions to take place. “Prompt, high-quality attribution is often difficult and costly, but not impossible” (Nye, 2017). When a cyber attack occurs, there usually is an investigation that looks through all the details, including determining the entry point into the system and what kind of attack was used. However, a thorough investigation is not always possible. Instead, the quick solution to get the company or establishment back up and running is usually chosen, without looking into further details about the attack. States will need to prioritize attribution and then response plans to succeed in deterring future cyber attacks.
An instance of deterrence being possible is the Snowden leaks. These “revelations compromised tradecraft, but they also advertised that the NSA probably had more exploits and tradecraft” (Gartzke, 2017). This was not done by a nation state willingly. The secret information was difficult to disclose in that the disclosure had to be accomplished by an insider threat.
Cross domain deterrence (CDD) exists when different domains are used in conjunction with one another to deter a threat. “The Pentagon now recognizes five operational environments or so-called domains (land, sea, air, space, and cyberspace)” (Schneider, 2019). Any combination of these five domains used for deterrence would be considered cross domain deterrence. “Cyber operations are generally covert and often difficult to attribute, they might not be perceptible enough for adversaries to factor into their action calculus” (Schneider, 2019). Land, sea, air and space are domains where attribution is easier to determine. When someone uses one of these as a form of attack, it is a physical attack. A cyber attack, by contrast, is not necessarily a physical attack when it goes after information or denial of service instead of destroying property through code. As discussed in lecture, states are more likely to achieve policy ends with a combination of cyber and a measure from another domain (Jordan, 2021). Deterrence is dependent on credibility, and cyberspace does not lend itself to easily establishing credibility for attacks. As states look to deter their adversaries, they know that cross domain deterrence is their best option to engage and be successful. However, this may lead to a slippery slope and cause escalation when only deterrence was the goal.
The United States does not have much policy in place about using cyber as a form of deterrence or retaliation. The U.S. is starting to discuss how policy would be implemented. Deterrence “policies would remain largely ambiguous, focus on investments in defense, and shy away from CDD options that might inadvertently escalate crises” (Schneider, 2019). There is currently a struggle over when cyber attacks turn into physical acts of war. Is it when the first cyber attack occurs? Is it when a physical retaliatory action takes place? How the United States responds to a cyber attack directly impacts the credibility of following through with a retaliatory action. This also brings up the notion of an attack occurring against a company versus a nation state. If any company were to retaliate offensively, it may be seen as an act of war on behalf of the nation state in which it resides. Additionally, if retaliatory actions are taken against the wrong state, there may be a spiral of escalation. Therefore, this debate exists because if states are unable to hold other states accountable for their attacks, then deterrence is unlikely to succeed. Adversaries are then not deterred and know they can attack without retaliatory actions.
There is much uncertainty when dealing with “cyber operations — a product of its secretive and virtual nature — [which] serves as a hindrance to the utilization of cyber operations for deterrence” (Schneider, 2019). Cross domain deterrence leads to the discussion of whether incidental escalation will occur. Due to the secrecy and attribution difficulties tied to cyberspace, states struggle to use cyber operations as a form of deterrence against their adversaries.
References
Gartzke, E., Lindsay, J. (2017). Thermonuclear cyberwar, Journal of Cybersecurity, Volume 3, Issue 1, Pages 37–48. https://doi.org/10.1093/cybsec/tyw017
HBO. (2016). Zero Days. Retrieved 2021, from https://play.hbomax.com/page/urn:hbo:page:GYLfqGgrcO7GLCwEAAAZF:type:feature
HBO. (2021). The Perfect Weapon. Retrieved 2021, from https://play.hbomax.com/page/urn:hbo:page:GX2pSUgq6241IugEAAACT:type:feature
Jordan, J. (2021). “Cybersecurity.” INTA-6103. Georgia Institute of Technology. Online Lecture.
Kaspersky. (2021). “What Is a Zero-Day Attack? – Definition and Explanation.” https://www.kaspersky.com/resource-center/definitions/zero-day-exploit
Nye, J. S. (2017). Deterrence and dissuasion in cyberspace. International Security, 41(3), 44–71. https://doi.org/10.1162/isec_a_00266
Schneider, J. G. (2019). Deterrence in and through cyberspace. Cross-Domain Deterrence, 95–120.
Valeriano, B., Jensen, B., & Maness, R. C. (2018). How rival states employ cyber strategy. In Cyber strategy: The evolving character of power and coercion (Illustrated ed., pp. 22–52). Oxford University Press. https://ebookcentral.proquest.com/lib/gatech/detail.action?docID=5341461

This work is licensed under a Creative Commons Attribution 4.0 International License.


