
1 Introduction

The question of whether and how deterring an adversary in or through cyberspace is feasible has provoked the minds of scholars and practitioners for decades. The definition of ‘cyber deterrence’ has evolved over time and been conceptually stretched.Footnote 1 Today, it remains a quintessential anchoring concept for the political debates on how to deal with the wide range of cyber threats in general and offensive military cyber operations in particular. But does the concept of deterrence in cyberspace have a future when, for almost 30 years, few if any seemingly feasible practical solutions, and no academic consensus, have emerged?Footnote 2

The purpose of this chapter is to situate the current debate on cyber deterrence within the historical evolution of deterrence thinking in cyberspace, clarify the existing conceptualizations, and comprehensively discuss whether the concept of cyber deterrence has an analytical future.Footnote 3

This chapter is structured into three sections. The first section discusses the historical evidence of cyber deterrence literature—also delving into its conceptual origins. The second section looks at the two uses of the term in the present—and identifies six distinct cyber deterrence mechanisms. The third section is about the future of cyber deterrence research. It explains why a deeper understanding of the dynamics of cyber operations is essential for the cyber deterrence concept as a whole. It also explores avenues for new theoretical research that moves beyond the mere idea of traditional deterrence concepts. The chapter culminates with a conclusion that draws out several implications.

2 The Past

To map the evolution of deterring an adversary online, it is worth venturing back to the early days of the hacking community. During the 1970s and 80s, phreakers—or phone hackers—used to listen to “the clicks and clunks and beeps and boops” to figure out how the telephone system worked and how they could manipulate it.Footnote 4 Although few underground stories from those heydays have been made public, the most well-known phreaker ‘conflict’ occurred back in 1989—when the Masters of Deception (MoD) went to ‘war’ against the Legion of Doom.Footnote 5 The ‘cyber activity’ of the time could include switching a target’s phone carrier to another carrier; making a target’s phone ring constantly to the effect that the victim had to unhook his phone and leave it unhooked for hours on end; or eavesdropping on and cross-connecting a victim’s phone call (imagine you are calling your parents and suddenly a 911 operator joins the call wanting to know what your emergency is).Footnote 6 During this “gang-war in cyberspace”, as Wired called it, deterrence was primarily discussed with a criminology mind-set—though with a poor understanding of seriousness of offense, rehabilitation, recidivism, and above all offender’s motivations and ability to act. Kevin Mitnick spent five years in prison for various ‘cyber crimes’, including eight months in an isolation cell, when he was caught by the FBI in 1995. The reason he received this harsh treatment is that someone convinced the judge he was able to initiate “a nuclear war by whistling on a public telephone”.Footnote 7

Parallel to the end of the phreaking days and the expansion of the World Wide Web, the idea of—what was then called—information warfare gained increasing traction within the US Department of Defense.Footnote 8 Definition-wise, it was an amalgam ranging from “media wars to electronic combat, and from economic competition to strategic conflict waged against civilian populations”.Footnote 9 In a sense, information warfare then was what hybrid warfare is now: a concept that encompassed everything and was analytically so broad that it was hard to strategize, plan, and act around the term. Early attempts at bringing deterrence thinking into the information warfare discussion led to the recognition that network defences were overall inadequate and that they needed to be improved to deter anyone. In other words, deterrence was largely equated with better defence.

Through several war-gaming scenarios, the United States Department of Defense (DoD) slowly but surely realized that the US would be unable to simply deter an adversary through defensive measures alone when they themselves were unable to climb their way out of the proverbial glasshouse.Footnote 10 Consequently, information warfare turned purely offensive, sparking concepts such as decapitation strikes—whose aim was to sever the linkages between an adversary’s political leadership and the mechanisms it utilizes to control its civilian population; and counter command-and-control—which focused on breaking the communication links between an adversary’s military leadership and the military assets deployed on the battlefield.Footnote 11 In essence, adversaries were seen as information hub-and-spoke systems whose functioning was dependent upon the continuous information exchange between their parts. Anything from telephone lines and computers to radios and media outlets was subsequently tagged as a cut-off point to break this information flow and thereby weaken and subsequently defeat an enemy through sheer chaos creation.

In 1993, RAND’s John Arquilla and David Ronfeldt introduced the concept of ‘Netwar’ in an article titled “Cyberwar is Coming”.Footnote 12 Netwar was distinctly different from cyberwar. Cyberwar stood in the tradition of counter command-and-control, by focusing on the disruption if not even destruction of adversarial information and communication systems. Its primary goal: tipping the balance on information and knowledge. Netwar by contrast was defined by Arquilla and Ronfeldt as “trying to disrupt, damage, or modify what a target population ‘knows’ or thinks it knows about itself and the world around it”.Footnote 13 That is, pure Netwar was a societal-level, inherently non-violent, ideational conflict, aimed at disruption rather than destruction. To some degree Netwar shared significant overlaps with what was then known as information-based deterrence, that is “turning international opinion against an aggressor, altering his perception of the military correlation of forces in theatre, and fostering instability in his country”.Footnote 14 However, Netwar, as Arquilla and Ronfeldt defined it, was removed from the traditional battlefield and encompassed adversaries as diverse as “transnational terrorists, criminals, and even radical activists”.Footnote 15 In other words, it also included organized non-state hacker communities. At its core, Arquilla and Ronfeldt viewed an adversary not as one large harmonious network, but as numerous smaller ones, each with their own internal stability, interests, and allegiances, that were organized to function as a somewhat coherent unit. The most important aspect of counter-Netwar thinking was thus that an adversary could be potentially defeated by targeting the connectivity between and among these smaller networks, to shape how they interacted and behaved differently when disconnected from each other.
Defending against a Netwar would be inherently difficult, if not impossible, given how deep an adversary will have to penetrate into a target’s society. Writing in the late 1990s, Arquilla and Ronfeldt therefore concluded that, “it may be that deterrence against netwar will grow problematic, and all that will remain is a choice between either preclusive or depth-oriented defensive schemes. The former applies an ability to provide ‘leak-proof’ defences, while the latter accepts initial incursions, then aims to expel the intruders or invaders by means of counterattack.”Footnote 16

Amidst the question of how deterrence might work in the context of this more refined view of information warfare, the term cyber deterrence was forming. In his 1994 Wired piece, James Der Derian coined ‘cyber deterrence’ when talking about the US Army’s Desert Hammer VI war game exercise.Footnote 17 Far from outlining how an adversary can be deterred in cyberspace, Der Derian’s term described the Army’s fusing of “media voyeurism, technological exhibitionism, and strategic simulations” to create a hyper digitalized image of US military dominance across the four traditional battlespace domains.Footnote 18 Coming out of the aftermath of Desert Storm, which saw the baptism of stealth technology, the use of precision-guided ammunition, and the unprecedented access of embedded journalists, Der Derian’s definition made perfect sense. The major problem was that cyber deterrence stood apart from the cyberwar concept, had little to nothing to do with Netwar, and only partially captured the logic of information warfare. What Der Derian’s definition nonetheless did was to point out the obvious fact: Deterrence is a mind game.

In 1995, the DoD eventually tasked RAND to explore “the development and achievement of national information warfare goals” in a series of wargames. While the final report by Molander et al. opened up more questions than answers, it does provide a few insights into the early days of cyber deterrence thinking as it is widely understood today. The report summarized the participants’ questions by noting that:

[first], how will one make retaliatory threats and against whom when there is great uncertainty about the origin of an attack. Second, there is the question of the proportionality of any response when the immediate and collateral damage associated with a particular act of cyberspace retaliation is poorly understood by national decision makers. Third is the potential asymmetry of vulnerability between the United States, its allies, and the potential opponent. […] All of this points to the prospect that there will be no low-cost and conceptually simple deterrent concept that obviates the need to worry about future cyberspace attacks.Footnote 19

By 1996, still very few scholars and practitioners actually thought about deterrence in cyberspace as being feasible. Richard Harknett for example concluded that “the nature of Netwar and cyberwar lend themselves to analytical frameworks and a strategic calculus dominated by offense-defence models, rather than by deterrence.”Footnote 20 Gary Wheatley and Richard Hayes similarly observed that “while significant, overall U.S. capability and will do not guarantee deterrence of information attacks.”Footnote 21 It would take another 25 years for this ‘demonstration of will’ to translate into the strategic concept we now call: persistent engagement.

Figure 20.1 provides a historical overview of the journal articles, book chapters, and research reports written on the specific terms ‘cyber deterrence’ and ‘cyberdeterrence’.Footnote 22 Based on the figure, we can roughly distinguish between three phases in the literature: The early period, stretching from the early 1990s to the DDoS attacks against Estonia in 2007. The advancement period, when publications on cyber deterrence sky-rocketed from 2007 until 2016. And the reflection period, which has seen publications on cyber deterrence drop from its height in 2016 to 2014 levels.Footnote 23

Fig. 20.1 Journal articles, book chapters, and research reports on cyber deterrence, Jan 1990—Dec 2019 (Source: Soesanto and Smeets)

3 The Present

In the aftermath of the DDoS attacks against Estonia, the cyber literature shifted into high gear.Footnote 24 From 2007–2008 onwards, discussion of cyber war has dominated the literature.Footnote 25 Betz and Stevens note the “popular discourse on cyberwar tends to focus on the vulnerability of the ‘physical layer’ of cyberspace to cyber-attack and the ways in which this may permit even strong powers to be brought to their knees by weaker ones, perhaps bloodlessly.”Footnote 26 Indeed, Richard Clarke and Robert Knake wrote one of the most widely-read books on cyberwar in 2010—spurring an increase in academic literature—talking about the different ways a cyber-attack could potentially take down the United States power grid.Footnote 27 More sceptical research was published too, observing a striking absence of destructive cyber-attacks—including the article and book by Thomas Rid pushing back against the cyberwar hype.Footnote 28

Against this backdrop, it is hardly surprising that cyber deterrence started to receive increased attention. If war and conflict are possible in cyberspace, then deterrence must be possible or needed as well.Footnote 29 By 2016, the academic discussion on cyber deterrence peaked with 480 publications that year.Footnote 30

Today, as a military concept, cyber deterrence has at least three different meanings. First, cyber deterrence can refer to the use of (military) cyber means to deter a (military) attack. Second, cyber deterrence can refer to the use of (military) means to deter a (military) cyber-attack. Third, cyber deterrence can refer to the use of (military) cyber means to deter a (military) cyber-attack. Although not explicitly spelled out, the majority of the existing literature has focused on the latter two conceptions.Footnote 31

Scholars currently disagree to what degree it is generally possible to deter an adversarial cyber-attack. Table 20.1 provides an overview of the distinct positions various scholars have articulated over the past few years.Footnote 32 Within this table we can roughly distinguish between three groups of scholars. The first group (denoted in the table in light grey) argues that cyber deterrence does not have distinctive problems and therefore works—or occasionally fails—like conventional deterrence. Dorothy Denning, for example, notes that cyberspace “shares many characteristics with the traditional domains,” and thus deterrence can be achieved through existing regimes—e.g. norms and international agreements, better cyber security, and applying the classical deterrence by punishment logic.Footnote 33 The second group of scholars (denoted in the table in dark grey) believes that cyber deterrence encompasses a unique set of issues because cyberspace is inherently different from the traditional domains. Solving the deterrence puzzle is thus only possible if we gain a better understanding of the underlying dynamics at play. Proponents of cyber deterrence—in either the first or second group—tend to discuss one of the following four deterrence logics: (i) deterrence by denial, (ii) deterrence by punishment, (iii) deterrence by entanglement and (iv) deterrence by delegitimization.Footnote 34

Table 20.1 Overview of arguments on the potential to deter cyber attacks

First, deterrence by denial is essentially synonymous with cybersecurity. At its core, the conceptual idea is that better cybersecurity will decrease the probability of network penetration, and thus influence the cost-benefit calculations of an adversary to the degree that it either disincentivizes an attack or grinds an attacker to a halt over time. Second, deterrence by punishment seeks to discourage the adversary from attacking, by having them recognize that the costly consequences following their actions outweigh the benefits. We have seen variations of this logic being proposed as well. According to Lucas Kello, instead of trying to deter individual acts, countries should go for punctuated deterrence: “a series of actions that generate cumulative effect, rather than tit for tat response”.Footnote 35 Third, deterrence by entanglement rests on the unresolved discussion in international relations theory on whether state-to-state interdependence mitigates interstate conflict. Fourth, deterrence by delegitimization focuses on the creation of norms and rules for state behaviour in cyberspace, which will over time translate into a general principle of restraint, raise the reputational costs of bad behaviour, and shrink the battlespace to only encompass military combatants.

The third group (denoted in the table in white) argues that cyber deterrence is not possible. At least not in the way that the first two groups tend to believe. Jon Lindsay and Erik Gartzke, for example, put forward the idea of a comprehensive deception strategy—both on offense and defence—because the cyber domain is “a global network of gullible minds and deterministic machines.”Footnote 36 In contrast Harknett and Fischerkeller make the case that the unique characteristics of cyberspace “[demand] a unique strategy, a capabilities-based strategy of cyber persistence,” whose goal it is “to remove the escalatory potential from adversarial action”.Footnote 37

4 The Future

Figure 20.1 suggests that the writing and thinking about cyber deterrence is slowly falling out of fashion among scholars. This could be for at least three reasons: (i) everything has been said already;Footnote 38 (ii) the concept of deterrence is misapplied in cyberspace, or (iii) other strategic concepts are gaining more prominent attention. The cause is likely a mix of these, and it is unlikely that this trend will reverse itself anytime soon. Instead, we expect the debate to fork into four directions, which—although distinct and separate—do not mutually exclude each other.

The first direction will seek to increasingly incorporate cyber deterrence as an element within the broader international security and contest in a multi-domain world. Aaron Brantly for example argued back in 2018 that the main challenge of the future is not to define deterrence in cyberspace, but to “understand the role digital technologies play in the broader scope of interstate deterrence”.Footnote 39 A recently published volume on Cross-Domain Deterrence, edited by Jon Lindsay and Erik Gartzke, has also already moved in this direction. As the scholars write, “cross-domain deterrence is not new today, but its relevance is increasing. Strategic actors have long combined capabilities or shifted domains to make coercive threats or design around them […] As a larger and more diverse portfolio of tools available for coercion complicates strategic choices, a better understanding of [cross-domain deterrence] becomes a critical asset for effective national security strategizing.”Footnote 40

Given the technical nature of the cyber domain, the second direction will primarily focus on deterrence effects that can be achieved on the operational and tactical level. Currently, there are numerous practical obstacles that hinder scholars and strategists from exploring this route, including: highly classified documents, non-access to cyber operators, and the embryonic stage of existing military cyber organizations. Over time, we expect those hurdles to slowly melt away to the extent that operational and tactical know-how on how cyber operators actually defend, fight, and win in cyberspace will increasingly make its way into open source.Footnote 41 Insights into this ground game will also highly likely lead to a better understanding of how escalation dynamics work in cyberspace and what psychological effects can and cannot be created.

The third direction seeks to shift the attention away from deterrence, towards the other form of coercion: compellence.Footnote 42 Compellence refers to an action that persuades an adversary to stop or change an action. Compellence is conventionally considered to be more difficult. When the actor changes behaviour, there are often reputational costs. In this respect, offensive cyber operations may come with an advantage: “Its effects do not necessarily have to be exposed publicly, which means the compelled party can back down post-action without losing face. More specifically, the compelled actor can deny that the effect was caused by OCC.”Footnote 43 There are also more opportunities to reverse the effects of cyber operations, which may further encourage compliance.Footnote 44

The final direction will explore strategic concepts that seek to contain and blunt adversarial aggression in cyberspace and that stand apart from traditional deterrence thinking. Persistent engagement is a first step in this direction—a concept also adopted by the US Cyber Command in their 2018 ‘Vision’ document entitled “Achieve and Maintain Cyberspace Superiority”.Footnote 45 Early contours of this concept are found in a 2016 article by Richard Harknett and Emily Goldman, talking about an “offense-persistent strategic environment” in which “the contest between offense and defence is continual [and] the defence is in constant contact with the enemy”.Footnote 46 Harknett and Michael Fischerkeller further refined the idea a year later, arguing that “in an environment of constant contact, a strategy grounded in persistent engagement is more appropriate than one of operational restraint and reaction for shaping the parameters of acceptable behaviour and sustaining and advancing U.S. national interests.”Footnote 47 Underlying this move away from deterrence thinking is a belief that the literature paid too much attention to the ‘high-and-right’ cyber equivalent to an armed attack—that is, the concept of ‘cyberwar’—ignoring the fact that the actual behaviour of actors in cyberspace has been of a far more nuanced nature. As Harknett and Smeets wrote in a 2020 Journal of Strategic Studies article, “what has emerged are campaigns comprised of linked cyber operations, with the specific objective of achieving strategic outcomes without the need of armed attack”.Footnote 48

It is also likely we will see the emergence of alternative strategic concepts, beyond persistent engagement. Analysts from European states can be expected to promote ideas that stand in stark contrast to U.S. thinking. While most European states have absorbed early U.S. thinking of cyberspace being a warfare domain and the need for cyber deterrence, European policymakers are uncomfortable with adopting, much less discussing, persistent engagement, as it is perceived as overly aggressive. Similarly, most European military cyber organizations will not be able to increase their operational capacities to such a degree that they can navigate “seamlessly, globally, and continuously”, as persistent engagement demands. Recognizing these limitations, EU member states will have to fill this strategic vacuum with creative conceptual thinking.

5 Conclusion

The purpose of this chapter was to situate the current debate on cyber deterrence within the historical evolution of deterrence thinking in cyberspace, clarify the existing conceptualizations, and comprehensively discuss whether the concept of cyber deterrence has an analytical future. Born in the 1990s, the thinking on cyber deterrence was nurtured by the U.S. Department of Defense in numerous war-gaming exercises. We showed in this chapter that cyber deterrence hit puberty in the aftermath of the distributed denial-of-service campaign against Estonia in 2007, matured after Stuxnet, and received peak attention from policymakers and academics from 2013 to 2016 during the golden age of ‘cyberwar’ scholarship. Yet, it also became clear that, from 2016 onward, the interest in cyber deterrence started to fade to the extent that it is now intentionally neglected.

We argued that the future deterrence debate can move into four directions: increased incorporation of cyber deterrence as an element within the broader international security and contest in a multi-domain world; a deeper focus on the technical aspects of the cyber domain to achieve deterrence effects on the operational and tactical level; a closer analysis of compellence, as the alternative form of coercion; and an exploration of new strategic concepts that seek to contain and blunt adversarial aggression in cyberspace and that stand apart from traditional deterrence thinking.

In contrast to the evolution of deterrence theory in realspace, which has moved along four (respectively five) distinctive waves, the evolution of cyber deterrence is to some degree schizophrenic. Theory-wise it is still stuck between the first and second wave—due to the absence of large empirical datasets and comprehensive case studies. As a result, the three groups of scholars outlined in Table 20.1 are still interlocked in a disagreement on the very fundamentals of deterrence thinking in the cyber domain. Meanwhile, mechanism-wise, cyber deterrence is seen as an inherent part of the fourth (deterring asymmetric threats) and fifth deterrence wave (resilience and cross-domain integration). To reconcile this schizophrenic approach, scholars and practitioners need to figure out whether cyber deterrence mechanisms can actually work without having a firm grasp on cyber deterrence theory, and whether cyber deterrence theory is actually based on evidence collected from the cyber domain rather than deduced from known behavioural outcomes in realspace. Answers to these questions will likely be found within the three future directions we have outlined.