Cyber Deterrence: The Past, Present, and Future

The question on whether and how deterring an adversary in or through cyberspace is feasible has provoked the minds of scholars and practitioners for decades. Today, cyber deterrence remains a quintessential anchoring concept for the political debates on cyber policy. However, does the concept of deterrence in cyberspace have a future when for almost three decades little to no seemingly feasible practical solutions nor an academic consensus have emerged? The purpose of this chapter is to situate the current debate on cyber deterrence within the historical evolution of deterrence thinking in cyberspace, clarify the existing conceptualizations, and comprehensively discuss whether the concept of cyber deter-S

rence has an analytical future. We argue that the future deterrence debate can move into four directions: increased incorporation of cyber deterrence as an element within the broader international security and contest in a multi-domain world. A deeper focus on the technical aspects of the cyber domain to achieve deterrence effects on the operational and tactical level. A closer analysis of compellence, as the alternative form of coercion. And an exploration of new strategic concepts that seeks to contain and blunt adversarial aggression in cyberspace that stands apart from traditional deterrence thinking.
Keywords Cyber Deterrence Á Offensive Cyber Operations Á strategy Á cyberspace

Introduction
The question on whether and how deterring an adversary in or through cyberspace is feasible has provoked the minds of scholars and practitioners for decades. The definition of 'cyber deterrence' has evolved over time and been conceptually stretched. 1 Today, it remains a quintessential anchoring concept for the political debates on how to deal with the wide-range of cyber threats in general and offensive military cyber operations in specific. But does the concept of deterrence in cyberspace have a future when for almost 30 years little to no seemingly feasible practical solutions nor an academic consensus have emerged? 2 The purpose of this chapter is to situate the current debate on cyber deterrence within the historical evolution of deterrence thinking in cyberspace, clarify the existing conceptualizations, and comprehensively discuss whether the concept of cyber deterrence has an analytical future. 3 This chapter is logistically structured into three sections. The first section discusses the historical evidence of cyber deterrence literature-also delving into its conceptual origins. The second section looks at the two uses of the term in the present-and identifies six distinct cyber deterrence mechanisms. The third section is about the future of cyber deterrence research. It explains why a deeper understanding of the dynamics of cyber operations is essential for the cyber deterrence concept as a whole. It also explores avenues for new theoretical research that moves beyond the mere idea of traditional deterrence concepts. The chapter culminates with a conclusion that draws out several implications. 1 Indeed, many other cyber terms-and the prefix itself-have suffered the same fate ;Sartori 1970;Shires and Smeets 2016. 2 For a more extensive discussion on the lack of agreement, see Brantly and Smeets, forthcoming. The general notion is that cyber deterrence below the threshold of armed attack is not working. 3 Also, whilst compellence is a potentially more promising form of coercion in cyberspace, this chapter only focuses on cyber deterrence. For broader overviews on coercion and the strategic value of offensive cyber operations, see Borghard and Lonegran 2017;Smeets 2018;Libicki 2012;Byman and Waxman 2001.

The Past
To map the evolution of deterring an adversary online, it is worth venturing back to the early days of the hacking community. During the 1970s and 80s, phreakers-or phone hackers-used to listen to "the clicks and clunks and beeps and boops" to figure out how the telephone system worked and how they could manipulate it. 4 Although few underground stories from those hay days have been made public, the most well-known phreaker 'conflict' occurred back in 1989-when the Masters of Deception (MoD) went to 'war' against the Legion of Doom. 5 The 'cyber activity' of the time could include switching a target's phone carrier to another carrier; making a target's phone ring constantly to the effect that the victim had to unhook his phone and leave it unhooked for hours on end; or eavesdropping on and cross-connecting a victim's phone call (imagine you are calling your parents and suddenly a 911 operator joins the call wanting to know what your emergency is). 6 During this "gang-war in cyberspace", as Wired called it, deterrence was primarily discussed with a criminology mind-set-though with an ill understanding of seriousness of offense, rehabilitation, recidivism, and above all offender's motivations and ability to act. Kevin Mitnick spent five years in prison for various 'cyber crimes', including eight months in an isolation cell, when he was caught by the FBI in 1995. The reason he received this harsh treatment is because someone convinced the judge he was able to initiate "a nuclear war by whistling on a public telephone". 7 Parallel to the end of the phreaking days and the expansion of the World Wide Web, the idea of-what was then called-information warfare, gained increasing traction within the US Department of Defense. 8 Definition-wise, it was an amalgam ranging from "media wars to electronic combat, and from economic competition to strategic conflict waged against civilian populations". 9 In a sense, information warfare then was what hybrid warfare is now. A concept that encompassed everything and was analytically so broad that it is hard to strategize, plan, and act around the term. Early attempts at bringing deterrence thinking into the information warfare discussion, led to the recognition that network defences were overall 4 Lapsley 2013. 5 This is an inherently western-biased conception of the emergence of the field. For an early history in the Chinese context (from 1995), see Henderson 2007. 6 Slatalla and Quittner 1994. 7 Mitnick 2012. 8 The term is said to originate in 1970s, when Tom Rona in the Office of Net Assessment was investigating the relationships among control systems (now known as cybernetics). See Keuhl 2002. 9 In fact, as the Congressional Research Service writes in a report, "Although several official documents now refer to "information warfare" in other countries, [as of 2018] the United States has no formal government definition of IW. The DOD definition of information operations refers only to military operations and does not emphasize the use of cyberspace to achieve nonmilitary strategic objectives"; Wheatley and Hayes 1996, p. iii;Theohary 2018, p. 6. inadequate and that they needed to be improve to deter anyone. In other words, deterrence was largely equated with better defence.
Through several war-gaming scenarios, the United States Department of Defense (DoD) slowly but surely realized that the US would be unable to simply deter an adversary through defensive measures alone when they themselves were unable to climb their way out of the proverbial glasshouse. 10 Consequently, information warfare turned purely offensive, sparking concepts such as decapitation strikeswhose aim was to sever the linkages between an adversary's political leadership and the mechanisms it utilizes to control its civilian population; and counter command-and-control-which focused on breaking the communication links between an adversary's military leadership and the military assets deployed on the battlefield. 11 In essence, adversaries were seen as information hubs and spokes systems whose functioning was dependent upon the continuous information exchange between its parts. Anything from telephone lines, computers, radios, and media outlets were subsequently tagged as cut-off point to break this information flow and thereby weaken and subsequently defeat an enemy through sheer chaos creation.
In 1993, RAND's John Arquilla and David Ronfeldt introduced the concept of 'Netware' in an article titled "Cyberwar is Coming". 12 Netwar was distinctly different from cyberwar. Cyberwar stood in the tradition of counter command-and-control, by focusing on the disruption if not even destruction of adversarial information and communication systems. Its primary goal: tipping the balance on information and knowledge. Netwar by contrast was defined by Arquila and Ronfeldt as "trying to disrupt, damage, or modify what a target population 'knows' or thinks it knows about itself and the world around it". 13 Meaning, pure Netware was a societal-level focused, inherently non-violent, ideational conflict, aimed at disruption rather than destruction. To some degree Netware shared significant overlaps with what was then known as information-based deterrence, that is "turning international opinion against an aggressor, altering his perception of the military correlation of forces in theatre, and fostering instability in his country". 14 However, Netware, as Arquila and Ronfeldt defined it, was removed from the traditional battlefield and encompassed adversaries as diverse as "transnational terrorists, criminals, and even radical activists". 15 In other words, it also included organized non-state hacker communities. At its core, Arquila and Ronfeldt viewed an adversary not as one large harmonious network, but numerous smaller ones, 10 Wheatley and Hayes 1996, op cit.

11
Also see Broder 1990;Molander et al. 1996. 12 It should be noted, however, is that it was the Mongol way of warfare from the 12th and 13th century which inspired Arquilla and Ronfeldt to coin the term 'netwar'. See Arquilla and Ronfeldt 1993. 13 Arquilla and Ronfeldt 1993, op cit, p. 28. 14 Nichiporuk 1999, p. 193. 15 Ronfeldt and Arquilla 1999, p. 352. each with their own internal stability, interests, and allegiances, that were organized to function as a somewhat coherent unit. The most important aspect of counter-Netware thinking was thus that an adversary could be potentially defeated by targeting the connectivity between and among these smaller networks, to shape how they interacted and behaved differently when disconnected from each other. Defending against a Netware would be inherently difficult, if not impossible, given how deep an adversary will have to penetrate into a target's society. Writing in the late 1990s, Arquila and Ronfeldt therefore concluded that, "it may be that deterrence against netwar will grow problematic, and all that will remain is a choice between either preclusive or depth-oriented defensive schemes. The former applies an ability to provide 'leak-proof' defences, while the latter accepts initial incursions, then aims to expel the intruders or invaders by means of counterattack." 16 Amidst the question of how deterrence might work in the context of this more refined view of information warfare, the term cyber deterrence was forming. In his 1994 Wired piece, James Der Derian coins 'cyber deterrence' talking about the US Army's Desert Hammer VI war game exercise. 17 Far from outlining how an adversary can be deterred in cyberspace, Der Derian's term described the Army's fusing of "media voyeurism, technological exhibitionism, and strategic simulations" to create a hyper digitalized image of US military dominance across the four traditional battlespace domains. 18 Coming out of the aftermath of Desert Storm, which saw the baptism of stealth technology, precision guided ammunition use, and the unprecedented access of embedded journalists, Der Derian's definition made perfect sense. The major problem was that cyber deterrence stood apart from the cyberwar concept, had little to nothing to do with Netware, and only partially captured the logic of information warfare. What Der Derian's definition nonetheless did, was to point out the obvious fact: Deterrence is a mind game.
In 1995, the DoD eventually tasked RAND to explore "the development and achievement of national information warfare goals" in a series of wargames. While the final report by Molander et al. opened up more questions than answers, it does provide a few insights into the early days of cyber deterrence thinking as it is widely understood today. The report summarized the participant's question by noting that; [first], how will one make retaliatory threats and against whom when there is great uncertainty about the origin of an attack. Second, there is the question of the proportionality of any response when the immediate and collateral damage associated with a particular act of cyberspace retaliation is poorly understood by national decision makers. Third is the potential asymmetry of vulnerability between the United States, its allies, and the potential opponent.
[…] All of this points to the prospect that there will be no low-cost and conceptually simple deterrent concept that obviates the need to worry about future cyberspace attacks. 19 16 Ronfeldt and Arquilla 1996, p. 94. 17 Der Derian 1994. 18 Ibid. 19 By 1996, still very few scholars and practitioners actually thought about deterrence in cyberspace as being feasible. Richard Harknett for example concluded that "the nature of Netware and cyberwar lend themselves to analytical frameworks and a strategic calculus dominated by offense-defence models, rather than by deterrence." 20 Gary Wheatley and Richard Hayes similar observed that "while significant, overall U.S. capability and will do not guarantee deterrence of information attacks." 21 It would take another 25 years for this 'demonstration of will' to translate into the strategic concept we now call: persistent engagement. Figure 20.1 provides a historical overview of the journal articles, book chapters, and research reports written on the specific terms 'cyber deterrence' and 'cyberdeterrence'. 22 Based on the figure, we can roughly distinguish between three phases in the literature: The early period, stretching from the early 1990s to the DDoS attacks against Estonia in 2007. The advancement period, when publications on cyber deterrence sky-rocketed from 2007 until 2016. And the reflection period, which has seen publications on cyber deterrence drop from its height in 2016 to 2014 levels. 23 20 Harknett 1996. 21 Participants at the 1993 US-Navy sponsored wargame titled 'Strategic Deterrence and Information Warfare' even argued that "[high leverage options] work best with other deterrent measures such as presence, force movements (e.g. movements into theater; call up of reserves), and other direct deterrent actions that serve as a demonstration of will". Wheatley and Hayes op cit,p. 19. 22 Annual JSTOR search results for the terms 'cyber deterrence' and 'cyberdeterrence.' The terms 'cyber deterrence' and 'cyberdeterrence' were chosen, due to JSTOR's search engine ignoring hyphens between two words as well as capitalizations. Meaning, the term 'Cyber-deterrence' returns the same search results as 'cyber deterrence.' The annual division was attained by searching for the keywords from ex. 2000/01 to 2000/12. The former number denoting the year, the latter the month. Additionally, the search was performed with the 'access type' switched to 'all content' to capture even those publications JSTOR includes in its search results that are inaccessible through the JSTOR subscription. The methodology has several shortcomings, which, although significant, we deem good enough for the rough estimation of the growth and decline of the usage of the term cyber deterrence/cyberdeterrence. The most obvious shortcoming is that JSTOR treats the search query 'cyber deterrence' also a search for the individual terms 'cyber' and 'deterrence.' Meaning, it returns hits in which both terms are used pages apart. From a statistical point of view this is a problem. From an analytical perspective it is not. Any writings on 'cyber' that touch upon 'deterrence' even in a different context are worth including. In this case, casting a wider net is more adequate than using a narrow one. The second shortcoming concerns the time lag for newer publications to make their way into the JSTOR database. Meaning the further away the year of publication, the more stable the number of search hits for that year. One could argue that this invalidates our notion of a decrease in the publications on cyber deterrence since 2016. While we do expect a rise in the numbers for the years 2017, 2018, and 2019, we are highly confidentbased on the analytical part of this chapter-that these figures will not reach the level of 2016. Time will tell whether we are right. As of this writing we definitely are. 23 Excluding results from unrelated disciplines, such as toxicology, does not significantly alter the search results.

The Present
In the aftermath of the DDoS attacks against Estonia, the cyber literature turned into high gear. 24 From 2007-2008 onwards, discussion of cyber war has dominated the literature. 25 Betz and Stevens note the "popular discourse on cyberwar tends to focus on the vulnerability of the 'physical layer' of cyberspace to cyber-attack and the ways in which this may permit even strong powers to be brought to their knees by weaker ones, perhaps bloodlessly." 26 Indeed, Richard Clarke and Robert Knake wrote one of the most widely-read books on cyberwar in 2010-spurring an increase in academic literature-talking about the different ways a cyber-attack could potentially take down the United States power grid. 27 More sceptical research was published too, observing a striking absence of destructive cyber-attacksincluding the article and book by Thomas Rid pushing back against the cyberwar hype. 28 Against this backdrop, it is hardly surprising that cyber deterrence started to receive increased attention. If war and conflict are possible in cyberspace, then  Betz and Stevens 2011, p. 76. 27 Clarke and Knake 2010. 28 Rid 2012. deterrence must be possible or needed as well. 29 By 2016, the academic discussion on cyber deterrence peaked with 480 publications that year. 30 Today, as a military concept, cyber deterrence has at least three different meanings. First, cyber deterrence can refer to the use of (military) cyber means to deter a (military) attack. Second, cyber deterrence can refer to the use of (military) means to deter a (military) cyber-attack. Third, cyber deterrence can refer to the use of (military) cyber means to deter a (military) cyber-attack. Although not explicitly spelled out, the majority of the existing literature has focused on the latter two conceptions. 31 Scholars currently disagree to what degree it is generally possible to deter an adversarial cyber-attack. Table 20.1 provides an overview of the distinct positions various scholars have articulated over the past few years. 32 Within this table we can roughly distinguish between three groups of scholars. The first group (denoted in the table in light grey) argues that cyber deterrence does not have distinctive problems and therefore works-or occasionally fails-like conventional deterrence. Dorothy Denning, for example, notes that cyberspace "shares many characteristics with the traditional domains," and thus deterrence can be achieved through existing regimes-e.g. norms and international agreements, better cyber security, and applying the classical deterrence by punishment logic. 33 The second group of scholars (denoted in the table in dark grey) believes that cyber deterrence encompasses a unique set of issues because cyberspace is inherently different from the traditional domains. Solving the deterrence puzzle is thus only be possible if we gain a better understanding of the underlying dynamics at play. Proponents of cyber deterrence-in either the first or second group-tend to discuss one of the following four deterrence logics: (i) Deterrence by denial, (ii) deterrence by punishment, (iii) deterrence by entanglement and (iv) deterrence by-delegitimization. 34 First, deterrence by denial is essentially synonymous to cybersecurity. At its core, the conceptual idea is that better cybersecurity will decrease the probability of 29 Having said this, Martin Libicki-discussing the Estonia DDoS attacks as the opening of his classic book 'cyberdeterrence and cyberwar'-was quick to note that the "ambiguities of cyberdeterrence contrast starkly with the clarities of nuclear deterrence" and "military cyberdefense is like but not equal to civilian cyberdefense". Libicki 2009, pp. xii-xvii. 30 This paper focuses on academic research in the international relations field, which dominates the discussion on cyber deterrence. There are however several underdeveloped cyber deterrence research silos that have distinctly different views on the topic, such as the field of criminology (tackling cybercrime), psychology (defending against information warfare), intelligence studies (curbing digital espionage), and the computer sciences (mitigating system vulnerabilities and network disruptions).  The scholars note that "Studies of 'cyber deterrence' raise as many problems as would be raised by a comparable study of 'land deterrence'. " Denning 2015. 34 For a similar classification, see Nye 2016/2017; for a general description, see the Preface by Osinga and Sweijs in the present volume. network penetration, and thus influence the cost-benefit calculations of an adversary to the degree that it either disincentives an attack or grinds an attacker to halt over time. Second, deterrence by punishment seeks to discourage the adversary from attacking, recognizing the costly consequences following their actions outweigh the benefits. We have seen variations of this logic being proposed as well. According to Lucas Kello, instead of trying to deter individual acts, countries should go for punctuated deterrence: "a series of actions that generate cumulative effect, rather than tit for tat response". 35 Third, deterrence by entanglement rests on the unresolved discussion in international relations theory on whether state-to-state interdependence mitigates interstate conflict. Fourth, deterrence by de-legitimization focuses on the creation of norms and rules for state behaviour in cyberspace, will over time translate into a general principle of restraint, raise the reputational costs of bad behaviour, and shrink the battlespace to only encompass military combatants. Denning 2015 Same problems for CD as for conventional deterrence. Potential for CD through existing regimes Gartzke and Lindsay 2015 CD suffers from problems of rationality, attribution, and secrecy. This means we have to instead focus on deception as distinct strategy Tor 2015 We should move from 'absolute' CD to 'cumulative' CD, which is restrictive and continuous in nature Stevens and Muller 2017 (NATO) CD seems to be viable. Yet, it should be viewed as a cumulative process, beyond military Sulmeyer 2017 CD might be possible in theory. However, we are still unclear what activity to deter, and which tools to use to impose costs Kello 2017 CD does not work as a strategy, but we should aim for punctuated CD instead: we should not deter individual actions but a series of actions Healey 2017 CD is still working on the high-end-yet, nations show limited restraint. It is the aspect of 'constant cyber activity' which causes problems Nye 2017 Conventional CD is difficult. Instead, we should focus on deterrence by economic entanglement and norms to overcome barriers Harknett and Fischerkeller 2017 CD is impossible due to the structure of cyberspace. We need to move away from the deterrence paradigm and consider different forms of strategy Brantly 2018 Absolute deterrence may not be possible-but a form deterrence as in criminology might be. We need to move away from deterrence only by punishment and denial (Source Smeets and Lin 2018a, p. 62) 35 Kello 2017.
The third group (denoted in the table in white) argues that cyber deterrence is not possible. At least not in the way that the first two groups tend to believe. Jon Lindsay and Erik Gartzke, for example, put forward the idea of a comprehensive deception strategy-both on offense and defence-because the cyber domain is "a global network of gullible minds and deterministic machines." 36 In contrast Harknett and Fischerkeller make the case that the unique characteristics of cyberspace "[demand] a unique strategy, a capabilities-based strategy of cyber persistence," whose goal it is "to remove the escalatory potential from adversarial action". 37

The Future
Figure 20.1 suggests that the writing and thinking about cyber deterrence is slowly falling out of fashion among scholars. This could be for at least three reasons: (i) everything has been said already; 38 (ii) the concept of deterrence is misapplied in cyberspace, or (iii) other strategic concepts are gaining more prominent attention. Likely a mix of these causes, it is unlikely this trend reverses itself anytime soon. Instead, we expect the debate to fork into four directions, which-although distinct and separate-do not mutually exclude each other.
The first direction will seek to increasingly incorporated cyber deterrence as an element within the broader international security and contest in a multi-domain world. Aaron Brantly for example argued back in 2018 that the main challenge of the future is not to define deterrence in cyberspace, but to "understand the role digital technologies play in the broader scope of interstate deterrence". 39 A recently published edited volume of Jon Lindsay and Erik Gartzke on Cross-Domain Deterrence has also already moved in this direction. As the scholars write, "cross-domain deterrence is not new today, but its relevance is increasing. Strategic actors have long combined capabilities or shifted domains to make coercive threats or design around them […] As a larger and more diverse portfolio of tools available for coercion complicates strategic choices, a better understanding of [cross-domain deterrence] becomes a critical asset for effective national security strategizing." 40 Given the technical nature of the cyber domain, the second direction will primarily focus on deterrence effects that can be achieved on the operational and tactical level. Currently, there are numerous practical obstacles that hinder scholars 36 Gartzke and Lindsay 2015. 37 Harknett and Fischerkeller 2017. 38 We consider this reason to be least likely given that nuclear deterrence continues to be a prolific research area despite the numerous articles published in the field over the past decades. 39 Brantly 2018. 40 Lindsay and Gartzke 2019, pp. 333-335; also see Futter 2018. and strategists to explore this route, including: highly classified documents, non-access to cyber operators, and the embryonic stage of existing military cyber organizations. Over time, we expect those hurdles to slowly melt away to the extent that operational and tactical know-how on how cyber operators actually defend, fight, and win in cyberspace will increasingly make its way into open source. 41 Insights into this ground game, will also highly likely lead to a better understanding on how escalation dynamics work in cyberspace and what psychological effects can and cannot be created.
The third direction seeks to shift the attention away from deterrence, towards the other form of coercion: compellence. 42 Compellence refers to an action that persuades an adversary to stop or change an action. Compellence is conventionally considered to be more difficult. When the actor changes behaviour, there are often reputational costs. In this respect, offensive cyber operations may come with an advantage: "Its effects do not necessarily have to be exposed publicly, which means the compelled party can back down post-action without losing face. More specifically, the compelled actor can deny that the effect was caused by OCC.l 43 There are also more opportunities to reverse the effects of cyber operations, which may further encourage compliance. 44 The final direction will explore strategic concepts that seeks to contain and blunt adversarial aggression in cyberspace that stands apart from traditional deterrence thinking. Persistent engagement is a first step into this direction-a concept also adopted by the US Cyber Command in their 2018 'Vision' document entitled "Achieve and Maintain Cyberspace Superiority". 45 Early contours of this concept are found in a 2016 article by Richard Harknett and Emily Goldman, talking about an "offense-persistent strategic environment" in which "the contest between offense and defence is continual [and] the defence is in constant contact with the enemy". 46 Harknett and Michael Fischerkeller further refined the idea a year later, arguing that "in an environment of constant contact, a strategy grounded in persistent engagement is more appropriate than one of operational restraint and reaction for shaping the parameters of acceptable behaviour and sustaining and advancing U.S. national interests." 47 Underlying this move away from deterrence thinking is a belief that the literature paid too much attention to the 'the high-and-right' cyber equivalent to an armed attack-that is, the concept of 'cyberwar', ignoring the fact that the actual behaviour of actors in cyberspace has been of a far more nuanced nature. As 41 There is also the opportunity for more game theoretical modeling at this level. For an initial analysis, see Axelrod and Iliev 2014 Harknett and Smeets wrote in a 2020 Journal of Strategic Studies article, "what has emerged are campaigns comprised of linked cyber operations, with the specific objective of achieving strategic outcomes without the need of armed attack". 48 It is also likely we will see the emergence of alternative strategic concepts, beyond persistent engagement. Analysts from European states can be expected to promote ideas that stand in stark contrast to U.S. thinking. While most European states have absorbed early U.S. thinking of cyberspace being a warfare domain and the need for cyber deterrence, European policymakers are uncomfortable with adopting much less discussing persistent engagement, as it is perceived as overly aggressive. Similarly, most European military cyber organizations will not be able to increase their operational capacities to such a degree that they can navigate "seamlessly, globally, and continuously", as persistent engagement demands. Recognizing these limitations, EU member states will have to fill this strategic vacuum with creative conceptual thinking.

Conclusion
The purpose of this chapter was to situate the current debate on cyber deterrence within the historical evolution of deterrence thinking in cyberspace, clarify the existing conceptualizations, and comprehensively discuss whether the concept of cyber deterrence has an analytical future. Born in the 1990s, the thinking on cyber deterrence was nurtured by the U.S. Department of Defense in numerous war-gaming exercises. Hitting puberty in the aftermath of the distributed denial-of-service campaign against Estonia in 2007, we showed in this chapter that cyber deterrence matured after Stuxnet and received peak attention from policymakers and academics from 2013 to 2016 during the golden age of 'cyberwar' scholarship. Yet, it also became clear that, from 2016 onward, the interest in cyber deterrence started to fade to the extent that it is now intentionally neglected.
We argued that the future deterrence debate can move into four directions: increased incorporation of cyber deterrence as an element within the broader international security and contest in a multi-domain world. A deeper focus on the technical aspects of the cyber domain to achieve deterrence effects on the operational and tactical level. A closer analysis of compellence, as the alternative form of coercion. And an exploration of new strategic concepts that seeks to contain and blunt adversarial aggression in cyberspace that stands apart from traditional deterrence thinking.
In contrast to the evolution of deterrence theory in realspace, which has moved along four (respectively five) distinctive waves, the evolution of cyber deterrence is to some degree schizophrenic. Theory-wise it is still stuck between the first and second wave-due to absence of large empirical datasets and comprehensive case studies. As a result, the three groups of scholars outlined in Table 20.1, are still interlocked in a disagreement on the very fundamentals of deterrence thinking in the cyber domain. Meanwhile, mechanism-wise, cyber deterrence is seen as an inherent part of the fourth (deterring asymmetric threats) and fifth deterrence wave (resilience and cross-domain integration). To reconcile this schizophrenic approach, scholars and practitioners need to figure out whether cyberdeterrence mechanisms can actually work without having a firm grasp on cyber deterrence theory, and whether cyber deterrence theory is actually based on evidence collected from the cyber domain rather than deduced from known behavioural outcomes in realspace. Answers to these questions will likely be found within the three future directions we have outlined.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License ( http://creativecommons.org/licenses/by/4.0/ ), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.