5,317
Views
33
CrossRef citations to date
0
Altmetric
Articles

‘Cumulative Deterrence’ as a New Paradigm for Cyber Deterrence

 

ABSTRACT

This article suggests that there is a paradigm crisis in the sub-field of cyber deterrence. Cyber deterrence is evolving slowly and unpromisingly as a strategic tool in both theory and practice, mostly due to the ill-fitting theoretical framework and underlining assumptions it borrows from the absolute-nuclear-deterrence context. Therefore, this article suggests replacing the accepted yet inadequate paradigm of absolute deterrence with a better-fitting restrictive-cumulative-deterrence paradigm that draws on the Israeli approach to deterrence, introducing it into the cyber domain. The article further criticizes the current discourse in the field, including some ‘common knowledge’ (mis)understandings of cyberspace and the ways it affects the possibility of deterrence.

Acknowledgments

This article was written with the support of the Daphna and Shlomo Gal Foundation and the Eyal Ragounis Foundation.

Notes

1 State of Israel, Promoting National Cyber Capabilities, Decision No. 3611 of the 32nd Government, August 2011. For more information on the national cyber initiative in Israel, see also State of Israel, National Council for Research and Development, Annual Report 2010-2011, July 2012, pp. 10–18. Russia Ministry of Foreign Affairs, Doctrine of the Information Security of the Russian Federation, September 2000; Russia, Conceptual Views on the Activates of The Armed Forces of the Russian Federation in Information Space, 2011 (partial translation available at http://www.aofs.org/2012/04/15/russia%C2%B4s-cyber-strategy-published/); The White House, US National Strategy to Secure Cyberspace, February 2003; US Department of Defense, Strategy for Operating in Cyberspace, July 2011; US Department of Homeland Security, Blueprint for a Secure Cyber Future, November 2011; Barack Obama, US International Strategy for Cyberspace, The White House, May 2011; UK Cabinet Office, Cyber Security Strategy of the United Kingdom, June 2009; UK Cabinet Office, The UK Cyber Security Strategy, November 2011; German Federal Ministry of the Interior, The New Cyber Security Strategy for Germany, February 2011; the Netherlands Cabinet, The National Cyber Security Strategy, 2011; the Czech Republic, Cyber Security Strategy for the Czech Republic, 2011; Agence Nationale de la Sécurité des Systèmes D’information (ANSSI), Défense et Sécurité des Systèmes D’information Stratégie de la France, February 2011.

2 See: Dima Adamsky, ‘From Israel with Deterrence’, Forthcoming Security Studies; Dima Adamsky and Yossi Baidatz: ‘The Development of the Israeli Approach to Deterrence: a Critical Discussion on its Theoretical and Practical Aspects’, Eshtonot (8), Israel’s National Security Collage, October 2014, pp 9–16 (in Hebrew).

3 Adamsky and Baidatz ‘The Development of the Israeli Approach’, 11.

4 Rid, ‘Deterrence beyond the State: the Israeli Experience’, Comparative Security Policy, 33/1 (Citation2012), 126–29.

5 Adamsky and Baidatz ‘The Development of the Israeli Approach’,12; Rid ‘Deterrence beyond the State’, 137.

6 For a detailed description of the evolution of Israeli deterrence paradigm see: Uri Bar-Joseph, ‘Variations on a theme: The conceptualization of deterrence in Israeli strategic thinking’, Security Studies 7/3 (Citation1998), 145–81; Doron Almog, ‘Cumulative Deterrence and the War on Terrorism’, Parameters 34/4 (winter 2004-2005), 4–19; Dag Henriksen, ‘Deterrence by Default? Israel’s Military Strategy in the 2006 War against Hizbollah,’ Journal of Strategic Studies 35/1 (February 2012), 95–120; Boaz Atzili and Wendy Pearlman, ‘Triadic Deterrence: Coercing Strength, Beaten by Weakness’, Security Studies 21 (2012), 301–35; Amos Malka, ‘Israel and Asymmetrical Deterrence’, Comparative Strategy 27/1 (2008), 1–19; Emanuel Adler, ‘Complex Deterrence in the Asymmetric-Warfare Era’, in T.V. Paul, Patrick M. Morgan, and James, J. Wirtz, Complex Deterrence: Strategy in the Global Age (Chicago: The University of Chicago Press, 2009), 85–109; Thomas Rid, ‘Deterrence beyond the State: the Israeli Experience’, Comparative Security Policy.33/1 (Citation2012), 124–47.

7 See also Bar-Joseph ‘Variations on a theme’, 147–48.

8 It should be noticed that there seems to be some congruence between the concept of ‘compellence’ as discussed by Freedman (Lawrence Freedman, Deterrence, Cambridge: Polity, Citation2004), and the concept of cumulative deterrence as discussed here. Compellence according to Freedman is about changing existing behaviors, rather than preventing actors from embarking upon them in the first place, so these two concepts of strategic action are relatively close in purpose. In the case of cumulative deterrence, however, there is a distinctive paradigm regarding the method implementing short and powerful military campaigns, in order to achieve the desired effect of restricting and shaping the rival’s strategic behavior, as discussed above.

9 Industrial control systems are the systems that control the operation of industrial machines. It is important to distinguish between supervisory control and data acquisition (SCADA) – that is, the computer systems responsible for large-scale industrial processes over a broad geographic area (such as an electrical grid) – and distributed control systems (DCS), which oversee the operation of industrial machines at a given site (such as a discrete power station).To date, most of the cyber-attacks known publicly targeted IT infrastructure and databases. Nonetheless, the technology needed for carrying out a successful attack against ICS targets is already available to several state actors, and therefore it is important to this study as it describes the possible level of current and near future threat to national security, and the pressing need to build a current and relevant deterrence strategy.

10 See also: Patrick Beggs (Director, Cyber Security Evaluations), Securing the Nation’s Critical Cyber Infrastructure, US Department of Homeland Security (2010), 6–11.

11 See: James P. Farwell and Rafal Rohozinski, ‘Stuxnet and the Future of Cyber War’, Survival 53 (Citation2011),23–40; Myriam Dunn Cavelty, ‘Undoing the Effect of “Stuxnet”: Continuity and Change in the Discourse on Cyber Threats’, Military and Strategic Affairs (in Hebrew); Isaac R. Porche III, Jerry M. Sollinger and Shawn McKay, A Cyber Worm that Knows no Boundaries (Santa Monica, California: RAND Corporation, Citation2011); Gary McGraw, ‘Cyber War Is Inevitable (Unless We Build Security In)’, Journal of Strategic Studies (February 2013). For a detailed discussion see: David E. Sanger, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power (New York: Random-House, Citation2012); Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, November 2014). For a detailed analysis of the technological aspects of Stuxnet see: Nicolas Falliere, Liam O. Murchu and Eric Chien, W32. Stuxnet Dossier - Version 1.4 (Symantec Citation2011); cf. Ralph Langner, ‘What Stuxnet is All About’, The Last Line of Cyber Defense (January 2011); Ralph Langner, ‘Matching Langner’s Stuxnet Analysis and Symantec’s Dossier Update’, The Last Line of Cyber Defense (February 2011); Ralph Langner, ‘A Declaration of Bankruptcy for US Critical Infrastructure Protection’, The Last Line of Cyber Defense (June 2011).

12 Compare to Barzashka’s argument in The RUSI Journal that the success of Stuxnet is over-stated and did little to halt the Iranian nuclear program: Ivanka Barzashka, ‘Are Cyber-Weapons Effective? Assessing Stuxnet’s Impact on the Iranian Enrichment Programme,’ RUSI Journal 158/2 (April 2013). For a detailed analysis of the extent of Stuxnet technical impact, see: David Albright, Paul Brannan and Christina Walrond, ‘Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment’, ISIS Report (22 December 2010); David Albright, Paul Brannan and Christina Walrond, ‘Stuxnet Malware and Natanz: Update of ISIS December 22, Citation2010 Report’, ISIS Report (15 February 2011).

13 Tim Stevens, ‘A Cyberwar of Ideas? Deterrence and Norms in Cyberspace’, Contemporary Security Policy 33/1 (April 2012),148–70; cf. Jeffrey W. Knopf, ‘The Fourth Wave in Deterrence’, .Research, Contemporary Security Policy 31/1 (Citation2010), 1–33.

14 John Arquilla and David Ronfeldt, ‘Cyber War is Coming!’ Comparative Strategy 12/2 (Citation1993), 65–141.

15 Alvin Toffler and Heidi Toffler, War and Anti-War: Survival at the Dawn of the 21st Century (Boston, MA: Little, Brown, and Co., 1993), 140.

16 James Der Derian, ‘Cyber-Deterrence’, Wired 2/9 (September 1994).

17 Brian E. Fredericks, ‘Information Warfare at the Crossroads’, Joint Force Quarterly 17(Summer Citation1997), 98.

18 Richard J. Harknett, ‘Information Warfare and Deterrence’, Parameters 26/3 (Autumn Citation1996), 93–107.

19 John Arquilla and David Ronfeldt, The Advent of Net War (Santa Monica, California: RAND Corporation, Citation1996), 94.

20 Martin Libicki, Cyber Deterrence and Cyber War (Santa Monica, California: RAND Corporation, Citation2009).

21 See: Patrick M. Morgan, ‘Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm’, Committee on Deterring Cyber Attacks, National Research Council, Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy, Citation2011; cf. Patrick M. Morgan, ‘The State of Deterrence in International Politics Today’, Contemporary Security Policy 33/1 (April 2012), 102; Stephen J. Lukasik, ‘A Framework for Thinking about Cyber Conflict and Cyber Deterrence with Possible Declaratory Policies for These Domains’, Committee on Deterring Cyber Attacks, National Research Council, Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy, Citation2011, p. 101.

22 Compare: Amir Lupovitz, ‘Cyber War and Deterrence: Trends and Challenges in Research’, Military and Strategic Affairs 3/3 (December 2011) (in Hebrew).

23 See for example Richard J. Harknett, John P. Callaghan and Rudi Kauffman, ‘Leaving Deterrence Behind: War-Fighting and National Cybersecurity’, Journal of Homeland Security and Emergency Management 7/1 (Citation2010). Nevertheless, many have addressed the development of deterrence models that complemented the development of extensive and more expensive defensive measures. See Richard L. Kugler, ‘Deterrence of Cyber Attacks’, in Franklin Kramer, Stuart Starr and Larry Wentz (eds), Cyber Power and National Security (Washington, DC: National Defense University, Citation2009), Ch. 13, 309–40; Jonathan Solomon, ‘Cyber Deterrence between Nation-States-Actors: Plausible Strategy or a Pipe Dream?’, Strategic Studies Quarterly (Spring Citation2011).

24 See for example: David D. Clark and Susan Landau, ‘Untangling Attribution’, Committee on Deterring Cyber attacks, National Research Council, Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy, Citation2011. pp: 25–40. Cf. Patrick M. Morgan, ‘Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm’, Committee on Deterring Cyber Attacks, National Research Council, Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy, 201, p.67.

25 Eric Sterner, ‘Retaliatory Deterrence in Cyberspace’, Strategic Studies Quarterly (Spring Citation2011), 62–80.

26 Regarding the three core premises of deterrence see: T.V. Paul’ Complex Deterrence – An Introduction’ In: T.V. Paul, Patrick M. Morgan and James J. Wirtz, ‘Complex Deterrence’ (Chicago: The University of Chicago Press, Citation2009).

27 Thomas Rid and Ben Buchanan, ‘Attributing Cyber Attacks’, Journal of Strategic Studies 38/1-2(Citation2015),4–37.

28 Compare Will Goodman, ‘Cyber Deterrence – Tougher in Theory than in Practice?’ Strategic Studies Quarterly (Fall Citation2010); Charles L. Glaser, Deterrence of Cyber Attacks and U.S. National Security (Elliot School of International Affairs, George Washington University, June 2011).

29 For a more detailed discussion, see: Rid and Buchanan ‘Attributing Cyber Attacks’.

30 T.V. Paul, Patrick M. Morgan and James J. Wirtz, ‘Complex Deterrence’, Citation2009, p. 2.

31 On the basic principles of cyber weapons see: Thomas Rid and Peter McBurney, ‘Cyber-Weapons’, The RUSI Journal 157/1 (February 2012), 6–13; Dale Peterson, ‘Offensive Cyber Weapons: Construction, Development, and Employment’, Journal of Strategic Studies (February 2013).

32 See: Adam P. Liff, ‘Cyber War: A New ‘Absolute Weapon’? The Proliferation of Cyber Warfare Capabilities and Interstate War’, Journal of Strategic Studies (May 2012),1–28; Daniel Cohen and Aviv Rotbart, ‘The Proliferation of Weapons in Cyberspace’, Military and Strategic Affairs 5/1 (May 2013).

33 Matthew D. Crosston, ‘World Gone Cyber MAD: How “Mutually Assured Debilitation” Is the Best Hope for Cyber Deterrence’, Strategic Studies Quarterly (Spring Citation2011),100–16.

34 See for example: Jon R. Lindsay, ‘Stuxnet and the Limits of Cyber Warfare’, Security Studies 22/3 (August 2013), 365–404. http://dx.doi.org/10.1080/09636412.2013.816122

35 Compare: Amir Lupovitz, ‘Cyber War and Deterrence: Trends and Challenges in Research’, Military and Strategic Affairs 3/3 (December 2011), 46 (in Hebrew).

36 Doron Almog, ‘Cumulative Deterrence and the War on Terrorism,’ Parameters (Winter 2004-2005), 4–19.

37 Thomas Rid, ‘Deterrence beyond the State: the Israeli Experience,’ Comparative Security Policy.33/1 (Citation2012), 125.

38 See Rid’s discussion on the matter including the distinction between general and specific deterrence, and relevant criminological literature on the subject. Rid, Ibid., 126–27.

39 See: Martha Crenshaw, ‘Will Threats Deter Nuclear Terrorism?’, and Janis Gross Stein, ‘Deterring Terrorism, Not Terrorists,’ in Wenger and Wilner, Deterring Terrorism – Theory and Practice (CA: Stanford Security Studies, Citation2012).

40 See: Eran Ortal: ‘The Paradigm of Deterrence Operations’: a Strategic Pattern at a Dead-End, Eshtonot (1), Israel’s National Security Collage, January 2013, 7–22, (Hebrew); Dima Adamsky and Yossi Bydatz,Ibid., 17–24.

41 Adamsky and Baydatz, Ibid. (2015), 12,15; Rid, Ibid. (2012), 137.

42 G.E.P. Box and N.R. Draper, Empirical Model Building and Response Surfaces (New York: Wiley, Citation1987), 424.

43 Patrick M. Morgan, ‘Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm’, Committee on Deterring Cyber Attacks, National Research Council, Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy, Citation2011, p. 51.

44 US Senate, Advance Questions for Lieutenant General Keith Alexander, USA Nominee for Commander, United States Cyber Command, April 2010, http://www.armed-services.senate.gov/statemnt/2010/04%20April/Alexander%2004-15-10.pdf.

45 See for example: U.S. International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (Washington, DC: The White House, May 2011), footnote 9, pp. 10, 14; cf. Thomas Rid, ‘Cyber War Will Not Take Place’, Journal of Strategic Studies (October 2011), 25, footnote 70.

46 An example of this kind of thinking was exhibited at the STRATCOM conference on cyber deterrence, which also involved the US Department of Defense and CYBERCOM and was held in late 2011. Analysis of the lectures given at that conference indicates that, at that time, some in the US military were already thinking about systematic approach for cyber deterrence. See: US STRATCOM, ‘Cyberspace Deterrence vs. Deterrence - Is It a Meaningless Distinction?’, Deterrence Symposium, Panel 3, August 2011, http://www.youtube.com/watch?v=-ck6QH0pm6;

47 Lawrence Freedman, Deterrence (Cambridge, UK: Polity, Citation2004). On norms and deterrence in cyberspace see Tim Stevens, ‘A Cyberwar of Ideas? Deterrence and Norms in Cyberspace’, Contemporary Security Policy (April 2012).See Rid: Thomas Rid, ‘Deterrence beyond the State: the Israeli Experience’, Comparative Security Policy33/ (2012), 126.

48 See Tim Stevens, ‘A Cyberwar of Ideas? Deterrence and Norms in Cyberspace’, Contemporary Security Policy 33/1 (April 2012), 148–70.

49 Dmitry Dima Adamsky, ‘The 1983 Nuclear Crisis – Lessons for Deterrence Theory and Practice’, Journal of Strategic Studies 36/1 (Citation2013),4–41.

50 Jake Tapper, ‘Leon Panetta: A Crippling Cyber Attack Would Be an “Act of War”’, ABC News, May 27, Citation2012, http://abcnews.go.com/blogs/politics/2012/05/leon-panetta-a-crippling-cyber-attack-would-be-act-of-war/. Cf. The New York Times quoted former Secretary of Defense Leon E. Panetta as follows: ‘If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president’. Elisabeth Bumiller and Thom Shanker, ‘Panetta Warns of Dire Threat of Cyber attack on U.S.’, New York Times, 11 October 2012, http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all&_r=0

51 Panetta clearly pointed at Russia and China (Ibid). Compare: George Patterson Manson III, ‘Cyberwar: The United States and China Prepare for the Next Generation of Conflict’, Comparative Strategy 30/2 (Citation2011),121–133. This assessment also reflected in the so-called ‘Black Budget ‘of the US intelligence community that was leaked by Edward Snowden and published in August 2013: Barton Gellman and Greg Miller, ‘U.S. Spy Network’s Successes, Failures and Objectives Detailed in ‘Black Budget’ Summary, The Washington Post, 29 August 2013. http://www.washingtonpost.com/world/national-security/black-budget-summary-details-us-spy-networks-successes-failures-and-objectives/2013/08/29/7e57bb78-10ab-11e3-8cdd-bcdc09410972_story.html?tid=ts_carousel

52 See the media reports: IDG News Service, Serious Cyber-attacks Are Imminent Warns Leon Panetta: A Cyber Pearl Harbor or Cyber 9/11, 11 October 2012, http://www.youtube.com/watch?v=z1IF0bEMZts; Jennifer Booton, Matt Egan and Adam Samson, ‘Bank of America Hit By Cyber Attack’, Fox Business, 18 September 2012, http://www.foxbusiness.com/industries/2012/09/18/bank-america-website-experiencing-sporadic-outages; Ellen Nakashima, ‘Iran blamed for Cyber attacks on U.S. Banks and Companies’, The Washington Post, 21 September 2012, http://articles.washingtonpost.com/2012-09-21/world/35497878_1_web-sites-quds-force-cyberattacks#; Lolita C. Baldor, ‘US: Hackers in Iran Responsible for Cyber attacks’, CBS News, 11 2012, http://m.nbcnews.com/technology/technolog/us-hackers-iran-responsible-cyberattacks-1C6423908.

53 SeeRid and Buchman, Ibid., (Citation2015), 27.

54 See also: U.S Department of Justice - Office of Public Affairs, ‘U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage’, 19 May 2014. http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor

55 See for example: David E. Sanger and Nicole Perlroth: ‘U.S. Said to Find North Korea Ordered Cyber attack on Sony’. The New York Times, 17 December 2014. http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html?_r=0; BBC News, Sony hack: ‘White House views attack as security issue’, 19 December 2014. http://www.bbc.com/news/world-us-canada-30538154

56 See for example: David E. Sanger and Nicole Perlroth: ‘North Korea Loses Its Link to the Internet’. The New York Times, 22 December 2014. http://www.nytimes.com/2014/12/23/world/asia/attack-is-suspected-as-north-korean-internet-collapses.html

57 Devin Dwyer: ‘President Obama Sanctions North Korea after Sony Cyber attack’, ABC News, 2 January 2015. http://abcnews.go.com/Politics/obama-sanctions-north-korea-sony-cyberattack/story?id=27965524

Additional information

Notes on contributors

Uri Tor

Uri Tor is a research fellow in the Comparative National Security Project (CNSP) at the Interdisciplinary Center (IDC), Herzliya, Israel.

Reprints and Corporate Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

To request a reprint or corporate permissions for this article, please click on the relevant link below:

Academic Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

Obtain permissions instantly via Rightslink by clicking on the button below:

If you are unable to obtain permissions via Rightslink, please complete and submit this Permissions form. For more information, please visit our Permissions help page.