
US cyber deterrence: Practice guiding theory

Pages 245-280 | Published online: 04 Feb 2019
 

ABSTRACT

When compared to advancements in conceptualising deterrence in other domains, cyber deterrence is still in its messy infancy. In some ways cyber deterrence practice outpaces cyber deterrence theory. Tactics, strategy, doctrine, and policy are developed and put to use even before corresponding theories are properly understood. This article analyses how American cyber deterrence has been implemented over the past two decades in order to inform ongoing debates within the academic study of deterrence, and to provide insights from practice for how cyber deterrence theory can be better conceived and refined.

Disclosure statement

No potential conflict of interest was reported by the author.

Notes

1 Joseph Marks, ‘Trump Acknowledges Russian Hacking, points to Poor Defenses’, NextGov, 11 January 2017.

2 Donald J. Trump, ‘Cybersecurity’, Presidential Campaign Website, 2016, https://www.donaldjtrump.com/policies/cyber-security (accessed January 2017).

3 Michael Shear and Julie Hirschfeld Davis, ‘Trump, on YouTube, Pledges to Create Jobs’, New York Times, 21 November 2016.

4 The White House, Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, 11 May 2017.

5 US Department of State, Office of the Coordinator for Cyber Issues, ‘Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber Threats’, 31 May 2018.

6 Joseph Marks, ‘Many Top Cybersecurity Posts Remain Empty – and Not on Purpose’, DefenseOne, 10 November 2017; Mohana Ravindranath, ‘Many CFO Act federal Agencies are Still being Lead by Acting Chief Information Officers’, Nextgov, 17 November 2017.

7 In a moment of further intrigue, Bossert resigned his post in April 2018, on the request of John Bolton, Trump’s newly-appointed national security advisor. Bossert’s departure was followed a week later by Rob Joyce’s, the White House cybersecurity coordinator. President Trump later eliminated Joyce’s position altogether, in May 2018. Shaun Waterman, ‘Bossert Promises New National Cybersecurity Strategy’, CyberScoop, 24 October 2017; Reuters, ‘Trump Scraps Cyber Czar Post after first Appointee Leaves: White House’, 15 May 2018; Ellen Nakashima, ‘White House Cybersecurity Official to Return to NSA’, The Washington Post, 16 April 2018.

8 US Senate Confirmation Hearing, Advanced Policy Questions for James Mattis, 12 January 2017.

9 Chris Bing, ‘National Security Council Delays Publication of Cyber Strategy over Inclusion of “Offensive” Measures’, CyberScoop, 15 May 2018; Sean Lyngaas, ‘White House Announces federal cyber strategy, vows to go on Offensive’, CyberScoop, 20 September 2018.

10 Though only a single case of American cyber deterrence is explored, lessons derived from it will be of use beyond the US context both for developing a broader understanding of the theoretical concepts imbedded in cyber deterrence and for tailoring cyber deterrent strategy and doctrine in other states and jurisdictions.

11 Moving beyond theory and strategy, Amir Lupovici contends that deterrence is also an idea, internalized within the identity of those who rely on it. Lupovici, The Power of Deterrence (Cambridge 2016).

12 On the latter, see for instance, Jerry Mark Long and Alex Wilner, ‘Delegitimizing al-Qaida: Defeating an “Army Whose Men Love Death”’, International Security 39/1 (2014).

13 Lawrence Freedman, Deterrence (Cambridge: Polity Press 2004), 26.

14 Thomas Schelling, Arms and Influence (1966), 1–34.

15 Alex Wilner, ‘Contemporary Deterrence Theory and Counterterrorism: A Bridge too Far?’ NYU Journal of International Law and Politics 47/2 (2015).

16 The literature is expansive. For a reference point, consider these various meta-analyses of the empirical record: Anthony Braga and David Weisburd, ‘The Effects of Focused Deterrence Strategies on Crime’, Journal of Research in Crime and Delinquency 49 (2012); Rob Guerette and Kate Bowers, ‘Assessing the Extent of Crime Displacement and Diffusion of Benefits’, Criminology 47/4 (2009); Trevor Bennett, Katy Holloway, and David Farrington, ‘Does Neighborhood Watch Reduce Crime?’ Journal of Experimental Criminology 2/4 (2006); David Farrington, et al., ‘The Effects of Closed-Circuit Television on Crime’, Journal of Experimental Criminology 3 (2007).

17 See, for illustration Kevin Woods and Mark Stout, ‘Saddam’s Perceptions and Misperceptions’, Journal of Strategic Studies 33/1 (2010); Richard Ned Lebow and Janice Gross Stein, ‘Rational Deterrence Theory: I Think, Therefore I Deter’, World Politics 41/2 (1989); Robert Jervis, Richard Ned Lebow, and Janice Gross Stein, Psychology and Deterrence (Baltimore: Johns Hopkins University Press 1985); Daniel Kahneman, Thinking, Fast and Slow (Random House 2011).

18 Jeffrey Knopf, ‘Terrorism and the Fourth Wave in Deterrence Research’, in Wenger and Wilner, (eds.) Deterring Terrorism: Theory and Practice (Stanford UP 2012); Amir Lupovici, ‘The Emerging Fourth Wave of Deterrence Theory’, International Studies Quarterly 54 (2010); Alex Wilner, ‘Deterring the Undeterrable: Coercion, Denial, and Delegitimization in Counterterrorism’, Journal of Strategic Studies 34/1 (2011); Thomas Rid, ‘Deterrence Beyond the State: The Israeli Experience’, Contemporary Security Policy 33/1 (2012).

19 T. V. Paul, Patrick M. Morgan, and James J. Wirtz (eds.), Complex Deterrence: Strategy in the Global Age (Chicago: University of Chicago Press 2009); James Lebovic, Deterring International Terrorism and Rogue States (London: Routledge 2007); Keith Payne, Deterrence in the Second Nuclear Age (Lexington: University of Kentucky 1996); Alex Wilner, ‘Apocalypse Soon? Deterring Nuclear Iran and Its Terrorist Proxies’, Comparative Strategy 31/1 (2012).

20 See, among others, Andreas Wenger and Alex Wilner (eds.) Deterring Terrorism (Stanford 2012); Alex Wilner, Deterring Rational Fanatics (Penn Press 2015); Daniel Sobelman, ‘Learning to Deter’, International Security 41/3 (2016/17).

21 Alex Wilner and Andreas Wenger (eds.) Deterrence by Denial: Theory, Practice, and Empiricism (Under Review Winter 2018); James Wirtz, ‘The Cyber Pearl Harbour’, Intelligence and National Security 32/6 (2017); Alex Wilner ‘The Dark Side of Extended Deterrence: Thinking through the State Sponsorship of Terrorism’, Journal of Strategic Studies 40/1 (2017).

22 See John Lindsay and Erik Gartzke, Cross-Domain Deterrence project, http://deterrence.ucsd.edu/ (accessed January 2018).

23 The US government has gone to some length to define cyberspace in the context of national security. The 2003 National Strategy to Secure Cyberspace defines it as a ‘nervous system’ or ‘control system’ for US critical infrastructure, comprised of ‘hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables’. The 2006 National Military Strategy for Cyberspace Operations later defined cyberspace as a ‘domain’, characterized by ‘the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures’. And in a 2008 memo, Deputy Defense Secretary Gordon England defined cyberspace as ‘a global domain’, consisting of ‘the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers’. While definitions of cyberspace continue to evolve, for the purposes of this paper, cyberspace is understood as a global, interconnected domain constituting hardware, digital data, and related infrastructure in which electronic devices are used to create, save and disseminate information. The phrase ‘cyber deterrence’ also lacks a precise definition. At its broadest, cyber deterrence is a field of study – as deterring terrorism might be thought of – that involves applying and exploring the logic, theory, and practice of deterrence within cyberspace. More narrowly, cyber deterrence might be understood as the deterrence of attacks within or using cyberspace, or conversely, the use of cyberspace to accomplish deterrence in other domains. This paper relies on the broader definition but highlights the narrow use of the term where necessary.

24 The Economist (Benjamin Sutherland, ed.) Modern Warfare, Intelligence and Deterrence (Wiley 2011), 152–63; Tim Stevens, ‘A Cyberwar of Ideas?’ Contemporary Security Policy 33/1 (2012); Kamale Jabbour and E. Paul Ratazzi, ‘Deterrence in Cyberspace’, in Lowther (ed.), Thinking about Deterrence (Air University Press 2013); Clorinda Trujillo, ‘The Limits of Cyberspace Deterrence’, Joint Force Quarterly 75/4 (2014); Richard Harknett, ‘Information Warfare and Deterrence’, Parameters (Autumn 1996); Amir Lupovici, ‘Cyber Warfare and Deterrence’, Military and Strategic Affairs 3/3 (2011); Alex Wilner ‘Cyber Deterrence and Critical Infrastructure Protection’, Comparative Strategy 36/4 (2017).

25 See among several others: Nicholas Tsagourias, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’, Journal of Conflict & Security Law (2012); Thomas Rid and Ben Buchanan, ‘Attributing Cyber Attacks’, Journal of Strategic Studies 38/1–2 (2015); Charles Glaser ‘Deterrence of Cyber Attacks and US National Security’, George Washington University working paper (2011); Clement Guitton and Elaine Korzak ‘The Sophistication Criterion for Attribution’, RUSI Journal 158/4 (2013); Martin Libicki, Cyberdeterrence and Cyberwar (Rand 2009), Chapter Three; Jon Lindsay, ‘Tipping the Scales’, Journal of Cybersecurity 1/1 (2015).

26 Lucas Kello, ‘The Meaning of the Cyber Revolution’, International Security 38:2 (2013); Richard Clayton ‘Anonymity and Traceability in Cyberspace’, University of Cambridge Technical Report # 653 (2005); Eric Sterner ‘Retaliatory Deterrence in Cyberspace’, Strategic Studies Quarterly (Spring 2011).

27 Richard Clark and Susan Landau, ‘Untangling Attribution’, Harvard Law School National Security Journal 2 (2011).

28 Robert Mandel, Optimizing Cyberdeterrence (Georgetown 2017), 38–40.

29 David Wheller and Gregory Larsen, ‘Techniques for Cyber Attack Attribution’, Institute for Defense Analyses (P-3792), 2003; Ronald Deibert, et. al., ‘Cyclones in Cyberspace’, Security Dialogue 43/1 (2012); Richard Clarke and Robert Knake, Cyber War (Ecco Press 2010), Chapter Four.

30 Rid and Buchanan, ‘Attributing’; Clark and Landau ‘Untangling’; Sterner ‘Retaliatory’; James Farwell and Rafal Rohozinski, ‘Stuxnet and the Future of Cyber War’, Survival 53/1 (2011).

31 Stevens ‘Ideas’; Libicki Cyberdeterrence (2009), Chapter Five.

32 Richard Kugler, ‘Deterrence of Cyber Attacks’, in Kramer, Starr, Wentz (eds.), Cyberpower and National Security (Potomac Press 2009); Sterner, ‘Retaliatory’.

33 Sterner, ‘Retaliatory’.

34 Rid and Buchanan, ‘Attributing’.

35 Glaser, ‘Deterrence’; Will Goodman, ‘Cyber Deterrence’, Strategic Studies Quarterly, 2010; Lindsay, ‘Tipping’; Ben Buchanan, The Cybersecurity Dilemma (Oxford 2016), 145; Joseph Nye, ‘Deterrence and Dissuasion in Cyberspace’, International Security 41/3 (2017), 51–52.

36 Richard Harknett, et. al. ‘Leaving Deterrence Behind’, Journal of Homeland Security and Emergency Management 7/1 (2010); Adam Liff, ‘Cyberwar: A New “Absolute Weapon?”’ Journal of Strategic Studies 35/3 (2012).

37 Lupovici, ‘Cyber Warfare’; Paul Rosenzweig, ‘The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence’, Proceedings of a Workshop on Deterring Cyberattacks (Washington, DC: The National Academies Press, 2010).; Mike McConnell, ‘Cyberwar is the New Atomic Age’, New Perspectives Quarterly 26/3 (2009); James Adams, ‘Virtual Defense’, Foreign Affairs 80/3 (2001); Martin Libicki, Conquest in Cyberspace (Cambridge 2007), Chapter 11; Libicki, Cyberdeterrence (2009), Chapter Three; Libicki, ‘Cyberwar as a Confidence Game’, Strategic Studies Quarterly (Spring 2011); Martin Libicki, Cyberspace in Peace and War (Naval Institute Press 2016), Chapter 16 & 17; Harknett, ‘Information Warfare’.

38 James Lewis, ‘Cross-Domain Deterrence and Credible Threats’, CSIS Working Paper (July 2010); Jon Lindsay and Erik Gartzke (eds.), Cross-Domain Deterrence (under review 2018); Kugler, ‘Deterrence’; Sterner ‘Retaliatory’; Liff, ‘Cyberwar’; Herbert Lin, ‘Laying an Intellectual Foundation for Cyberdeterrence’, in Kruger et al., (eds.), The Secure Information Society (Springer-Verlag 2013).

39 Mandel, Optimizing, 199–201.

40 Lewis ‘Cross-Domain’; Anthony Cordesman and Justin Cordesman, Cyberthreats, Information Warfare, and Critical Infrastructure Protection (Praeger 2002), Chapter One; Kugler, ‘Deterrence’; Lupovici, ‘Cyber Warfare’; Sterner ‘Retaliatory’; Liff ‘Cyberwar’; Lin ‘Laying’.

41 Harknett et al., ‘Leaving’; Rid ‘Cyber War’; Thomas Rid, ‘More Attacks, Less Violence’, Journal of Strategic Studies 36/1 (2013).

42 Amir Lupovici, ‘The “Attribution Problem” and the Social construction of “Violence”’, International Studies Perspectives 17/3 (2016); Goodman, ‘Cyber Deterrence’; Ronald Deibert and Rafal Rohozinski, ‘Risking Security’, International Political Sociology 4 (2010); Joseph Nye, ‘Cyber Power’, Belfer Center, Harvard Kennedy School Working Paper, 2011.

43 Jon Lindsay, ‘Stuxnet and the Limits of Cyber Warfare’, Security Studies 22/3 (2013).

44 John Arquilla and David Ronfeldt, ‘Cyberwar is Coming!’ Comparative Strategy 12/2 (1993); Arquilla and Ronfeldt, The Advent of Netwar (Rand 1996); Stephen Blank, ‘Can Information Warfare be Deterred?’ Defense Analysis 17/2 (2001); Libicki, Conquest; Harknett et al., ‘Leaving’; Paul Davis, ‘Deterrence, Influence, Cyber Attack, and Cyberwar’, Rand Working Paper (2014).

45 Wirtz, ‘Cyber Pearl Harbor’.

46 Buchanan, Dilemma, 103–110.

47 Patrick Morgan, ‘Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm’, Proceedings of a Workshop on Deterring Cyberattacks (Washington, DC: The National Academies Press, 2010); Cordesman and Cordesman, Cyberthreats, 2002; John Arquilla, ‘Twenty Years of Cyberwar’, Journal of Military Ethics 12/2 (2013).

48 See various chapters in John Arquilla and David Ronfeldt (eds.), Networks and Netwar (Rand 2001); Jason Rivera, ‘Achieving Cyberdeterrence and the Ability of Small States to Hold Large States at Risk’, 7th International Conference on Cyber Conflict (NATO CCD COE), 2015.

49 Clarke and Knake, Cyber War; Emilio Iasiello, ‘Is Cyber Deterrence an Illusory Course of Action?’ Journal of Strategic Security 7/1 (2014); Benjamin Mazzotta, ‘Leverage in Cyberspace, without Deterrence’, Annual Convention of the International Studies Association (2011); Harknett et al., ‘Leaving’.

50 P.W. Singer and Allan Friedman, ‘Cult of the Cyber Offensive’, Foreign Policy, January 2014; Ivanka Barzashka, ‘Are Cyber-Weapons Effective?’ RUSI Journal 158/2 (2014); Davis, ‘Deterrence’.

51 Morgan, ‘Applicability’; Sterner, ‘Retaliatory’; Uri Tor, ‘“Cumulative Deterrence” as a New Paradigm for Cyber Deterrence’, Journal of Strategic Studies 40/1–2 (2015); Lucas Kello, The Virtual Weapon (Yale 2017), 196–7; 205–21.

52 James Adams, ‘Virtual Defense’, Foreign Affairs 80/3 (2001); Kevin Beeker, et al. ‘Operationally Responsive Cyberspace’, in Lowther (ed.), Thinking about Deterrence (Air University Press 2013); Martin Libicki, ‘Can Denial Deter in Cyberspace?’ in Wilner and Wenger (eds.) Deterrence by Denial (Under Review 2018); Jay Kesan and Carol Hayes, ‘Thinking Through Active Defense in Cyberspace’, Illinois Public Law and Legal Theory Research Paper, No. 10–11 (2010); Lin, ‘Laying’; Nye ‘Deterrence’.

53 Jabbour and Ratazzi, ‘Deterrence’; Stephen Lukasik, ‘A Framework for Thinking about Cyber Conflict and Cyber Deterrence with Possible Declaratory Policies for these Domains’ Proceedings of a Workshop on Deterring Cyberattacks (Washington, DC: The National Academies Press, 2010).

54 Anne-Marie Slaughter, The Chessboard & The Web (Yale 2017), chapter four; Greg Rattray, et al., ‘American Security in the Cyber Commons’, in Denmark and Mulvenon (eds.) Contested Commons (Center for a New American Security 2010); Sterner, ‘Retaliatory’.

55 Jabbour and Ratazzi, ‘Deterrence’; Libicki, Cyberdeterrence; Glaser, ‘Deterrence’; Goodman, ‘Cyber Deterrence’.

56 Deibert and Rohozinski, ‘Risking’; Libicki, ‘Pulling Punches in Cyberspace’ Workshop Proceedings Deterring Cyber Attacks (2010); Panayotis Yannakogeorgos and Adam Lowther, ‘The Prospects for Cyber Deterrence’, in Yannakogeorgos and Lowther (eds.), Conflict and Cooperation in Cyberspace (Taylor & Francis 2010); Catherine Lotrionte, ‘State Sovereignty and Self-Defense in Cyberspace’, Emory International Law Review 26 (2012); Martha Finnemore, ‘Cultivating International Cyber Norms’, in Lord and Sharp (eds.), America’s Cyber Future: Security and Prosperity in the Information Age (Center for New America 2011).

57 Nye, ‘Deterrence’, 60–2.

58 Johan Eriksson and Giampiero Giacomello, ‘The Information Revolution, Security, and International Relations’, International Political Science Review 27/3 (2006); Myriam Dunn Cavelty, ‘From Cyber-Bombs to Political Fallout’, International Studies Review 15 (2013); David Betz and Tim Stevens, Cyberspace and the State, Adelphi (IISS) 51:242 (2011); Lene Hansen and Helen Nissenbaum, ‘Digital Disaster, Cyber Security, and the Copenhagen School’, International Studies Quarterly 53 (2009); Buchanan, Cybersecurity.

59 Stephen Korns and Josh Kastenberg, ‘Georgia’s Cyber Left Hook’, Parameters (Winter 2009); Kello, The Virtual Weapon; Mandel, Optimizing Cyberdeterrence.

60 The 2003 document was, however, preceded by several antecedent publications that outlined how the US envisioned cybersecurity, including, a Clinton-era Presidential Commission report (1997) and a 2000 National Plan on information security. Report to the President’s Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s Infrastructures, 1997; The White House, National Plan for Information Systems Protection: An Invitation to a Dialogue, 2000.

61 US Government, The National Strategy to Secure Cyberspace, 2004, 14.

62 Ibid., 59, 50.

63 The White House, Executive Order 13231, Critical Infrastructure Protection in the Information Age, October 2001.

64 Homeland Security Presidential Directive No. 7, Directive on Critical Infrastructure, Prioritization, and Protection, 2003.

65 Department of Homeland Security, National Infrastructure Protection Plan, 2006. The 2006 NIPP includes an expansive appendix on ‘Cross-Sector Cyber Security’. Follow-up NIPPs were published in 2009, 2013, and 2015. President Obama also issued EO 13636, Improving Critical Infrastructure Cybersecurity, in 2013, and the Cybersecurity National Action Plan in 2016. Department of Homeland Security, National Infrastructure Protection Plan, 2006.

66 Ibid., 45–47.

67 Fred Kaplan, Dark Territory (Simon and Schuster 2016), 278–85.

68 The White House, National Security Presidential Directive No. 54, Cybersecurity Policy, 2008; US Government, Cyber Space Policy Review, 2009; The White House, Comprehensive National Cybersecurity Initiative, 2009.

69 CNCI, 4.

70 Office of the Director of National Intelligence, The National Counterintelligence Strategy of the United States of America, 2007. New iterations of the National Counterintelligence Strategy were published in 2008, 2009 and 2016. The US National Intelligence Strategy was updated in 2009 and 2014.

71 NSPD 54, pp. 11.

72 CNCI, 5.

73 US Department of Defense, Strategy for Operating in Cyberspace, 2011, 5–6.

74 In October 2016, in Obama’s last months in office, Cybercom finally reached its full operating capability, translating into a force of roughly 6,000 cyber-warriors. US Cyber Command News Release, ‘All Cyber Mission Force Teams Achieve Initial Operating Capability’, 24 October 2016.

75 Ibid., 1.

76 DoD Cyberspace Policy Report, 2011, 2–4.

77 DoD Defense Science Board, Resilient Military Systems and the Advanced Cyber Threat, 2013, 41. The 2010 NPR references ‘cyber’ exactly once; see DoD Nuclear Posture Review, 2010.

78 Admiral Michael Rogers, Statement before the Senate Committee on Armed Services, March 2015.

79 DoD Cyber Strategy, 2015, 10–11.

80 Navy Vice Adm. Nancy Norton took command of the Headquarters in February 2018. US Cyber Command News Release, ‘DoD’s Network Defense Headquarters Achieves Full Operational Capability’, 31 January 2018; Defense Information Systems Agency News, ‘Norton Assumes Command of JFHQ-DODIN and Directorship of DISA’, 1 February 2018.

81 DoD Defense Science Board, Task Force on Cyber Deterrence report, 2017, Appendix 1.

82 Ibid., 4.

83 Ibid., 7.

84 For an exploration of how and why North Korea’s hack manipulated Sony’s behaviour, which ultimately triggered the US response, see Travis Sharp, ‘Theorizing Cyber Coercion: The 2014 North Korean Operation against Sony’, Journal of Strategic Studies 40/7 (2017).

85 UK National Cyber Security Centre, ‘Joint US-UK Statement on Malicious Cyber Activity Carried out by Russian Government’, 16 April 2018; UK National Cyber Security Centre, ‘Advisory: Russian State-sponsored Cyber Actors Targeting Network Infrastructure Devices’, 16 April 2018.

86 The White House, International Strategy for Cyberspace, 2011, 3.

87 Adam Segal, ‘The Top Five Cyber Policy Developments of 2015’, Council on Foreign Relations blog, 4 January 2016.

88 UN General Assembly, ‘Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’, Seventieth Session, Item 93, 2015.

89 The White House, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, May 2011, 13–14.

90 The 2017 DSB report does however argue, rather cryptically, that ‘some would view’ the OPM heist as an example of ‘egregious behavior’ that crossed the ‘unwritten rules of traditional espionage’, DSB 2017, 7, 11–12. See also, David Sanger, ‘US Wrestles with how to fight back against Cyberattacks’, NY Times, 30 July 2016; Mike Levine, ‘China is “Leading Suspect” in Massive Hack of US Government Networks’, ABC News, 25 June 2016.

91 Sanger, ‘Wrestles’.

92 Department of Homeland Security, ‘Statement by Secretary Jeh Johnson on the Designation of Election Infrastructure as a Critical Infrastructure Subsector’, 6 January 2017.

93 Cheryl Pellerin, ‘Rogers Discusses near Future of U.S. Cyber Command’, DoD News, 24 February 2017.

94 Separately, in February 2018, the White House signaled its intention to nominate Lt. Gen. Paul Nakasone as Rogers’ replacement at the helm of the NSA and Cybercom. The White House, Statement by President Donald J. Trump on the Elevation of Cyber Command, 18 August 2017; Chris Bing, ‘White House Official: Paul Nakasone Nominated for NSA Director’, CyberScoop, 13 February 2018.

95 Sean Lyngaas, ‘PPD-20 Elimination opens arguments over how US should Conduct Offensive Hacking Operations’, CyberScoop, 16 August 2018.

96 DoD, Nuclear Posture Review, 2018.

97 State Department, ‘Recommendations’, 1. Emphasis in original.

98 Department of Defence Cyber Strategy (Summary), September 2018.

99 Zaid Shoorbajee, ‘Google and Microsoft ask Georgia Governor to Veto “Hack Back” Bill’, CyberScoop, 27 April 2018; Ryan Johnston, ‘After Widespread outcry, Georgia Governor Vetoes “Hack Back” Bill’, State Scoop, 8 May 2018.

100 Dan Lohrmann, ‘Hack Back Law’, Government Technology, September 2017; Nicholas Schmidle, ‘The Digital Vigilantes who Hack Back’, New Yorker, 7 May 2018.

101 The White House, ‘Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea’, 19 December 2017.

102 Bruce Schneier, ‘Botnets of Things’, MIT Technology Review, March/April 2017.

103 Sean Lyngaas, ‘US Looks to Restart Talks on Global Cyber Norms’, CyberScoop, October 2018.

104 The White House, ‘Remarks by Homeland Security Advisor Thomas P. Bossert at Cyber Week 2017’, 26 June 2017.

105 Robin Emmott, ‘NATO mulls “Offensive Defense” with Cyber Warfare Rules’, Reuters, 30 November 2017.

106 National Cyber Strategy of the United States of America, September 2018, 21.

107 Sean Lyngaas, ‘Pentagon, DHS agree to Framework for Joint Cyberdefense’, CyberScoop, 14 November 2018.

108 ‘Press Briefing’, December 2017.

109 I am indebted to an anonymous reviewer for illustrating this point.

110 DoD, Department of Defense Videos, ‘Shanahan Speaks at Naval Conference’, 6 February 2018. https://www.defense.gov/Videos/videoid/583404/, minute 29–33.

111 National Strategy 2003, foreword, 14.

112 The author is exploring this research question as part of a 2016–2019 SSHRC-funded project on multi-domain cyber deterrence.

Additional information

Funding

This work was supported by the Social Sciences and Humanities Research Council of Canada [430-2016-00178].

Notes on contributors

Alex S. Wilner

Alex S. Wilner is an Assistant Professor of international affairs at the Norman Paterson School of International Affairs, Canada (https://alexwilner.com). His books and edited volumes include Deterring Terrorism: Theory and Practice (Stanford University Press, 2012) and Deterring Rational Fanatics (University of Pennsylvania Press, 2015).
