![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
ABSTRACT
Many scholars and practitioners are unconvinced that cyber deterrence is possible. This article aims to demonstrate why some of this skepticism is misplaced, as well as provide greater clarity and conceptual rigor to the proliferation of arguments within the United States about deterrence in cyberspace. Specifically, we argue that cyber deterrence frameworks that draw from the traditional nuclear deterrence literature and the logic of deterrence by punishment are mismatched to deterrence challenges in cyberspace. Instead, we advocate for a deterrence by denial approach, but one that is oriented around counter-cyber operations rather than simply improving defenses. While there has been some scholarship and work by practitioners that implicitly rests on a deterrence by denial logic, they suffer from a lack of systematic assessment of how traditional denial concepts, especially those developed in the conventional deterrence literature, could be extended to cyberspace. Therefore, in this article, we review different deterrence concepts in theory and practice, articulate a logic of cyber deterrence by denial, and provide policy recommendations for the United States.
Acknowledgements
The authors would like to thank the Commissioners and staff of the U.S. Cyberspace Solarium Commission, on which they both served, who significantly contributed to their thinking about deterrence by denial strategies in cyberspace and their policy implications. The views expressed in this article are personal and do not reflect the policy or position of any U.S. government entity or organization.
Disclosure statement
No potential conflict of interest was reported by the authors.
Notes
1 Robert Jervis, ‘Deterrence Theory Revisited’, World Politics 31/2 (January 1979), 289–324. Jeffrey Knopf identifies a ‘fourth wave’ of deterrence theory that addressed asymmetric threats in a post-9/11 international system. See Jeffrey W. Knopf, ‘The Fourth Wave in Deterrence Research’, Contemporary Security Policy 31/1 (2010), 1–33. For a review of deterrence theory, see Austin G. Long, Deterrence: From Cold War to Long War (Santa Monica, CA: RAND Corporation, 2008).
2 See, for example, Martin Libicki’s Cyberdeterrence and Cyberwar (Santa Monica: RAND Corporation, 2009); Gregory J. Rattray, Strategic Warfare in Cyberspace (Massachusetts: The MIT Press, 2001); Proceedings of a Workshop on Deterring Cyber Attacks, particularly the collection of chapters under ‘Group 2’ that address strategy, policy, and doctrine. Richard L. Kugler, ‘Deterrence of Cyber Attacks’, in Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz (eds.), Cyberpower and National Security (Washington, D.C.: National Defense University Press, 2009); Emily O. Goldman and John Arquilla, Cyber Analogies (Monterey, CA: Naval Postgraduate School, 2014); Ben Buchanan, The Cybersecurity Dilemma: Hacking, Trust, and Fear Between Nations (New York, NY: Oxford University Press, 2016); Ilai Saltzman, ‘Cyber Posturing and the Offense-Defense Balance’, Contemporary Security Policy 34/1 (2013). Richard A. Clark and Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York, NY: Harper Collins, 2010); Notably, there were some early skeptics of the cyber-nuclear analogy. See Joseph S. Nye Jr., ‘Nuclear Lessons for Cyber Security?’ Strategic Studies Quarterly, (U.S. Air University, 2011).
3 See, for example, Lucas Kello, The Virtual Weapon and International Order (New Haven, CT: Yale University Press, 2017); John Arquilla and David Ronfeldt, ‘Cyberwar is Coming’, Comparative Strategy 12/2 (1993), 141–165. Also see Erik Gartzke, ‘The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth’, International Security 38/2 (2013), 41–73 and Thomas Rid, ‘Cyber War Will Not Take Place’, Journal of Strategic Studies 35/1 (2012), 5–32; Brandon Valeriano, Benjamin M. Jensen, and Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion (New York, NY: Oxford University Press, 2018).
4 For further reference, please see Aaron F. Brantly, ‘The Cyber Deterrence Problem’, 2018 10th International Conference on Cyber Conflict (CyCon), IEEE, (2018), 31–54; Jacquelyn G. Schneider, ‘Deterrence in and through Cyberspace’, in Erik Gartzke and Jon R. Lindsay (eds.), Cross-Domain Deterrence: Strategy in an Era of Complexity (New York, NY: Oxford University Press, 2019); and Dorothy E. Denning, ‘Rethinking the Cyber Domain and Deterrence’, Joint Forces Quarterly 77/2 (2015), 8–15.
5 Glenn Snyder, Deterrence and Defense (Princeton, NJ: Princeton University Press, 1961), 14–15; Allan Friedman and P.W. Singer, Cybersecurity and Cyberwar: What Everyone Needs to Know (New York, NY: Oxford University Press, 2014).
6 Some of the unique characteristics of the cyber domain are due to the global, interdependent, and effectively borderless nature of cyberspace, where adversary activities occur across traditional sovereign boundaries. Furthermore, some early cyber deterrence scholars believed these unique characteristics enabled the offense to possess the ‘upper-hand.’ For further analysis, see the following: Michael P. Fischerkeller and Richard Harknett, ‘Deterrence is Not a Credible Strategy for Cyberspace’, Orbis 61/3 (2017), 381–393; Rebecca Slayton, ‘What is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment’, International Security 41/3 (2017), 72–109; and Thomas Rid and Ben Buchanan, ‘Attributing Cyber Attacks’, Journal of Strategic Studies 38/1–2 (2015), 4–37.
7 Fischerkeller and Harknett, ‘Deterrence is Not a Credible Strategy’, Libicki, Cyber Deterrence and Cyberwar; Joseph S. Nye, Jr., ‘Deterrence and Dissuasion in Cyberspace’, International Security 41/3 (2017), 44–71; and Fischerkeller and Harknett explicitly contend deterrence is not possible sub-threshold in cyberspace because of what they identify as inherent attributes of the cyberspace environment.
8 Fischerkeller and Harknett, ‘Deterrence is Not a Credible Strategy’, 382.
9 Ibid., 388.
10 Schneider, ‘Deterrence in and through Cyberspace’; and Jon Lindsay, et al., ‘Cybersecurity and Cross-Domain Deterrence: The Consequences of Complexity’, Journal of Cybersecurity 1/1 (2015), 53–67.
11 Nye, ‘Deterrence and Dissuasion in Cyberspace’, 58–60; and Henry Farrell and Abraham L. Newman, ‘Weaponized Interdependence: How Global Economic Networks Shape State Coercion’, International Security 44/1 (Summer 2019), 42–79.
12 Erik Gartzke and Jon R. Lindsay, ‘Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace’, Security Studies 24/2 (2015), 316–348.
13 Nye, ‘Deterrence and Dissuasion in Cyberspace’, 56–57; and Schneider, ‘Deterrence in and through Cyberspace’, 112–115.
14 ‘Advance Policy Questions for Lieutenant General Paul Nakasone, USA Nominee for Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service’, Senate Armed Services Committee, 1 March 2018, pp. 14–15.
15 ‘United States of America Cyberspace Solarium Commission’, March 2020, p. 23.
16 ‘United States of America Cyberspace Solarium Commission’, March 2020, pp. 14–15.
17 ‘Task Force on Cyber Deterrence’, Department of Defense, Defense Science Board (February 2017). ‘National Cyber Strategy of the United States of America’ (September 2018).
18 A similar critique has historically been leveled at deterrence theorists. See, for example, George H. Quester, Deterrence Before Hiroshima: The Airpower Background of Modern Strategy (Routledge Publishers, 1986).
19 Robert J. Art, ‘To What Ends Military Power?’ International Security 4/4 (1980), 3–35.
20 ‘Summary: Department of Defense Cyber Strategy’, U.S. Department of Defense, January 2018.
21 There are other mechanisms of deterrence beyond punishment and denial, such as deterrence by entanglement or deterrence by normative taboos, which have also been extended to cyberspace. See Nye, ‘Deterrence and Dissuasion’, However, to scope our analysis, we exclude these.
22 However, it is important to note that recent research has demonstrated that Cold War nuclear strategies were not solely organized around punishment via countervalue strikes, and also included damage limitation and counterforce strategies. We are grateful to Reviewer 1 for this insight.
23 Glenn Snyder, Deterrence and Defense, 9; and Lawrence Freedman, Deterrence (Cambridge, UK: Polity, 2004), 26.
24 Art, ‘To What Ends Military Power?’ However, it is difficult to ascertain whether a given deterrent threat was successful because deterrence has a negative objective. See the following for debates about the efficacy of deterrence strategy during the Cold War: Robert Jervis, The Illogic of American Nuclear Strategy (Ithaca, NY: Cornell University Press, 1984); Lawrence Freedman, The Evolution of Nuclear Strategy (London, UK: Palgrave Macmillan, 1989); Long, Deterrence; and Francis J. Gavin, Nuclear Statecraft: History and Strategy in America’s Atomic Age (Ithaca, NY: Cornell University Press, 2012).
25 John J. Mearsheimer, ‘Nuclear Weapons and Deterrence in Europe’, International Security 9/3 (1984), 21.
26 The addition of deterrence by entanglement and norms did not come until much later and is beyond a pure definition of deterrence, according to Nye in ‘Deterrence and Dissuasion in Cyberspace’.
27 John J. Mearsheimer, Conventional Deterrence (Ithaca, NY: Cornell University Press, 1985), 14–15.
28 Freedman, The Evolution of Nuclear Strategy, 83.
29 Glenn Snyder, Deterrence and Defense, 14–15.
30 Daniel Byman and Matthew Waxman, The Dynamics of Coercion: American Foreign Policy and the Limits of Military Might (Cambridge, UK: Cambridge University Press, 2002), 50. Importantly, their discussion of denial is in the context of coercion rather than deterrence, but deterrence is a coercive strategy and has a shared logic.
31 Robert A. Pape, Bombing to Win: Air Power and Coercion in War (Ithaca, NY: Cornell University Press, 1996), 19. While this is also a discussion of coercion, the same logic holds for deterrence.
32 Byman and Waxman, The Dynamics of Coercion, 79; and Pape, Bombing to Win, 29.
33 Snyder, Deterrence and Defense, 15–16; and Samuel P. Huntington makes a similar point in ‘Conventional Deterrence and Conventional Retaliation in Europe’, International Security 8/3 (1983), 35.
34 For denial in a nuclear context, see, for example, Jack L. Snyder, The Soviet Strategic Culture: Implications for Limited Nuclear Operations (Santa Monica, CA: RAND Corporation, 1977); Colin S. Gray, ‘Theater Nuclear Weapons: Doctrines and Postures’, World Politics 28/2 (January 1976), 305; Mearsheimer, ‘Nuclear Weapons and Deterrence in Europe;’ and Bernard Brodie’s discussion of tactical nuclear weapons in ‘The Development of Nuclear Strategy’, International Security 2/4 (Spring 1978), 76–78. For conventional deterrence by denial, see, for example, Mearsheimer, Conventional Deterrence; Colin S. Gray, ‘War-Fighting for Deterrence’, The Journal of Strategic Studies 7/1 (1984), 5–28. Notably, Huntington argues that conventional deterrence by retaliation is also a viable strategy, which is essentially conventional deterrence by punishment. See Huntington, ‘Conventional Deterrence,’ 36.
35 Mearsheimer, Conventional Deterrence, 15. Conventional deterrence is almost always discussed in the context of large-scale ground warfare, but there is some literature on maritime conventional deterrence. See, for example, James J. Wirtz, ‘Strategic Conventional Deterrence: Lessons from the Maritime Strategy’, Security Studies 3/1 (1993), 117–151. For a discussion of contemporary conventional deterrence, see Karl P. Mueller, ‘Conventional Deterrence Redux: Avoiding Great Power Conflict in the 21st Century’, Strategic Studies Quarterly 12/4 (Winter 2018), 76–93.
36 Mearsheimer, Conventional Deterrence, 23–24. One challenge with conventional deterrence that Mearsheimer notes is that it is difficult to properly assess the costs of war ex ante. This lays the groundwork for rationalist explanations for war. See, for example, James D. Fearon, ‘Rationalist Explanations for War’, International Organization 49/3 (1995), 379–414.
37 Mearsheimer, Conventional Deterrence, 23.
38 Ibid., 24.
39 Huntington, ‘Conventional Deterrence’, 35–36.
40 In particular, Mearsheimer identifies three strategies of conventional deterrence: attrition, blitzkrieg, and limited aims. Mearsheimer, Conventional Deterrence, 29–30.
41 Art, ‘To What Ends Military Power?’ 5. Although, interestingly, Art’s definition of deterrence is entirely focused on deterrence by punishment and does not conceive of deterrence by denial.
42 Thomas C. Schelling, Arms and Influence (New Haven, CT: Yale University Press, 1966), 78.
43 Snyder, Deterrence and Defense, p. 30 fn. 21, and p. 31.
44 Ibid, 3–5.
45 Ibid, 31.
46 Huntington, ‘Conventional Deterrence’, 36. Huntington notes that many people neglect the distinction between the concepts of ‘defense’ and ‘retaliation’ on page 37 of his work.
47 Schelling, Arms and Influence, 78–79.
48 Richard Ned Lebow and Janice Gross Stein, ‘Deterrence: The Elusive Dependent Variable’, World Politics 42/3 (1990), 336–369; and Paul Huth and Bruce Russett, ‘Deterrence Failure and Crisis Escalation’, International Studies Quarterly 32/1 (1998), 29–45.
49 Snyder, Deterrence and Defense, 11.
50 Schelling, Arms and Influence, 78.
51 Jonathan Shimshoni, Israel and Conventional Deterrence: Border Warfare from 1953 to 1970 (Ithaca, NY: Cornell University Press, 1988).
52 Snyder, Deterrence and Defense, 12–13.
53 We are grateful to Reviewer 2 for pointing out both the conceptual and policymaking consequences of the ambiguities in existing cyber deterrence concepts.
54 For a discussion of why punishment strategies are unlikely to succeed, see Erica D. Borghard and Shawn W. Lonergan, ‘The Logic of Coercion in Cyberspace’, Security Studies 26/3 (2017), 452–481.
55 ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’, The White House, May 2011, p. 14.
56 ‘National Cyber Strategy of the United States of America’, The White House, September 2018, p. 21.
57 ‘Department of Defense, Defense Science Board Task Force on Cyber Deterrence’, Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics, February 2017, p. 17.
58 2018 Nuclear Posture Review, pp. 31, 57–58.
59 Sarah Kreps and Jacquelyn Schneider, ‘Escalation Firebreaks in the Cyber, Conventional, and Nuclear Domains: Moving Beyond Effects-Based Logics’, Journal of Cybersecurity 5/1 (2019), 5. Also see Brandon Valeriano and Ryan C. Maness, ‘The Dynamics of Cyber Conflict Between Rival Antagonists’, Journal of Peace Research 51/3 (2014), 347–360.
60 ‘Executive Order – ‘Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities’, The White House, 1 April 2015.
61 Lisa Monaco, ‘Expanding Our Ability to Combat Cyber Threats’, The White House, 1 April 2015.
62 Allison Peters and Pierce MacConaghy, ‘Unpacking US Cyber Sanctions’, Third Way, 29 January 2021.
63 See, for example, Robert A. Pape, ‘Why Economic Sanctions Still Do Not Work’, International Security 22/1 (Summer 1998), 66–77; Daniel W. Drezner, The Sanctions Paradox (Cambridge University Press, 2010).
64 ‘Department of Defense, Defense Science Board Task Force on Cyber Deterrence’, Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics, February 2017, p. 15.
65 Ellen Nakashima, ‘White House authorizes “offensive cyber operations” to deter foreign adversaries’, The Washington Post, 20 September 2018.
66 David E. Sanger and Nicole Perlroth, ‘U.S. Escalates Online Attacks on Russia’s Power Grid, ’ The New York Times, 15 June 2019.
67 For a review, see Borghard and Lonergan, ‘The Logic of Coercion in Cyberspace.’
68 See Erik Gartzke, ‘The Myth of Cyberwar’, International Security 38/2 (Fall 2013), 41–73; and Thomas Rid, Cyber War Will Not Take Place (Oxford: Oxford University Press, 2013).
69 Max Smeets and Herbert S. Lin, ‘Offensive cyber capabilities: To what ends?’ 2018 10th International Conference on Cyber Conflict (CyCOn), Tallinn, Estonia.
70 Eric Talbot Jensen, ‘The Tallinn Manual 2.0: Highlights and Insights’, Georgetown Journal of International Law 48/3 (2017), 736.
71 Nadiya Kostyuk, Scott Powell, and Matt Skach, ‘Determinants of the Cyber Escalation Ladder’, The Cyber Defense Review 3/1 (2018), 123–134.
72 Borghard and Lonergan, ‘The Logic of Coercion in Cyberspace’; Erica D. Borghard and Shawn W. Lonergan, ‘Cyber Operations as Imperfect Tools of Escalation’, Strategic Studies Quarterly 13/3 (2019), 122–145.
73 Julie Creswell, Nicole Perlroth, and Noam Scheiber, ‘Ransomware Disrupts Meat Plants in Latest Attack on Critical U.S. Business’, The New York Times, 1 June 2021. Ellen Nakashima and Lori Aratani, ‘DHS to issue first cybersecurity regulations for pipelines after Colonial hack’, The Washington Post, 25 May 2021.
74 Patrick M. Morgan, ‘Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm’, In Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for US Policy (2010), 55.
75 Denning, ‘Rethinking the Cyber Domain and Deterrence’, 14.
76 Schneider, ‘Deterrence in and through Cyberspace’, 112.
77 Ibid, 113.
78 Nye, ‘Deterrence and Dissuasion in Cyberspace’, 56–57.
79 ‘The DoD Cyber Strategy’, The Department of Defense, April 2015, 11.
80 It would be a misnomer to argue that the 2018 DoD Cyber Strategy rejects the concept of deterrence outright. For example, in the unclassified summary, deterrence is specifically enumerated as a strategic objective, and the term appears eleven times across only seven short pages. See ‘Summary: Department of Defense Cyber Strategy 2018.’
81 ‘Summary: Department of Defense Cyber Strategy 2018’, p. 2.
82 ‘Summary: Department of Defense Cyber Strategy 2018’, p. 2.
83 For a full discussion of this topic see Erica D. Borghard Shawn W. Lonergan, ‘U.S. Cyber Command’s Malware Inoculation: Linking Offense and Defense in Cyberspace’, Council on Foreign Relations-Net Politics, 22 April 2020, https://www.cfr.org/blog/us-cyber-commands-malware-inoculation-linking-offense-and-defense-cyberspace.
84 ‘Hunt Forward Estonia: Estonia, US strengthen partnership in cyber domain with joint operation,’ U.S. Cyber Command, 3 December 2020.
85 @CNMF_VirusAlert, Twitter, https://twitter.com/CNMF_VirusAlert; @CYBERCOM_Malware_Alert, VirusTotal, https://www.virustotal.com/en/user/CYBERCOM_Malware_Alert/.
86 ‘U.S. Cyber Command, DHS-CISA release Russian malware samples tied to SolarWinds compromise’, U.S. Cyber Command, 15 April 2021.
87 See the ‘Cyberspace Solarium Commission Report’, Cyberspace Solarium Commission, 11 March 2020, https://www.solarium.gov/report, 114–115.
88 ‘Cyberspace Solarium Commission Report’, p. 2. Also see p. 32.
89 For further discussion of these measures, see the Cyberspace Solarium Commission Report, especially pillars 3–5.
90 Erica D. Borghard, ‘A Grand Strategy Based on Resilience’, War on the Rocks, 4 January 2021.
91 ‘Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience’, Written Testimony of Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator, Before the U.S House Committee on Homeland Security, 10 February 2021, p. 2.
92 Borghard and Lonergan, ‘The Logic of Coercion in Cyberspace’, 474.
93 Aniket Kesari, Chris Hoofnagle, and Damon McCoy, ‘Deterring Cybercrime’, Berkeley Technology Law Journal 32/3 (2017), 1093–1134. Zachary K. Goldman and Damon McCoy, ‘Economic Espionage: Deterring Financially Motivated Cybercrime’, Journal of National Security Law and Policy 8 (2016), 595–619.
94 ‘Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Criminal Networks.’ Hearing Before the Subcommittee on Crime and Terrorism of the Committee on the Judiciary, United States Senate, One Hundred Thirteenth Congress, Second Session, 15 July 2014.
95 ‘Report of the Attorney General’s Cyber Digital Task Force’, U.S. Department of Justice (2018), p. 49.
96 The first time this occurred was in 2014, when the U.S. Department of Justice indicted five Chinese nationals with cyber espionage. See ‘U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage’, The United States Department of Justice, 19 May 2014, https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor.
97 Garrett Hinck and Tim Maurer, ‘Persistent Enforcement: Criminal Charges as a Response to Nation-State Malicious Cyber Activity’, Journal of National Security Law and Policy, forthcoming 2020, 3. This has also occurred outside of the United States, such as Germany’s decision in May 2020 to charge a Russian individual said to be a member of the Main Intelligence Directorate (GRU) with hacking into German parliament computer systems in 2015. Catain Cimpanu, ‘German authorities charge Russian hacker for 2015 Bundestag hack’, ZDNet, 5 May 2020, https://www.zdnet.com/article/german-authorities-charge-russian-hacker-for-2015-bundestag-hack/ and ‘Merkel: Evidence of Russian Role in German Parliament Hack’, The Washington Post, 13 May 2020, https://www.washingtonpost.com/world/national-security/merkel-evidence-of-russian-role-in-german-parliament-hack/2020/05/13/9b8d9b98-9530-11ea-87a3-22d324235636_story.html.
98 Joseph Demarest, ‘Taking Down Botnets’ Federal Bureau of Investigation, 15 July 2014, https://www.fbi.gov/news/testimony/taking-down-botnets and Andy Greenberg, ‘Operation Bayonet: Inside the Sting that Hijacked an Entire Dark Web Drug Market’, Wired, 8 March 2018, https://www.wired.com/story/hansa-dutch-police-sting-operation/.
99 ‘Emotet Botnet Disrupted in International Cyber Operation’, U.S. Department of Justice, 28 January 2021. Also see Andy Greenberg, ‘Cops Disrupt Emotet, the Internet’s ‘Most Dangerous Malware’, WIRED, 27 January 2021.
100 Hinck and Maurer, ‘Persistent Enforcement’, 8.
101 Ibid., 9.
102 Rebecca Slayton describes the organizational maturity and skills required for sophisticated offensive cyber operations. See Rebecca Slayton, ‘What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment’, International Security 41/3 (Winter 2016/17), 72–109.
103 Pape, Bombing to Win, 29; Byman and Waxman, The Dynamics of Coercion, 79; Nye, ‘Deterrence and Dissuasion’, 56. The distinction between what constitutes a military versus civilian target is more ambiguous in cyberspace given the inherently dual-use nature of capabilities and infrastructure, as well as the relationships states have established with private entities. For further information, see Erica D. Borghard and Shawn W. Lonergan, ‘Can States Calculate the Risks of Using Cyber Proxies?’ Orbis 60/3 (2016), 395–416; Tim Maurer, Cyber Mercenaries, (Cambridge, UK: Cambridge University Press, 2018).
104 For a definition and discussion of “systemically important critical infrastructure, see the Cyberspace Solarium Commission Report, 11 March 2020, https://www.solarium.gov/report, pp. 96–97.
105 This is the case because most cyber operations do not have independent, decisive effects.
106 Fischerkeller and Harknett, ‘Deterrence is Not a Credible Strategy’, 387.
107 Ibid., 385.
108 Schelling, Arms and Influence, 78.
109 Borghard and Lonergan, ‘The Logic of Coercion in Cyberspace’, 458; Borghard and Lonergan, ‘Cyber Operations as Imperfect Tools of Escalation’, 134.
110 Max Smeets, ‘A Matter of Time: On the Transitory Nature of Cyberweapons’, Journal of Strategic Studies 41/1–2 (2018), 6–32.
111 Martin C. Libicki, Brandishing Cyber Capabilities (Santa Monica, CA: RAND Corporation, 2013), xi, 2–3. Also see Brendan Rittenhouse Green and Austin Long, ‘Conceal or Reveal? Managing Clandestine Military Capabilities in Peacetime Competition’, International Security 44/3 (2020), 82. Despite Libicki’s stark statement on the ‘single-use’ nature of cyber capabilities, while the overall meaning of his statement is accurate, in practice there is some time period between when a capability is used and when it becomes less effective due to modified defenses.
112 For prior work on measuring the dependent variable in continuous terms, see Uri Tor, ‘Cumulative Deterrence’ as a New Paradigm for Cyber Deterrence’, Journal of Strategic Studies 40/1–2 (2017), pp. 92–117. Also see Nadiya Kostyuk, ‘Deterrence in the Cyber Realm: Public versus private cyber capability’, International Studies Quarterly (2021).
113 However, it is important that observable indicators of deterrence outcomes appropriately capture what a state is seeking to measure. For instance, using the number of attempted intrusions as a deterrence metric may erroneously suggest that deterrence is failing when the reverse is true if a state has hardened its defenses such that an attacker has to expend greater resources to gain access.
114 Erica D. Borghard and Shawn W. Lonergan, ‘Public-Private Partnerships in Cyberspace in an Era of Great-Power Competition’, in Jacquelyn G. Schneider, Emily O. Goldman and Michael Warner (eds.), Ten Years In: Implementing Strategic Approaches to Cyberspace (Newport: U.S. Naval War College Press, 2020).
115 Chris Inglis, ‘Illuminating a New Domain: The Role and Nature of Military Intelligence, Surveillance and Reconnaissance in Cyberspace’, SSRN Electronic Journal 14/1 (June 2016).
116 Borghard and Lonergan, ‘Can States Calculate the Risks.’
117 ‘U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations’, United States Department of Justice, 4 October 2018, https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and; ‘Who is COZY BEAR (APT 29)?’ Crowdstrike, 19 September 2016, https://www.crowdstrike.com/blog/who-is-cozy-bear/; ‘Who is FANCY BEAR (APT 28)?’ Crowdstrike, 19 February 2019; ‘Grand Jury Indicts Thirteen Russian Individuals and Three Russian Companies for Scheme to Interfere in the United States Political System’, The Department of Justice, 16 February 2018, https://www.justice.gov/opa/pr/grand-jury-indicts-thirteen-russian-individuals-and-three-russian-companies-scheme-interfere; Laura Galante and Shaun Lee, ‘Defining Russian Election Interference: An Analysis of Select 2014 to 2018 Cyber Enabled Incidents’, The Atlantic Council, September 2018. Erica D. Borghard, ‘What a U.S. Operation Against Russian Trolls Predicts about Escalation in Cyberspace,’ War on the Rocks, 22 March 2019, https://warontherocks.com/2019/03/what-a-u-s-operation-against-russian-trolls-predicts-about-escalation-in-cyberspace/.
118 Robert Jervis, The Logic of Images in International Relations (Princeton University Press, 1970).
119 Austin Carson and Keren Yarhi-Milo, ‘Covert Communication: The Intelligibility and Credibility of Signaling in Secret’, Security Studies 26/1 (2017), 124–156.
120 United States, Congress, Senate Armed Services Committee, Advance Policy Questions, Nomination Hearing, 16 July 2019, 116th Congress, Washington, 2019 (Advance Policy Questions for Dr. Mark T. Esper, Nominee for Appointment to be Secretary of Defense); Senate Armed Services Committee, February 2019, Statement of General Paul M. Nakasone; ‘An Interview with Paul M. Nakasone’, Joint Force Quarterly 92 (1st Quarter, 2019), 4–9; Paul M. Nakasone, ‘A Cyber Force for Persistent Operations,’ Joint Force Quarterly 92 (1st Quarter, 2019), 10–14.
121 ‘Summary: Department of Defense Cyber Strategy’, 2018, 1.
122 Some might argue that the 2018 election defense efforts were not deterrence because U.S. officials believed Russia was determined to interfere. However, the U.S. may have been aiming to dissuade Russia from certain types of interference, similar to the U.S. attempt in 2016 to deter directly interfering with state voting tallies.
123 Statement of General Paul M. Nakasone, Commander United States Cyber Command, Before the Senate Committee on Armed Services, 14 February 2019, 4–5.
124 The Cyberspace Solarium Commission, for instance, argues that defend forward should be incorporated into an overall deterrence approach. Also see Senator King depiction of ‘defend forward by strengthening deterrence of cyberattacks’, https://www.king.senate.gov/newsroom/press-releases/king-solarwinds-hack-highlights-need-for-increased-deterrence-of-cyberattacks. In another example, Colin Kahl, Undersecretary of Defense for Policy, stated in his confirmation hearing that defend forward ‘needs to be part of a layered approach’, and specifically endorses the Cyberspace Solarium Commission’s approach. See ‘Hearing to Consider the Nomination of Dr. Colin H. Kahl To Be Under Secretary of Defense for Policy’, Committee on Armed Services, March 2021, pp. 41, 54, 72–73.
125 For instance, in Chairman of the Joint Chiefs of Staff General Mark Milley’s 2019 confirmation hearings, he links the DoD’s defend forward strategy with deterrence, but it is not clear how the former serves the latter. See, ‘Hearing to Consider the Nomination of: General Mark A. Milley, USA, For Reappointment to the Grade of General and to be Chairman of the Joint Chiefs of Staff’, Senate Armed Services Committee, 11 July 2019, 64–66.
126 ‘National Cyber Strategy of the United States of America’, The White House, September 2018.
127 John S. McCain National Defense Authorization Act for Fiscal Year 2019, H.R. 5515, 115th Congress, 2018, Section 1652. ‘Summary: Department of Defense Cyber Strategy’, 2018; and ‘National Security Strategy of the United States of America’, Executive Office of the President, December 2017.
128 The March 2020 U.S. Cyberspace Solarium Commission report specifically recommends that this should occur through the Executive branch issuing an updated national cyber strategy that includes this discussion. See page 32.
129 Kevin Liptak, ‘John Bolton: U.S. is Going on the Offensive Against Cyberattacks’, CNN, 20 September 2018, https://www.cnn.com/2018/09/20/politics/us-cybersecurity-strategy-offense-john-bolton/index.html; Jason Healey, ‘Getting the Drop in Cyberspace’, Lawfare, 19 August 2019, https://www.lawfareblog.com/getting-drop-cyberspace; Erica D. Borghard and Mark Montgomery, ‘Defend Forward as a Whole-of-Nation Effort’, Lawfare, 11 March 2019, https://www.lawfareblog.com/defend-forward-whole-nation-effort.
130 Stenographic Transcript Before the Committee on Armed Services, United States Senate Hearing to Conduct a Confirming Hearing on the Expected Nomination of: Honorable Mark T. Esper to be Secretary of Defense, 16 July 2019, Washington, D.C., 37, 60. Also see Ellen Nakashima, ‘White House Authorizes “Offensive Cyber Operations” to Deter Foreign Adversaries’, Washington Post, 20 September 2018, https://www.washingtonpost.com/world/national-security/trump-authorizes-offensive-cyber-operations-to-deter-foreign-adversaries-bolton-says/2018/09/20/b5880578-bd0b-11e8-b7d2-0773aa1e33da_story.html.
131 ‘Hearing to Consider the Nomination of Dr. Colin H. Kahl To Be Under Secretary of Defense for Policy’, Committee on Armed Services, March 2021, p. 72.
Additional information
Notes on contributors
Erica D. Borghard
Erica D. Borghard is a Senior Fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace. She is also a research scholar at the Saltzman Institute of War and Peace Studies at Columbia University. Previously, she was a Senior Director on the U.S. Cyberspace Solarium Commission and an Assistant Professor at the United States Military Academy at West Point.
Shawn W. Lonergan
Shawn W. Lonergan is a U.S. Army Reserve officer assigned to 75th Innovation Command and a senior director in the cyber, risk, & regulatory practice at PricewaterhouseCoopers. Previously, he served as a Senior Advisor on the U.S. Cyberspace Solarium Commission and as an Assistant Professor at the United States Military Academy at West Point.