Cyber warfare

Redefining deterrence in cyberspace: Private sector contribution to national strategies of cyber deterrence


ABSTRACT

This article explores the nature and the desirability of private sector contribution to national strategies of cyber deterrence. The article starts by developing a variation of the concept of cyber deterrence, called RCDC deterrence, which is simultaneously restrictive, comprehensive, dynamic, and complemental. Second, it applies RCDC deterrence to identify and analyze specific areas of cyber deterrence that can benefit the most from private sector contribution. Third, the article cautions about the potential security, legal, and moral issues that could arise from such private contributions. Instead of offering definitive answers on these complex issues, the article ends by suggesting avenues for further research. The ultimate objective is to assist decision-makers in designing policies and regulations aimed at maximizing the benefits of public–private cooperation in cyber deterrence while mitigating its potential downsides.

The indisputable dependence of modern societies on cyberspace has generated a lively debate about the relevance and applicability of traditional concepts of national defense to this newer environment (Koch & Golling, 2018; Taillat, 2019; Valeriano & Jensen, 2019). This debate has also involved the concept of cyber deterrence. Like the plethora of neologisms now containing the prefix “cyber,” cyber deterrence also lacks a universally agreed-upon definition. Despite that, the concept of cyber deterrence has been generally understood in two ways. First, as the deterrence of malicious activity occurring within or through cyberspace. Second, as the use of cyberspace and Information and Communications Technology (ICT) to achieve deterrence in other domains like land, sea, air, and space.

Providing an exhaustive review of the existing literature is beyond the scope of this article (for a review, see Wilner, 2020). Rather, this article seeks to identify a new angle from which to explore deterrence in cyberspace. Broadly speaking, the extant literature can be categorized into four main research clusters (Wilner, 2020). The first cluster investigates the applicability of deterrence to cyberspace. Does the unique nature of cyberspace allow for a direct translation of the logic, theory, and practice of deterrence from the more traditional domains of land, air, sea, and space? The second cluster focuses on the balance between offense and defense. Is cyberspace inherently an offense-dominant or a defense-dominant environment? The third cluster explores cyber denial. To what extent do policies of denial, resilience, and recovery contribute to cyber deterrence? The fourth cluster looks into the potential role of norms, regimes, and stigmatization. How can these factors help to influence individual and collective behavior in cyberspace?

This prolific area of research has generated divergent perspectives. On the one hand, critics have pointed out that for a number of reasons, especially the idiosyncratic nature of cyberspace, a strategy of cyber deterrence is of limited to no value (Fischerkeller & Harknett, 2017; Lupovici, 2016). On the other hand, supporters of the concept have developed variations of traditional deterrence which, they argue, would make it an effective strategy in the cyber domain (Kello, 2017; Lindsay & Gartzke, 2019). Despite the unquestionable value of this growing body of work, the scholarship on cyber deterrence is still characterized by a major shortcoming: The vast majority of the research on cyber deterrence has focused on the role of state actors, to the near exclusion of the role that non-state actors might play in deterring malicious activity in cyberspace.

When scholars have indeed discussed the role of non-state actors, they have usually done so in terms of non-state actors being the perpetrators of malicious activities—cyber-terrorists, cyber-criminals, or hostile state proxies (Grabosky, 2013; Marsili, 2019; Maurer, 2018). Notably, studies in the broader field of cyber security, of which cyber deterrence can be considered a sub-field, have paid significantly more attention to the role of non-state actors as partners to national governments (Carr, 2016; Eichensehr, 2017; Klimburg, 2011). However, these works in cyber security usually lack a systematic investigation of the link between the role of the private sector and the theory of deterrence. As a result, the possibility of non-state actors being partners in national cyber deterrence strategies remains an especially understudied and undertheorized area of research (Doty, 2016; Thumfart, 2020).

There are of course some partial exceptions. Some authors have acknowledged that non-state actors can, and should, contribute to national strategies of cyber deterrence. Nevertheless, the role of non-state actors remains very peripheral in these authors’ analyses of cyber deterrence; their primary focus is firmly centered on the role of state actors (Burton, 2018; Nye, 2017; Rosenzweig, 2010; Wilner, 2020). Similarly, others have conducted research exploring the role of private sector non-state actors in attributing cyber incidents (Romanosky & Boudreaux, 2019; Stevens, 2020). Others still have explored the private sector’s active cyber defense through the lenses of the just war theory (Thumfart, 2020). However valuable, these studies have stopped short of providing a comprehensive investigation of the key areas in which the private sector can contribute to national cyber deterrence.

The importance of studying the contribution of the private sector to national strategies of cyber deterrence cannot be overstated. In fact, “cyber-space is not a state-centric environment” (Wilner, 2020, p. 29). To begin with, the private sector is the place where groundbreaking research and development of ICT takes place. Tellingly, governmental agencies regularly buy cyber tools, including cyber weapons, from private actors (Cox & Franceschi-Bicchierai, 2018). In addition to the technology, entities in the private sector also provide an invaluable pool of human talent and skills. This has led some observers to argue that “the top tech companies appear to be as powerful as States, and sometimes even more so, to prevent cyber-attacks, attribute them and to respond to malicious acts” (Bannelier & Christakis, 2017, p. 10). Last, and perhaps most importantly, contrary to the domains of land, sea, air, and space, most of the infrastructure of cyberspace is commonly owned and/or operated by the private sector. For all these reasons, any effort at applying deterrence to cyberspace which ignores the potential contribution of the private sector is inherently incomplete.

All that considered, this article aims at advancing the academic literature on cyber deterrence by providing an investigation of the role of the private sector as a partner in national strategies of cyber deterrence. This article goes beyond the existing literature on the topic in at least three important ways. First, because its focus is firmly on the private sector. Second, because it makes explicit the link between private sector contribution and the theory of deterrence. Third, because it expands the previous research on individual areas of private sector contribution to cyber deterrence by offering a more comprehensive analysis of a larger number of areas where private sector contribution can make a difference. One of the advantages of this more comprehensive approach is that it can assist in the detection of synergies between areas of private sector contribution that research with a narrower focus may instead overlook.

On the one hand, this article finds evidence suggesting that national strategies of cyber deterrence can benefit from the participation of the private sector. On the other, it cautions that some private sector contributions may also pose meaningful challenges. In the end, rather than providing definitive conclusions, this article fundamentally pushes for further research. In particular, it aims at starting a more structured and systematic conversation on the nature and desirability of private sector non-state actors’ contribution to national strategies of cyber deterrence. The ultimate objective is to assist decision-makers in designing policies and regulations aimed at maximizing the benefits of public–private cooperation in cyber deterrence while mitigating its potential downsides.

To achieve its objective, the article starts by developing a variation of the concept of cyber deterrence, called “RCDC deterrence,” which is simultaneously restrictive, comprehensive, dynamic, and complemental. The article then applies RCDC deterrence to identify and analyze specific areas of private sector contribution. This is followed by a discussion of the potential security, legal, and moral issues that could arise from such contributions. Finally, the article concludes by suggesting avenues for future investigation.

Conceptualizing cyber deterrence

As mentioned above, the debate on the nature of cyber deterrence and its applicability is unresolved. Hence, to avoid confusion, it is helpful to make explicit how cyber deterrence is understood in this particular work. To begin with, this article focuses exclusively on deterrence as a strategy aimed at dissuading actors from performing malicious activities in or through cyberspace; it is not concerned with the use of ICT and cyberspace to deter activities in other domains. Moreover, this article espouses the view that conceptual variations of classical deterrence can still be usefully applied in the cyber domain. Accordingly, it draws on the relevant scholarship and maintains that cyber deterrence should be restrictive, comprehensive, dynamic, and complemental (RCDC).

Restrictive

Deterrence in cyberspace should not be understood in absolute terms as it was in the Cold War nuclear context when even a single successful attack would have been devastating. As noted by Nye (2017), the analogy between cyber deterrence and nuclear deterrence is often “misleading” (p. 45). In fact, contrary to nuclear deterrence, some failures of deterrence in cyberspace should be expected. Moreover, such failures should not lead to the complete dismissal of the concept but rather to the acknowledgement of cyber deterrence’s restrictive nature. As argued by Tor (2017), “deterrence is perceived as a spectrum rather than a dichotomous, binary state – that is, one is concerned with degrees of deterrence instead of simply assuming its total presence or absence” (p. 112). In other words, cyber deterrence is a strategy seeking to shape and limit the overall frequency and severity of malicious activity (restrictive) rather than one aimed at dissuading all attacks from occurring at all times (absolute). Like similar efforts in the fields of countering violent extremism or criminal behavior, a strategy of cyber deterrence is unlikely to be always successful. Deterrence, however, can still be useful by adding another consideration to the cost–benefit calculus of the attacker. Furthermore, some deterrent measures may be effective against a specific threat—that is, Distributed Denial of Service attacks (DDoS)—but ineffective against others—that is, Advanced Persistent Threats (APTs). In this last scenario, the “restrictive” deterrent function against DDoS attacks has the benefit of allowing the defender to divert more resources and time to counter APTs. It stands to reason that cyber deterrence does not need to be absolute to be effective.

Comprehensive

Issues of secrecy, attribution, legality, liability, and verification represent real obstacles to cyber deterrence. Any endeavor at applying deterrence to cyberspace is also made more challenging by the existence of a wide range of threat actors moved by distinct motivations and using a diverse collection of attack vectors. These considerations have led authors like Jasper (2015) to argue that no single means of deterrence can fully account for the complexity of cyberspace. Consequently, a comprehensive strategy which relies on a combination of means of deterrence is more likely to be effective. First, to be comprehensive the concept of cyber deterrence needs to be broader than that of classical deterrence. Classical deterrence is generally limited to deterrence by punishment and deterrence by denial. Comprehensive cyber deterrence should consist of these two classical means of deterrence plus deterrence by entanglement and deterrence by norms. A significant benefit of adopting this broader conceptualization of deterrence is that it allows one to account for different forms of strategic rationality. [Footnote 1] Tor (2017) maintains that

strategic rationality may be divided into instrumental rationality—that is, a system of mathematical cost–benefit considerations—and normative rationality—that is, the cost–benefit considerations derived from the value an actor assigns to the elements of the cost–benefit equation. (p. 107)

Arguably, the effectiveness of classical means of deterrence depends primarily on instrumental rationality whereas deterrence by entanglement and by norms become more relevant when normative rationality is concerned.

Second, to be comprehensive the concept of cyber deterrence should not be limited to the use of cyber tools but instead it should rely on deterrent measures taken in the other operational domains of land, sea, air, and space. This conceptualization of deterrence should also include the whole range of instruments of national power including diplomatic, information, military, economic, financial, intelligence, and law enforcement (DIMEFIL) instruments (Missiroli, 2019). In short, comprehensive cyber deterrence should be broader than classical deterrence, cross-domain, and inclusive.

Dynamic

Partly as a result of its human-made nature, cyberspace is characterized by constant and rapid change. Change especially relevant to the study of cyber deterrence can take place because of technological innovation and/or evolution of norms. The speed and intensity of technological innovation continuously reshape the characteristics of the cyber domain. Technological innovation can make possible today what only yesterday seemed highly unlikely. In particular, breakthroughs in ICT have the potential to alter the balance between defense and offense by making new capabilities available both to the defender and the attacker. For example, the development of polymorphic and metamorphic malware—that is, malicious software able to change its code while propagating—has made it more difficult for traditional signature-based antivirus to detect these threats. Dynamic deterrence responds to technological innovation by constantly monitoring systems and networks, updating defenses, improving intelligence sharing, patching vulnerabilities, and renewing contingency plans. Dynamic cyber deterrence, therefore, is not a passive endeavor.

Norms of acceptable behavior in cyberspace are also subject to change. Although in a slower fashion than is the case with technological innovation, current norms of acceptable cyber behavior may no longer be so in the future. This is because both cyberspace and the strategy of deterrence are shaped by social constructions. These social constructions, in turn, affect how actors behave. The theory of social constructivism tells us that social constructions, including what is deemed as acceptable behavior in cyberspace, may change due to future iterations of social interactions. A practical example can be instructive in this regard. Lupovici (2016) argues that current norms about attribution “legitimize retaliations only if the defender is able to fully identify the source of attack” (p. 330) therefore making deterrence by punishment particularly difficult. However, actors dissatisfied with the existing situation may start to justify retaliation based on lower levels of certainty, effectively modifying through practice what is considered acceptable. As a consequence, dynamic deterrence requires the implementation of measures aimed at actively shaping the evolution of norms in cyberspace. Given the above, a strategy of cyber deterrence cannot be either passive or static. To be effective cyber deterrence needs to be dynamic; that is, capable of responding and adapting to constantly and rapidly changing circumstances. Notably, this is in stark contrast to the common understanding of traditional deterrence which Sperandei (2006) describes as “tactically static” and consisting of “waiting forever for the opponent to act” (p. 255).

Complemental

Brantly (2018) maintains that “deterrence has never been the single tool within the toolbox of the state [or of any other actor] to dissuade or shape adversary behavior” (p. 49). In fact, deterrence works better if it is considered as complemental to other forms of strategic interaction. One such form is compellence. Schelling (1966) describes compellence as a strategy intended to persuade an actor to do something; in particular to modify a current unwanted behavior. Compellence consists of a clear demand, a threat of punishment for failure to comply, and a time limit for compliance. Deterrence and compellence are commonly seen as distinct expressions of coercive diplomacy. While this distinction may be useful theoretically, when deterrence and compellence are analyzed against empirical cases their differences often blur, revealing instead their complemental nature. Sperandei (2006) notes as much in her analysis of traditional deterrence:

Reasonably, after a deterrent threat has failed and the stakes of deterrence have remained unaltered, a more compellent action has to be initiated. By contrast, once a compellence policy has succeeded, there may be an advantage in preserving the status quo through a deterrent policy. (p. 261)

The argument for a rigid division between deterrence and compellence seems even less relevant when the two strategies are applied to an environment characterized by constant operational contact, like cyberspace. In the cyber domain, in fact, defense and attack are always in contact and malicious activities take place constantly (Fischerkeller & Harknett, 2017). Given that, the distinction between the statements “don’t attack my network” (deterrence) and “stop attacking my network” (compellence) tends to be minimal.

Another form of strategic interaction available to shape adversary behavior is the use of force. While deterrence, especially deterrence by punishment, has been understood largely in terms of the threat of relying on force, actors can also decide to rely on the actual application of force. These two forms of strategic interaction are complemental insofar as the occasional and exemplary use of force may be necessary both to increase the credibility of deterrence, by making explicit the costs of a specific malicious activity, and to show the willingness and capability of the deterrer to impose such costs on the attacker. In his work, Tor refers to a somewhat similar dynamic as a “learning process between the parties” (Tor, 2017, p. 94). Conversely, usable capabilities originally developed to increase the credibility of deterrence can later become functional for instances when the actual application of force is the required course of action.

Along with these forms of coercion, deterrence can also work in tandem with the non-coercive strategies of cooperation, cooptation, and bargaining to influence adversary behavior. Finally, the concept of deterrence hinges on the assumption that actors will think and act rationally. Nevertheless, the literature on behavioral studies and cognitive psychology has shown that this is not always the case (Allison & Zelikow, 1999; Janis, 1972). For this reason, Herring (1995) suggests that deterrence should be complemented by a strategy of reassurance aimed at reducing the likelihood of provoking the very attacks deterrence was intended to dissuade. In sum, a strategy of cyber deterrence should not be expected to work best as a separate tool in an actor’s toolbox but rather as complemental to other forms of coercive and non-coercive strategic interaction.

Areas of private sector contribution

This section analyzes areas of private sector contribution to national strategies of cyber deterrence through the lenses of RCDC deterrence. At this point, a few qualifications are in order. First, this article refers to the private sector as the part of the national economy that is not controlled by the state but, instead, is run for profit by individuals and organizations. For the purpose of this analysis, the private sector mainly consists of tech companies, cyber security firms, and owners and operators of critical infrastructure. [Footnote 2] Second, the article considers as malicious cyber activities any unlawful activity that seeks to compromise or impair the confidentiality, integrity, or availability of information and communications systems, the physical and virtual infrastructure controlled by those systems, or the information itself. Notably, this definition does not include influence operations aimed at fabricating or disseminating propaganda and disinformation through ICT means. Finally, this article primarily uses the United States as the legal, social, and economic context of its analysis. In fact, the United States by means of its preeminence in cyberspace and world-class domestic ICT private sector represents an especially instructive case. Moreover, lessons learned from the United States case can be usefully applied to other national contexts.

To begin with, the private sector can contribute to national strategies of cyber deterrence both by offering services, hardware, and software to government agencies and by sharing information. These are two examples of deterrence by denial which enhance primarily the comprehensive, restrictive, and dynamic elements of cyber deterrence. As part of the comprehensive element of RCDC deterrence, deterrence by denial rests on depriving the attacker of the benefits expected from a particular behavior by both hardening defenses and enhancing resilience. Hardening defenses consists of measures stopping a threat before it successfully compromises a system or network. Enhancing resilience consists of measures improving the ability to withstand and quickly recover when the system and network defenses have been breached (Cyberspace Solarium Commission, 2020). In addition to denying an attacker their expected benefits, deterrence by denial ensures that critical functions remain available to the defense for retaliation or “punishment.”

By offering services, hardware, and software to government agencies, the private sector can help to improve national defense and homeland security. Given its vast resources, technologies, and expertise, the private sector is especially well-positioned to support government action in these areas. By contracting private sector companies, a government can expect to have fast-track access to the latest state-of-the-art solutions in ICT research and development. This, in turn, can provide an operational and strategic edge against challengers while freeing up government resources to be directed to other purposes. Moreover, the domestic cyber security industry can provide hardware and software alternatives to foreign-made products which are believed to represent a threat to national security. As stressed by one interviewee, “the U.S. government is willing to store some of its most confidential information with domestic providers and not foreign ones.” [Footnote 3]

The United States offers some fitting examples of this type of private sector contribution. With regard to national defense, in 2018 the United States Department of Defense (DoD) awarded Microsoft a contract dubbed JEDI (Joint Enterprise Defense Infrastructure). The key objective of this contract was to transition DoD data and services from a series of existing networks to a single cloud environment. Under JEDI, Microsoft would also be responsible for hosting classified military information (DOD Inspector General, 2020). Microsoft’s hardening of the defenses around DoD information systems is a case of restrictive deterrence insofar as it aims at shaping and limiting the number of successful attacks against those systems. Concerning homeland security, in 2019 the United States government awarded Raytheon Technologies a contract to help protect the .gov domain. In particular, the contractor would support the United States Department of Homeland Security (DHS) efforts to develop, deploy, and sustain solutions that monitor, analyze, and mitigate cyber threats to the .gov networks (Raytheon Technologies, 2020). By being instrumental to the DHS continuous monitoring effort of United States governmental networks, Raytheon Technologies would contribute to the dynamic element of RCDC. With the specific objective of facilitating these kinds of contacts and collaborations with the private sector, the United States government has established a number of entities such as the Defense Innovation Unit and In-Q-Tel.

Another way in which the private sector can enhance RCDC deterrence is through intelligence sharing. In the context of cyber deterrence, intelligence sharing involves the sharing of threat indicators and defensive measures along with the provision of the necessary context, relevance, and priority, which is sometimes called enriched intelligence. Given the fast-changing nature of threats in cyberspace, timely, accurate, and actionable intelligence becomes critical for decision-makers tasked with prioritizing defensive actions, reducing risk, and increasing resilience. Private sector contribution in intelligence sharing for cyber deterrence purposes has great potential. In fact, private actors have both access to large volumes of real-time information through the sensors positioned in their networks and the technical and human resources necessary to analyze the growing amount of available material. This valuable intelligence can then be passed on to governments or to other private actors resulting in one’s detection of a threat becoming another’s prevention.

IBM is a case in point. The company has a global reach and huge resources that allow it to monitor an average of seventy billion security events per day in more than 130 countries. Through the threat intelligence sharing platform IBM X-Force Exchange, it makes available an impressive eight hundred terabytes of threat activity data, information on over 17 million spam and phishing attacks, real-time reports of live attacks, and reputation data on nearly one million malicious IP addresses from a network of 270 million endpoints. Moreover, in part because of their extremely competitive salaries, companies in the private sector have been consistently able to recruit the best talent into their teams, including former government spies and intelligence officers (O’Neill, 2019). IBM intelligence sharing is instrumental to hardening defenses and increasing resilience; that is, to enhancing the restrictive element of RCDC. Moreover, IBM intelligence sharing is also an example of dynamic deterrence since it helps defenders to respond and adapt to constant technological innovation.

The United States government has actively promoted intelligence sharing by encouraging the establishment of Information Sharing and Analysis Centers—for sector-specific collaboration—and Information Sharing and Analysis Organizations—for non-sector-specific collaboration. Moreover, the United States government has developed cooperation initiatives like InfraGard, which involves intelligence sharing between the Federal Bureau of Investigation (FBI) and the private sector with the express goal of protecting critical infrastructure.

A second set of areas of private sector contribution includes both active cyber defense and attribution. These are examples of deterrence by punishment which strengthen the comprehensive and complemental elements of cyber deterrence. Traditional deterrence by punishment hinges on the credible threat of retaliation by the defender in response to an action perpetrated by the attacker. As explained earlier, RCDC deterrence goes beyond the mere threat of retaliation to include the possibility for the occasional and exemplary application of retaliatory measures. This, in turn, contributes to improving the overall credibility of the threat of punishment itself.

Given this conceptualization of deterrence, active cyber defense can become a prolific area of private sector contribution. The term active cyber defense is “widely understood to include offensive actions in cyber space taken with defensive purposes in mind” (Lin, 2013). Such actions sit along a continuum of increasingly aggressive or pro-active measures. All of them are limited in scope and intended to impose costs on a specific threat actor. Honeypots can be created to deceive an attacker into wasting time on fabricated or unimportant material. Beacons can be built into files to track back the perpetrator of a data exfiltration. Remote access tools can be installed to surreptitiously monitor or control an adversary’s system. Servers can be shut down to disrupt an attacker’s operation. The last two measures are considered particularly aggressive and are often referred to as hacking back. These few examples show that active cyber defense can contribute to deterrence by confusing an attacker, gathering intelligence on an incident, and stopping an ongoing attack.

The private sector can contribute to active cyber defense in two ways: jointly with the national government or independently from it. In the first scenario, the public and private sectors pool their resources together to retaliate against threat actors. In a cyber domain characterized by the increased number and sophistication of threats, resource sharing becomes extremely valuable. One interviewee noted that “in an ideal world, governments would devote more resources to this.” [Footnote 4] The work of Microsoft’s Digital Crimes Unit (DCU) is a telling case of how this form of public-private collaboration can play out. For several years, the DCU has been working in tandem with law enforcement to identify, investigate, and disrupt malware-facilitated cyber crime and state-sponsored malicious activity. After investigating an incident, the DCU takes legal action and refers the case to law enforcement authorities. Following a supportive court decision, the DCU has repeatedly executed orders to disrupt, take control of, or shut down the cyber-infrastructure used by malicious actors (Burt, 2019).

The work of the DCU is an example of comprehensive deterrence. In fact, DCU deterrent activity is cross-domain, insofar as DCU work relies on measures taken beyond cyberspace, and inclusive, insofar as it applies instruments of power beyond cyber tools. In the second scenario, the private sector applies retaliatory measures independently from the national government. This form of self-help can increase the speed of retaliation which, in turn, improves the credibility of deterrence by punishment. In fact, the speed of governmental action—especially in liberal democracies—is structurally reduced by the requirements of due process and the boundaries of its geographically limited authority. Therefore, by sidestepping the government, the private sector can respond more quickly to threats. Notably, it has been reported that some actors in the private sector are already taking this particular course of action (Hoffman, 2018; Thumfart, 2020). This kind of self-help is instrumental to enhancing the complemental element of RCDC since it is a type of coercion intended to rely on the occasional and exemplary application of force (i.e., particularly aggressive forms of active cyber defenses).

The attribution of cyber incidents is another way in which the private sector can advance RCDC deterrence. Attribution in cyberspace consists of the process of collecting and analyzing evidence aimed at associating a malicious cyber activity with its originating party. However difficult and resource-consuming, cyber attribution has often proved to be possible (Rid & Buchanan, 2015). Attribution is key to making the threat of punishment credible. In fact, the identification of the perpetrator of a malicious act is a prerequisite for any measure aimed at punishing said act. Moreover, the public attribution of a cyber incident can be seen as a type of cost imposition in itself in the form of naming and shaming. Since it is both a prerequisite for and an actual tool of punishment, attribution contributes to the effectiveness of both the comprehensive and complemental elements of RCDC deterrence. Furthermore, publicly calling out the perpetrators of malicious activities can enhance deterrence by norms by building international consensus around what is considered irresponsible behavior in cyberspace.

The benefits of private sector contribution to the process of attribution can be many and significant. First, as in the case of intelligence sharing, the private sector possesses the technical, human, and financial resources to investigate a growing number of increasingly complex incidents. The crowdsourcing of certain cases of attribution to the private sector can allow a government to focus on those cases which carry the most serious national security implications. Second, contrary to national authorities, the private sector has direct visibility into the threat landscape beyond domestic networks. In fact, a private company may have direct access even into the network of the target of a specific attack. In the United States, it is not unusual for targets of cyber attacks to hire private cyber security firms for investigations rather than resorting to government agencies. This is not only because of the private sector’s advanced forensic capabilities but also out of concern that law enforcement may impose fines and liabilities on the target for having failed to implement certain security measures. Third, a government can leverage private sector’s public attribution to avoid the disclosure of highly classified sources or forensic methods. In fact, by referring to the findings of private investigations, government officials do not have to offer to the public the details of their own forensic analyses. As explained by one interviewee,

if there were to be a listing process for sanctions in a multilateral organization, it is very unlikely that States would be able to use their highly classified intelligence—as [they] would not be able to defend this in court; the information/evidence has to come from open source, and that open source needs to be compelling enough to convince not only a multilateral organization but also—potentially—a judge if there is an appeal.[5]

At its best, public attribution by the private sector can impose reputational costs on the perpetrator of an attack without the need for the targeted government to do or say anything at all.

In an exemplary case, the cyber-security firm CrowdStrike was the first in June 2016 to publicly attribute the breach of the United States Democratic National Committee (DNC) to two threat actors—Cozy Bear and Fancy Bear—which the firm described as “to be closely linked to the Russian government’s powerful and highly capable intelligence services” (CrowdStrike, 2020). Later, the United States government also issued several reports attributing the DNC hack to Russia. When publicly asked to explain the methods and sources used to arrive at their conclusions, United States officials repeatedly referenced the forensic analysis done by CrowdStrike (Romanosky & Boudreaux, 2019).

A third area of private sector contribution is entanglement. Entanglement can especially reinforce the comprehensive, restrictive, and dynamic elements of RCDC deterrence. The deterrent effect of entanglement is grounded on the existence of political, economic, and strategic interdependencies that make a malicious activity simultaneously impose serious costs on both the attacker and the defender. As part of the comprehensive element of RCDC deterrence, deterrence by entanglement depends on actors’ common interest in the preservation of a mutually advantageous situation and also on the attacker’s aversion to suffer costs originated from their own actions. At its best, entanglement enhances restrictive deterrence by dissuading an actor from behaving irresponsibly without even the need to resort to the threat of punishment or the hardening of defenses. Moreover, entanglement can improve the effectiveness of other elements of RCDC deterrence. For example, it can strengthen dynamic deterrence by developing mutual interests which, in turn, can facilitate agreement on shared international norms. Likewise, interdependencies, especially of economic nature, can improve the credibility of cross-domain retaliation through economic sanctions, boycott, and divestment; that is, forms of comprehensive deterrence.

The concept of entanglement is particularly relevant to the cyber domain. To a certain extent all actors in modern societies, both public and private, big and small, have developed a stake in the correct functioning of cyberspace. Preserving its integrity is widely considered to be a common interest that cuts across national borders. This shared dependency on cyber-space, and the vast benefits deriving from it, can act as a restraint on activities aimed at its destabilization.

The infamous NotPetya attack of 2017 offers a telling example of how these interdependencies work in cyberspace. Several governmental and private sector sources attributed NotPetya to the Russian government and identified the intended target as Ukraine. However, the global and mostly borderless nature of cyberspace resulted in the malware spreading the world over, including to Russia. With an estimated total cost of $10 billion, NotPetya is considered the costliest cyber-attack to date (Greenberg, 2018). The NotPetya incident shows how malicious activities in an interconnected cyber-domain can have vast and indiscriminate consequences.

Another cogent example of interdependencies in cyber-space is that of ICT supply chains. In May 2019 the United States government decided on a double ban. On the one hand, a presidential executive order prohibited the domestic use of ICT equipment produced by companies considered a national security threat (Trump, 2019). While the order did not name any entity specifically, it was widely understood as intended to target the Chinese company Huawei. On the other hand, the Department of Commerce added Huawei to its Entity List; in fact, requiring the company to obtain a United States government-issued license to access United States technologies (Bureau of Industry and Security, 2019). These two disruptive decisions made explicit the global and interconnected nature of ICT supply-chains. The executive order put significant pressure on United States wireless carriers, especially rural ones which relied heavily on Huawei’s hardware, to search for equally affordable alternatives or else face marked increases in expenditures. Meanwhile, Commerce’s decision exposed Huawei’s dependence on United States suppliers. For example, Huawei was no longer able to pre-install Google’s popular services on its new smartphones. Similarly, the ban made Huawei’s access to cutting-edge microchips, indispensable for the production of modern laptops and servers, limited to a smaller number of suppliers (Knight, 2020).

The obvious dependence of private actors on a functioning cyberspace and their apparent vulnerability to cyber attacks make the private sector an interested party to the deterrent effects of entanglement. To begin with, entanglement-aware private actors can develop an individual or collective sense of self-restraint. Self-restraint, in turn, can lead to an overall reduction of cyber-malicious activities. Notably, a number of large ICT companies have publicly pledged not to resort to the use of offensive cyber-technologies that are likely to undermine the security of cyber-space (Tech Accord, n.d.). Self-restraint can even potentially moderate the behavior of cyber criminals whose illegal profits depend primarily on legitimate actors taking their businesses online. In nature, pathogens exploit their host to thrive. However, pathogens also have an interest in the survival of the host. In fact, the death of the host would also result in the death of the pathogen. Similarly, if legitimate actors come to understand cyberspace as too risky for doing business and, as a consequence, overwhelmingly withdraw from it, cyber criminals will be unable to make any profit.

Beyond self-restraint, the private sector also has a strong incentive to restrain government action. In particular, private actors can use their economic and political influence to lobby the government against embarking on cyber-activities which are likely to have unintended negative consequences for domestic companies, the broader national economy, and in some cases even for national security. The private sector can take this effort a step further and advocate for the adoption of international cyber-norms by international organizations. These restraining effects of entanglement can be instrumental in improving restrictive deterrence.

Finally, the interdependencies existing in cyber-space increase the ability of the private sector to contribute to the impact of forms of cross-domain punishment such as sanctions, boycott, and divestment. Private companies can act independently, as Google did in 2010 when it decided to stop the provision of its services to China in retaliation for the Chinese state-sponsored Operation Aurora targeting Google’s customers (Council on Foreign Relations, 2010). Otherwise, private companies can cooperate with the national government by complying with official orders, as was the case with the United States Commerce Department’s decision mentioned earlier. Both cases are examples of private sector contributions to comprehensive deterrence because they rely on non-cyber tools and/or take place outside of cyberspace.

A fourth area of contribution is norm entrepreneurship. Norm entrepreneurship can primarily enhance the restrictive and dynamic elements of cyber deterrence. Norms are expectations of appropriate behavior. The deterrent effect of norms is based on the assumption that breaking norms can damage an actor’s soft power beyond the expected benefits from a malicious activity. In addition to the reputational damage, breaking norms can impose other costs on the offender in the shape of diplomatic, economic, or in extreme cases, even military sanctions. Moreover, developing norms can improve deterrence by instructing actors on the most appropriate ways to respond to specific incidents or needs.

As in other areas of human relations, norms in cyberspace can represent an additional factor in the cost–benefit calculation of people. Theorists have explained how the internalization of norm-breaking costs can incentivize actors to abide by them (Finnemore & Sikkink, 1998). In turn, adherence to cyber norms can lead to a reduction in the frequency and severity of malicious cyber activity, therefore enhancing the restrictive element of RCDC. Cyber-norms can take different forms. They can be enshrined in formal binding agreements, for example in an international treaty on cyber-crime like the 2001 Budapest Convention. Norms can also be established through bilateral or multilateral confidence-building measures, such as threat-information sharing or capacity-building efforts. Developing norms in cyber-space presents unique obstacles and opportunities which have been discussed extensively (Healey et al., 2014; Ruhl et al., 2020). This section focuses on how the private sector can play the role of norm entrepreneur and contribute to the internalization of norms; that is, on ways in which private actors can strengthen dynamic deterrence by actively shaping the evolution of norms in cyber-space. An obvious benefit of private sector contribution is the vast resources that private actors can bring to the table. These resources include money, personnel, time, and expertise. Moreover, in an international context characterized by intense antagonism among great powers, industry-led initiatives may make progress where state-led ones are instead stalling. As pointed out by one interviewee, “the private sector can help in defining best practices, facilitating discussion, and defining what is acceptable and what is not.” Furthermore, “the private sector can provide valuable legal analysis and research that could lead to the classification of certain cyber-activities as violations of international law.” More to the point, the private sector can contribute to “build[ing] a body of customary legal analysis which could be the basis for customary international law.”[6] In other words, the contribution of the private sector can be significant.

Three forms of private sector contribution to deterrence by norms stand out. Firstly, the private sector has the resources to establish and support the activities of nonprofit organizations and research centers. The Cyber Peace Institute is a fit example of this first kind of contribution. The Institute’s stated mission is to serve “as an advocate for advancing the role of international law and norms governing the behavior of state and non-state actors in cyber-space” (Cyber Peace Institute, n.d.). Facebook and Microsoft are two of the major sponsors of the Institute. Secondly, the private sector can participate in multistakeholder initiatives along with states and representatives of civil society. One especially instructive initiative is the Paris Call for Trust and Security in Cyberspace. As of mid-2020, the number of signatories to the Paris Call has topped one thousand, including 78 states, 29 public authorities and local governments, 348 members from civil society, and 643 private sector entities. The signatories are committed to “working together to adopt responsible behavior and implement within cyber-space the fundamental principles which apply in the physical world” (Paris Call, n.d.). Notably, the United States federal government has not signed on to the document while a large number of United States companies, states, and local authorities have. Lastly, the private sector can set up their own industry-led norm processes. The Cybersecurity Tech Accord is a case in point. The Accord unites more than one thousand private companies, including large and influential ones like CISCO, Cloudflare, Facebook, LinkedIn, and Microsoft. Members of the Accord advocate for the global adoption of cyber-norms of responsible behavior (Tech Accord, n.d.).

Security, legal, and moral issues

The previous section discussed the opportunities deriving from private sector contribution to national strategies of cyber deterrence. This section, instead, looks at its potential unintended consequences. In particular, it highlights the security, legal, and moral issues which could arise from private sector contribution in the previously identified areas of cyber deterrence.[7] Decision-makers should be made aware of these unintended consequences when considering policies and regulations aimed at maximizing the benefits of public-private cooperation in cyber-deterrence.

Offering services, hardware, and software to government agencies

Entrusting the private sector with responsibilities for national defense and homeland security could have serious national security implications. This is especially true in the case of private contractors hired to handle government’s sensitive communications or classified information. To begin with, information could be accidentally exposed. In 2019, cyber security firm HackerOne disclosed that, due to a human error, some of their customer cyber vulnerability reports were made available to unauthorized personnel (HackerOne, 2019). The United States Department of Defense was one of HackerOne’s customers. It is unclear whether DOD information was affected by this specific incident. However, the possibility of something similar happening in the future cannot be completely discounted.

Moreover, private sector’s access to government’s sensitive information could lead to the abuse of such information for private gain. Private companies are ultimately responsible to shareholders rather than to the citizenry. How can they be held accountable to the nation’s interest? Furthermore, ICT companies, especially large ones, employ people from the world over. Where would these employees’ loyalty lie in case of heightened international tensions or an open confrontation? With the country which contracted them or with their country of origin? This particular form of private sector contribution could also have negative consequences for democratic governance. In the United States, for example, the revolving door between public and private sectors, the concentration of defense contracts in the hands of a small number of entities, and the classified nature of many of their activities have led to the establishment of a cyber-intelligence-industrial complex with large political sway and little public accountability (Shorrock, 2015). This, in turn, could result in instances of corruption, collusion, and undue influence in the process of democratic decision-making.

Intelligence sharing

Legal considerations could limit the willingness of the private sector to contribute to intelligence sharing. First, intelligence sharing may raise issues of violation of domestic laws on antitrust and privacy. Second, public disclosure of a security breach could damage the reputation of a company or a product with investors and consumers alike. Third, private companies may hesitate to share a cyber-incident with law enforcement out of fear of being fined for not having implemented certain security measures. The credit rating company Equifax, for example, was fined more than $575 million by the United States Federal Trade Commission for its failure to implement reasonable steps to secure its network which led to a data breach in 2017 that affected approximately 147 million people (Federal Trade Commission, 2019). In order to assuage some of these concerns, the United States Congress passed the Cybersecurity Information Sharing Act of 2015. The act provides certain legal protections for private entities sharing information with the United States government. Despite this effort, a United States government report issued in December 2019 described private sector participation in its information sharing program as “minimal” (Office of the Inspector General of the Intelligence Community, 2019, p. 2). Market considerations could also represent an obstacle to effective intelligence sharing. In fact, companies could decide to withhold information if they believe that such information may give them an advantage over their competitors. Likewise, companies whose stock-in-trade is cyber-threat intelligence could be skeptical of sharing “their product” for free with the competition.

Active cyber defense

Deploying measures of active cyber defense that are likely to have an impact outside one’s network is legally questionable. This is especially the case for the most aggressive forms of active cyber defense commonly known as hacking back. In the context of the United States, hacking back is a violation of the Computer Fraud and Abuse Act of 1986 which prohibits access into computers without authorization (US Congress, 1986). Moreover, legalizing hacking back under domestic law does not mean that defenders chasing attackers outside their network will not be violating laws in foreign jurisdictions. In addition to being legally questionable, widespread hacking back has the potential to significantly destabilize cyber-space. In fact, broadening the number and nature of actors authorized to perform cyber-offensive operations could increase the likelihood of incident misattribution resulting in collateral damage; that is, the targeting of innocent parties. Furthermore, hacking back could lead to a dangerous tit-for-tat between defender and attacker thus intensifying the risk of escalation. Finally, private actors could even abuse hacking back for illegal purposes. For example, a company could stage a cyber-attack directed at itself originating from a competitor’s servers to justify the subsequent unauthorized access of the competitor’s network and information.

Attribution

Private sector attribution of cyber incidents could complicate national cyber-deterrence in a number of important ways. To begin with, the findings of a private investigation could contradict government’s findings. This would generate confusion around the identity of the perpetrator of an attack and therefore weaken the defender’s ability to respond. Likewise, private investigations could accidentally obstruct ongoing law enforcement, espionage, or military operations. In fact, the publication of forensic analyses could disclose, and hence render ineffective, techniques or vulnerabilities currently used by the government to go after malicious actors. Reportedly, this is what happened when security firm Kaspersky Lab exposed key cyber aspects of an ongoing United States-led counterterrorism operation in 2018 (Bing & Howell O’Neill, 2018). Additionally, commercial interests could have a negative impact on the quality of private sector attribution. First, private actors could feel a strong incentive to be the first to attribute an incident since doing so would generate large media coverage and valuable free publicity. However, the urge to be the first could also result in rushed investigations, inaccuracies, and misattribution. Second, commercial interests could make private actors somewhat biased in their public attributions. They could refrain from publicly attributing incidents to specific governments because they do not want to jeopardize their access to these countries’ profitable contracts and markets.

Entanglement

Some interdependencies inherent to entanglement could work against private sector contribution to national strategies of cyber deterrence. Many large ICT companies have a commercial interest in serving global customers, including foreign governments. Hence, they could prove very reluctant to be perceived as arms of a specific government. In fact, when the United States government determined that Russia-based cyber security firm Kaspersky Lab was too close to the Kremlin, it banned the use of the company’s products from United States federal networks (National Protection and Programs Directorate, 2017). Other companies rely heavily on global supply chains and have a reasonable concern about being cut off from them. This is what happened to Huawei when it was added to the United States Department of Commerce’s Entity List. All in all, because of entanglement, private companies may resist sharing client or other confidential information with the national government. Likewise, they may hesitate to enforce sanctions which would penalize them financially. As pointed out by one interviewee, “companies basically do what maximizes profits and are unlikely to forego such opportunities unless leaned on explicitly, or unless their reputation with their primary customers [i.e., the United States government] makes them sensitive to guidance.”[8]

Norms development

Ceding the initiative of developing cyber norms to the private sector could have unintended consequences for governments. In fact, governments and the private sector could have divergent views, or a different agenda, with regard to a specific cyber issue. The debate on encryption in the United States is a case in point. The FBI has repeatedly advocated for the creation of backdoors enabling law enforcement to bypass device encryption. Private companies have consistently resisted the idea and actually embedded stronger forms of encryption in their products (Dave, 2016). It is apparent that the United States government would not be better off by letting the private sector establish a norm on encryption. Moreover, actors in the private sector and government officials could espouse different value systems. Governments have an interest in accessing people’s data for surveillance and intelligence purposes whereas private companies have a concern with protecting customer privacy and maintaining their trust. This particular dynamic was openly at play when Twitter decided to block United States intelligence agencies from accessing the analytics of its platform’s data (Riberio, 2016). Again, a cyber norm prioritizing privacy over surveillance may be problematic for governments.

Conclusion

This article set out to investigate the role of the private sector as a partner in national strategies of cyber deterrence. It began by developing a variation of the concept of deterrence called RCDC deterrence; that is, a form of deterrence which is simultaneously restrictive, comprehensive, dynamic, and complemental. It was argued that RCDC deterrence is especially suited to address the idiosyncratic characteristics of the cyber environment. After that, the article applied RCDC deterrence to identify and analyze areas of cyber deterrence where private sector contribution can be especially beneficial. These areas include hardening defenses and enhancing resilience, participation in cost imposition, creation of strategic interdependencies, and advancement of norms of appropriate behavior. Some important benefits of private sector contribution appear to be common to all areas. To begin with, the private sector can offer unique state-of-the-art technologies, highly skilled human capital, and critical funding to compensate for a national government’s limited resources. Moreover, while government authority is often geographically limited, private actors’ visibility and reach can extend beyond national borders. In addition, compared to the somewhat cumbersome processes of policymaking characteristic of state bureaucracies, private sector processes of policymaking give these actors more flexibility and speed; key abilities given the fast-changing nature of threats in cyberspace.

Nevertheless, this article also found that private sector involvement in national strategies of cyber-deterrence could have unintended consequences. In particular, it identified a set of security, legal, and moral issues potentially arising from private sector contributions. These issues include threats to national security, expensive litigation and fines, risk of undue influence in democratic politics, and abuse for private gain. By highlighting both the opportunities and the challenges of private sector contribution to national strategies of cyber-deterrence, this article advocates for the need of a more structured and systematic scholarly debate on the nature and desirability of such contribution. Building on the analysis carried out in this work, three avenues for further research seem especially relevant.

One is studying the possibility of measuring the effectiveness, or lack thereof, of private sector contributions. Which contributions are likely to be more effective than others in enhancing national cyber deterrence? How to measure effectiveness? Are there synergies that can be exploited between contributions in different areas? This avenue for research will help decision-makers to prioritize areas of intervention and resource allocation.

A second opportunity for future investigation is exploring practical ways to address the security, legal, and moral issues identified in this article. What safeguards could be put in place to reduce threats to national security? How to assuage the legitimate legal and market concerns of private actors? What measures are needed to facilitate close public-private cooperation while maintaining democratic accountability and transparency in the process? This line of enquiry will offer viable ideas on how to incentivize and improve private sector contributions. It could also lead to policy recommendations for governments on how to best mobilize the private sector for cyber deterrence purposes.

A third avenue for further research is investigating the applicability of the findings of this work to national contexts other than the United States. What would private sector contribution look like in countries that do not possess a domestic ICT private sector as developed as the one in the United States? Would these countries’ reliance on foreign private entities only magnify the security, legal, and moral issues identified in this article? Alternatively, is a national policy of technological self-sufficiency a viable, or desirable, option? These comparative analyses will contribute to the identification of challenges and opportunities that a focus on the United States case might have overlooked.

Ultimately, the economic wellbeing, national security, and social cohesion of countries the world over will increasingly depend on a functioning and secure cyberspace. Meanwhile, actors in the private sector will continue to play critical roles in the development of the cyber domain. The kind of research advanced in this article will be key to providing decision-makers with the information they need to design policies and regulations aimed at maximizing the benefits of public-private cooperation in cyber-deterrence while mitigating its potential downsides.

Acknowledgements

The author would like to thank the colleagues, the interviewees, the anonymous reviewers, and the journal’s editorial team for their comments and advice during the different stages of this project.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Notes on contributors

Eugenio Lilli

Eugenio Lilli is currently an Assistant Professor and Program Coordinator of the Master in American Politics and Foreign Policy at University College Dublin. He received his Ph.D. from King’s College London, War Studies Department. His current research focuses on how advancements in Information and Communications Technology have affected U.S. national security in the areas of defense, homeland security, and foreign policy.

Notes

1 This author acknowledges the possibility of irrational actors and/or failures of rationality. However, the study of these issues is beyond the scope of this specific work.

2 Nonprofit entities can also contribute to national strategies of cyber-deterrence. However, their different non-for-profit nature makes their analysis beyond the scope of this work.

3 Author’s interview with a senior officer of a United States multinational technology company, 11th February 2020.

4 Author’s interview with a senior officer of a United States multinational technology company, 11th February 2020.

5 Author’s interview with a senior official working on cyber policy for a national government, 7th February 2020.

6 Author’s interview with a senior officer of a United States multinational technology company, 11th February 2020.

7 This section focuses on security, legal, and moral issues since these were the issues that arose more frequently in both the review of the literature and the elite interviews performed as part of this work.

8 Author’s interview with an expert in cyber security studies, 9th February 2020.

Reference list