Abstract:
Deterrence has been at the core of the United States foreign security policy for years, but as we move deeper into the cyber age, it is growing more and more evident that deterrence simply isn’t as effective now, as it was before the age of computing. Many recent reports related to cyber deterrence, including this one, focus on the fact that cyber deterrence is exactly the opposite of any traditional form of deterrence.
The classic example of effective deterrence is nuclear deterrence, but difference in the cyber space is the fact that the threats can come from players even smaller than the state actors, all the way down to the individual. The pure scale of potential attacks and attackers is many times more than any previous form of malicious activity. Additionally, Lewis speaks about the anonymity of the Internet and how attributing attacks to players can be difficult.
Lastly, and arguably most important, is the fact that cyber crime and cyber threats are hard to retaliate and punish form. Deterrence is based on the idea to “impose intolerable costs if an opponent takes an unacceptable action,” (Lewis, p. 1) but the problem is that in the cyber domain, it is hard to create these intolerable costs. It is difficult to create punishments and retaliations because there isn’t an easy way to recognize or classify the severity of cyber attacks. Cross domain retaliation against cyber attacks, where a country will retaliate via other means like military or economic attack, is useless because it is nearly impossible to convert cyber crime to other domains. As Lewis puts it, “How many ATMs must Iran hack to justify a cruise missile response?” (p. 3).
Keywords: Deterrence, cross-domain deterrence, espionage
Institution:
Center for Strategic International Studies
Industry Focus:
Information & Telecommunication
Internet & Cyberspace