Deterrence theory formed the foundation of the narratives and the strategies that shaped the Cold War, and many now seek to apply classical deterrence to the cyber sphere. In essence, deterrence theory holds that maintaining a credible retaliatory capacity can prevent opponents from attacking, since they know that if they attack, they will be destroyed. But there is a lot of confusion about how deterrence would work in the cyber domain. With a recent Presidential Executive Order and Defense Department Cyber Strategy addressing cyber deterrence, it might be useful to consider some myths about the policy.
1. Deterrence will help us stop all our cyber adversaries from penetrating our cyber networks and infrastructure.
Not really. Deterrence is not a panacea. Deterrence is a strategy to dissuade and deter potential attackers, but it will never deter all actors. The success of deterrence comes down to our ability to convince our adversaries that their cyber intrusions come with too high a cost to them. It does not mean that the attackers won't find new or different targets.
2. Nuclear deterrence gives us the template for cyber security strategy.
Not necessarily. There are a number of significant differences between nuclear and cyber power. For example, the cyber "club" is much broader than the nuclear club, including non-state actors. Private companies are often on the front lines defending against cyber intrusions and attacks. Cyber deterrence demands a joint private-public deterrent response.
3. No Attribution, No Deterrence.
No. Attribution can be difficult and denied by skilled actors. However, gaining access to a network can still come with significant costs for an attacker, regardless of known origin.
4. Network Defense Is Not Deterrence.
No and See #3. A good defense can indeed deter certain adversaries and attacks – not all adversaries and attacks. Good "situational awareness" of the "crown jewels" of the network and the motives of attackers can be a key part to successful deterrence. This is what is often referred to as "deterrence by denial."
5. Deterrence Means "Hacking Back".
Not if you are a business and don't want to be in violation of the Computer Fraud and Abuse Act (18 USC 1030). Nor does the government and/or the Department of Defense have carte blanche — there is a rigorous process for any offensive cyber activity that might damage other networks. Just as in kinetic warfare, collateral damage and unintended consequences in cyber warfare can and do occur. The belief that there are no controls on government's offensive cyber activity is simply mistaken.
6. Resilience Is Unrelated to Deterrence.
Wrong. Being able to demonstrate that there are processes and resources in place to respond to cyber attacks and disruptions could discourage some actors if they believe their actions will be less impactful than anticipated.
7. Heavy Jail Sentences for Hackers Will Deter Cyber Criminals.
Perhaps, but not consistently. Knowing there may be serious consequences might deter some but probably not the most serious cyber criminals, especially since so many of them are beyond the reach of U.S. Law Enforcement.
8. It's Easier to Deter A "Rogue State"
Probably Not. The very fact that a state is not strongly linked into the international economic or banking system, like North Korea, actually can make cyber attacks more attractive to them. The less stringent the consequences, the less likely deterrent strategies will stop their activity. Sanctions and Denial of Service attacks against North Korea have not yet deterred its other cyber intrusions and disruptions aimed at other targets, especially in South Korea.
9. Naming and Shaming Can Be Effective.
Toss Up. The U.S. government named North Korea in the SONY hack and named China for commercial espionage. China agreed to stop non-government economic spying on the U.S. The jury is out as to whether we will see a marked, consistent change in behavior.
10. Legal Norms Do Not Have A Role In Deterrence.
No. Legal norms may actually have an impact on deterrence. The Tallinn Manual and the Budapest Convention have fostered some basic norms. While it is true that not all cyber actors will always adhere to these norms, they still can form a foundation for deterrent activities by cooperating states.
