Deterrence is an important part of warfare, often the most effective form of defending. Therefore, in the next couple of years we expect to see states reveal some of their offensive cyber capabilities more openly than they are doing today. The goal of deterrence is to make our opponents abstain from attacking, yet if the deterrence is too strong it may lure us into lowering our own attack threshold. The complex logic of cyber deterrence deserves a closer look.
Effective deterrence convinces our opponents that it is too costly to attack us. This evaluation is based on both material facts and perceptions about our skills and motivation. We can achieve deterrence through a strong defense, a convincing ability to turn the opponent’s potential success into a Pyrrhic victory, or a vast capability for retaliation. The strength of our deterrence can be backed up by vigorous information campaigns. However, in cyberspace virtually every system is breachable, attribution is difficult if not impossible, weapons are often used only once, and verifying anyone’s capabilities is challenging. Building effective deterrence requires applied ways of thinking.
Deterrence through strong defenses
The idea behind the majority of cybersecurity solutions is to build defenses that no attacker can break through. Smart defenses do not try to protect everything but concentrate on safeguarding the most essential assets in all circumstances. The success of this endeavor is difficult to estimate because most advanced attacks can camouflage themselves. They are often found only after a long period or not at all. Nevertheless, establishing a strong defense is worthwhile because defenses known to be solid will turn some potential attackers toward easier targets. Alongside technical aspects, a strong defense includes a workforce that knows how to act in a smart way.
Unfortunately, strong defenses motivate some cyberattackers. With enough resources and time, every system is penetrable. Victory tastes the sweeter the harder it is to achieve. In addition, gaining control—whether of military communications or SCADA systems in critical infrastructure—gives the attacker a powerful edge. The ability to demonstrate a strong defense, again, increases deterrence.
Deterrence through performance and action
Traditionally, effective perceptions of our capability, which contribute to deterrence, arise from military and other verifiable actions. Parading the equipment has been a way of convincing opponents as well as our own people of military might.
In cyberspace parading the equipment is not a good idea. The effectiveness of cyber weapons is always tied to context, and showing them may reveal systemic weaknesses to opponents. Concealing our weaponry is a better choice. Even if we use cyber weapons, we can plausibly deny their existence because of the difficulty of attribution. Parading the equipment has been left to hacktivists or criminals. States have only recently begun to acknowledge their involvement in cyberattacks.
Observable capabilities to prevent and preempt attacks may constitute a part of deterrence. However, it is challenging to prove that an event was prevented—because it presupposes that something that would have happened otherwise did not take place. Both strategies require extremely good intelligence and know-how to prevent attacks. If our opponent is unknown, for example, preemption attempts can turn against us: Hitting the wrong target creates a new enemy and can escalate the conflict.
Deterrence through retaliation
Many who cannot build a strong defense choose to build a strong capability for retaliation. Even if the opponent can get through our defenses, we will hit back—and hit hard. Creating a credible offensive capability requires a different kind of thinking and investment than building defenses; ideally they support one another. In cyberspace, retaliation is restricted by our ability to recognize the opponent and know its systems. Yet just knowing that our capability exists may deter some potential opponents. Moreover, cyberattacks may be answered by physical actions, too.
Cyberspace is omnipresent in our society. Therefore, we can build deterrence only in cooperation with all levels of society. Ideally, up-to-date technology combined with skilled people creates credible deterrence—but the capability must be demonstrated. This need increases the importance of offensive capabilities. Due to the high number of cyberattacks we face each day, it is difficult to estimate when, against whom, and for how long cyber deterrence remains effective.