The Limits of Deterrence Theory in Cyberspace
Philos. Technol.
The Limits of Deterrence Theory in Cyberspace
Mariarosaria Taddeo 0 1 2
0 Mariarosaria Taddeo
1 The Alan Turing Institute , 96 Euston Road, London NW1 2DB , UK
2 Oxford Internet Institute, University of Oxford , 1, St Giles, Oxford OX1 3JS , UK
In this article, I analyse deterrence theory and argue that its applicability to cyberspace is limited and that these limits are not trivial. They are the consequence of fundamental differences between deterrence theory and the nature of cyber conflicts and cyberspace. The goals of this analysis are to identify the limits of deterrence theory in cyberspace, clear the ground of inadequate approaches to cyber deterrence, and define the conceptual space for a domain-specific theory of cyber deterrence, still to be developed. This article is part of a project on "Landscaping Cyber Detterrence" funded bythe John Fell OUP Research Grant, University of Oxford (grant number 151/063)
Cyberspace; Cyber conflicts; Defence; Deterrence; Retaliation; State; Stability; International Relations
1 Introduction
Historically, the design and deployment of new and more effective weapons (from
bombs and aircraft to chemical and nuclear weapons) have often posed the need to
define new strategies to deter their use. This is also the case when considering cyber
weapons. Their relatively low entry cost and the high chances of success make cyber
weapons an elective means for state and non-state actors to assert their authority, show
their power, and prove their capabilities in cyberspace.
This poses serious risks of escalation, for the increasing use of cyber weapons
invites frictions and tensions that may lead to the sparking of new cyber conflicts,
which could intensify and jeopardise international stability and the security of our
societies. For this reason, state and non-state actors, scholars, military strategists, and
policy makers have increasingly stressed the need to develop cyber deterrence as a
crucial step in any plan for international stability
(European Union 2014; International
Security Advisory Board 2014; UN Institute for Disarmament Research 2014; UK
Government 2014; European Union 2015)
. Nonetheless, applying traditional1
deterrence theory (henceforth simply deterrence theory) to cyberspace proves to be
problematic, when not ineffective. Cyber conflicts differ radically from violent (kinetic)
conflicts and define a scenario that is actually the opposite of the one for which
deterrence theory was developed.
Consider Morgan’s six elements of deterrence
(Morgan 2003)
. Deterrence works in
a scenario characterised by (1) a prevailing, kinetic military conflict; (2) the
applicability of rational choice models to identify strategies for the involved parties; (3)
positive attribution, as not problematic; (4) singular retaliation (more on this presently),
as sufficient to inflict severe punishment to the opponent; (5) the possibility of a clear
demonstration of the defender’s capabilities; and (6) full control over retaliation. To this
scenario, cyber conflicts oppose one characterised by (1) several state-run, non-kinetic
cyber operations; (2) multiple (state and non-state) actors; whose (3) cost–benefit
analyses vary depending on their nature; (4) non-symmetrical, multilateral interactions;
(5) ever-changing dynamics; and where (6) ambiguity (rather than certainty) shapes
strategies
(Sterner 2011)
(Haggard and Simmons 1987; Jervis 1988; Libicki 2011)
.
The differences between the kinetic and cyber scenario yield serious problems when
applying deterrence theory in cyberspace. While there is a general consensus on what
these problems are (for example, problems of attribution and proportionality), there is
much less agreement on whether and how they can be solved
(Kugler 2009; Tanji
2017)
. Some suggest that these problems are unsolvable and that the nature of
cyberspace is such that deterrence will ultimately be ineffective in this domain. In this
vein, Lan and colleagues stress that:
the anonymity, the global reach, the scattered nature, and the interconnectedness
of information networks greatly reduce the efficacy of cyber deterrence and can
even render it completely useless (Lan et al. 2010, 1).
The opposite view holds that deterrence could play a crucial role in averting cyber
conflicts and their escalation. The question is whether deterrence theory provides the
right framework for cyber deterrence or a new theory of deterrence—‘a new mind-set
and changed expectations’
(Sterner 2011, 62)
—should be developed to address the
specificity of cyber conflicts and cyberspace. I agree with this view and address this
question in the rest of this article.
In the next sections, I will analyse the core elements of deterrence
theory—attribution, defence and retaliation, and signalling—and the extent to which each of them
would be effective in cyberspace. I will argue that the limits of deterrence theory in
cyberspace are not trivial and indicate fundame (...truncated)