Cyber Deterrence is an Oxymoron for Years to Come

November 20, 2018 Topic: Security Blog Brand: The Buzz Tags: Cyber SecurityDeterrenceNATOMADCyber Warfare

Cyber Deterrence is an Oxymoron for Years to Come

For cyber deterrence to make any sense for state actors, they need some concrete indicators of others’ offensive cyber capabilities. Thus, in order to develop even a rudimentary cyber deterrence framework, states need some lessons learned from the effects of “cyber weapons” and cyber war.

For more than two decades after the end of the Cold War, Western states were able to redefine international security and associated rules related to the use of military force within the globalizing international system. During this period, between 1989/1991–2013, many traditional concepts of international politics and strategy were cast out on the trash heap of history. “Great-power politics,” “spheres of influence,” “defense” and “deterrence” were such concepts. They lost practically all of their political correctness and analytical usefulness with the winding down of the superpower confrontation and the dissolution of the Soviet Union in the early 1990s.

From then on, Western statesmen and strategic thinkers relied more on concepts such as “the liberal world order,” “engagement,” “democracy promotion,” “human security,” “humanitarian interventions” and “counterinsurgency operations.” Thus, between 1989/1991–2013, the Western security community lost a vocabulary on strategy that would be useful in the contemporary world in order to tackle existing and future security threats related to adversarial great power relations and a potential for a large scale war in Europe or Asia.

The loss of a framework for defense and deterrence within the West is bad enough for the conventional warfighting and nuclear realms. They are, however, the easy cases when compared to cyberspace. To date, we have witnessed zero cyber wars between states. Criminal acts committed in cyberspace do not constitute war. Nor do state-sponsored distributed denial of service (DDoS) attacks, knocking off web pages or online services. Similarly, spreading malign content in the social media is at most a nuisance—not even close to warfare.

Although cyberwar has been coming for the last twenty-five years, it has not entered the scene of statecraft even once. Thus, all of the argumentation, doctrine formulation and policy articulation related to cyber war is speculation at best, and science fiction at worst. As the 2015 published NATO Cooperative Cyber Defense Centre of Excellence report on Cyber War in Perspective: Russian Aggression against Ukraine noted: “everything we have seen so far falls well short of how national security thinkers—and Hollywood—have portrayed cyber war.” In the report, Martin Libicki also noted in his article titled “The Cyber War that Wasn’t,” “The most notable thing about the war in Ukraine, however, is the near-complete absence of any perceptible cyber war.”

Today we live in a world where the role of cyber war is much opaquer than was the case with nuclear war in the late 1940s and the next decades. During those times the brilliant minds focused on deterrence theory formulation actually had some empirical material to turn to. Although “Little Boy” and “Fat Man” dropped on Japan were low-yield devices compared with the development of nuclear weapons during the following decades, the scale of destruction caused by them made it obvious pretty soon that a new conceptual approach to warfighting was warranted—called deterrence. Despite this fact, both the Soviet Union and the U.S.-led NATO alliance prepared to use hundreds of nuclear weapons in Central Europe against each other years on end. In addition, the nuclear arms race post–1949 (when the Soviet Union detonated its first nuclear weapon) touched only two states: the United States and the Soviet Union. Even with these mitigating factors, it took almost twenty years to formulate a perspective on nuclear deterrence that was more or less shared by the two main protagonists of the bipolar confrontation. In the West, this shared understanding concerning nuclear weapons became known as the Mutually Assured destruction (MAD).

Enter cyber deterrence. As our societies, government organizations and military forces are becoming more and more cyberspace-reliant, it is natural for the statesmen and analysts to ponder the positive and negative aspects of this trend. For years, hubris about the upcoming cyber war has dominated the headlines. “Cyber-Pearl Harbors” or “critical cybersecurity problems” get a lot of media attention. Today, cyber war is defined as much by Hollywood as it is by national security decisionmakers and analysts. This fact reflects the problems that Western states (and others) have trying to square the circle on cyber deterrence: how to deter something that is difficult to define (cyber war/attack), hard to attribute to certain actors and has never happened so far?

Having lost a generation of deterrence experts and expertise after the end of the Cold War, many Western states are now jumpstarting research programs focusing on conventional and nuclear deterrence in a world of great power rivalries and power politics. This in itself is a task taking years in order to produce a credible deterrence framework with the associated military capabilities needed in Europe and Asia. In addition, many Western states are trying to integrate the cyber domain into this emerging “new” deterrence framework. This is almost an insurmountable task for the foreseeable future. The “nature” of cyberspace is so different from anything we have witnessed within our warfighting or deterrence paradigms in the past that forging a credible cyber deterrence framework is likely to be impossible—at least for years to come. There are at least three reasons for this.

First of all, having zero cases of cyber warfare in the past provides a wobbly foundation for deterrence theorizing. After all, how credible can deterrence be, when there is no shared understanding about existing cyber warfare capabilities and their real life effects? And credibility of the threat is a key aspect of deterrence.

Second, the problem of lacking empirical material on cyber warfare is multiplied by the very nature of offensive cyber activity: in order not to provide tools for one’s adversary to establish any form of effective cyber defenses, one cannot communicate anything about the existing (and projected) cyber capabilities at one’s disposal. The effectiveness of “cyber-weapons” is based on not communicating about the existing vulnerabilities within cyberspace in general and the adversary’s “cyber systems” in particular. Any effort to do so would decrease the effectiveness— and deterrent value—of existing “cyber weapons.” From a deterrence perspective, this is a major problem: trying to communicate about one’s cyber warfare capabilities would actually end up undermining one’s deterrent capability.

Third, the number of actors capable of some form of “cyber-attack” is so great—at least in the future—that any one framework of deterrence theory will not be able to capture them all. Even though 99.99 percent of cyber-attacks were criminal acts or hacktivist incidents, attribution will be a problem for the foreseeable future (read: who did it?). In addition, how to draw the line between criminal acts and warfare without information about the motivation of these cyber-attacks?

For cyber deterrence to make any sense for state actors, they need some concrete indicators of others’ offensive cyber capabilities. Thus, in order to develop even a rudimentary cyber deterrence framework, states need some lessons learned from the effects of “cyber weapons” and cyber war. The cases of nuclear war (1945) or the firebombing of cities (during World War II) are examples of the effects of concrete cases that influenced the way that states conceptualize the utility of certain weapons of war. Today we have no concrete cases of cyber warfare to draw lessons from. And it is possible that this lack of empirical material related to cyber warfare continues for years to come. While this is good news, it will also prevent the development and maturation of any meaningful cyber deterrence framework. States will not reveal their cyber weapon arsenal for deterrence purposes. They will reserve it for the possibility of waging cyber war.

Lt. Col. Jyri Raitasalo is military professor of war studies at the Finnish National Defence University. The views expressed here are his own.

Image: Reuters.