Researchers do not agree whether, when or how deterrence works. It is a risky policy that does not provide any predictability of behaviour, to which the European Union should not subscribe. The EU should instead develop stronger, multi-layered resilience in and for Europe. Such a policy would be protective rather than threatening, persuasive rather than dissuasive, defensive rather than deterring and active rather than opportunist.
The late, great strategist Colin S. Gray observed in 1996 that “deterrence is a subject on which probably far too many words have been written already”. Deterrence theory is based on a beautiful formula: when the costs of non-compliance are higher than the costs of compliance, an actor decides to comply. Therefore, by increasing the costs and the likelihood of costs of non-compliance, compliance can be achieved. Unfortunately, the theory and its functionality can neither be verified nor disproven. Deterrence policy cannot predict behaviour or provide certainty. We simply do not know if deterrence actually works or not. At best, deterrence theory is an ideal or hypothetical set of facts, principles or circumstances, or simply abstract thought. At worst, it becomes a dangerous dogma, an automatically taken speech-act, promoting belligerent policies and antagonistic behaviour.
Therefore, the willingness with which the European Union has embraced the concept of deterrence in its cyber policies is questionable. The oft-invoked central tenets of conventional and nuclear deterrence are fundamentally incommensurable with the cyber condition. Cyber incidents, operations and conflict still need to be prevented, of course: focusing on resilience offers the EU a more effective way to address current challenges by promoting respect for international law, defending European values and reducing the risk of escalation.
Deterrence Meets Cyber
Deterrence theory became particularly popular during the Cold War, when the existence of two superpowers with sufficient means to destroy each other was believed to help maintain international peace and security while ultimately saving life on the planet.
Nuclear weapons and the superpower ability of a so-calledsecond strikehave not disappeared. They have transformed. The conditions and the context for the application of deterrence in cyberspace are different.
In the nuclear setting, during the Cold War as well as now, the culture of zero tolerance prevails – failures of deterrence, at least in the purest sense, would have been unacceptable. A nuclear or any major military attack would have been met by countermoves, retaliation by a force de frappe – even when everything had been lost. In cyber affairs, nobody can uphold zero tolerance. Information and communication systems are inherently vulnerable, prone to technical incidents or human errors, never mind deliberate attacks.
Moreover, during the Cold War, superpower military confrontation took place in what was then considered the global periphery: Asia, Africa and Latin America. The two superpowers and their allies were careful not to endanger international peace and security in their northern hemispheric core area. Today, state and proxy cyber operations, both espionage and effect-creating, are the norm rather than exception.
Most widely tolerated are operations state intelligence, security and law enforcement agencies and armed forces conduct against universally-recognised extremist, terrorist or criminal organisations. State and proxy cyber operations within existing dyadic conflicts or against targets of lower value are contingently and tacitly tolerated. India and Pakistan, Russia against the other former Soviet republics, the US and Iran: cybered conflicts are considered better than conventional, biological or nuclear ones.
The most unacceptable operations seem to be the ones which jeopardise international order or national security. Therefore, operations such as the 2016 infiltration of the Democratic National Congress servers or the 2017 most likely Russian attempt to hack the Organization for the Prohibition of Chemical Weapons are considered dangerous and irresponsible and receive wide international condemnation. Similarly, attacks against, for example, strategic early warning and weapons systems would not be accepted without calls for responses and deterrence, i.e. punishment, to kick in.
The cyber realm is way too wide, crowded and multifaceted for the classical theory of deterrence to satisfy states’ political ambitions. The monochrome logic of deterrence, in particular the dominating tenet of punishment, won’t suffice to manage the new setting of uncertainty, blurred lines of responsibility, multiple thresholds and myriad actors. Furthermore, it is impossible to apply the operational logic of deterrence to the whole spectrum of the public sector, the private sector, civil society and the individual (end-users).
|Aspects||Nuclear realm||Cyber realm|
|Actors||Originally two (US and Soviet Union) Currently, five nuclear weapon states, and three to four (additional) states with nuclear weapons||193 countries, millions of private entities, 4 billion (est.) individual users|
|Cost calculations||Loss of life, physical destruction and economic losses foreseeable Value rationality estimated||No foundational basis to estimate the losses or costs No possibility to sufficiently estimate the value rationality of potential deterrers and deterrees|
|Decision-making||Assumed rational-calculative (Research literature challenges the assumption of rational-calculative decision-making)||No possibility to sufficiently count on the rational-calculative decision-making of potential deterrers and deterrees|
|Communication of deterrence capacity||Demonstrable and detectable material capacity Directed communication of intent possible||Potentially demonstrable and partially detectable material capacity, undetectable effect-creating capacity Direct communication of intent possible to identified actors; indirect (carpet) communication possible|
Table 1. Aspects of deterrence in the nuclear and cyber realms. Author’s compilation.
A European Way?
Why, then, do we have still more research papers and reports – such as the 2018 US Department of Defense Cyber Strategy and the Cyberspace Solarium Commission report – that call for cyber deterrence? It is difficult to explain the research and policy communities’ fascination with cyber deterrence. Political, professional and scholarly cybersecurity discourse, in general, takes a permissive and operational view of deterrence without elaborating its known problems – most notably, attribution, communication and equivalence of effects. The permissive literature calls for credible deterrence through new calculations, improved patterns of behaviour, and increased capacity to deter.
Deterrence is said to be proved to work because no nuclear war has been waged: the Russians or the Americans (or Indians or Pakistanis for that matter) have not attacked, for example. Likewise, cyber deterrence is argued to work when malicious behaviour in cyberspace has dropped, or, simply, any undesired activity has not taken place. Accordingly, deterrence is said to have failed if any of such undesired activity has taken place. Again, we simply do not know, nor can we ascertain, why decisions about war and peace, offense or peaceful relations, attacks or no attacks have been made. Deterrence theory claims to affect, even change, behaviour – but even for observable states of affairs this causation cannot credibly be proven.
Cyber deterrence, rather than having any real operational value, reflects a sentimental longing for predictability and comfort that the Cold War deterrence logic provided. Moreover, deterrence is a token, a canon, used in justifying and demanding more attention and resources for political and military responses and offensive capabilities. Despite the acknowledged the multi-faceted problems with deterrence, abandoning the concept seems a heresy. For example, after all but declaring the patient dead, Lucas Kello makes an about-face and declares cyber deterrence capable of rescue: deterrence in cyberspace is not intended to prevent all attacks, he argues, but to slow down the pace of unpeaceful activities. Without explaining how that cognitive-behavioural effect takes place, the reduced-pace argument does not qualitatively differ from other permissive views. Max Smeets and Stefan Soesanto notice the lack of scholarly enthusiasm for cyber deterrence, but conclude that new research focus is likely to “re-energize the topic”. Similarly, Aaron Brantly recognises the problems with deterrence, but concludes that “the solution to the deterrence problem is not abandoning it but expanding the range of alternative strategies not presently considered”. Yet, nothing necessitates this adherence. For decades now, Europe has resisted the temptation to resort to politics of threat, unilateral sanctions and countermeasures. The European value base, political thought, strategic culture and politico-military capacity were considered different, less aggressive, more cooperative and rule-based.
Yet, recently, in the aftermath of Russian operations in Ukraine, the new normal of state cyber operations and the failures to maintain, let alone enhance, the international, rules-based public order, even the Europeans have been listening to the siren song of deterrence. Poland, for example, considers investments in deterrence “indispensable” in its 2017 national cybersecurity policy; the French 2018 cyber defence review calls for an adoption of an “active stance of attack deterrence and coordinated response”; and at the 2019 CyCon conference, Estonian President Kersti Kaljulaid demanded readiness to “use deterrence tools” as reaction to malicious cyber operations.
The Council May 2019 Decision “concerning restrictive measures against cyber-attacks threatening the Union or its Member States” stresses the importance of clear signalling of the likely consequences of malicious cyber activities and seeks to influence the behaviour of potential aggressors in cyberspace in the long term. The so-called “cyber diplomacy toolbox” also adheres to the logic of deterrence. It does so with typically European tools which many may criticise as impotent, but which should be applauded as non-offensive and non-violent. The fine balance for the EU now is to widen the amount and effect of consequences without falling into the trap of threatening deterrence. At the same time, more emphasis should be put on enhancing organisational, national and regional resilience. As Matthias Schulze argues, “[D]eterrence by punishment is most likely a strategy doomed to fail”.
Towards Layered Resilience
Despite the efforts of responsible countries to design political and legal approaches to prevent harmful and malicious cyber operations from occurring, such a stable state is hardly fully achievable. Alongside global norms, treaties and agreements, then, it is useful to reduce the likelihood that attacks and operations will achieve their objectives by increasing European resilience (both cyber and informational).
Resilience as an actor-neutral measure should replace or at least precede punishment and serve as a warnings against brinkmanship in the European strategic lexicon. Robust, threat-neutral and de-escalatory resilience is better suited to accommodate unpredictability, a feature particularly relevant to the cyber context, than deterrence. Investments in resilience and good security practices, in turn, are likely to significantly improve the functionality and continuity of information and communication technology systems and services.
Indeed, instead of dreaming of the layered cyber deterrence regime the Solarium Commission recommends for the US, Europe should build a layered cyber resilience doctrine. Layered resilience covering the individual, the private sector and state entities, services, functions and infrastructure would reduce and cut short ad hoc and low-intensity cyberattacks and the risk of escalation. We can obtain data about and understand the success of resilience policy by applying methodologies and measures used in policy analysis proper to cyber- and information security. For example, increased mean times between incidents or decreasing severity of data breaches would let decision-makers and the public know what the returns of political (security) investments were. This argument echoes that made by Sean Lawson: cybersecurity policy should be (i) “based on more realistic understandings of what is possible that are informed by empirical research rather than hypothetical scenarios” and ii) “guided by principles of resilience, decentralization, and self-organization”.
Doesn’t all this now sound like deterrence by denial? Increased resilience has been shown to decrease the success rate of attacks. The fundamental difference between a policy of deterrence (by denial) and a policy of resilience is that the former is believed to affect the adversary’s decision-making while the latter is known precisely to reduce the success rate of attacks. The foci and objects of the two policies are very different. Only one of them, resilience, can be said to provide at least some crude predictability.
About the Author
Mika Kerttunen is Senior Researcher at Tallinn University of Technology, Centre for Digital Forensics and Cyber Security, and Adjunct Professor in military strategy at the Finnish National Defence University.