The efficacy of deterrence as a method of conflict management is highly disputed. Yet, deterrence persists as a go-to security strategy and is flourishing in the spheres of cyber and information warfare. The EU is now embracing deterrence and its political appeal to advance its cybersecurity posture. But the prudence of this move remains unproven, and it is counterintuitive to the EU’s ambitions as a positive and pacifying force in cyberspace.
What’s deterrence got to do with cyberspace? The many meanings of deterrence invoked by defence intellectuals debating how the logic and mechanisms of this central international security practice apply to the cyber realm can rightfully make one’s head hurt.
The recently published EU’s Cybersecurity Strategy for the Digital Decade (2020) calls on the EU to further define its cyber deterrence posture “to prevent, discourage, deter and respond to malicious cyber activities”. Such a broadly formulated aspiration invites reflection upon the semantics of deterrence in the EU’s discourse on the subject, as well as on the rhetorical power of an actor otherwise self-conscious about playing the “traditional security” card deploying deterrence.
What Does the EU Want in Cyberspace?
As with any security-speak, using the trope of deterrence is not politically neutral: both calling for deterrence and claiming one’s cyber toolbox contains an effective deterrent are actions with meaning in the international signalling game of intentions. Asking what the ritual invocation of cyber deterrence does for the EU as a security actor with particular capabilities, responsibilities and ambitions in regard to the future leads to two main conclusions.
First, deterrence as a generic shorthand for prevention of harm in cyberspace needs to be distinguished from deterrence as an articulation of a concrete and credible threat to prevent an enemy from doing something in order to be “efficacious”. While there is little reason to object to deterrence in the first sense of the term, including the application of the broad “prevention/denial by resilience” logic in cyberspace, the practical workings of cyber deterrence in the second sense of the word are rife with difficulties. This makes extending the already “deeply flawed strategy of deterrence” to the cyber domain an intriguingly puzzling move.
Second, the EU incorporating deterrence into its identity in the cyber domain reflects its attempts to project an image of itself as a serious actor in the realm of international security. Constructivist critics of the standard premises of rational textbook deterrence have pointed out that issuing deterrent signals can, among other aims, serve to maintain an actor’s self-identity. Deterrence is particularly valued for a “deterrer actor” with an ingrained deterrer identity. Attachment to and performance of deterrence can relieve such an actor’s anxiety in dealing with the fundamental transformations and ambiguities of international politics, not least in cyberspace.
Yet, the EU’s adoption of a deterrence profile in the cybersecurity context is curious, because it does not have a historically entrenched identity as a deterrer. Since the ontological security argument of an embedded deterrer identity is not there in the EU’s case, its attraction to cyber deterrence deserves deeper reflection. The EU’s desire to have deterrence in its toolbox for navigating the cyber threat landscape reiterates the power of deterrence in the practice of international security. Consequently, the ritual incantation of this ambiguous word must be taken seriously.
Cyber Deterrence: What’s in a Name?
Both “deterrence” and “cyber” are polysemic (capable of having many meanings) and notably busy concepts. Deterrence can refer to (i) core strategy in international security politics, (ii) an important concept and influential theory in International Security Studies or (iii) a powerful idea animating state identity and security management efforts. Referring to an actor’s ability to persuade another not to take a specific action by making its prospective costs outweigh its anticipated benefits – either by denial (the threat of effective defence) or by punishment (the threat of retaliation) – deterrence is marked by fundamental ambiguity. A series of diplomatic, political and military rituals are performed by deterrence practitioners in an attempt to mediate this ambiguity.
“Cyber” is an equally ambiguous umbrella term for all matters digital. “Cyber deterrence” might refer to (i) using cybermeans to dissuade a challenger from using cybermeans or attacking the defender’s cyber infrastructures; and/or (ii) using kinetic means to dissuade a challenger from using cybermeans or attacking the defender’s cyber infrastructures; and/or (iii) using cybermeans to dissuade a challenger from conducting a kinetic attack. The most general definition of cyber deterrence might be agreed to be: a strategy aimed at preventing attacks on defenders’ cyber infrastructure and/or preventing challengers from using their cyber capabilities. However, that still leaves us to grapple with the multidimensionality and multi-actorness of cyberspace, and the consequent implications for successful deterrence therein.
Scholars distinguish four layers in cyberspace: the physical layer (satellites, fibre optic cables, computers, servers); the logic layer (that is the central nervous system of cyberspace, namely Internet protocols, domain name systems, browsers, websites, software); the information layer; and the users. Attacks can also vary: they may be mechanical (e.g., cutting cables, bombing command-and-control centres); electromagnetic (jamming frequencies); or digital (intrusion of systems and networks). Invoking deterrence in cyberspace hence requires clarification: will deterrence cover the boxes and wires, protocols, information, inter-subjective social layer or all of the above? A policy of deterrence might seek to deter terrorist hacking, restraint of Internet freedom or electronic surveillance: all notably distinct modes of cyber deterrence. Credible signalling of capability and resolve to defend the physical and logic layers of the Internet requires diverse means, tools and modes of engagement against multifarious state and non-state actors.
Those advancing cyber deterrence postures would hence do well to reflect on exactly what and who they are seeking to deter, and how. Is the EU looking to buttress its profile in countering specific military and ‘grey-zone’ operations in the cyber domain, or is it, rather, reinforcing its general resilience against challenges to its networks, digital infrastructure and political legitimacy originating in the cyber realm? Is the emphasis of cyber deterrence on deterring cyberattacks against critical information systems, or denying putative aggressors access to information andnetworks? Is the Union’s emerging cyber deterrence posture also supposed to effectively deter cyber sabotage and digital disinformation? And how useful is it to think of cyber deterrence as a distinct domain when contemporary discussions on cross-domain deterrence as part of actors’ overall deterrence postures and strategies increasingly emphasise the inevitability of a cyber component?
Cyber Deterrence: Setting the EU Up For Failure?
The fundamental problems of deterrence theory – determining credibility of deterrent signals and whether they actually work – are further amplified in the cyber context. The trouble is that the credibility of a deterrent threat ultimately rests in the eyes of the would-be challenger. There are two related issues here: one common to deterrence in general and another more particular to the specifics of cyberspace.
The first “but” is that even when the deterrer does the right things the challenger may still attack. Further, in practice, it has been notably difficult to pin down the success of general deterrence and understand how exactly it does its “magic”. These stakes are further heightened in cyberspace due to its ambiguity, the multiplicity of actors operating therein, difficulties related to distinguishing hostile attacks from inoffensive mistakes and the problem of inconclusive attribution. Practicing deterrence in cyberspace is inherently challenging because of the lack of information about the capabilities and intentions of the many actors in cyberspace. This information would normally provide the basis for deterrence strategy (and for the assumptions of rational deterrence theory). Deterrence in cyberspace calls for a tailor-made approach – and custom tailoring for each of the large number of state actors, cyber proxies and autonomous non-state players involved.
The bulk of deterrence theory grapples with the questions ofif and under which conditions deterrence works, highlighting capabilities, credibility of the threat/intentions/commitment and effective delivery/communication of the messages to the challenger. This has, however, proven quite impossible to concretely determine in practice, considering that the proof of deterrence’s success is “nothing much happening”. Communicating intentions and the mutual interpretation of perceptions is all the more complicated in the social practice of cyber exchanges, compared to the more ordered, state-centric conventional and strategic/nuclear playing field. Cyberspace is the realm of uncertainty, ambiguity and interpretive indeterminacy par excellence: the domain of “unpeace” as per Lucas Kello. It is a space where mid-spectrum harm and international rivalry reign. Without matching the physical destructiveness of traditional war, it is still sufficiently more of a nuisance than conventional forms of peaceful rivalry. Deterrence strategy’s chances for effectiveness in cyberspace remain rather dim.
The Identity Politics of Cyber Deterrence
Actors resorting to deterrence to claim credibility in the realm of cybersecurity highlight deterrence’s persistence as an ontologically reassuring practice and a part of the authoritative strategic repertoire in international security politics. The ritual return to paths well-trodden while grappling with the challenge of novel (military) technologies helps international actors muddle through the ambiguities and uncertainties of the cyberspace.
As all rituals, the ritual-like practice of deterrence helps to organize and load the world symbolically, to establish a sense of control in confronting an environment with countless undetermined challenges and challengers. Resorting to calling for establishing a cyber deterrence posture for the EU is part and parcel of negotiating the EU’s authority and self in global cyber diplomacy. Observed through a ritual lens, the invocation of deterrence in the context of cyberspace is also an attempt by those invoking it to claim authority in this sphere and to overcome anxiety about the uncertainties against which they’re seeking to pre-emptively defend themselves – both the known and unknown unknowns. The ritual incantation of deterrence in cyberspace bespeaks of an attempt to work through this ambiguity, to take charge of this foggy space and to project power within it. Deterrence rituals are one of the conduits through which political identities and communities are made.
The EU’s take on cyber deterrence appears to combine deterrence by denial (through effective cyber resilience) and deterrence by delegitimization (via the increasing practice of naming and shaming offenders, thereby raising the reputational costs of the behaviour). But the EU should avoid the temptation to mimic other traditional security actors who have recently adopted cyber deterrence strategies, such as the USA, Russia, China and Israel. Rather than a punishment- and threat-driven deterrence posture, the EU’s distinctiveness and its added value in honing security in cyberspace could come from the bloc’s emphatic diplomatic initiatives to work out cybernorms regulatory frameworks.
This commentary builds on the author’s recent academic article, A ritual approach to deterrence: I am, therefore I deter, in the European Journal of International Relations.
Thumbnail image: Credits to Chris Slupski on Unsplash