In lieu of an abstract, here is a brief excerpt of the content:

  • Is Deterrence Possible in Cyberspace?
  • Richard J. Harknett and Joseph S. Nye Jr.

To the Editors (Richard J. Harknett writes):

In “Deterrence and Dissuasion in Cyberspace,” Joseph Nye reveals the difficulties in applying deterrence to cyberspace by extending the concept from its hard core of retaliatory dynamics and threat of denial to include entanglement (interdependence by another name) and norms.1 This extension of concept still leaves Nye apparently dissatisfied: he concludes that deterrence in the Cold War was not as good as scholars and policymakers think it was, so perhaps they are holding cyber deterrence to an illusionary standard. Essentially, Nye suggests that both scholars and policymakers should cut cyber deterrence a break.

The management of cyber aggression does indeed need a break: a sharp break away from deterrence-centric thinking. Nye’s piece illustrates how we are facing a degenerative program moment or the friction one expects on the edge of a paradigm’s need to shift.2 The evidence from real-world security dynamics suggests that deterrence is the wrong framework for explaining cyber aggression and for formulating policy. Rather than contorting deterrence, we need a line of research outside the deterrence paradigm. In 1998, Nye and Sean Lynn-Jones urged security studies scholars to be open continuously to deep reflection if they are to make a difference.3 The dominance of deterrence thinking is blocking such reflection and policy application.

Nye’s article walks through the very real limitations of both retaliatory and denial-based deterrent threats against cyber aggression. Punishment is made more difficult by the attribution problem, and denial is challenging because “cyber defenses are notoriously porous” and “offense dominates defense” (p. 56).

In short, if aggression sits below the threshold where serious military sanctions are credible but above the level where it can be deterred through “good cyber hygiene” (p. 57), the deterrence paradigm fails to address where recognizing security action is taking place.4 But rather than recognizing these limitations as indicators that new concepts may be needed, Nye’s response is to massage the retaliatory and denial problems and then suggest that interdependence and norms be reconceived as “means of deterrence and dissuasion.” In doing so, he reduces their considerable potential as stand-alone approaches. For example, he notes that breaking norms can lead to “reputational costs,” when denial fails (p. 60). But this is just the threat of punishment repackaged, which can succeed only if others impose costs through some behavioral change because of the aggressor’s poor reputation. The actions of President Bashar al-Assad in Syria’s brutal civil war may have damaged Assad’s reputation, but unless states change their behavior toward Assad because of his reputation for violating norms (essentially exacting a cost from him), the norm against mass murder counts for little. The causal factor here for Nye that might lead to deterred behavior remains not norms but retaliation, which Nye has already said should not be the basis for deterrence in cyberspace.

What Nye actually wants is “to reduce and prevent adverse actions in cyberspace” (p. 54). This worthy goal does not, and need not, equate with deterrence. Retaliation and denial are tools different from defense, entanglement, and norms. They are also distinct from counter capability and operations offense, compellence, and other nondeterrence security approaches that can challenge, reduce, and manage but not necessarily deter adverse actions. Once one maps national security goals to the reality of cyber operations, deterrence theory becomes more of an impediment than a stimulus to thinking about strategy.

Nye quotes Jon Lindsay’s finding that “deterrence works where it is needed most, yet it usually fails everywhere else” (p. 18), which implies that acts that might cross a clear traditional threshold are strategically relevant and “everywhere else” is not. In fact, “everywhere else” is fast becoming strategically relevant space. Cyberspace provides a new seam for traditional great power competition, the intensity of which will only increase as cyber actors leverage machine learning and artificial intelligence technology developments. If one examines the writings of Russian Gen. Valery Gerasimov and the Chinese People’s Liberation Army’s notions of informationized war,5 it becomes clear...
