Deterrence and Cyber Strategy
In the 1930s, France built impressive fortifications called the Maginot Line to prevent German forces from crossing its eastern border. The line was so impressive that it deterred the Germans from a direct assault. Instead, they went around it.
The United States risks repeating this outcome in cyberspace. Deterrence works as well as it ever did in doing what it was designed to do: prevent a nuclear or conventional attack on the United States or its treaty allies. It has not worked well for deterring anything else, in part because U.S. opponents have developed techniques that, like the assault on France, allow them to circumvent it and degrade the security and global position of the United States. Espionage, crime, and cyber-enabled influence operations create tremendous strategic risk that a deterrence strategy is not adequate to manage, much less counter.
An effective international cyber strategy must have three elements: how to build resilience, how to create a collaborative defense, and how to produce accountability in cyberspace (and this should include a discussion of when and how to disrupt opponent operations). Invoking deterrence may make a strategy longer but not more useful.
Even a partial list of the failures of deterrence is impressive. The United States failed to deter Chinese expansion in the South China Sea, Chinese influence in Latin America and Africa, and most importantly, the Chinese technological cyber espionage that undergirds the Chinese military and political challenge to a U.S.-centric world. The United States did not deter Russia from using cyber means to interfere in its 2016 election and the elections of allies, nor did it deter the invasion of Ukraine. The United States did not deter Iran from gaining a predominant role in Iraq or in waging a low-level cyber war with Israel. If the people advocating deterrence were football coaches, they would be fired.
It is not a success for deterrence if an opponent does not do something it never intended to do, nor is it a success if opponents are untrammeled in carrying out damaging actions. China, Russia, and even Iran, are in varying degrees rational about the risks of attacking U.S. critical infrastructure—the one major incident, Colonial Pipelines, even saw the Russians offer a sort of apology for a criminal act. It is always possible that an authoritarian opponent may yield to temptation and undertake a major cyberattack that seems irrational given the risk it engenders for a broader conflict, but this has not happened.
To say deterrence has worked against cyberattacks is a profound misunderstanding of the nature of conflict today. Nuclear weapons have changed conflict among nuclear armed powers and make it necessary to ask in what scenarios would a cyberattack on critical infrastructure make sense. There are very few scenarios where the benefits of a major cyberattack outweigh the risks of a nuclear response. Given opponent fears of U.S. advanced weapons that could achieve strategic effect without resort to nuclear weapons, the “ceiling” limiting the use of cyber weapons for attacks on critical infrastructure may be lower than is generally assumed.
Cyber powers (with the exception of Russia’s attacks on Ukraine since 2014) have also been careful not to cross an implicit “use of force” threshold in using cyberattacks. This threshold means avoiding cyberattacks that cause casualties, death, or physical destruction (attacks that cause “logical” destruction of data and software remains a grey area). Actions that stay below this threshold do not provoke retaliation and are undeterrable.
Opponent calculations likely involve estimating what level of action would be disruptive without crossing the use of force threshold. They may also entail decisions on whether using a single attack, rather than a sustained cyber campaign, could disrupt fragile supply chains without provoking retaliation. The reason deterrence does not work is that there is demonstrably ample space for harmful action by opponents under this threshold.
If the United States only pretended to believe in deterrence while undertaking more active defensive measures, this would provide benefits that the current U.S. approach lacks. When the many positive developments in cyber defense made in the last few years make further progress, opponents might be more constrained as their risk/reward ratio shifts against them. But a strategy centered on deterrence is essentially a signal to opponents that they can continue damaging and coercive cyber action without penalty.
James A. Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.