Deterrence in cyberspace: different domain, different rules
27 Jul 2016

Cyberspace pervades everyday life. Our growing reliance on networks has increased the vulnerability of Australia’s national security, economy and society to malicious cyber actions. As a result, there’s a need to build trust and confidence in cyberspace, and the infrastructure and institutions that it enables and supports.

Deterrence policies and capabilities are often invoked as a means to create this stability. Australia’s recent Cyber Security Strategy, released in April 2016, stated that ‘Australia’s defensive and offensive cyber capabilities enable us to deter and respond to the threat of cyber attack’. In launching the Strategy, Prime Minister Malcolm Turnbull further emphasised that ‘acknowledging this offensive capability, adds a level of deterrence’. This rhetorical trend is also evident in other international cyber strategies including those of our major allies and partners.

However, there are pitfalls in that approach to cybersecurity. In our report, Deterrence in Cyberspace, released today, we explore those issues and provide recommendations for policymakers to address stability and security in cyberspace.

The use of deterrence to mitigate security threats is based on an assumption that states are rational, and make decisions based on cost-benefit assessments. On that assumption, one can deter a challenger by increasing the perceived costs of their action (deterrence by punishment) or decreasing the expected benefit (deterrence by denial).

However, threatening punishment is unlikely to deter malicious behaviour in cyberspace, for several reasons:

  • Setting enforceable thresholds is difficult due to the spectrum of potential acts in cyberspace and the non-binary nature of many cyber capabilities. For that reason the difference between an ‘attack’ and below-the-threshold events, such as espionage and criminality, is often less obvious.
  • Responding proportionately is also hard, because escalation is difficult to control in cyberspace and there is no normative framework to guide a conventional response.
  • It’s often difficult to quickly and accurately identify the responsible actor. Attributing blame risks inadvertent escalation with a third party and can expose valuable national cyber capabilities.

Instead, such threats have the potential to heighten international insecurity by inducing what we’ve dubbed the ‘credibility-stability paradox’. The reliability of a state’s commitment to enforcing its own deterrence policy statements is a significant symbol of its political and military power. If a state doesn’t follow through on a threat when its threshold is crossed, it directly reduces its credibility in the eyes of the international community, undermining its ability to both intimidate and negotiate in the future.

Conversely, making good on a threat in cyberspace can have drastic impacts on international stability. Retaliation, either inside or outside of cyberspace, may spiral beyond the intended punishment, inflicting damage over and above what would be considered a proportionate response to the breach of a threshold. That risks a minor incident triggering a tit-for-tat escalation that devolves into a larger and more destructive conflict, further damaging international stability. So, as soon as a cyber deterrence threat is extended, a state faces the strategic dilemma of being forced to choose between maintaining its credibility or risking collateral damage.

That isn’t to say that offensive cyber capability shouldn’t be developed, but rather that it shouldn’t be developed for the purpose of making threats. The use of offensive cyber capabilities, in accordance with international law, to enable and support conventional military forces contributes positively to broader deterrence capability by reinforcing the lethality and effectiveness of armed forces as a tool of state power.

The report recommends methods to alter an adversary’s decision-making by withholding the perceived rewards of certain behaviour and building an international conflict reduction framework. Implementing a denial strategy in cyberspace requires strong, adaptive defences, resilient networks, and the use of other advanced techniques and technologies to reduce the perceived value of malicious behaviour. Denying enemies an advantage commensurate with the effort required to breach security should dissuade them from further attempts on the network. That supports cybersecurity generally and, if effectively conducted, can further enhance conventional deterrence postures and improve a state’s overall national security.

ICPC’s new report explores the nature of cyberspace, reviews the challenges it poses to deterrence by punishment and offers alternative approaches for policymakers seeking to establish stability in cyberspace. In a context of increasing network dependence and growing cyber tensions, setting a precedent of restraint, trust and international cooperation is essential. This will ensure Australia can continue to reap the economic and social benefits of a stable cyberspace.