As Secretary Hagel recognized, deterrence in this area is challenging because deterrence theory was developed for deterrence of kinetic attacks: deterring the application of force by the armies, air forces, and navies of one’s enemies, and in the nuclear era, the enemy’s strategic forces. However, with respect to deterrence, cyber warfare is in many respects unlike what has come before – it is not inherently kinetic. Accordingly, deterrence theorists and practitioners must adapt existing concepts and pursue tailored strategies to help achieve deterrence of cyber warfare with the goal that the result will be an increase in strategic stability in cyberspace. Indeed, there is a reasoned assumption among scholars such as Martin Libicki, who have highlighted the concern that cyber deterrence may not work as well as nuclear deterrence, that if this is the case, it illustrates the need for additional focus on this pressing challenge.⁴

The major question we address in this study is: in light of the challenges of applying deterrence theory to cyber warfare, how can the United States and its allies successfully deter major cyber attacks? Our central argument is that while deterrence theory faces major challenges when applied to cyber warfare due to the unique aspect of cyber technology, investments and efforts in three specific areas can help mitigate this challenge. Specifically, we recommend cultivating beneficial norms for strategic stability; continuing efforts in the area of improving cyber forensics and defenses, including regarding lower evidentiary standards for attributing cyber attacks and addressing harboring ‘independent’ attackers; and developing and communicating a clear declaratory policy and credible options for deterrence-in-kind so as to make escalation unavoidable and costly. The challenges to applying deterrence theory to cyber warfare relate to pronounced uncertainty with respect to, first, awareness and attribution of an attack and, second, the uncertain effects of any attack.

The difficulties surrounding attribution and control of its effects make deterrence of cyber warfare uniquely difficult. In some cases, lack of control makes the application of the weapon both enticing for the attacker but also risky due to blowback onto his own interests, his own society and economy, and those of his allies, and the risk of escalation by the defender, if, indeed, he is able to determine the attacker. Peter Singer of the Brookings Institution and others have identified this lack of attribution as the key factor that prohibits the direct and immediate application of deterrence theory to the cyber realm.⁵ If an attack is attributable, then traditional deterrence applies, including the possibility of a kinetic response. If an attack is not attributable, or the attacker believes it will be falsely attributed, it may be so enticing a weapon as to be irresistible.

This is an old problem – if you could do something bad and get away with it, would you? This issue has been considered in various guises by philosophers and political leaders throughout history. In Republic, Plato provides the example of Gyges’ Ring, which made its wearer invisible.⁶ Would a man wearing Gyges’ Ring be righteous; alas, no, he concluded. The temptation of being able to get away with something malicious without attribution would be too great, and even a moral man would be corrupted by such power. Cyber weapons give a state a Gyges’ Ring, and increasingly, we witness the consequences. The implications of this uncertainty illustrate the need to develop a tailored approach to improve the ability to apply deterrence to cyber warfare. The three efforts we identify in this book will help manage these challenges.

Second, the study offers a unique contribution by identifying a specific series of efforts that can be initiated or strengthened in order to improve the deterrence of cyber attacks. These solutions are drawn from lessons from fields such as biology as well as prior experiences dealing with threats such as terrorism and nuclear weapons. For example, microbial forensics provides important and useful examples for answering the critical ‘who did it?’ question. We argue that policymakers can learn from experiences in other areas, such as biological weapons and forensics, and in doing so develop an effective package of responses to improve deterrence of cyber warfare.

Third, cyber warfare is a major avenue of attack against the United States and has done significant damage to its national security interests, to the interests of allies, as well as to other states in international politics. Our study will help the United States address this growing and significant threat by improving its ability to deter cyber warfare. Cyber warfare is here to stay. It presents a growing challenge to the security of states and other international actors and is increasingly an element of conflict. Indeed, it should be considered as a component of conflict as any other arrow in the quiver of states. Its appeal is heightened because of the difficulty of attribution and the fact that it is widely usable as the norms for cyber warfare have not yet been firmly established. For example, in 2014, during the political crisis in Ukraine, a sophisticated cyber weapon known as ‘Snake’ or ‘Ouroboros’ was discovered.⁷ Snake is suspected to be of Russian origin and gives attackers full remote access to compromised Ukrainian systems. Threats such as this have led the Director of Intelligence James Clapper to identify cyber weapons as a major avenue of attack against the United States.⁸

An unfortunate fact of modern life is that there is a significant daily drumbeat of espionage-style cyber attacks against major military, intelligence, and civilian targets. The Norton Cybercrime Report puts the direct costs of cybercrime at $113 billion annually, with the United States’ costs coming in at $38 billion. Further, the Ponemon Institute estimates that the average annualized total cost – direct and indirect – of cyber attacks in the United States among 60 ...