- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
In most open source writings, Chinese analysts tend to discount the possibility of deterrence in cyberspace. Attribution, detection, and monitoring are hard. Attacks can come from state and non-state actors. Retaliatory cyber attacks have no certainty of outcome. All of these conditions combine to make it difficult to deter cyber attacks on national networks.
Given this skepticism, it was interesting to find a long, Sun Tzu-quote-filled discussion of cyber deterrence published on a website affiliated with People’s Daily. Like many other open source writers, Yuan Yi, a researcher at the Academy of Military Sciences, takes a very expansive view of deterrence in cyberspace. According to Dean Cheng, China traditionally views deterrence, or weishe (威慑), as both deterrence in the Western sense--threats intended to raise the costs high enough so a potential adversary does not act in the first place--and compellence--displays of military power or threats to use military power in order to compel an opponent to take an action or submit. In the vast majority of cases where Yuan’s article refers to deterrence, it appears to be talking about offensive cyber operations and compellence. So the strengths of cyber deterrence, in Yuan’s view, include the fact that cyberattacks are more humane than nuclear, chemical, or biological attacks; deterrence is cost effective because cyber weapons are cheap; deterrence methods are diverse because cyber weapons can target multiple types of systems; and deterrence uses are repeatable and flexible because, unlike nukes, cyber weapons can be used multiple times. Western analysts tend to associate all of these characteristics with cyber offense not deterrence.
The list of negatives that characterize cyber deterrence also mirrors what Western strategists have traditionally associated with the weaknesses of cyber weapons. Cyber deterrence, for Yuan, lacks credibility because cyber weapons have not yet been used in real warfare; the defense is dynamic and may eliminate vulnerabilities and thus make a weapon useless; the effects of a weapon may spread to connected networks and may even boomerang back to the attackers; states with low levels of connectivity provide few targets and are not easily deterred; and the distributed nature of networks makes the creation of a unified military force difficult.
After laying out these strength and weaknesses, Yuan describes four types of deterrence, three by appearance, the fourth by actual combat. Deterrence by appearance includes technical tests with widespread publicity about the results as well as the displays of cyber equipment. Displays can happen through doctrine, white papers, diplomatic pronouncements, newspapers, or other official channels. It can also occur through social media and may involve misinformation in an attempt to confuse the enemy and create a psychology of fear and restraint. Combat exercises are also a form of deterrence by appearance and may involve real or virtual troops. Yuan mentions Cyber Storm, the biennial exercise run by the Department of Homeland Security, as an example of deterrence by exercise.
Yuan argues that there are two opportunities for deterrence by combat operations. First, when one side believes the other is on the verge of initiating war, it may launch cyberattacks on critical defensive networks, thus conducting "preventive, restraining deterrence." The second is when the enemy is conducting cyberattacks on your side in a deterrent effort, then you must immediately launch "retaliatory, reprimanding deterrence." The types of attacks Yuan believes could be launched include disseminating propaganda on cell phones and interrupting television broadcasts as well as damaging telecommunication networks and power grids.
According to Yuan, a successful deterrence strategy requires preparation. Cyber forces must conduct comprehensive network reconnaissance and install backdoors and logic bombs to launch future attacks. Decision makers need to find the right intensity of the fight in cyberspace to achieve combat deterrence. Attacks that are too restrained will do little to dismay the enemy. Attacks that cause too much damage may provoke a conventional military response or bring international criticism. There should be a clear and controlled progression. Warnings should be issued, and attacks should move up a ladder of difficulty and impact, with scheduled breaks and resumptions when necessary. In addition, a clear deterrence strategy demands centralized command and unified planning. All military cyber forces must form a joint force, and Yuan argues that decision makers "must organize and coordinate amateur civilian cyberwar forces, particularly patriotic hackers."
While Yuan’s call for unified forces, centralized political control, and a clear escalatory ladder could provide for greater predictability in cyberspace, most of the article’s suggestions are highly destabilizing, especially the belief that cyberattacks are relatively low risk and the call for network reconnaissance and prepping the battlefield. The article is almost definitely not an authoritative overview of what the People’s Liberation Army thinks about deterrence but at the same time it is equally unlikely to be completely outside the mainstream. One of the outcomes of the Xi-Obama was supposed to be the creation of a cyber "senior experts group." It would be good if that group could meet soon, and start the discussion on the meaning of deterrence and other basic concepts.