Jason Healey is senior research scholar at Columbia University’s School of International and Public Affairs and was a member of the Defense Science Board’s task force on cyber deterrence. You can follow him @Jason_Healey.
Whether in the White House Situation Room or around the water cooler of cybersecurity companies, there can never be too many conversations about cyber deterrence. All too often though, the conversation fall into two traps: one focuses on theories and tropes from nuclear war while the other assumes the United States will be the one doing the deterring.
As more information spills out about the Obama administration’s reaction to Russian cyber-based interference in the 2016 U.S. elections, a picture has emerged that cyber deterrence is not just theoretical and the United States was the one deterred. As Bruce Schneier has blogged, “the [United States] was successfully deterred from attacking Russia in cyberspace because of fears of Russian capabilities against [it].” Scholars and national security analysts must adapt their theories and policies to this new reality.
The first official U.S. position on cyber deterrence was the White House’s 2003 National Strategy to Secure Cyberspace, which issued a basic declaratory statement that when the nation was attacked “through cyberspace, the U.S. response need not be limited to criminal prosecution. The United States reserves the right to respond in an appropriate manner.” Since then, the United States has included something about deterrence in nearly every policy, such as the Comprehensive National Cyber Initiative (2008) and the Defense Strategy for Operating in Cyberspace (2011), up to the latest, Executive Order 13800 (2017).
But the number of policy statements crying for more deterrence are matched by implementation problems. Some experts argue deterrence is difficult, if not impossible. In the canonical book on the topic, Cyberdeterrence and Cyberwar, Martin Libicki noted nearly a decade ago that “attribution, predictable response, the ability to continue attack, and the lack of a counterforce option are all significant barriers.” Others, like Richard Harknett and Michael Fischerkeller contend that since adversary cyber forces are actively contending with one another, “if the United States is to shape the development of international cyberspace norms, it can do so only through active cyber operations.” Michael Sulmeyer more recently agreed, writing that deterrence is the wrong strategy entirely and the United States should not “change the calculations of adversaries” but rather “focus on disrupting their capabilities.”
I have argued that deterrence has been obviously effective for cyber operations above the threshold of death and destruction, as major cyber powers have avoided such attacks, but not below that threshold (where the ideas of Harknett, Fischerkeller, and Sulmeyer appear to hold). America’s adversaries additionally “probably feel quite confident they are hitting back, not first.” Deterrence threats may invite more aggression, not less.
Such theorizing must now take into account the ongoing revelations of the U.S. response to the Russian election interference in 2016. These demonstrate that cyber deterrence is not just real but the United States is on the receiving end of it.
In their extensive investigation of the Russian interference and U.S. response, David Corn and Michael Isikoff noted that in the White House discussions:
The principals did discuss cyber responses. The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings. […] “If we got into a tit-for-tat on cyber with the Russians, it would not be to our advantage,” a participant later remarked. “They could do more to damage us in a cyber war or have a greater impact.” In one of the meetings, [Director of National Intelligence James] Clapper said he was worried that Russia might respond with cyberattacks against America’s critical infrastructure—and possibly shut down the electrical grid.
In addition, according to the new memoir by Obama advisor Benjamin Rhodes, as summarized by the New York Times, “Mr. Obama did not impose sanctions on Russia in retaliation for the meddling before the election because he believed it might prompt Moscow into hacking into Election Day vote tabulations.” Many other senior Obama-administration principals provided additional details and confirmations to David Sanger, for his forthcoming book, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age.
Few of the issues that deterrence theorists worry about, other than escalation risk, were an issue. There is no evidence the Russians made any specific threat, for example, and they did not need to brandish their cyber capabilities in a demonstration attack to make it credible or increase the value of the signal. Apparently, their access and perceived capabilities and intent alone were enough. Attribution likewise was not an issue as there was no doubt the Russians were behind both the election interference and electrical grid intrusions. The White House was concerned not just about the escalation from responding symmetrically with cyber means but from non-cyber tools (i.e., sanctions) as well.
Perhaps these are specific edge cases without general relevance to understanding the dynamics of cyber conflict and the role of deterrence. But more likely they are kicks to our theoretical shins, sharp reminders that the main cyber powers (and many others) are scrambling to hold each other’s critical systems at risk. This “constant state of ‘near ambush’” as Amy Zegart puts it is creating new realities and our conversations and theories on deterrence must now adapt.
There is now a well-documented instance of cyber deterrence. That example is part of most likely the most consequential cyberattack ever—the interference in the US presidential election of 2016. And for all the agonizing about deterrence theory and posture in the United States, it was the United States who was deterred.