Last week, Admiral Mike Rogers, commander of U.S. Cyber Command, testified before the Senate Committee on Armed Services. Most of the media attention (see this, this, and this) has focused on Rogers’ argument that deterrence is not working, and that defense in cyberspace will be "will be both late to need and incredibly resource intensive." As a result, Rogers argued, Cyber Command needs "to think about how can we increase our capacity on the offensive side to get to that point of deterrence."
The argument that additional offensive capabilities are critical to deterrence seemed to be widely accepted by the senators’ questioning Rogers. Senator Angus King went further, saying that it was not enough to have the offensive capabilities but that the public has to know about them. Alluding to Dr. Strangelove, the classic movie on the absurdities of the Cold War, King argued “If you build the doomsday machine, you’ve got to tell people you have it. Otherwise the purpose is thwarted."
Rogers’ opening comments and written testimony raise at least three follow up questions. First, in regards to the exchange with Senator King, is talking about offensive capabilities enough? For effective deterrence, do you also have to demonstrate that they would work? The United States and the Soviet Union conducted a combined 1745 known underground and atmospheric nuclear tests between 1945 and 1996, along with countless launch exercises from submarines, bombers, and missile silos. The physical effects of a nuclear weapon were well known to both sides. None of this is available in cyberspace. The effects, so far, are invisible and contested, and they may be unpredictable as attacks spill over into connected networks. You can’t march a cyber weapon in a parade and even if the United States, Russia, and China built cyber ranges where they launched practice destructive digital attacks, would the other side necessarily believe that their systems were vulnerable in the same way or could not be quickly reconfigured for defense?
Second, do we have any idea of how adversaries might interpret or react to the effort to develop a greater deterrence through offensive cyber capabilities? In his written testimony, Rogers implicitly suggests that U.S. efforts will not be destabilizing by making a comparison to the nuclear age: "Building these nuclear forces and the policy and support structures around them took time and did not cause a nuclear war or make the world less safe." But is this both a rosy remembering of Cold War history and an optimistic hope for future cyber conflict? Given that many defense analysts believe that offense has the advantage over defense in cyberspace, do efforts to develop deterrence through offense create a security dilemma and an arms race?
Finally, Rogers says in his written testimony that Cyber Command has gained "priceless experience in cyber operations" and insight into how force "can be employed in cyberspace." He also mentions that Cyber Command has "had the equivalent of a close-in fight with an adversary." Does it matter who that adversary was? Are the lessons learned from an encounter with one adversary applicable to other potential rivals in cyberspace? Is Cyber Command’s knowledge about fighting China’s People’s Liberation Army transferrable to fighting the Iranian Revolutionary Guard Corps?
The answer to all these questions is we do not know yet. We can assume, however, that Admiral Rogers knows that cyber deterrence, if it is to work at all, will not operate like nuclear deterrence. Nuclear deterrence was primarily a military strategy designed to prevent one completely unacceptable outcome—nuclear war with the Soviet Union. Cyber deterrence will be the use of political, economic, diplomatic, and military tools not to stop attacks entirely but instead to reduce the volatility and intensity of cyber conflicts. It will require flexibility, adaptability and a lot of thinking about how to tailor policies to specific actors. Offensive capabilities will be important, but they will only be one part of deterrence.