Earlier this year, US officials acknowledged that offensive cyberoperations had stopped Russian disruption of last year’s congressional elections. Such operations are rarely discussed, but this time there was commentary about a new offensive doctrine of “persistent engagement” with potential adversaries. Will it work?
Proponents of “persistent engagement” have sought to strengthen their case by arguing that deterrence does not work in cyberspace, but that sets up a false dichotomy. Properly used, a new offensive doctrine can reinforce deterrence, not replace it.
Deterrence means dissuading someone from doing something by making them believe that the costs to them will exceed their expected benefit. Understanding deterrence in cyberspace is often difficult, because our minds remain captured by an image of deterrence shaped by the Cold War: a threat of massive retaliation to a nuclear attack by nuclear means. However, the analogy to nuclear deterrence is misleading, because, where nuclear weapons are concerned, the aim is total prevention. Deterrence in cyberspace is more like crime: governments can only imperfectly prevent it.
Illustration: Kevin Sheu
There are four major mechanisms to reduce and prevent adverse behavior in cyberspace: threat of punishment, denial by defense, entanglement and normative taboos. None of the four is perfect, but together they illustrate the range of means by which it is possible to minimize the likelihood of harmful acts. These approaches can complement one another in affecting actors’ perceptions of the costs and benefits of particular actions, despite the problem of attribution. In fact, while attribution is crucial for punishment, it is not important for deterrence by denial or entanglement.
Because deterrence rests on perceptions, its effectiveness depends on answers not just to the question of “how,” but also to the questions of “who” and “what.” A threat of punishment — or defense, entanglement, or norms — may deter some actors but not others. Ironically, deterring major states from acts like destroying the electric grid may be easier than deterring actions that do not rise to that level.
Indeed, the threat of a “cyber Pearl Harbor” has been exaggerated. Major state actors are more likely to be entangled in interdependent relationships than are many non-state actors. And American policymakers have made clear that deterrence is not limited to the cyber realm (though that is possible). The United States will respond to cyberattacks across domains or sectors, with any weapons of its choice, proportional to the damage that has been done. That can range from naming and shaming to economic sanctions to kinetic weapons.
The US and other countries have asserted that the laws of armed conflict apply in cyberspace. Whether or not a cyber operation is treated as an armed attack depends on its consequences, not on the instruments used. And this is why it is more difficult to deter attacks that do not reach the equivalence of armed attack. Russia’s hybrid warfare in Ukraine, and, as the report by US Special Counsel Robert Mueller has shown, its disruption of the US presidential campaign fell into such a gray area.
Although ambiguities of attribution for cyberattacks, and the diversity of adversaries in cyberspace, do not make deterrence and dissuasion impossible, they do mean that punishment must play a more limited role than in the case of nuclear weapons. Punishment is possible against both states and criminals, but its deterrent effect is slowed and blunted when an attacker cannot be readily identified.
Denial (through hygiene, defense, and resilience) plays a larger role in deterring non-state actors than major states, whose intelligence services can formulate an advanced persistent threat. With time and effort, a major military or intelligence agency is likely to penetrate most defenses, but the combination of threat of punishment and effective defense can influence their calculations of costs and benefits. This is where the new doctrine of “persistent engagement” comes in. Its goal is not only to disrupt attacks, but also to reinforce deterrence by raising the costs for adversaries.
But policy analysts cannot limit themselves to the classic instruments of nuclear deterrence — punishment and denial — as they assess the possibility of deterrence and dissuasion in cyberspace. They should also pay attention to the mechanisms of entanglement and norms. Entanglement can alter the cost-benefit calculation of a major state such as China, but it probably has little effect on a state such as North Korea, which is weakly linked to the world economy.
However, “persistent engagement” can aid deterrence in such difficult cases. Of course, entering any adversary’s network and disrupting attacks poses a danger of escalation. Rather than relying just on tacit bargaining, as proponents of “persistent engagement” often emphasize, more explicit communication might help. Stability in cyberspace is difficult to predict, because technological innovation there is faster than in the nuclear realm. Over time, better attribution forensics might enhance the role of punishment; and better defenses through encryption or machine learning might increase the role of denial and defense.
Cyberlearning is also important. As states and organizations come to understand better the limitations and uncertainties of cyberattacks and the growing importance of the Internet to their economic well-being, cost-benefit calculations of the utility of cyberwarfare might change. Not all cyberattacks are of equal importance; not all can be deterred; and not all rise to the level of significant threats to national security.
The lesson for policymakers is to focus on the most important attacks, recognize the full range of mechanisms at their disposal and understand the contexts in which attacks can be prevented. The key to deterrence in the cyberera is to acknowledge that one size does not fit all.
“Persistent engagement,” when viewed from this perspective, is a useful addition to the arsenal.
Joseph Nye is a professor at Harvard University.
Copyright: Project Syndicate