A recipe for deterrence in cyberspace

Event report

The discussion, led by Mr John Hering (Government Affairs Manager, Microsoft), attempted to answer key questions about the deterrence concept in cyberspace: what we mean by deterrence; weather we need deterrence and who are the actors to do that; whether the concept of mutually assured distraction can be applied to cyberspace; what partnerships already exist to bring about deterrence mechanisms.

Ms Frederick Douzet (Professor of Geopolitics, University of Paris 8, Director, Geopolitics of the Datasphere (GEODE)) started with a general sense of attribution, pointing out that it is more of a psychological process that rests on the perception of actors which may vary. In France, deterrence is used in connection with nuclear affairs. Douzet drew two tactics: threat of punishment and denial of potential gains. In order to ensure the credibility of future punishment in cyberspace, we need a proper attribution process. Thus, the denial tactic looks more promising for cyberspace, making the cost of attack too high.

Ms Joanna Świątkowska (Director, Cyber Security Specialist, UBS) echoed that we are trying to implant old Cold War terminology. She suggested looking at the denial by defence strategy as prospective, though this is still quite hard to implement. She also reminded about the rules of responsible behaviour in cyberspace, which we can use to stigmatise actors who are not following them. Finally, Świątkowska mentioned that strategy of fragmenting and isolating the national segments of cyberspace to diminish contacts, but noted this will not bring any gains in the end.

Mr Chris Inglis (US Cyberspace Solarium Commission) and Ms Elonnai Hickok (non-resident scholar, Carnegie Endowment for International Peace) spoke on the variety of actors that could suffer from cyber-attacks, and we must keep this variety in mind when building our deterrence strategies. Hickok considered deterrence a proactive measure that helps prevent harm before it happens.

Ms Katherine Fox (Diplomat, UK Foreign and Commonwealth Office) and Inglis insisted that cyber attribution now is much easier than it may seem for diplomats and it should be used depending on the aims of a particular state. Douzet reminded once again that if we speak about deterrence of misbehaviour in cyberspace, we have to concentrate on the norms that form international expectations, otherwise the perception of bad behaviour differs a lot.

As for the mutually assured destruction, Inglis noted this is the extreme form of deterrence due to the unique conditions of nuclear weapon. It worked when there were fewer players and high-cost entry. With cyber-weapons we have persistent actions, low-cost entry, and many players, including non-states.

Hickok and Douzet pointed to the necessity of drawing red lines for actions in cyberspace. While it can be tempting to draw them, we should keep in mind what the consequences will be if someone crosses them. Świątkowska recalled NATO’s commitment to invoke Art 5 for collective defence in the event of a cyber-attack. At least, there should be more transparency for the cyber capabilities of states in the form of public cyber strategies.

Finally, speakers discussed the importance of international co-operation in making cyber deterrence possible, including the Paris Call, as well as highlighted that industry and civil society play a significant role there as well.