The lack of empirical evidence of cyber warfare between states makes deterrence theorizing nearly impossible.
Western states largely renounced the concepts of defense and deterrence after the end of the Cold War. Instead, Western powers focused on expeditionary warfare—military crisis management, counterterrorist operations, and counterinsurgency operations. Today Russia and China pose a challenge to the Western-defined international security order. The United States and its allies in Europe have lost most of the analytical concepts that would be useful for the great-power politics to follow: defense and deterrence.
It will take years for the West to rediscover these concepts and to harness them for national security purposes. Moreover, truly understanding the concept of cyber deterrence will be even more difficult—as there is zero empirical material from cyber wars between states. Furthermore, the very nature of cyberwar prevents active communication about existing cyber warfare capabilities. This communication is necessary to convince one’s adversary about a cyber-retaliation in case of deterrence failure.
For more than two decades after the end of the Cold War, Western states were able to redefine the contours of international security and the associated rules related to the use of military force within the globalizing international system. During this period, between 1989/1991 and 2013, many traditional concepts of international relations and strategy were cast out onto the trash heap of history.
Great-power politics, spheres of influence, defense, and deterrence were such concepts. They lost practically all of their political correctness and analytical usefulness with the winding down of the superpower confrontation and the dissolution of the Soviet Union in the early 1990s. From then on, Western statesmen, stateswomen, and strategic thinkers relied more on concepts such as the liberal world order, engagement, democracy promotion, human security, humanitarian interventions, and counterinsurgency operations.
Thus, between 1989/1991 and 2013, the Western security community fell out of touch with a vocabulary on great-power strategy. Such a strategy would be useful today to tackle existing and future security threats related to adversarial great-power relations and a potential for a large-scale war in Europe or Asia.
The loss of a framework for defense and deterrence within the West is bad enough for the conventional warfighting and nuclear realms. They are, however, the easy cases when compared to cyberspace. To date, we have witnessed zero cyber wars between states. A criminal act committed in cyberspace does not constitute an act of war. Nor do state-sponsored Distributed Denial of Service (DDoS) attacks, knocking off web-pages or online services. Similarly, spreading malign content in the social media is at most a nuisance—not even close to warfare.
Cyberwar remains an abstract concept.
Although cyberwar has been coming for the last 25 years, it has not once entered the realm of statecraft. Thus, all of the argumentation, doctrine formulation and policy articulation related to cyber war is, at best, speculation, and science fiction at worst. As the 2015 report published by the NATO Cooperative Cyber Defense Center of Excellence, Cyber War in Perspective: Russian Aggression against Ukraine, noted: “everything we have seen so far falls well short of how national security thinkers—and Hollywood—have portrayed cyberwar.” In the report, Martic Libicki also noted—in his article titled The Cyber War that Wasn’t, “The most notable thing about the war in Ukraine, however, is the near-complete absence of any perceptible cyberwar.”
Today we live in a world where the role of cyberwar is much more opaque than was the case with nuclear war in the late 1940s and the next decades. During those times those focused on formulating deterrence theory had access to empirical evidence. Although “Little Boy” and “Fat Man” dropped on Japan were low-yield devices compared with the development of nuclear weapons during the following decades, the scale of destruction caused by them made it evident that a new conceptual approach to warfighting was warranted. This approach was named deterrence.
Despite this fact, both the Soviet Union and the U.S.-led NATO prepared to use hundreds of nuclear weapons in Central Europe against each other years on end. In addition, the nuclear arms race post-1949 (when the Soviet Union detonated its first nuclear weapon) touched only two states: the United States and the Soviet Union.
Even with these mitigating factors, it took almost twenty years to formulate a perspective on nuclear deterrence that was more or less shared by the two main protagonists of the bipolar confrontation. In the West, this shared understanding concerning nuclear weapons became known as the Mutually Assured Destruction (MAD).
Developing credible cyber deterrence framework is unlikely for the foreseeable future.
As our societies, government organizations and military forces are becoming more and more digitalized and cyberspace-reliant, it is natural for political leaders and analysts to ponder the positive and negative aspects of these trends. For years hubris about the upcoming cyberwar has dominated the headlines. “Cyber-Pearl Harbors” or “critical cybersecurity problems” get a lot of media attention.
Today, cyberwar is defined as much by Hollywood as it is by national security decision-makers and analysts. This fact reflects the problems that Western states (and others) have trying to square the circle on cyber deterrence: how to deter something that is difficult to define (cyberwar/attack), hard to attribute to specific actors and has never happened so far?
Having lost a generation of deterrence experts and expertise after the end of the Cold War, many Western states are now jump-starting research programs focusing on conventional and nuclear deterrence in a world of great-power rivalries and power politics. In itself, such an undertaking will take years to produce a credible deterrence framework with the associated military capabilities needed in Europe and Asia.
Additionally, many Western states are trying to integrate the cyber domain into this emerging “new” deterrence framework—a nearly impossible task for the foreseeable future. The “nature” of cyberspace is so different from anything we have witnessed within our warfighting or deterrence paradigms in the past. Forging a credible cyber deterrence framework is likely to be impossible – at least for years to come. There are at least three reasons for this.
First of all, having zero cases of cyber warfare in the past provides a shaky foundation for deterrence theorizing. After all, how credible can deterrence be, when there is no shared understanding about the existing – or future – cyber warfare capabilities and their real-life effects? And the credibility of the threat is a crucial aspect of deterrence.
Second, the problem of lacking empirical material on cyber warfare is multiplied by the very nature of offensive cyber activity: in order not to provide tools for one’s adversary to establish any form of effective cyber defenses, one cannot communicate anything about the existing (and projected) cyber capabilities at one’s disposal.
The effectiveness of “cyber-weapons” is based on not communicating about the existing vulnerabilities within cyberspace in general and the adversary’s “cyber systems” in particular. Any effort to do so would decrease the effectiveness – and deterrent value – of existing “cyber weapons.” From a deterrence perspective, this is a significant problem: trying to communicate about one’s cyber warfare capabilities would end up undermining one’s deterrent capacity.
Third, the number of potential actors capable of executing some form of “cyber-attack” is so great—at least in the future—that any single framework or theory of deterrence will not be able to capture them all. Even though ninety-nine percent of cyber-attacks are criminal acts or hacktivist incidents, attribution (i.e., identifying the responsible actor) will be a problem for the foreseeable future. In addition, how to draw the line between criminal acts and warfare without information about the motivation of these cyber-attacks?
For cyber deterrence to make any sense for state actors, they need concrete indicators of others’ offensive cyber capabilities. Thus, in order to develop even a rudimentary cyber deterrence framework, states need some lessons learned from the effects of “cyber weapons” and cyberwar. The cases of nuclear war (1945) or the firebombing of cities (during World War II) are examples of the effects of concrete cases that influenced the way that states conceptualize the utility of certain weapons of war.
To date, there are no concrete cases of cyber warfare to draw lessons from. It is possible that this lack of empirical material related to cyber warfare will continue for years to come. While this is good news, it will also prevent the development and maturation of any meaningful cyber deterrence framework. States will not reveal their cyber weapon arsenals for deterrence purposes. They will reserve it for the possibility of waging offensive cyberwar.