31 May 2019

Deterrence in Cyber, Cyber in Deterrence

By Rosemary Tropeano

The notion of deterrence in cyberspace has become a much-maligned piece of U.S. strategy. Deterrence has been criticized as being inappropriate given many of the cyber domain’s unique characteristics, such as low cost of entry, high number of non-state actors, and lack of clear attribution for attacks.[1] Despite this criticism, deterrence has remained a part of cyber strategy, with both the current National Cyber Strategy and the Department of Defense 2018 Cyber Strategy including deterrence as a major element.[2,3] Rather than pulling the cyber domain away from deterrence, current policy has brought cyber elements closer to the U.S.’s broader strategic deterrence strategy. Strategic deterrence now incorporates a well-defined role for cyber that is likely to expand in the future, and strategic deterrence has begun to play a role in cyber deterrence strategy. This is reflective of the broader trend of cyber playing an increasingly integral role in strategy, doctrine, and overall force structure, such as the U.S. Army’s push to prepare to fight in multi-domain environments, seeking to converge capabilities in the conventional domains with those in the electromagnetic spectrum and information environment.[4] Charting these strategies as they have evolved over the past two decades is one way to assess the strategic value of deterrence in cyberspace. While a singular cyber deterrence strategy may be unsuited to the domain, cyberspace must play a role in overall deterrent strategy.


Deterrence refers to the “[prevention] of adversary action through the presentation of a credible threat of unacceptable counteraction and belief that the cost of the action outweighs the perceived benefits.”[5] The use of threats, also called deterrence by punishment or deterrence by retaliation, is the cornerstone of U.S. nuclear deterrence. Increasing the cost of actions, also called deterrence by denial, is more frequently used in conventional deterrence.

Both types of deterrence have been components of U.S. cyber strategy since the first iteration of the National Strategy to Secure Cyberspace in 2003 and the National Military Strategy for Cyberspace Operations in 2006.[6] Reducing threats, increasing resilience to attack, and deterring malicious actors were priorities in the 2003 strategy and the National Cybersecurity Threat and Vulnerability Reduction Program.[7] This original iteration of cyber deterrence used prosecution and criminal penalties to deter malicious actors as a form of deterrence by punishment and increased network defense and resilience to raise relative costs any given cyberattack as a form of deterrence by denial. However, this limited the focus to the legal realm, and took many options away from the military and diplomatic elements of power. The scope of deterrence in cyberspace grew beyond legal penalties over the next fifteen years. The 2011 International Strategy for Cyberspace and the current National Cyber Strategy expanded the range of deterrence tools to include economic and diplomatic as well as legal measures, while retaining the 2003 strategy’s focus on increasing resilience and network defense. The U.S. now relies on sanctions and international coalitions as well as indictments and criminal penalties to deter malicious cyber activity.[8]

While deterrence has always had a place in cyberspace, the inverse has not always been true. The addition of cyber elements to the broader U.S. strategy of strategic deterrence is a more recent development as cyber has gained a larger role in over the last decade. The 2018 National Cyber Strategy placed cyber deterrence in the context of the U.S.’s overall deterrence strategy.[9] This was not the first time cyber appeared as a part of broader deterrence strategy: between the 2008 and 2012 versions of Operation Plan (OPLAN) 8010 (obtained through a Freedom of Information Act (FOIA) request), U.S. Strategic Command’s (USSTRATCOM) primary operational plan for deterrence, cyber elements became a more significant part of strategic deterrence.

What caused this shift? One factor is likely a simple increase in focus and awareness on cyber issues, largely due to an increase in cyber-related events. At the time OPLAN 8010-08 was written, U.S. Cyber Command had yet to be established, though its predecessor had already been aligned under U.S. Strategic Command.[10] Cyber threats had just appeared for the first time in the Worldwide Threat Assessment in 2008.[11] Increased breadth and sophistication of computer network operations over the next four years, along with rising concern over malicious state actors, intensified focus on cyber vulnerabilities. Several high-profile attacks, including those on U.S. economic infrastructure and defense contractors, confirmed those fears.[12] Simultaneous with this increasing concern, cyber was given an expanded role in the 2010 Nuclear Posture Review and subsequently OPLAN 8010-12. These strategic concerns around cyber have only increased since 2012, reflected by the inclusion of an overall deterrent strategy in the 2018 National Cyber Strategy. The Department’s 2018 Cyber Strategy goal of increasing cyber fluency among leaders and their staffs—to increase awareness of the cybersecurity implications of strategic decisions and leverage opportunities for strategic, operational, and tactical advantages in cyberspace—reflects the increased importance of cyberspace to all strategic planning.[13] As an ever-present threat, strategic thought across all domains will need to continue to incorporate cyber components. Strategic deterrence is no exception.
Patrick Shanahan speaks about the Nuclear Posture Review at the Pentagon (Jacquelyn Martin/AP)

This increased focus on cyber over the last decade has occurred alongside a broader re-conceptualization of the scope of strategic deterrence. Between 2008 and 2012, U.S. Strategic Command’s framing of deterrence moved from one focused on weapons of mass destruction to a wider set of asymmetric threats. OPLAN 8010-08, “Global Deterrence and Strike,” focused primarily on deterring and defeating attacks by a discrete set of adversaries and preventing weapons of mass destruction attacks on U.S. vital interests.[14] OPLAN 8010-12, “Strategic Deterrence and Force Employment,” retained the focus on deterring a specific set of adversaries but highlighted new threats “including [weapons of mass destruction] and threats to space and cyberspace.”[15]

The re-conceptualization of strategic deterrence occurred in the midst of the Obama administration’s effort to reduce the role of nuclear weapons in U.S. deterrence and defense strategies, exemplified by Obama’s 2009 speech in Prague pledging to work toward denuclearization and the “Prague Nuclear Agenda.”[16] Obama reaffirmed the U.S. commitment to nuclear nonproliferation and pledged the U.S. to reduce its reliance on nuclear weapons. The 2010 Nuclear Posture Review reinforced these commitments and changes.[17] Though the 2010 Nuclear Posture Review primarily focused on increasing the roles of conventional presence and ballistic missile defense in deterrence, cyber capabilities also saw an expanded role. The 2010 Nuclear Posture Review (NPR) states that U.S. capabilities in space and cyberspace enable strategic deterrence by protecting U.S. assets.[18] This is the role OPLAN 8010-12 delineates for cyber capabilities throughout its six-stage operational plan.
President Obama describing his nuclear-free vision in Prague. (Brookings)

The six-phase operational planning construct is the previously dominant Department of Defense model for campaign planning.[19] It consists of the eponymous six phases: Phase 1 (Shape), Phase 2 (Deter), Phase 3 (Seize initiative), Phase 4 (Dominate), Phase 5 (Stabilize), and Phase 6 (Enable civil authority).[20] Both OPLAN 8010-08 and OPLAN 8010-12 use this construct to lay out strategic deterrence operations.

OPLAN 8010-08 placed cyber and information warfare as a means for shaping the environment in Phase 0, operations that would be built upon for deterrence in Phase 1.[21] Cyber capabilities retain this role in Phase 0 of OPLAN 8010-12 as a part of “steady state operations.”[22] However, Phases 1, 2, and 3 in OPLAN 8010-12 expand the role of cyber in deterrence. In Phase 1, USSTRATCOM protects infrastructure from any identified threats and mitigates the effects of cyberattacks.[23] This role carries on through Phase 2 and expands to include conducting offensive cyberspace operations in Phase 3.[24] This focus on protecting infrastructure mirrors the role of protecting U.S. assets to enable strategic deterrence outlined in the 2010 Nuclear Posture Review.

Cyber’s role in protecting infrastructure also illustrates a trend toward increased focus on nonmilitary capabilities between 2008 and 2012. For example, consider the center of gravity analysis in those plans. A center of gravity is defined as the “source of power that provides moral or physical strength, freedom of action, or will to act.”[25] As an analytic tool, identifying centers of gravity can find sources of strength and weakness.

OPLAN 8010-08 identifies political will, supported by military intelligence capabilities including “global situational awareness; command and control; forward presence; security cooperation and military integration and interoperability; force projection; active and passive defenses; and strategic communication” as the U.S. center of gravity.[26] OPLAN 8010-12 identifies a nominally similar center of gravity, national leadership and decision-makers, but identifies nonmilitary capabilities such as a viable market economy as critical capabilities.[27] As the conceptualization of strategic deterrence moved past a primarily nuclear one, the U.S. began to focus on the role of nonmilitary capabilities in deterrence and prioritize their protection.

This expanding definition of critical capabilities suggests another potential role for cyber. The abilities for leadership to receive accurate information and to understand the meaning of that information are also identified as critical capabilities in OPLAN 8010-12’s center of gravity analysis.[28] The current environment of disinformation and influence operations may mean countering these operations are or will be incorporated into the broader deterrence model as well, carving out a further role for cyber operations in strategic deterrence.

Over the past decade, the U.S. has moved away from a conceptualization of strategic deterrence as primarily the providence of nuclear strategy. This can be seen specifically through the incorporation of cyber, but, as the center of gravity analysis shows, this conceptual change stretches across economic, diplomatic, and military dimensions. The emphasis on the role of nuclear weapons may rise and fall with changing administrations, as comparing the 2010 Nuclear Posture Review to the Trump administration’s 2018 Review shows. The 2010 iteration begins by stating the U.S. commitment to reducing the role of nuclear weapons.[29] Conversely, the 2018 Nuclear Posture Review states that policies were “established amid a more benign nuclear environment” and focuses on the value and necessity of U.S. nuclear capabilities.[30] Despite this, the U.S. is unlikely to fully untangle strategic deterrence from its new, expanded conceptualization.
Over the past decade, the U.S. has moved away from a conceptualization of strategic deterrence as primarily the providence of nuclear strategy.

It will become increasingly difficult to untangle cyber deterrence from strategic deterrence. The 2018 Nuclear Posture Review included attacks on U.S. or allied nuclear forces, their command and control, or warning and attack assessment capabilities in significant non-nuclear strategic attacks that could provoke nuclear retaliation.[31] While inexplicit, this signals a U.S. willingness to defend key computer networks with nuclear capabilities. A pre-decisional draft of the 2018 Nuclear Posture Review outlined this more explicitly, stating a need for “limited and graduated options” to address non-nuclear strategic attacks, including cyber attacks, by Russia and China.[32] Though the language specifying the inclusion of cyber attacks was omitted from the final 2018 Nuclear Posture Review, it would have enforced cyber deterrence with nuclear capabilities and further blurred the line between the two strategies.
President Vladimir Putin and Chairman Xi Jinping. (Greg Baker/Reuters)

Given the increased role of the cyber domain in all operations, attempting to distinguish between cyber and strategic deterrence may become a futile exercise. It is becoming impossible for the Department of Defense to formulate strategy without considering and incorporating the role of cyber. Moving forward, this trend will force a further blurring of the lines between cyber and strategic deterrence. While deterrence may be an imperfect approach to preventing all types of cyber attacks, strategic deterrence can and must include a role for cyber.

No comments: