Upholding the NATO cyber pledge
- Dr. Tim Stevens
Cyber Deterrence and Resilience: Dilemmas in NATO defence and security politics.
A secure cyberspace is crucial for the functioning of all NATO member countries in an ‘information age’ characterized by ubiquitous digital technologies. Our dependence on information technologies has resulted in new and hitherto unknown vulnerabilities being exploited by state and non-state actors on a daily basis. Offensive cyber operations are conducted not only for criminal or commercial gain, but have become an influential factor in international politics. The growing appeal of cyber operations to states and non-state political actors has seen their scale and sophistication increase, showing that cyberspace is becoming normalized as a global environment of competition. States and non-state actors contest cyberspace in pursuit of power and influence. Whilst it might be argued that the effects of cyber operations – subversion, sabotage, manipulation, theft, disinformation – are nothing new, the speed and volume of their deployment are unprecedented. Considerations of cybersecurity are therefore deeply intertwined with all 21st-century political and military conflict. As stated by NATO Secretary General Jens Stoltenberg, ‘most conflicts and crises these days have a cyber dimension’, and it is ‘very hard to imagine a military conflict today without a cyber dimension.’1
To ensure NATO keeps pace with the dynamic landscape of cyber threats, the NATO member-states in 2016 signed the NATO Cyber Defence Pledge.2 In this expression of mutual defence and Allied solidarity, the member-states reaffirmed their commitment to ‘enhance the cyber defences of national infrastructures and networks’ by developing ‘the fullest range of capabilities’ to defend them. This document is framed principally in terms of defence and resilience – the ability to ‘bounce back’ from offensive cyber operations and to maintain operational functionality. There is no mention of ‘deterrence’ in the Pledge but it is this concept – one that characterises most of Cold War and general defence thinking – that has resurfaced in subsequent NATO discussions about how to uphold the Pledge.
This NUPI Policy Brief clarifies the key concepts of traditional deterrence and then explores how these apply to cyber deterrence. It identifies a range of problems inherent to cyberspace itself and to the translation of existing deterrence models to this domain. It proposes a range of alternative and complementary approaches to deterrence that can assist in developing a new framework for conceptualizing NATO Alliance cyber deterrence. These will all require rethinking cyber deterrence as a condition of success or failure: cyber deterrence must be reframed as an ongoing process, utilizing national and Alliance resources from multiple domains as a means to establish deterrence and resilience.
‘Deterrence is the art of producing in the mind of the enemy [...] the fear to attack.’3 It is the ability to create a perception in the mind of adversaries that you have the capacity to impose upon them significant costs or to limit their possible gains, should they undertake offensive action against you. Deterrence is an inherently coercive component of strategy that involves ‘the potential or actual application of force to influence the action of a voluntary agent.’4 Unlike its coercive twin, compellence, which seeks to alter the course of action upon which an actor has already embarked, deterrence seeks to dissuade the actor from pursuing that behaviour in the first place. It does so by altering the actor’s cost-benefit assessments of the various strategic choices available. If an actor perceives that the expected utility of a given action is outweighed by the likely costs, it will be deterred from behaving in that fashion, thereby preserving the status quo.
Deterrence is contingent upon whether an adversary perceives a threat as credible and thus the threats made against it should be considered a psychological issue, not a technical one. This psychological aspect is illustrated by considering the difference between two types of deterrence: deterrence-by-punishment and deterrence-by-denial.5 Deterrence-by-punishmentrelies upon the credible threat that overwhelming retaliation will be meted out against an adversary should it attack. Deterrence-by-denial hinges on the defender’s ability to deny an attacker’s desired ends. The former is purely coercive, whilst denial also incorporates elements of control. Denial in this sense aims to control a situation sufficiently that the opponent is denied certain strategic options, rather than being coerced towards particular behaviours.6
As a model of strategic interaction deterrence was deemed successful during the Cold War, as the superpower relationship predicated on nuclear deterrence never entered a nuclear warfighting phase, despite periods of strategic tension and escalation. The apparent success of nuclear mutual deterrence has come to shape subsequent debates about the nature of deterrence and its applicability to other strategic domains. However, the offence-dominance of nuclear weapons is not replicated in environments like cyberspace, nor indeed when conventional weapons are involved. For instance, deterrence-by-denial may occasionally require the demonstration of conventional offensive capabilities to dissuade an attacker – surely not an option with nuclear weapons.7 The simplicity of nuclear deterrence is also sharply at odds with the complexity of other forms of deterrence, where myriad actors, intentions and technological capabilities co-exist in a matrix of competing forces and possibilities.8 Therefore, a viable model of cyber deterrence cannot be derived directly from nuclear deterrence theory and practice, although Cold War history may continue to provide useful insights into strategic state-level interactions.9
Moreover, it is unlikely that cyber deterrence can prevent all attacks by cyber means. Instead of conflict prevention in line with the nuclear deterrence model, any cyber deterrence posture must seek to shape the conflict space, rather than expecting to dominate it entirely. Many, perhaps even most, offensive cyber operations are not high-level national security threats, but may often be better characterized as criminal actions which require inter-agency and public-private responses, frequently of a non-military and transnational character. Like other forms of crime, these are difficult to deter, and states do so imperfectly.10 This is not to draw a distinct line between criminal and strategic cyberattacks where one does not exist, but it does recommend clarity in identifying what actions and processes constitute national security threats and which do not. This has significant implications for managing expectations and for resource allocation and, therefore, for how the efficacy of cyber deterrence should be assessed. Any cyber deterrence posture should be underwritten by the understanding that the cyberspace environment is one of ‘offence-persistence’.11 Attacks are frequent, numerous, ongoing, ambiguous and evolving. Cyber conflict is in other words the ‘new normalcy’ in cyberspace.12 Yet, strategic cyberattacks are far more difficult to prosecute than is commonly imagined, with the majority of cyber operations being low-level, tactical or criminal.13
Cyber deterrence has been the object of substantial military, policy and academic literature.14 Proposals for cyber deterrence regimes are beginning to crystallise around a set of key operational concepts and considerations. Most practitioners and scholars point to the ‘attribution problem’ as a key burden in cyber deterrence, arguing that challengers can disguise themselves and thereby obscure the sources of attack, meaning that defenders must invest great forensic efforts to discover them.15 It has long been recognised by NATO allies that, in order for cyber deterrence-by-punishment to be effective, this potential lack of a ‘return address’ confounds the ability to demonstrate a credible deterrence posture.16
Given this potential obstacle, and the persistence of offensive cyber operations, recent discussions and NATO documents argue for a new deterrence posture better aligned with deterrence-by-denial than with deterrence by punishment.17 This would aim to diminish the damage and disruption intended by adversaries and reduce their incentive to attack. Knowing we will be attacked, the idea is that the most important action is to build resilience, the ability to perform critical functions regardless of attacks launched. Success in this field would be underpinned by strong proactive and reactive defensive capabilities.18 Within NATO, this idea of resilience is increasingly seen as the corollary of deterrence and reassurance, and as part of a comprehensive security strategy for the Alliance.19 However, how such resilience would work, and what this means for deterrence, is unclear.
While attribution certainly complicates the ability to present a credible cyber deterrent, anonymity is not a priori characteristic of cyberspace. Moreover, attribution problems do not necessarily prevent deterrence success. While it can be difficult to trace the source of a cyberattack, the attribution problem is not unique to the cyber domain. Armed attacks, for instance, are often carried out anonymously.20 Forensic analyses might take time – although investigation cycles are accelerating with the involvement of private companies in attribution activities – but there are other ways of circumventing the supposed attribution problem.
Attribution is contextual and should not rely solely on technical considerations. Indeed, ‘attribution is a matter of interpretation.’21 It is a political challenge as much as a technical one; very often there are solid reasons for seeing a given actor as involved in a cyber operation, even in the absence of evidence that would meet some putative legal standard.22 This was clearly demonstrated in Congressional hearings on alleged Russian interference in the 2016 US presidential elections. When asked whether they believed that Russia was behind these operations, even in the absence of a ‘smoking gun’, all witnesses testified ‘yes.’23 This conclusion was reached by considering a range of political, technical and strategic factors, all and any of which may change over time.
The ‘attribution problem’ may therefore not represent such an encumbrance to deterrence as is commonly supposed, and we should not exclude traditional notions of deterrence-by-punishment from present considerations. However, some further comments are necessary on specific conceptualizations of deterrence that may have applications in the cyber domain.
In an offence-persistent environment, deterrence cannot be situated purely with reference to discrete events, like pre- or post-event deterrence actions. Nuclear deterrence and many aspects of conventional deterrence are contingent on singular events, usually acts of war or combat strikes that are uniquely located in space and time. This cannot be the case with cyber deterrence, where we must think in terms of ongoing processes instead of events, and which are distributed in time and space. Traditional notions of territoriality and temporality are not always applicable in the cyber domain.24 This means that cyber deterrence must also be identified in its trans-event dimension, in addition to its pre- and post-event aspects.
Sometimes called ‘self-deterrence’, deterrence by entanglement refers to the existence of various interdependencies that result in a successful attack simultaneously imposing serious costs on the attacker and the victim.25 This line of thinking regards cyberspace as a global commons – which would mean that all states have an interest in reaping its benefits and will restrain their actions accordingly. There is today no formal acceptance that cyberspace is such a global commons, which militates against the entanglement argument in some respects.26 However, the interconnectedness of cyberspace and the potential for cascading effects and unforeseen outcomes in the form of ‘blowback’ must be considered by any attacker, particularly those dependent on highly developed information infrastructures.27
As with nuclear weapons, it is not only the weapon that needs to be understood but also those who have access to these weapons. Deterrence becomes a question not only of technical capability to act but also of an actor’s motives and intentions to act, and the social, cultural and political factors that shape them.28 From a norms-based perspective, deterrence is a consequence, inter alia, of political considerations like the value of the target and the scale-dependent cost of exploitation and retaliation.29 The failure to employ cyber deterrence successfully is not determined by the technical challenges of cyberspace, but by how the effects of these challenges are mediated through social context(s) and norms.30 However, the utility of norm-based deterrence against non-state actors is limited, where the ability to communicate norms becomes restricted and normative reciprocity cannot be expected.
The cumulative deterrence paradigm does not unrealistically seek to prevent cyberattacks from ever occurring. Instead, it takes for granted the inevitability of acts of cyber aggression and strives to shape and limit them by attacking the rival repeatedly in response to specific behaviours over a long period, sometimes even disproportionally to its actions.31 Restrictive in nature rather than absolute, it perceives deterrence as a spectrum, not a dichotomous, binary state. It is concerned with degrees of deterrence, instead of simply assuming its total presence or absence. Importantly, it is inherently cross-domain, in that deterrence activities are not to be restricted to cyberspace alone: they must also involve kinetic operations, in addition to the levers of diplomatic and political influence. This framework also incorporates aspects of compellence, because it seeks not only to deter adversarial behaviours but to shape those already in play.
This policy brief has drawn attention to the need to reconceptualize NATO’s cyber deterrence thinking and posture. Traditional models of deterrence, drawn from the nuclear and conventional deterrence thinking of many decades’ standing, are inadequate for addressing the challenge of deterring cyber threats in the 21st century. The dynamism of the environment, the range of threats, the multiplicity of state and non-state actors, and the technical challenges of attribution – all require a reorientation of deterrence posture and practice. This reconceptualization must focus on cyberspace itself in an intensification of attention to its idiosyncrasies, but should also be open to a relaxation of orthodoxy in its incorporation of new outlooks and ideas, some of which may strain the established boundaries of deterrence theory.
A future NATO cyber deterrence regime will need to look beyond the military aspect and consider the context of adversarial decision-making in its social and political dimensions. It must also connect cyberspace operations with those in other domains of national and NATO power in a deliberately cross-domain framework. Deterrence should be understood as a cumulative process of ongoing offensive and defensive operations that repeatedly demonstrate intent and capability as a means of generating credibility. This includes elements of compellence, as well as deterrence. Deterrence and resilience should be seen as integral components of this process, with significant overlap between each. Indeed, resilience can work as a form of post-event deterrence-by-denial, which, if successful, may reduce adversaries’ cost-benefit analyses. Such a new framework for cyber deterrence will accept that cyberattacks will happen, recognizing that this is not necessarily a ‘deterrence failure’ but may represent an opportunity to learn and adapt.
A renewed commitment to cyber deterrence and resilience will help to uphold the NATO Cyber Defence Pledge, but it will require revising our conventional models. Deterrence must be rethought, from a Cold War relic to a modern, flexible and dynamic process of national and Alliance operations. Cyber deterrence is not a static binary state of success or failure – it involves a whole range of possibilities for shaping the conflict environment. In this policy brief, we have indicated some avenues for exploration and conceptual development.
 Jens Stoltenberg (2016) Press conference following the North Atlantic Council meeting at the level of NATO Defence Ministers, 14 June. Available at http://www.nato.int/cps/en/natohq/opinions_132349.htm?selectedLocale=en[accessed 8 May 2017].
 NATO (2016) Cyber Defence Pledge, 8 July. Available at http://www.nato.int/cps/en/natohq/official_texts_133177.htm [accessed 8 May 2017].
 Joseph S. Nye, Jr. (2011) Nuclear lessons for cyber security? Strategic Studies Quarterly 5(4):18–38; Joseph S. Nye, Jr. (2013) From bombs to bytes: Can our nuclear history inform our cyber future? Bulletin of the Atomic Scientists 69(5): 8–14.
 For reviews, see: Tim Stevens (2012) A cyberwar of ideas? Deterrence and norms in cyberspace. Contemporary Security Policy 33(1): 148–170; Amir Lupovici (2014) The ‘attribution problem’ and the social construction of ‘violence’: Taking cyber deterrence literature a step forward. International Studies Perspectives 17(3): 322–342; Uri Tor (2017) ‘Cumulative deterrence’ as a new paradigm of cyber deterrence. Journal of Strategic Studies 40(1–2): 92–117.
 Jon Lindsay (2015) Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack. Journal of Cybersecurity 1(1): 53–67; Lucas Kello (2013) The meaning of the cyber revolution: Perils to theory and statecraft. International Security 38(2): 33; Lupovici, The ‘attribution problem’, 8.
 Marios P. Efthymiopoulos (2016) NATO Smart Defense and Cyber Resilience: A Methodological Approach to Adapting to Emerging Challenges. Fletcher School of Law and Diplomacy working paper 1/2016. Available at http://fletcher.tufts.edu/~/media/Fletcher/Microsites/Karamanlis%20Chair/PDFs/Karamanlis_WP_May_2016.pdf [accessed 8 May 2017]; Jamie Shea (2016) Resilience: a core element of collective defence. NATO Review. Available at: http://www.nato.int/docu/Review/2016/Also-in-2016/nato-defence-cyber-resilience/EN/index.htmhtm [accessed 8 May 2017] ; Kęstutis Paulauskas (2016) On Deterrence. Nato review. Available at http://www.nato.int/docu/Review/2016/Also-in-2016/nato-deterrence-defence-alliance/EN/index.htm [accessed 10 May 2017] ; Jason Healey and Leendert van Bochoven (2012) NATO’s Cyber Capabilities: Yesterday, Today, and Tomorrow. Smarter alliance initative, issuebreif, Atlantic Council Available at https://www.files.ethz.ch/isn/169072/022712_ACUS_NATOSmarter_IBM.pdf [accessed 10 May 2017]; Piret Pernik & Tomas Jermalavičius (2017) Resilience as Part of NATO’s Strategy: Deterrence by Denial and Cyber Defense. Forward Resilience: Protecting Society in an Interconnected World, Center for Transatlantic Relations, John Hopkins School of International Affairs
 David J. Betz and Tim Stevens (2011) Cyberspace and the State: Toward a Strategy for Cyber-Power. London: Routledge for the International Institute for Strategic Studies, pp. 94–95; Thomas Rid and Ben Buchanan (2015) Attributing cyber attacks. Journal of Strategic Studies 38(1–2): 4–37.
 Max Smeets (2017) A matter of time: On the transitory nature of cyberweapons. Journal of Strategic Studies, DOI: 10.1080/01402390.2017.1288107; see also Tim Stevens (2016) Cyber Security and the Politics of Time. Cambridge University Press.
 Nye, Deterrence and dissuasion, 58–60; Schuyler Foerster (2012) Strategies of deterrence. In: Scott Jasper, ed., Conflict and Cooperation in the Global Commons: A Comprehensive Approach for International Security. Washington, DC: Georgetown University Press, pp. 64–65.