Most of the discussion and research about cyber deterrence, is based on many of the same assumptions that are the foundation of absolute-nuclear-deterrence. In the cyber domain absolute deterrence translates to trying to stop any cyberattack from happening at all. This methodology does not work in practice due to the ease of launching cyber attacks, the potential anonymity of the aggressor, and the difficulty of accessing the scale of cyber damage. This paper argues that this approach doesn’t accurately model the cyber domain, and is not only preventing cyber deterrence from evolving, but it also is a poor strategic tool in theory and practice. The paper describes a more accurate set of assumptions than absolute-nuclear-deterrence called restrictive-cumulative-deterrence.
Restrictive-cumulative-deterrence acknowledges that cyber attacks will occur, and instead of trying to stop them from happening it tries to limit them. It does this by repeatedly attacking an adversary in response to antagonistic behavior for long periods of time. The response can even be disproportionate to the actions received. The continuous application of force is a central component of this strategy that informs the “learning” process” between both parties. The end goal is for this is for the adversary to carry out attacks that are lesser in scale, in order that minimize the risk of retaliation. The paper goes into more detail about the nature of cyber security threats, describes the failures of absolute deterrence, and outlines the components of restrictive-cumulative-deterrence.
