Caution in the Cyber Domain: Deterrence and Restraint in Cyberspace

“There are few more critical questions in the field of cyber security than the issue of how to prevent malicious cyber actions and the utility of deterrence in the cyber domain. For many, deterrence will protect us from an uncertain cyber future. Yet, the proliferation of scholars and academics conceptually stretching an age old or nuclear era concept to the new domain prevents the development of logics that might be more applicable and progressive in this transformative digital age. Put simply, cyber deterrence is logically problematic, empirically unsupported, and impractical to put into practice in cyberspace. The most powerful states in the world, conventionally or in terms of cyber power, are constantly attacked and probed, yet their capabilities do not deter the adversary given the conditions of the cyber framework. Building more powerful systems, making clear the threats and consequences of actions, or extending the threats to conventional actions will not save deterrence and make it work. Instead the concept of restraint offers a more viable perspective by which to understand cyber conflict dynamics and perhaps offers a better way to manage future interactions. This article explores the evolution of the concept, its application to the cyber domain, the problems with its implementation and logic, and the policy implications of our inability to move beyond the concept. By giving up the crutch of deterrence, strategists can finally focus on the important tasks required in the cyber domain – defenses, hygiene, understanding restraint dynamics, and shared norms and institutions that might make a cyber future a safe one.”