Is Cyber Deterrence Possible?

Protecting America in the cyber domain has become a more important issue as time has progressed. Since we rely so heavily on our networks for economic stability, national security, and military power, a breach of this network could have huge implications on the safety of the country. It is estimated that cyber espionage costs the US about 500,000 jobs and $100 billion every year. McKenzie claims that a cyber deterrence plan can help the US recover or prevent some of the damages that we suffer with the current system.

The paper discusses a major difficulty in cyber deterrence, one that wasn’t an issue with deterrence policies in the past, attribution. The problem is that in order to deter enemies from attacking a system, there needs to be some system in place to punish those who have attacked it. Without knowing the attacker’s identity, we cannot punish them. In the cyber domain, adversaries can easily spoof their location, making it appear as if they are locating somewhere else. This can fool the deterring party to believe the enemy is an entirely different state. Additionally, because of the anonymity of the internet, there is no way to associate a person’s real life identity to their online presence. There are many legal and political issues associated with attribution, as well as the technical issues that come with making it correct. Currently the US deals with these issues by using a variety of outside knowledge about a situation to determine the identity of an adversary. This is called all-source attribution. While this method may be accurate enough for internal usage, at some point we need to be able to publicly claim who the enemy is. Without doing so we cannot deter others from attempting to do the same. Additionally, there are problems with varying the response to different attacking parties. While we might threaten enemy states with military action, doing the same to in-state hacktivists seems to be an inappropriate response. At the same time, we have something less threatening than a government but more threatening than a hacktivist such as a terrorist organization. We have to find the correct level of response to each of these in order to have an effective deterrence plan. These are just a few of the problems we must address in order to maintain an effective cyber deterrence plan, which could stand to serve a huge economic benefit to the US.