Deterrence Is Not a Credible Strategy for Cyberspace (and What Is)

“Over the past 20 years,” US policy around defense has been dominated by deterrence-based strategies, motivated by Cold War-like “restraint and reaction.” As the cyber domain became more important, the defense community initially adopted a similar posture; unfortunately, however, cyberspace has many “unique characteristics” and brings with it a different “strategic context.” In particular, cyberspace has no borders and does not respect the notion of “Westphalian sovereignty”; as such, existing norms for air, sea, and territorial warfare do not apply to the new domain. As an evolving and omnipresent landscape, cyberspace lends itself better to “persistent engagement” than deterrence; specifically, constant action is required from leader like the United States in order to maintain power in cyberspace.

USCYBERCOM similarly contends that constant activity in the cyber domain will result in enemies concentrating more on defense rather than offense. This activity would result in the “United States [becoming] an active participant in an ongoing agreed conflict,” resulting in both sides maintaining conflict at a level below active warfare. Such an agreement would not necessarily be explicitly stated but would necessarily result in both counterparts “accepting restrictions,” a key step toward developing cyber norms. In an environment where adversaries are constantly testing the US in cyberspace, “robust” conflict in cyberspace is necessary to preserve US interests and ensure future stability.