During the Cold War, the concept of ‘mutually assured destruction’ explained the notion that a nuclear attack from one superpower would be met with retaliation from another. Because of the high cost of complete annihilation of both the attacker and defender, it deters superpowers from launching a nuclear strike.
The concept describes the deterrence of conventional warfare. Can the same principle be used in cyberspace?
- Deterrence means dissuading someone from doing something by making them believe that the costs to them will exceed their expected benefit
- Four major mechanisms prevent adverse behaviour in cyberspace: the threat of punishment, denial by defence, entanglement, and normative taboos
- Deterrence by denial: better cybersecurity will decrease the probability of a successful attack
- Deterrence by punishment: seeks to discourage an adversary from attacking because of retaliatory punishment
- Deterrence by entanglement: making an actor perceive that the costs (e.g., economic) far exceed the benefits because of mutual interdependencies
- Normative taboos: focuses on the creation of norms and rules for state behaviour in cyberspace
- None of these approaches work in isolation but together make it possible to minimise the likelihood of harmful attacks. Unlike the case of nuclear missiles which aims to prevent attack, the objective of cyber deterrence is to lessen the effects of attack.
- Many nation-states have made it clear that deterrence is not limited to the cyber realm, and cyber attacks could have physical consequences, “proportional to the damage that has been done”, which can range from “naming and shaming, economic sanctions and kinetic strikes”
- Punishment is possible against both states and criminals. However, when an attacker cannot be readily identified, the deterrent effect of punishment is less effective.
Why does this matter for businesses?
- Russia is believed to have supported criminals in carrying out strategic, pre-positioned supply chain attacks in the past. These attacks aren’t confined to other nation-states and can affect global supply chains – as can be seen in previous examples such as SolarWinds and NotPetya
- Understanding how deterrence in cyberspace works may help make sense of the actions and rhetoric around the current Ukraine - Russia tension
- Some mechanisms of deterrence may be instructive for how to prevent attacks, not through technical means but through denial, punishment, entanglement, or norms