A year ago, we published Deterrence by Denial, a highly acclaimed collection of essays that, according to Professor Jeffrey W. Knopf, “provides a long overdue exploration of deterrence by denial, which has always received less attention than deterrence by punishment.” The book, which assembles what Sir Lawrence Freedman calls a “stellar collection of contributors,” is and will continue to be a critical resource for students and scholars alike. To celebrate the anniversary of its publication, we’re publishing excerpts from each chapter. This is an excerpt from Chapter 8: “Can Denial Deter in Cyberspace?” by Professor Martin Libicki.
Good defenses can limit the damage from cyberattacks and facilitate recovery. They permit states to threaten cyberattacks with less fear of retaliation. The more hopeful case for good defenses is that they discourage others from attacking in the first place (sometimes known as deterrence by denial). But do they? The answer is complicated. First, it depends on the type of cyberattack at issue. Second, it depends whether it is the cyberattack being defeated or it is the effect that the cyberattack is trying to produce which is being denied. The argument is that the deterrence effect of defense is difficult to induce and discern, particularly in comparison to a contest in more traditional media. However, there seems to be more deterrence potential in denying to the attacker the effects being produced by the cyberattack. These principles apply across the gamut of cyberattacks. They apply with particular force to high-end cyberattacks carried out by one country against another country either against the latter’s critical infrastructure (strategic cyberwar) or against its fielded forces and their support systems (operational cyberwar).
This chapter first considers the direct deterrent effects of denial by discussing the distinction between discouraging investment in cyberattack capabilities versus discouraging the use of such capabilities: it is often difficult to predict how well cyberattacks may succeed until one actually invests in such capabilities to carry out a probe of the target system (which generally constitute most of the capabilities needed for an attack). The analysis focusses on canonical cyberattacks (those that work from penetration to subversion) but note that there are other cyberattacks (e.g., DDOS attacks). It then shifts from considering the attacker as a rational unitary actor to incorporate psychological issues and the relationship between hackers and their leaders. The latter half of the chapter pulls the lens back to examine the strategy of discouraging cyberattacks by defeating the attacker’s strategy, be it coercion or using cyberattacks to facilitate follow-up kinetic attacks.
Martin Libicki
Deterrence by Denial: Theory and Practice edited by Alex Wilner and Andreas Wegner is available in hardcover. It is also available in different ebook formats, which start at $19.99 to purchase and $9.99 to rent. Professors who wish to use this book along with others in the Rapid Communications in Conflict and Security Series for their classes should use the Cambria Book Cloud, which allows for the bundling of ebooks at only $9.99 per title for each student.