Does cyber deterrence work?

The Australian government has made a public display of announcing its capacity and intent to use cyber operations as a tool of foreign policy. First, as part of the 2016 cybersecurity strategy, Prime Minister Turnbull announced the use of “offensive cyber capabilities” to enforce the international rule of law. Then he acknowledged a “cyber” component to Australian and coalition efforts against the Islamic State. And earlier this month Foreign Minister Julie Bishop put cyber operations at the heart of her strategy for international cyber engagement by reminding the international community of Australia’s ability to use offensive cyber capabilities to attack adversaries.

It appears that these statements fit into an emerging Australian cyber-deterrence strategy. The presumed goal of such a deterrence strategy is to demonstrate capability and willingness to use force as a way of deterring adversarial actions. That is why we have seen an announcement of the capability by the prime minister, as well as a justification under international law, followed by the deployment of capabilities in the context of an authorised military action against a non-state adversary. In this context, the foreign minister’s statements could be seen as a follow-on and reminder to other potential adversaries.

Earlier this month Foreign Minister Julie Bishop put cyber operations at the heart of her strategy for international cyber engagement by reminding the international community of Australia’s ability to use offensive cyber capabilities to attack adversaries.

As the government crafts a policy of cyber deterrence as part of its broader cyber strategy, it is worth examining the efficacy of such an approach. After all, what is the value in attempting to deter activity that is objectively growing in scale? What are the levers of deterrence?

Examples of deterrence in other domains do not so neatly fit for the cyber realm. Broadly in nuclear deterrence, attacks are deterred by the promise of proportionate and in-kind counter-attack. It’s how we get to the theory of Mutually Assured Destruction. While this has allowed strategic stability to be achieved among nuclear powers, cyber operations do not present as clear a deterrent. Whereas nuclear capabilities have a predictable and severe impact, cyber operations exist upon a scale of severity, effect and are difficult to publicly demonstrate as well as maintain.

Attribution and even awareness that an attack has taken place (especially against critical infrastructure) is a persistent challenge for governments, and limits the ability to signal intent among states.

However the cyber capabilities of states do not exist within a vacuum. Other levers of state power like economic sanctions, law enforcement and diplomatic repercussions can be effective tools in responding to and deterring cyber attacks. Over the past several years the United States has been experimenting with such tools, in some cases attempting to leverage its economic weight and norm-setting powers to signal deterrence and intent to foreign actors attacking its corporate sector, conducting economic espionage and subverting its elections.

The cyber capabilities of states do not exist within a vacuum. Other levers of state power like economic sanctions, law enforcement and diplomatic repercussions can be effective tools in responding to and deterring cyber attacks.

One such example in the law enforcement realm was the indictment of five Chinese People’s Liberation Army (PLA) officers in 2014. The five Chinese officers were part of Unit 61398, a PLA military cyber unit engaged in large-scale hacking of US commercial firms, including Westinghouse and US steel companies. The criminal charges issued by the Department of Justice were the first issued against state actors for illegal cyber activities and came in the lead-up to a bilateral summit between President Xi and President Obama in Sunnylands, California. There is some evidence that the charges – and the signal from the United States that it intended to ‘name and shame’ suspected cyber actors from China – contributed to an agreement announced by President Xi and President Obama the following year.

Another example of state tools being used to respond to cyber attacks was the 2016 election. After a period of cyber-enabled information operations and activity orchestrated by Russia in the lead-up to the 2016 US presidential election, part of President Obama’s response was to personally ‘warn’ President Putin off from interfering in the election. After little progress, the United States escalated the diplomatic consequences by expelling Russian “intelligence operatives”, closing down several Russian compounds on US soil and imposing sanctions on Russian intelligence agencies and individuals associated with the hacking. Vice President Biden warned of additional covert cyber operations against the Russians. The impact of these actions and warnings should be questioned as Russian cyber hostilities against the United States. and its allies appear to expand.

Nonetheless, these examples demonstrate the range of tools and capabilities states possess that can impose costs and signal intent. The very nature of cyber capabilities, where the time and access actors have is continually shifting, suggests proportional response within the cyber domain may not be possible in every instance or can even be maintained against the growing range of actors. Strict deterrence through the use of cyber force may be unrealistic and even undesirable, whereas an approach of de-escalation based upon the deployment of the many tools of statecraft could be a more effective approach.

AUKUS inflection point: Building the ecosystem for workforce development

What does ‘economic security’ mean to Australia in 2024?

Bolstering the Quad: The case for a collective approach to maritime security

One year from the 2024 US presidential election: The stakes for Australia and the alliance

Does cyber deterrence work?

Commentary by