Embed Size (px)
Citation preview
Caleb Ziolkowski
What are the principle challenges to the development of deterrence in the cyberdomain?
Introduction
Cyber deterrence, building off of Robert L.
Pfaltzgraff, Jr.’s definition of deterrence, is “[t]he
ability to prevent someone from doing something they want to
do"1 in the cyber domain. Opinions on the difficulty and
means of achieving effective cyber deterrence vary widely.
Some, like Martin Libicki, find it painstaking and
incredibly different from traditional deterrence. Libicki
writes:
All this might lead to the belief that the historic constructs of war—force, offense, defense, deterrence—can be applied to cyberspace with little modification. Not so. Instead, cyberspace must be understood in its own terms, and policy decisions being made for these and other new commands must reflect such understanding.Attempts to transfer policy constructs from other formsof warfare will not only fail but also hinder policy planning.2
1 Robert L. Pfaltzgraff, Jr., “Conflict, War, and DeterrenceTheories: Part II,” a lecture delivered at Tufts University,December 12, 2013.2 Martin Libicki, Cyberdeterrence and Cyberwar, (Santa Monica, CA: RAND, 2009), xiii.
On the other hand, some, like Will Goodman, think that a
theoretical excavation of cyber deterrence can lead to an
over exaggeration of the complexity of the task at hand.
Goodman writes, "While deterrence in cyberspace does pose
challenges…[it] remains inextricably linked to the
geopolitics of the physical world. As a consequence, cyber
deterrence turns out to be simpler in real life than it
appears to be in many theoretical models."3 The question
remains. How difficult is it? Certainly, as Goodman
concedes, theoretically cyber deterrence is chock full of
thorny problems.
A list of the main ones includes: identifying the
source of the attack, known as attribution; ensuring
credibility in a domain where guaranteed responses are
difficult; the speed of change in the cyber domain,
especially with an eye to legislation; delineating the
public and private spheres’ respective responsibilities;
public and private cooperation; balancing civil liberties
with public sector control; ambiguity for those attacking 3 Will Goodman, “Cyber Deterrence: Tougher in Theory than inPractice?,” Strategic Quarterly, Fall 2010, 105.
and those attempting to deter or defend; and deficiencies in
the existing domestic and legal frameworks. The traditional
challenges to deterrence, in addition to these more cyber-
specific challenges, must also be considered. These
challenges appear so daunting that some experts recommend
exhausting other options before depending on deterrence.4
Looking in more detail at these challenges will help us
reach some tentative conclusions about the role and
potential of deterrence in the cyber domain.
In analyzing this issue of cyber deterrence it will be
helpful to run through the different levels of analysis to
organize the inquiry. The investigation will begin with the
international system level and then move to the didactic
level—this level focuses “on the nature of pairs of states
(dyads), that is, their mutual or shared characteristics,
and the interaction between these pairs of states.”5 Then 4 "Before contemplating deterrence as its primary response to the threat of state-sponsored cyberattacks, the United States may first want to exhaust other approaches, such as diplomatic, economic, and prosecutorial means." Libicki, Cyberdeterrence and Cyberwar, 176-7.5 Greg Cashman, What Causes War?: An Introduction to Theories of International Conflict (Kindle Edition: Rowman & Littlefield Publishers, 2013), kindle locations 7836-7837.
the unit level will be examined followed by the group and
individual levels.
International System Level
If traditionally the international system level has
been seen primarily as a state of anarchy, the cyber domain
can only be seen as more anarchic. At least partially due
to its novelty, many of the norms and laws established in
other domains are nascent or nonexistent. Unlike
traditional forms of conflict, there are widely diverging
opinions as to what actually constitutes cyber attack, cyber
crime, and cyber warfare.6 The realist assertion of anarchy
certainly is apt for this domain.
Two important caveats, however, merit attention. The
realist assertion—shared by virtually all realist schools—
that states are the primary actor appears, if not invalid,
severely weakened in this domain. Often super-empowered
individuals are cited as representing significant actors:7
6 Oona Hathaway et. al., “The Law of Cyber Attack,” (California Law Review, Vol. 100, No. 4, 2012), 819-22.7 Goodman, “Cyber Deterrence,” 10.
more on this below. Second, while international relations
may be a club from which one cannot withdraw,8 the same
cannot be said of the cyber domain—at least not to the same
degree. Individuals, corporations, and states ultimately
have a lot of control over the size of their cyber
presence.9 These represent two important differences in the
cyber realm.
At the international system level—to bring in something
of more concern to neoliberal institutionalists and
neoclassical realists—the current legal framework deserves
analysis. This framework is fragmentary. There is no
overarching coherence.10 More seriously, there is no agreed
upon definition for cyber aggression, as noted above. The
law of war—jus in bello and jus ad bellum—applies to only a “small
slice of the full range of cyber-attacks”11 and poses
difficulties in implementation.12 As far as legal regimes
8 Robert L. Pfaltzgraff, Jr., “Paradigms, Theories, and Levels of Analysis,” a lecture delivered at Tufts University, September 12, 2013.9 Libicki, Cyberdeterrence and Cyberwar, xiii.10 Hathaway et. al., “The Law of Cyber Attack,” 819.11 Ibid., 844.12 Ibid., 855-6.
that in some way directly address cyber-attacks—the UN,
NATO, the Council of Europe, the Organization of American
States, and the Shanghai Cooperation Organization—while
having showed interest in addressing cyber attacks, “these
efforts have fallen short of establishing a rigorous legal
framework that can effectively govern all cyber-attacks.”13
Another potential framework, that of international regimes
that indirectly regulate cyber attacks—such as the
international law governing telecommunications, aviation,
space, and the law of sea—likewise fails to address all but
a “small number of harmful cyber-attacks.”14 The lack of
effective law in the cyber domain adds to anarchy.
Didactic Level
Moving from the international systemic level to the
didactic level of analysis, where deterrence has
traditionally been analyzed,15 attribution possibly the most
cited difficulty in effective cyber deterrence. Martin
13 Ibid., 867.14 Ibid., 874.15 Cashman, What Causes War, kindle location 11118.
Libicki highlights some of these difficulties when he writes
that identifying an attacker poses tremendous difficulty
because (1) the attacker may simply say, "who, me?,” (2)
"mistaken attribution makes new enemies, and (3)...neutral
observers need to be convinced that retaliation is not
aggression."16 This all stems from the fact that, unlike
most conventional aggression, it can be very challenging to
identify the source of the attack. Routing a cyber attack
through the ip address of some third-party—ignorant of even
the existence of the attack—is not only quite easy for cyber
aggressors to accomplish but also quite difficult for a
would-be deterrer to trace back to its source.
Will Goodman pushes back against the idea that
attribution is as hard as many people intimate.
International cooperation can make this possible. But what
if another state does not cooperate? “In such instances,
victim states can, based on mutual legal aid agreements or
the inherent right to self defense, assign responsibility
for the attack to the non-cooperating state."17 An 16 Libicki, Cyberdeterrence and Cyberwar, xvi.17 Goodman, “Cyber Deterrence,” 10.
interesting case study that is often brought up in
discussions of attribution is Estonia. Many, Libicki
included, highlight the attack in 2007 as evidence of the
impossibility of attribution in the cyber domain.18
Goodman, rightly, says it is actually an example of how
attribution is not as difficult as many imply. He points
out that Russia failed to cooperate in helping Estonia even
though the two countries had a legal aid agreement.19
Therefore “[i]nternational law provides a basis for
assigning the culpability of the attacks to Russia even if
Russia did not officially direct them.”20
The problem, then, is not attribution in the case of
Estonia. It is a problem of geopolitical asymmetry. What
can Estonia do with aggression from Russia? Its most
feasible option, and the one it pursued, was to seek help
from NATO and establish the NATO Cooperative Cyber Defense
Centre of Excellence.21 The case of Estonia is, contrary to
what some posit, actually a good example of how attribution 18 Libicki, Cyberdeterrence and Cyberwar, 2-3.19 Goodman, “Cyber Deterrence,” 113.20 Ibid.21 Ibid., 114.
is often not the roadblock to deterrence in the cyber
domain. Geopolitical concerns can trump it. Some
attribution cases may be more difficult, though.22
An important point regarding international cooperation,
one that Goodman himself mentions, is that quid pro quos are
involved. If, say, the United States wants other countries
to aid cyber related investigations by sharing information,
then U.S. security agencies must be willing to help others
by opening up their systems as well. One may question
whether the FBI or other agencies are ready for such a
thing.23
There is one more part of attribution that must be
discussed: super-empowerment. Goodman admits that super-
empowered individuals appear impossible to deter, but
insists that since geopolitics and the cyber domain are
inextricably connected, and that the state is “supreme,” it
is less daunting. Putting pressure on the state from which
individuals base their attacks should reduce the problem,
22 Ralph Langner, “Stuxnet's Secret Twin,” Foreign Policy, November 19, 2013.23 Goodman, Will, “Cyber Deterrence,” 122.
provided a favorable balance of geopolitical power. 24 The
validity of this assertion may be questioned. First, there
are times when other countries have been blamed only to find
out later that the attack was actually domestic in origin.
An example comes from February 1998 when two California
teens along with an Israeli hacked unclassified Department
of Defense networks; initially Iraqis were suspected. The
notion that states are completely “supreme” in their
domestic cyber domain seems at least partially at odds with
the initial false attribution.
Another example that could cast doubts on state control
of the cyber domain comes from China. China, frequently
thought of as one of the main culprits of cyber attacks, not
only suffers a great deal of foreign-originated cybercrime
itself, but also “data triangulation from multiple sources
indicates domestically originated attacks are no less
severe.”25 China seems to have problems controlling its
domestic cyber domain. Are there states that are simply not
24 Ibid., 112.25 Nir Kshetri, “Cyber-Victimization and Cybersecurity in China,” Communications of the ACM, Vol. 56 No. 4, 35-37.
“supreme” in their cyber domains? In defining a state Max
Weber says it is a "human community that (successfully)
claims the monopoly of the legitimate use of physical force within a
given territory."26 When considering cyber, have all states
“successfully” made this claim in the cyber domain? Is it
possible to have failed states in a single domain, where
super-empowered individuals easily evade the state’s wishes
and use force against domestic and international targets,
including foreign states? If this is the case, is it
realistic to expect a country like China—obsessed with
portraying the image of controlling its domestic affairs—to
admit that the state is not in complete control? Do all
countries control their cyber domain in the same way they
monopolize force, as Weber’s definition requires? Failed
states have proved fertile ground for terrorism. This could
be true for states failing in the cyber domain. These are
serious questions representing grave challenges in the cyber
domain.
26 Max Weber, “Politics as a Vocation,” Essays in Sociology, pp. 77-128 (New York: Oxford University Press, 1946), 78.
Yet, in spite of these concerns, Will Goodman’s
argument that geopolitics and the power of states—which will
likely grow in the cyber domain as time goes by to
compliment their dominance in other domains—to control
groups and individuals within their boarders certainly makes
issues of attribution less daunting than many portray them
to be. Many cases with super-empowered individuals will
also involve states that do exercise enough control to
warrant some of Goodman’s optimism. It is important to
remember, conversely, that in Goodman’s analysis—while
attribution becomes less of a challenge—achieving
geopolitical symmetry becomes essential. 27 This is not
feasible for many states.
As far as attribution is concerned, at this point in
time there are certainly some serious difficulties for
deterrence, including issues of super-empowered individuals
and a lack of a desire for cooperation between national
security agencies. It must be remembered, however, that in
the cyber domain major technological change can come
27 Goodman, “Cyber Deterrence,” 109-10.
quickly. Current technological difficulties in attribution
may be of minor significance in the near future.28
Another topic that bridges the international system
level and the didactic level is the ambiguity that pervades
cyber aggression. Martin Libicki notes, "No one knows how
destructive any one strategic cyber war attack would be."29
One of the things that theoretically made nuclear deterrence
so effective was “assurance;” in the case of nuclear weapons
and U.S.-Soviet relations, this meant the guarantee of
mutual destruction. In the cyber domain, however, attackers
can only guess as to how their attack will work. Imagine,
for instance, one state simply wants to test another state’s
cyber defenses but ends up bringing down critical systems.
It is highly likely the attacked state will assume that
inflicting severe damage was the original intent and respond
accordingly. If they attempt to respond in the cyber-
28 Stuart Baker, “The Attribution Revolution: A five-point plan to cripple foreign cyberattacks on the United States,” http://www.foreignpolicy.com/articles/2013/06/17/the_attribution_revolution_plan_to_stop_cyber_attacks#sthash.egfHQvkT.dpuf29 Libicki, Cyberdeterrence and Cyberwar, xv.
domain, however, they too will have to try to account for
the unpredictability of cyber. A calculation of
effectiveness for a cyber attack is far more difficult than
for a conventional attack. Another related issue is that
cyber attacks quickly lose efficacy. “Attacking and
retaliation in cyber both have the problem of subsequent
attacks (using similar methods) being less effective.”30
It is clear, with all this ambiguity, that there is
plenty of room for misunderstanding. It is not clear,
however, if this difficulty of predicting the results of an
attack makes deterrence more difficult. For one thing, it
likely makes cyber at best a supplement for conventional
attacks—it is not dependable enough to be an integral part
of a vital operation.31 There are arguments that even an
operation like Stuxnet, which captured the imagination of
analysts because of the amazing reach of cyber power, was
really the result of a failure of the real program and
represented only a temporary setback for Iran.32 This
30 Libicki, Cyberdeterrence and Cyberwar, xvii.31 Ibid., xx.32 Langner, “Stuxnet's Secret Twin.”
uncertainty in cyber efficacy brings to mind Robert Osgood,
who argued, “up to a point, the element of uncertainty in
nuclear deterrence...may contribute to caution and
restraint.”33 Like Osgood warns, however, too much hope
should not be put in this uncertainty.
Another challenge at the didactic level is credibility.
Greg Cashman writes, “[T]he central problem in deterrence
theory is how to make threats credible.” 34 This can be very
challenging in the cyber domain. Thomas Schelling's method
of solving the credibility problem was the fear of things
getting out of hand.35 This seems difficult to apply to the
cyber domain. The idea that a rational state would be
willing to go to full-scale war over a relatively mild
cyber-attack would leave many potential cyber aggressors
incredulous.
Goodman says that, traditionally, credible deterrent
declarations depend on certainty, severity, and immediacy.36
33 James E. Dougherty and Robert L. Pfaltzgraff, Jr., Contending Theories of International Relations, 356.34 Cashman, What Causes War?, kindle locations 11339-11341.35 Dougherty and Pfaltzgraff, Contending Theories of International Relations, 359.36 Goodman, “Cyber Deterrence,” 107.
The immediacy component seems especially difficult—even if
attribution can be accomplished, doing so requires time.
Likewise, as pointed out above, an overly severe threat may
actually render the threat less credible in cyber space.
Goodman, however, holds that immediacy and severity are not
as important in this domain. Cyber attacks are usually not
nearly as grave as nuclear attacks or even most conventional
attacks; the response to a cyber attack should be
commensurate.37 Likewise, the necessity of immediacy was
based on the premise that in a nuclear war the counterattack
must happen before all the capabilities to counter are
destroyed or disabled. In the cyber domain, this level of
destruction—such that it wipes out all counter-attacking
capabilities—is highly unlikely. Therefore, the requirement
of credibility for the cyber domain is only based on
certainty, according to Goodman.38 This brings us back to
the centrality of attribution. If adequate time will result
correct attribution, the credibility of a deterrent
declaration seems more tenable. Libicki, as mentioned 37 Ibid., 108.38 Ibid.
above, does note that, if attribution drags on too long, it
could be difficult to convince neutral observers “that
retaliation is not aggression.”39 This, however, seems
manageable.
The didactic level can, theoretically, be seen as
containing cyber deterrence challenges so intractable as to
be prohibitive. Yet, some of the thorniest issues, such as
attribution and credibility, when looked at from the lens of
geopolitics, appear less daunting—as long as a state enjoys
at least geopolitical symmetry with those states it hopes to
deter.
Unit Level
The unit level, and differences between states, has the
potential to greatly affect the way different states respond
to the demands of the cyber domain. For the purpose of this
paper focus will mostly be given to the U.S. domestic
situation, but a comprehensive study of myriad countries
would surely be fruitful.
39 Libicki, Cyberdeterrence and Cyberwar, xvi.
Moving to the unit level of analysis but returning to
the topic of law as a potential framework for dealing with
cyber attacks and cyber crime, U.S. domestic law provides
some insight into how the unit level affects states’
behavior in the cyber domain. Domestic law, given the
limited applicability of international frameworks, often
represents the best option for such a framework. Indeed,
domestic criminal law is an “important tool for combating
cyber attacks, including those that cross international
borders.”40 The main drawbacks, however, include the lack
of updates to meet the modern challenges of cyber attack and
the severe limits of due to a dearth of extraterritorial
reach.41 At the unit level, like the international level,
many states, like the United States, do not have a suitable
domestic legal framework to address most foreign-based cyber
attacks; domestic legal reform is an important challenge in
cyber deterrence.
The rate of innovation was mentioned earlier as a
potential boon to attribution efforts; it can also pose 40 Hathaway et. al., “The Law of Cyber Attack,” 883.41 Ibid.
unique challenges. There are serious questions about the
ability of legislation and Washington to keep pace with
these changes. Paul Rosenzweig notes that some people
“argue that the pace of threats on the Internet is so swift
that the designation and demand for compliance structure
adopted by the legislative proposal would, inevitably, be
too far behind in addressing actual threats."42 Beyond
simply getting the legal machine to move quickly enough,
there are legitimate concerns over the ability of national
leaders to anticipate important changes and trends in this
domain. As the Center for Strategic and International
Studies Commission on Cyber Security said, "Devising a
national strategy [for cyber] has proved to be difficult for
many reasons, the most important of which has been the pace
and direction of change in the international environment
exceeded our expectations and our ability to predict the
direction that change would take."43 Any talk of effective
42 Paul Rosenzweig, “The Internet ‘Kill Switch’ Debate,” Lawfare, February 2, 2012.43 Center for Strategic and International Studies Commissionon Cybersecurity, “Rebuilding Public Private Partnerships,” 12.
cyber deterrence must come to grips with the adaptability
and agility that such a policy must exhibit.
Delineating the responsibilities of the public sector
and private sector at the unit level also merits
consideration. Some clamor for more government guidance and
involvement. However, hasty reactions should be avoided.
The private sector is just as interested in eliminating
cyber attacks and cyber crime as the government is; power
companies do not want to see the grid down any more than the
government does.44 Only when two conditions are met should
presidential direction be necessary, according to
Rosenzweig. First, when the government has information the
private sector lacks and, second, when “the private sector
won’t voluntarily act on the government’s knowledge if the
government shares it.”45 The Center for Strategic and
International Studies sees the need for government
involvement and potential direction limited to only critical
infrastructures. They write,
44 Rosenzweig, “The Internet ‘Kill Switch’ Debate.”45 Ibid.
To focus the defense of cyberspace, we have identified four critical cyber infrastructures: energy, finance, the converging information technology and communications sectors, and government services...thesecritical cyber sectors are large, interconnected national networks that are the most vulnerable to broaddisruption by cyber attack.46
A melding of these two recommendations seems to provide a
reasonable way forward. Government intervention should be
limited to simply sharing information lacking in the private
sector. More active direction is needed only when there is
a threat to critical infrastructure and there are concerns
that the private sector cannot or will not take appropriate
action even if they have the pertinent information.
Along the same vein, the traditional relationship and
cooperation between the public and private sector matters
greatly.
Securing cyberspace requires government and the privatesector to work together. The private sector designs, deploys, and maintains much of the nation's critical infrastructure...cyberspace cannot be secured by the government alone. There is a bifurcation of responsibility."47
46 Center for Strategic and International Studies Commissionon Cybersecurity, “Rebuilding Public Private Partnerships,” 44-5.47 Ibid., 43.
Given the gravity of this relationship, differences between
states at the unit level—otherwise known as intervening
variables—will matter, as a neoclassical realist would
readily assert. As noted by President Toomas Hendrik Ilves
of Estonia speaking at Fletcher in September, some countries
have very “robust” public-private partnerships.48 These
countries do not run into nearly as many difficulties with
cooperation between the public and private sector—a fact
that can be leveraged to nefarious ends if desired.49
Others have a tradition of separation where private firms
often prefer to simply absorb losses than risk damage to
their reputation and share prices.50 This reticence results
in a lack of communication and obfuscation of the severity
of cyber-aggression. It is quite clear that a very close
private-public relationship has its benefits in cyber space
and states with a tradition of separation are finding their
current systems in need of adapting. 48 Toomas Hendrik Ilves, “What Keeps Me Awake at Night: Worries and Challenges for a Small European Ally,” speech delivered at Tufts University, October 9, 2013.49 Ibid.50 Amitai Etzioni, “Cybersecurity in the Private Sector,” Issues in Science and Technology, Fall 2011, 58-62.
This adaptation is not without its difficulties. The
frequent changing and reshuffling of personnel on the
government side of the equation wears away at the trust
between these two sectors. "Large, diffuse groups with a
floating population are not conducive to building trust.
Trust is also damaged when senior officials from government
agencies do not cultivate it and when government plans and
processes are opaque or inadequate."51 Further, there is a
lack of a clear vision for what must be accomplished and no
“articulated strategic initiative to guide private-sector
efforts.”52 To round off the difficulties countries like
the United States face in coordinating the private and
public sectors, the government feels it must share
information with everyone or no one—there is no middle
ground—and “there are the usual issues related to a
fragmented government that does not speak with a single
voice or act as a unified entity."53 Will Goodman makes the
51 Center for Strategic and International Studies Commissionon Cybersecurity, “Rebuilding Public Private Partnerships,” 45.52 Ibid.53 Ibid.
argument that tying cyber security to the pragmatism of
geopolitics can resolve many theoretical problems. When
examining public-private cooperation, however, it becomes
clear that sometimes practice has serious problems that most
theories fail to predict.
Continuing the unit level analysis and delving further
into the public-private relationship, concerns over civil
liberties adds more difficulty. In the United States,
companies are afraid to cooperate, in some cases, because of
the questioned legality of sharing private information.
When laws have been proposed to give them indemnity in such
situations, they have been killed in the legislature.
Whenever the topic [of cybersecurity] is raised, alarmssound from both sides of the political aisle. On one side, the intelligence community stresses that protection from cybersecurity threats is essential to national security, even if some personal liberties are sacrificed. On the other side, adamant proponents of personal privacy online seem to view themselves as someincarnation of Cassandra, announcing prophecies of the demise of privacy that fall on deaf ears.54
54 Carol M. Hayes and Kesan, Jay P., “At War Over CISPA: Towards a Reasonable Balance between Privacy and Security” (August 1, 2012). Illinois Public Law Research Paper No. 13-03; Illinois Program in Law, Behavior and Social Science Paper No. LBSS13-04. Available at SSRN: http://ssrn.com/abstract=2135618 or
Neo-classical realists would be quick to point out this
intervening variable. The foreign policy that the U.S.
government can pursue is highly dependent on a domestic
debate about values.
After assessing the unit level, we see there are a lot
of real challenges, especially for countries with relatively
cumbersome legal systems, complicated domestic politics,
concerns over civil liberties, and a tradition of a
meaningful separation between the public and private
sectors. Simply from the point of view of attempting to
implement practical, effective cyber deterrence measures,
these issues represent serious challenges for which answers
are not immediately forthcoming.
Group and Individual Level
Though many things could be examined at the group and
individual level, attention should be given to something
that they both share in common: the rational actor model.55
http://dx.doi.org/10.2139/ssrn.2135618, 1.55 Cashman, What Causes War?, kindle locations 1597, 3768.
Given that deterrence—cyber or otherwise—depends on
predicting or at least anticipating how potential aggressors
will make their choices, the rational actor model has often
been at the center of this calculus. Greg Cashman says,
“Several political science models—expected utility theory,
rational choice theory, and the rational actor model— all
incorporate this idea of procedural rationality.”56 The
idea that actors (be they groups or individuals) will
basically perform “cost-benefit analyses” when attempting to
make a choice—for instance, if the costs of committing a
cyber-attack will outweigh the gains of doing so—is of
central importance to deterrence. At the very least, the
decisions that they make must be consistent with the outcome
of a cost-benefit analysis, even if they do not make the
mental calculation in this way.57 The major problem,
however, is that this model has been challenged on several
fronts.58 Though not unique to cyber deterrence, having a 56 Ibid., kindle locations 1596-1597.57 Christopher H. Achen and Duncan Snidal, “Rational Deterrence Theory and Comparative Case Studies,” World Politics, Vol. 41, No. 2 (Jan., 1989), 164.58 Dougherty and Pfaltzgraff, Contending Theories of International Relations, 358.
model whereby one can attain a reasonable degree of
confidence in anticipating the decisions of other actors is
an essential challenge of any deterrence scheme.
Several scholars have found deficiencies with the
rational actor model. Greg Cashman points out that
“information failures due to self-deluding policies stretch
the limits of rationality and point to cognitive biases.”59
Robert Jervis finds that the rationale behind nuclear
deterrence was completely derivative of Western society—
ethnocentric—and therefore deficient.60 Cyber deterrence
must be sure to avoid this charge. Jervis also points out
that group dynamics, such as internal bargaining, “can
undermine the assumption that the state acts as a rational
actor.”61 Christopher Achen "rejects deterrence theory as
logically incoherent.”62 Further, different situations can
also affect people’s ability to behave rationally. Patrick
59 Cashman, What Causes War?, kindle locations 11019-22.60 Dougherty and Pfaltzgraff, Contending Theories of International Relations, 358.61 Robert Jervis, “Rational Deterrence: Theory and Evidence,” World Politics, Vol. 41, No. 2 (Jan., 1989), 204.62 Dougherty and Pfaltzgraff, Contending Theories of International Relations, 358.
M. Morgan cites crisis as a real impediment for traditional
deterrence.63 These are only some scholars who find the
rational actor model wanting.
Further, the assault on the model is not limited to
International Relations theorists. Baba Shiv, of Stanford’s
Graduate School of Business, ran an experiment that showed
attempting to remember a seven-digit number vastly reduced
people’s ability to make a rational choice.64 The
conclusion is that the more mental demands made of a person,
the less rational their subsequent decisions tend to
become.65 When thinking about individuals or groups tasked
with the responsibility to make decisions that affect
millions of peoples’ lives, one would be surprised if this
limitation were not somewhat applicable. Barry Schwartz
claims research has shown that the human brain can only
effectively take account of seven variables at one time.66
63 Ibid.64 Baba Shiv, “Heart and Mind in Conflict: Interplay of Affect and Cognition in Consumer Decision Making,” Journal of Consumer Research, 26 (December), 1999, 278-282.65 Ibid.66 Barry Swchartz, The Paradox of Choice : Why More Is Less (New York:Harper Perennial, 2003).
Just imagine how many variables are involved in many of the
decisions national leaders must make; some important
variables may be ignored due to cognitive limitations.
Again, there are warnings about the rational actor model.
As a response to some of these arguments against the
rational actor model, the work of Keith Payne, among others,
may provide a way forward. Payne admits that the model has
not always been applied well leading to “expectations of
foreign thinking and behavior” that are “grossly
inaccurate.”67 He argues, however, that one of the main
reasons for this failing is not that most actors on the
international stage are irrational, but rather they appear
to be unreasonable to those operating with different goals
and value systems. Payne writes,
Rationality does not imply that the decision-makers’ prioritization of goals and values will be shared or considered “sensible” to any outside observer. The goals and values underlying decision-making do not needto be shared, understood or judged acceptable by any observers for the decision-making to be rational. Nor does “rational” imply that any particular moral
67 Keith Payne, The Fallacies of Cold War Deterrence and a New Direction, (Lexington: The University Press of Kentucky, 2001), 6.
standards guide the route chosen to realize preferred goals and values.68
Rationality, rather, “is a mode of decision-making that
logically links desired goals with decisions about how to
realize those goals.”69 Payne, conjuring up echoes of
Winston Churchill speaking about Adolf Hitler, goes on to
argue that one must truly “know the enemy” to “gain a useful
understanding of an opponent’s beliefs, will, values, and
likely cost-benefit calculations under specific
conditions.”70 This echoes the warnings of Raymond Aron
"that deterrence must be situtation-specifc if it is to have
any real hope of effectiveness" in the post-Cold War
environment.71 If deterrence in the cyber domain is going
to be effective, it must be tailored to specific situations
and actors at the individual and group level.
Conclusion
68 Ibid., 8.69 Ibid., 7.70 Ibid., 111.71 Dougherty and Pfaltzgraff, Contending Theories of International Relations, 385.
After analyzing the challenges of deterrence in the
cyber domain at the international system, didactic, unit,
group, and individual levels, it is clear that these
challenges are nothing short of substantial. Some of the
problems, like attribution, may get much easier with
technological advancement. Will Goodman offers at least a
partial way forward when it comes to problems of the
didactic level, like super-empowered individuals, and some
of the anarchic elements of the international system. Many
of the issues at the state level—like the civil liberties
versus security debate—are not theoretically intractable,
but do demand serious compromise from different domestic
groups; if the problem of cyber aggression is serious
enough, however, middle ground will likely become more
attractive. At the group and individual level, more
detailed, situation-specific research could provide a way
past many of the problems levied at the rational actor model
and allow effective deterrence policies to be developed,
tailored to specific actors, as Keith Payne argues. Cyber
deterrence, though by no means easy, may not be impossible,
but at every level of analysis there are issues to be
addressed. As Keith Payne argues,72 pointing out the
challenges of deterrence can be met with resistance by those
who would prefer to more or less continue on the same path
with only minor alterations, but if progress is to be made—
and security to be increased—these challenges must be
addressed.
72 Keith B. Payne, Deterrence in the Second Nuclear Age (Lexington: The University Press of Kentucky, 1996), 160.
Works Cited
Achen, Christopher H. and Duncan Snidal. “Rational
Deterrence Theory and Comparative Case Studies.” World
Politics, 41, 2 (1989), pp. 143-69.
Baker, Stuart. “The Attribution Revolution: A five-point
plan to cripple foreign cyberattacks on the United
States.” Foreign Policy, June 17, 2013.
Cashman, Greg. What Causes War?: An Introduction to Theories of
International Conflict. Kindle Edition: Rowman & Littlefield
Publishers, 2013.
Center for Strategic and International Studies Commission on
Cybersecurity. “Rebuilding Public Private
Partnerships.”
Dougherty, James E. and Robert L. Pfaltzgraff, Jr.
Contending Theories of International Relations, 5th Edition. New
York: Longman, 2001.
Etzioni, Amitai. “Cybersecurity in the Private Sector.”
Issues in Science and Technology, Fall 2011, pp. 58-62.
Goodman, Will. “Cyber Deterrence: Tougher in Theory than in
Practice?.” Strategic Quarterly, Fall 2010, pp. 102-35.
Hathaway, Oona, et. al. “The Law of Cyber Attack.”
California Law Review, 100, 4 (2012), pp. 819-85.
Hayes, Carol M. and Jay P. Kesan. “At War Over CISPA:
Towards a Reasonable Balance between Privacy and
Security.” Illinois Public Law Research Paper No. 13-03;
Illinois Program in Law, Behavior and Social Science
Paper No. LBSS13-04, August 1, 2012. Available at SSRN:
http://ssrn.com/abstract=2135618 or
http://dx.doi.org/10.2139/ssrn.2135618.
Ilves, Toomas Hendrik. “What Keeps Me Awake at Night:
Worries and Challenges for a Small European Ally.”
Speech at Tufts University, October 9, 2013.
Jervis, Robert. “Rational Deterrence: Theory and Evidence.”
World Politics, 41, 2 (1989), pp. 183-207.
Kshetri, Nir. “Cyber-Victimization and Cybersecurity in
China.” Communications of the ACM, Vol. 56 No. 4, 35-37.
Libicki, Martin. Cyberdeterrence and Cyberwar. Santa Monica,
CA: RAND, 2009.
Langner, Ralph. “Stuxnet's Secret Twin.” Foreign Policy,
November 19, 2013.
Payne, Keith. Deterrence in the Second Nuclear Age. Lexington: The
University Press of Kentucky, 1996.
________. The Fallacies of Cold War Deterrence and a New Direction.
Lexington: The University Press of Kentucky, 2001.
Pfaltzgraff, Robert L., Jr. “Conflict, War, and Deterrence
Theories: Part II.” Lecture delivered at Tufts
University, December 12, 2013.
________. “Paradigms, Theories, and Levels of Analysis.”
Lecture delivered at Tufts University, September 12,
2013.
Rosenzweig, Paul. “The Internet ‘Kill Switch’ Debate.”
Lawfare, February 2, 2012.
Shiv, Baba. “Heart and Mind in Conflict: Interplay of
Affect and Cognition in Consumer Decision Making.”
Journal of Consumer Research, 26, December (1999), pp. 278-
292.
Swchartz, Barry. The Paradox of Choice: Why More Is Less. New York:
Harper Perennial, 2003.
Weber, Max. “Politics as a Vocation.” Essays in Sociology.
New York: Oxford University Press, 1946.
