Academic journal article Prism : a Journal of the Center for Complex Operations

Cyber Deterrence by Engagement and Surprise

Academic journal article Prism : a Journal of the Center for Complex Operations

Cyber Deterrence by Engagement and Surprise

Article excerpt

The conventional deterrence strategies of denial and punishment do not factor in the unique characteristics of the man-made cyber domain. This domain needs a new and holistic deterrence strategy that involves prompt and direct cyber responses that are sudden, dynamic, stealthy, and random so that adversaries can be defeated mentally and virtually. This article offers such an approach that I refer to as "deterrence by engagement and surprise."


Released in January 2017, Department of Defense Joint Publication 3-0 defines deterrence as "the prevention of action by the existence of a credible threat of unacceptable counteraction and/or belief that the cost of action outweighs the perceived benefits."1 To make it effective, deterrence should depend on capability, credibility, and communication:

* capability helps to destroy what the adversary values most highly, thus making the cost of an attack exceed the benefit that an adversary could gain;

* credibility can be achieved via the demonstration of the willingness to use capability;

* communication requires capability, the willingness to use capability, and that credible consequences be made known to an adversary.

Simply put, deterrence is a coercive approach used for the purpose of avoiding a war or preventing the escalation of a war. It is used as a strategy to help achieve goals, and varied means can be adopted and diverse capabilities can be used to support such a strategy.

Our current deterrence strategies are heavily influenced by the nuclear and conventional deterrence models- deterrence by denial and deterrence by punishment. Strategist Herman Kahn held that defensive capabilities should be greatly enhanced to limit damage caused by an adversary, so that retaliation by the adversary can be countered, and a credible and real threat can be generated against the adversary during a conflict. In this sense, the capability to defend oneself for survival is a key element. This approach lays the foundation for deterrence by denial, which intends to scare an adversary away by denying his ability to inflict sufficient harm to justify the risk of retaliation.

Strategist Thomas Schelling, however, argued for the deterring effect of uncertainty in a stable balance of terror. He used uncertainties as the magic of threats since an adversary may fear irrationality or accident. As well explained by former Deputy Assistant Secretary of Defense Keith Payne, stable deterrence, which provides reliable, predictable, and mutual deterrence, "could be orchestrated to proceed from mutual prudence born of mutual vulnerability."2 It is a strategy of having the other party be ultimately "persuaded to exercise self-control" because of the irreversible and disastrous consequences that may ensue without self-control. Payne retains, during the Cold War, the basic ingredients of this theory were the U.S. capability to threaten nuclear retaliation against the Soviet Union as well as the vulnerability of U.S. society to Soviet nuclear attack.3 In this sense, uncertainties are involved in the outcome of this strategy as one does not directly control an adversary, who makes decisions on how to act and what to do. This approach lays the foundation for deterrence by punishment.

In the cyber domain, deterrence by punishment does not work well owing to the complexities of attribution and the challenges of stealth operations. To have a measure in place, deterrence by denial brings in responses from diplomatic, military, economic, political, legal, ethical, and other instruments of national power. If it is well prescribed, this approach can make an adversary feel the pressure and pain from multiple domains, thereby deterring further action in the cyber domain. However, this approach requires a well-orchestrated and near-perfect collaboration from all relevant domains-something that is difficult to achieve within a short period.4

The current DOD cyber strategy calls for a holistic approach, asserting that the deterrence of cyberattacks against U. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.