SWP Comment NO. 34 AUGUST 2019

Introduction

Cyber Deterrence is Overrated


Analysis of the Deterrent Potential of the New US Cyber Doctrine and Lessons for Germany’s “Active Cyber Defence”
Matthias Schulze

Proponents of active, offensive cyber operations argue that they could have a deterrent effect on potential cyber attackers. The latter would think twice about attacking if a digital counter-attack might be the consequence. The idea that offensive cyber capabilities should have a deterrent effect was one reason why the new US cyber doctrine was adopted in 2018. The same assumption is implicit in the debate about cyber counterattacks (“hack backs”) in Germany. Yet these assessments are based on a superficial understanding of deterrence. Cyber deterrence by the threat of retaliation works differently than that of nuclear deterrence. Problems of attribution, displays of power, controllability and the credibility of digital capabilities increase the risk of deterrence failure. Thus, the German cyber security policy would be well advised to increase its “deterrence by denial”, cyber security and the resilience of its systems.

Currently, German cyber operators have no legal mandate to conduct disruptive cyber operations outside of German networks in peace time. For this reason, Germany has been debating active cyber defence or “hack backs” for the last few years. Active defence is designed to counter cyber intrusions by striking back at the originator with digital means. These retaliations could be conducted by state entities, not private entities – in stark contrast to the US debate. Proponents of active defence argue that German state hackers should be able to penetrate networks of opponents to stop ongoing cyber attacks in real time, delete data or deactivate computers.

There is another, more implicit argument in the debate for active cyber defence: a cyber attacker could, at least in theory, be deterred from an attack against Germany, if digital retaliation via “hack back” would be the consequence of such behaviour. This mirrors the argument that the presence of offensive cyber capabilities might create a deterrent effect. A similar justification was used for the establishment of the Bundeswehr Cyber and Information Domain service, a functional service of the armed forces in 2016. However, the effectiveness of cyber capabilities for deterrence is the subject of much debate in academic literature. The question thus arises as to whether cyber deterrence by hacking back or by punishment is an appropriate strategy for Germany.

Deterrence

Deterrence is the potential use or threat of punishment to achieve a change in behaviour of an opponent. Deterrence is based on the formula that the offensive behaviour (X) of an attacker (A) can be changed by the defender (D), if he is threatening him with negative consequences (Y). The logical formula for deterrence is: Do not do X, because otherwise consequences Y will follow. The cost of Y must outweigh the gains to be expected from an attack X. This form of deterrence always contains an element of coercion and is therefore called “deterrence by punishment”. It differs from “deterrence by denial”, which aims to increase the cost of attacks by hardening systems and increasing resilience so that attacks no longer seem worthwhile. Unless otherwise stated, I mean deterrence by punishment when speaking of deterrence in this paper.

In order for deterrence to work, at least three conditions must be met:
∎ The threat of consequences must be clearly communicated and understood by all parties (“signaling”).
∎ Both actors must have as complete information as possible about the capabilities, intentions and ideally the thought processes of their counterparts in order to be able to rationally assess costs and benefits.
∎ The threat of punishment must be credible, i.e. technically feasible and backed by political resolve.

Successful deterrence requires the threat of punishment to be communicated in a clear, audible and, above all, credible manner. Deterrence is considered successful if A does not perform an action, i.e. a cyber-attack. The causality of a non-event cannot be proven logically. One can never say exactly whether it was the threat of punishment that led to the change in behaviour, or whether there were other reasons for it. Consequently, deterrence is sometimes considered to be a myth in academic literature.

Deterrence is based on Rational Choice Theory. The assumption is that actors weigh the costs and benefits of their actions and rationally choose the less costly option. The theory has been criticized because actors never have all objective information and can therefore never fully assess the consequences of their actions. Furthermore, they often act irrationally, rely on bounded rationality, or act according to norms or habits. Deterrence works only in the head of the attacker, where one has no insight. So it is ultimately a guessing game: “I believe that you believe that I believe” and so on. The logical problem with all deterrence theories is that you never know if deterrence works, until it fails.

Cyber Deterrence

Transferring a deterrence strategy to the cyber domain is regarded as problematic by cyber security researchers. Nuclear deterrence was assumed to be successful due to unique conditions, i.e. the particularities of the bi-polar world and the extraordinary damage potential of nuclear weapons, which made defence strategies less feasible. In the bipolar world of the Cold War, deterrence was symmetrical and applied by roughly equally strong actors who were able to assess their motives sufficiently well. Cyber deterrence is multipolar and takes place between asymmetric opponents. Cyber capabilities are mostly opaque and easily proliferate. In this respect, cyber deterrence can fail more easily and is therefore not a reliable policy option.

Attribution Problem

Successful attribution is the most important prerequisite for deterrence, as it provides legitimacy and the threat of punishment with a certain strategic gravitas. However, it is often unclear who is behind cyber incidents. Consequently, no one can be identified who can be threatened with punishment. The attribution problem describes the difficulty of apportioning responsibility
of cyber attacks to an actor who has not previously communicated his intention and left no confession.

The attribution problem affects both sides: When A cyber attacks D, D does not automatically know that it was A. If D retaliates digitally, again A does not necessarily know that it was D. There is barely a target in digital space that is attacked by only one actor. Misperceptions are therefore quite common. There is also the risk that attackers may act under a false flag or claim to be responsible for attacks they did not carry out. In escalating geopolitical conflict situations, however, the role of the attribution problem is probably overrated. If, for example, servers are flooded in South Korea during a conflict episode with North Korea, it is easier to see who benefits from this (“cui bono”) than it is with covert espionage operations. For effective deterrence, however, attribution must be incontestable, accurate and immediate. The more time that elapses between incident and attribution, the less legitimate a cyber retaliation by D.

Demonstration Problem

An attacker must be able to weigh up the costs of a potential punishment by D. Thus, A must be able to assess the damage potential of D’s cyber capabilities. For this very reason, military parades display kinetic weapons to the world and weapons tests are conducted for the whole world to see. This transparency principle, however, does not readily apply to cyber capabilities. Demonstrating of cyber capability for reasons of damage threat jeopardizes the functioning of the capability. If a defender knows about the attack vector, he can adapt, which then makes an attack less useful. Offensive cyber abilities follow the law of diminishing returns: any deployment of ability increases the chances that it will be less effective in the future.

A low-threshold Distributed Denial of Service (DDoS) attack may succeed the first time. However, if the attacker knows that retaliation is imminent, he or she can take critical systems off the network as a precaution, or redirect the harmful network traffic. DDoS attacks are therefore only of limited use as a potential punishment. The same problem exists with 0-day capabilities, i.e. attacks that are based on unknown and therefore unpatched vulnerabilities. The more frequently they are used, the greater the probability that they will be exposed and thus made available to the entire world. With a patch for the vulnerability, the capability loses its effectiveness.

This has two implications: 0-day capabilities cannot be credibly demonstrated without compromising their effectiveness. They are therefore only suitable for threatening punishment to a limited extent. The exception would be if an attacker had several hidden backdoors for accessing an enemy system. Then 0-day attacks could be used for “signaling”. Second, a defender can repurpose a published 0-day ability and direct it against the attacker. This suggests the risk of blowback for any attacker A, whether by D, or by any third party that repurposes the malware.

Proportionality and Appropriateness

Deterrence fails if the threat of punishment is not considered credible. Deterrence failure often leads to the use of capabilities and thus escalation. This raises questions about the proportionality, effectiveness and accuracy of cyber retaliation capabilities. How much objective damage must be inflicted so that A considers the costs of further offensive action to be too high? How does D know whether A considers threats against certain assets to be particularly painful or not? A and D most likely have different perceptions about what assets are considered especially sensitive. These different perceptions make proportional reactions difficult. There is no international consensus on how proportional cyber retaliation might be conceived. Thus there is an increased risk of escalation.

The damage caused by cyber retaliation must be appropriate. If the damage threatened by D is too great, the probability of a renewed retaliation by A increases. It is well researched in political science, that escalation spirals are often a consequence if a retaliation is perceived as inappropriate or too painful. In these cases, deterrence fails. If the threat of punishment is considered not costly enough and thus not credible, deterrence does not work either. Determining the correct measure is highly complex and also a function of the attribution problem: the lower the chance of being caught, the greater the threat of punishment by D must be, if A is to be convinced that an attack is not worth the potential cost. Another issue is that particularly costly assets are usually well protected, which makes effective retaliation harder.

Lack of Controllability

The damage potential of cyber capabilities is unreliable and difficult to control. It is complicated, although not impossible, to limit cyber capabilities to one target and to avoid collateral damage, for example in uninvolved third countries. This is particularly true in time-critical situations. The effectiveness and thus the exact damage potential of cyber capabilities are often difficult to determine in advance. The potential damage is largely determined by the configuration of the target system. In this respect, it is often impossible to anticipate how long a cyber attack can disrupt a system, for instance.

This fact complicates the proportional and controlled use of such capabilities. This in turn increases the risk of deterrence failure. Even attacks such as Stuxnet (2010), which were carefully tailored to specific targets, also infected other systems worldwide. Collateral effects such as WannaCry or NotPetya (both 2017) are habitual in cyber conflicts. No one can realistically estimate where else a certain system configuration is in use.

On the other hand, threat of punishment can be made too specific. If, for example, D is about to respond to a cyber attack on a dam by A with a retaliatory strike on a dam owned by A, A can take this off the grid as a precaution. It is difficult to find the right measure for potential damage that is neither too precise nor too vague, especially as the risk of deterrence failure is high. Furthermore, the risk of escalation increases in asymmetric contexts. This makes cyber capabilities seem unreliable as a deterrent.

High and Low-Level Deterrence

There is no international consensus as to what cyber activities can be considered legitimate for deterrence (political vs. economic espionage vs. sabotage). Depending on the intensity of the activities, the chances of success for deterrence may vary. High level deterrence is aimed at preventing cyber activities that reach the threshold of an armed attack. This includes the worst-case scenario of a digital surprise attack on strategic infrastructures, in which people die and high-grade physical destruction is the result (“digital Pearl Harbor”). Such an event has never happened in the more than thirty-year history of cyber-conflicts. The reason is that its consequences could not be measurable, costs would be too high, and an attacker would probably face blowback effects.

First, such an attack would most likely be considered an act of war under international law and would legitimize, for example, acts of (collective) self-defence. Such a cyber attack would therefore probably escalate into a physical conflict, which is why states refrain from these activities in peacetime. Secondly, due to the interdependent and highly networked Internet infrastructure, it cannot be realistically guaranteed that one’s own systems would not be similarly affected. In view of this, states have no interest in carrying out such strategic attacks in peace time, unless they can really gain something politically. Here, an implicit norm of restraint is effective, which is also noticeable in various international norm-setting bodies. In other words, deterrence can also work through norms that put a taboo on inappropriate behaviour.

However, this reluctance does not exist in the case of low-level incidents, below the threshold of an armed attack. States deliberately design their cyber activities in such a way that they remain below this threshold and thus do not have an escalating effect. This category includes cyber espionage, hybrid measures, cybercrime, hacktivism and vandalism, which account for a large proportion of all cyber activity. It is considered unlikely that deterrence will be effective in low-threshold incidents such as espionage. There is a high likelihood of not being caught, especially since states are not interested in punishing espionage, from which they themselves benefit.

Non-State Actors

Low-level cyber activities are also committed by non-state actors. This is a major difference from deterrence in the nuclear age, where only states possessed nuclear capabilities. The spectrum of actors ranges from script kiddies with low level skills to cyber criminals with medium abilities to cyber mercenaries with considerable capabilities. In addition, there are so-called proxy actors who attack targets either independently, or on behalf of a state.

Deterrence only works if the motivation, interests, skills and return address of the opponents are known. With many “advanced persistent threats” much of this information remains opaque. Therefore, they cannot be effectively deterred. Theoretically, an effective deterrence policy would need to be tailored to each opponent among the thousands of cyber actors. This is impossible even for great cyber powers.

It is well known from terrorism research that deterrence by punishment works, if at all, only against states, but not necessarily against non-state actors. Here, deterrence can produce a converse effect: the use of repressive force to combat terrorism often leads to more terrorism due to the perceived injustices. The same can be observed in digital space. Not even offensively dominant states such as the USA are in a position to deter cyber attacks by non-state or state actors such as Russia or China. Deterrence of non-state actors follows the logic of criminological deterrence, which aims to reduce the frequency and intensity of incidents without being able to prevent them altogether.

There is another problem with non-state actors: not all of them act according to the same rational principles to which states, presumably, would act. Hackers, for example, are not necessarily driven by rationale, but also by cognitive and normative motivations, such as the desire to gain fame and have fun (“Lulz”).

Credibility and Escalation

The threat of punishment not only needs to induce an accurate estimate of the expected costs, it must also be credible. If A does not believe that D, firstly, is technically capable of causing precisely measured costs with digital means or, secondly, lacks the political will or resolve to endure the risk of escalation, deterrence fails.

The credibility problem is even greater in cyber conflicts. Intentions and political will are often unclear, as much of government cyber activity is carried out by intelligence services and falls under cyber espionage. Thus, intention and political will remain hidden in many cyber-incidents. The intrusion into systems for espionage or sabotage purposes cannot be clearly distinguished from one another by the defender. This increases the risk that D perceives a relatively harmless act of espionage as an attempt at sabotage, and thus overreacts. Furthermore, states are unable to objectively assess their relative cyber-power. Cyber capabilities cannot be counted like tanks or warships. As “Rational Choice Theory” deterrence requires as complete information as possible, which also includes an assessment of relative strength. This fails because of the secrecy and dual-use nature of cyber capabilities, which can be used for offensive and defensive purposes.

Moreover, not all states are politically willing to engage in a “tit for tat” escalation dynamic of mutual retaliatory strikes. In
game theory, such conflicts are referred to as “chicken games”. In the classic scenario, two actors race directly towards each other in the car; the one who swerves first is the “chicken”, the coward. In democracies, the electorate usually does not support aggressive foreign policy. Therefore, the executive often has less leeway to credibly threaten punishment. However, credibility also depends on past decisions and the reputation of a government. If the government has reacted hesitantly to aggression in the past, their future threats of punishment are less credible.

The problem with gradual escalation in cyberspace is that the damage of the retaliatory attack must be somewhat higher than that of the previous attack. Since it is difficult to determine proportionality, there is a risk of collateral damage. It is unclear how escalation dynamics function in cyberspace. There is no clear consensus among scholars about whether cyber capabilities can reach a similar level of escalation as physical weapons, or whether they are in principle de-escalatory. Some commentators argue that digital means tend to limit escalation because physical effects are difficult to produce, and the damage potential is more limited. Empirically, escalation is the most likely outcome of a deterrence policy that predominantly relies on the use of offensive means.

Deterrence and “Persistent Engagement” in the US Doctrine

Deterrence is thus not easily transferable to the digital domain. Hawks and national security advocates, however, disagree and believe that, in case of doubt, the possession of fearful cyber capabilities produces deterrent effects. They advocate a stronger offensive, because although the US is a formidable cyber power, it could not deter Russia from influencing the 2016 US presidential election with cyber capabilities. In response to this deterrence failure, the Pentagon introduced a new cyber doctrine in 2018. This contains new concepts such as “defending forward”, “persistent engagement” and “preparation of the battlefield”. The doctrine gives the US Cybercommand greater scope for offensive action, for which no presidential authorization is required.

Defending forward means that networks are no longer defended in one’s own perimeter or territory, but on the systems of potential attackers. This potentially includes unwitting third parties worldwide. Attacks against opponent systems are primarily used to gain intelligence in order to detect enemy attacks and burn capabilities at an early stage.

“Persistent engagement” means binding enemy forces by permanently exposing them to attacks by American hackers. Opponents would constantly have to defend themselves against American intrusion attempts so that – according to the theory – they no longer have resources for their own offensives. Since no other state has such large personnel resources as the USA, the costs for attackers would be increased in this way. The doctrine clearly mentions China and Russia as potential targets for these measures.

Defending forward and persistent engagement are operational strategies that by themselves are not designed for strategic deterrence. However, it can be argued that the third concept, the “preparation of the battlefield”, might have deterrent effects. Opponent networks are to be penetrated in order to implant so-called back doors or logic bombs which can be exploited in future conflicts. A logic bomb is malware that lurks undetected in a network until it is activated at a later point in time. This implies a concrete threat of punishment. An opponent would then always have to ask themselves whether they have uncovered all the attack vectors of the Americans or whether they overlooked a hidden back door in their own network. In view of this uncertainty, attackers could refrain from serious cyber attacks, for example against critical infrastructures. Russia has recently complained vociferously about attempts by American hackers to penetrate the Russian power grid in order to implant
backdoors. The Kremlin also warned against an escalation in the cyber area. This is an indication that the USA’s new cyber doctrine, which is even more offensive than its predecessor called “active defence”, might be fuelling escalations. Whether it does so empirically remains to be seen.

“Persistent engagement” was applied during the Midterm Elections of 2018. A central hub of low-level Russian cyber activity, the “troll factory” or Internet Research Agency in St. Petersburg, was temporarily disrupted. However, it resumed its activities shortly afterwards. Tactically, the operation may have been a success. However, it is doubtful whether this form of deterrence has a strategic, i.e. long-term effect. It is to be expected that other cyber powers will now also invest more offensively and train more personnel in order to withstand or outmanoeuvre such “persistent engagement”.

The result would be an intensified arms race with the aim of always being able to mobilize more cyber forces than its rival. It remains to be seen whether persistent engagement will work against more than a handful of opponents at the same time. Low-threshold attackers cannot be stopped in this way either.

Persistent engagement is a NOBUS strategy – nobody but US – and thus cannot be easily replicated by other cyber powers. However, if all cyber powers were to pursue such a doctrine and start placing back doors everywhere, global cyberspace would be highly volatile. Backdoors are not exclusive and can potentially be exploited by any knowledgeable attacker. The cost of such an offensive policy for collective security would probably be higher than the theoretical gain in national security. The new doctrine thus goes far beyond the concept of “active cyber defence” of the Obama era. The concept was to react offensively to cyber attacks, but only to stop them at their source. This is also the concept that the German government is currently considering in a modified form.

Cyber Deterrence by German Active Defence?

Whether the mere possession of German cyber offensive capabilities would have a deterrent effect is doubtful. All the problems of attribution, demonstration, proportionality and controllability of cyber retaliation described above still apply. Furthermore, it is hard to believe that Germany would be prepared to enter into a dynamic of escalation in cyberspace and then possess the necessary resolve. The culture of restraint in foreign and security policy is still very pronounced. The population is critical of a more active foreign policy or the assumption of greater responsibility. This is particularly true if the use of force is involved, whether physical or digital.

Germany would probably have a credibility problem, if it were to adopt a deterrence-by-punishment posture. A strong opponent would want to test whether Germany is politically prepared to use active cyber defences as a deterrent and is willing to endure the consequences of an escalation. So far, Germany lacks a political strategy on how to deal with such a situation. It would have to be tailored to all relevant cyber threats and include the aforementioned elements of threat communication as well as measures to provide proportional and effective cyber reaction tools. Additionally, political will is required to use cyber capabilities as a form of punishment, even in the face of a probable escalation dynamic. Whether this actually exists is doubtful.

Since an escalation strategy and political resolve for deterrence by punishment does not exist, “deterrence by denial” is a better strategy for Germany. This conclusion can be derived from the deficits of deterrence by retaliation itself. It fails inter alia because targets are too easily attackable. The bottom line is that it is always cheaper for the attacker to exploit weaknesses than not to do so.

The first step towards an effective deterrent system should therefore be to increase cyber security and resilience in order to
make cyber attacks more costly. Of course, deterrence by denial faces several problems itself, so this will not be easy. As a second step, deterrence that accompanies foreign policy measures should be extended. There is much to suggest that deterrence, if at all, only works in concert with other measures – at best within the framework of an international cyber regime that does not yet exist. This would include international diplomacy, deterrence through norms or international interdependence or entanglement, but also through regimes and organisations that subject state behaviour to rules. The efforts of cyber foreign policy should be intensified in this direction. However, this is a long way off.

Cyber-conflicts are largely unregulated. Established norms for appropriate behaviour and red lines do not yet exist. Consequently there is a high risk that deterrence will fail and trigger an escalation dynamic. Germany should therefore consider whether it wants to participate in this game, and whether it is prepared to endure any negative consequences. Cyber security by resilience is in any case the more long-lasting strategy, since it works against all opponents in the same way, and does not need to be tailored to specific opponents.

Summary

The existence of offensive cyber capabilities alone does not act as a deterrent, especially if it is not credibly communicated that there is a willingness to use them. There are many pitfalls that make deterrence by punishment an ineffective policy concept with many risks. The risks of deterrence failure are more prevalent than in the analogue world. Deterrence by punishment is most likely a strategy doomed to fail.

If even the more active cyber powers like the US regularly fail with cyber deterrence, then a German cyber deterrence policy – due to the traditional restraint in foreign and security policy – cannot be expected to be successful either. As long as Germany has no escalation strategy and is not prepared to endure the possible consequences of an offensive cyber deterrence policy, this approach should be avoided. Instead, German policy should continue to focus on “deterrence by denial” by hardening systems and building resilience.

Dr Matthias Schulze is Associate in the International Security Division at SWP.

© Stiftung Wissenschaft und Politik, 2019
All rights reserved

This Comment reflects the author’s views.

The online version of this publication contains functioning links to other SWP texts and other relevant sources.

SWP Comments are subject to internal peer review, fact-checking and copy-editing. For further information on our quality control procedures, please visit the SWP website: https://www.swp-berlin.org/en/about-swp/quality-management-for-swp-publications/

SWP
Stiftung Wissenschaft und Politik
German Institute for International and Security Affairs

Ludwigkirchplatz 3–4
10719 Berlin
Telephone +49 30 880 07-0
Fax +49 30 880 07-100
www.swp-berlin.org
[email protected]

ISSN 1861-1761
doi: 10.18449/2019C34

(English version of SWP-Aktuell 39/2019)

SWP Comment 34
August 2019
