Rhetoric over reality? Assessing the success of deterrence in cyberspace: Israeli and US cyber security approaches between 2008 and 2018

Abstract

In April 2007 Estonia suffered a series of cyber-attacks in which hundreds of thousands of computers were used to cripple dozens of government and corporate sites. The attacks appeared to originate from Russia, although no country claimed responsibility. Regardless of the origin or reasons for the attack the consequences were far-reaching. States with advanced cyber postures began rapidly adopting measures to increase their cyber security to avoid similar attacks on their national interests, including creating specific cyber security policies and strategies. By 2008 at least twelve states had adopted deterrence theory into their strategies for cyberspace despite a lack of evidence of its efficacy in the cyber domain. Yet by 2018 several states had begun moving away from deterrence.

With a focus on the approaches of two states leading developments in cyber strategy - the United States of America and Israel - this thesis considers the extent to which states employing deterrence as a strategy for cyberspace considered it successful between 2008 and 2018. It explores the context in which each case defined and adopted deterrence in comparison to the requirements for classic deterrence, and considers how this context influenced perceptions of success or failure of deterrence for cyberspace. It finds that while Israel's approach arguably meets the classic requirements of deterrence and considers its approach successful, the Israeli definition of success as cyclical and requiring 'refreshing' through the regular use of violent force is not necessarily an approach other states can, or indeed should, adopt. Neither is the US approach a potential model for other states, although the reasons differ: the US has not come close to meeting the requirements of classic deterrence and its pivot in 2018 away from deterrence was based on an assessment that the theory had failed rather than realisation it had never been fully implemented.

Cyberspace is a rapidly evolving domain and states are seeking theory to supplement their security approaches. This research shows the variation between states of conceptions of success influences the design, implementation and expectations of deterrence practices. And, most importantly, despite a decade of efforts to create deterrence in cyberspace neither case has demonstrated the ability to deter increasing numbers of cyber-attacks from progressively more sophisticated threat actors. Hence deterrence is at best a supplement to existing strategies focused on resilience. At worst, attempts to create deterrence may lead to escalation or unintended conflict.