Why Cyber Deterrence Doesn't Work
Posted March 8, 2016
On February 25, 2016, the Center for International Strategy, Technology, and Policy hosted Dr. James Lewis for a discussion on cyber deterrence. This visit was generously funded by the Carnegie Corporation of New York, which awarded the Sam Nunn School of International Affairs funding for a scenario-based project on the dynamics of command, control, and coordination in cyber-conflict escalation.
Dr. Lewis opened with a background on the current the cyber security landscape and the role deterrence plays in it. Deterrence in cyber security relies on attribution to determine the perpetrator of an attack, and these capabilities are continuing to improve. For example, attribution capabilities for the United States have grown from about ⅓ accuracy to ⅔ accuracy since 2007. Its intention is to make attribution capabilities clearer, in order to deter future attacks. There are inherent problems with using attribution as a deterrence strategy, as states need to be able to issue credible threats of retaliation, which Dr. Lewis contended is very difficult. For example, cyber retaliation may not be enough of a response, and he contended that what other nations would fear is a material conflict with the United States. Additionally, it is problematic to calculate a proportional material response to a cyber-attack. In the current academic discussion, retaliatory response is necessary, but it is difficult to determine appropriate retaliation. Dr. Lewis also addressed the dilemma of proper level of transparency in retaliatory threats. By clearly defining “the line”, it allows cyber attackers to operate all the way up to the line and challenge the United States’ resolve to retaliate.
Dr. Lewis is a senior fellow and program director at the Center for Strategic and International Studies (CSIS). Before Joining CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. His government experience includes work on Asian politico-military issues, as a negotiator on conventional arms and technology transfers, and on military and intelligence-related technologies. Lewis led the U.S. delegation to the Wassenaar Arrangement Experts Group on advanced civil and military technologies and was the rapporteur for the UN Group of Government Experts on Information Security for their successful 2010 and 2013 sessions. He was assigned to U.S. Southern Command for Operation Just Cause, U.S. Central Command for Operation Desert Shield, and to the U.S. Central American Task Force. Dr. Lewis also served as Project Director for the Commission on Cybersecurity for the 44th President.