Deterring Cyber Warfare: Bolstering Strategic Stability in Cyberspace

Deterring Cyber Warfare: Bolstering Strategic Stability in Cyberspace, Brian M. Mazanec and Bradley A. Thayer. Palgrave Press, 2014, 95 pp.

Deterring Cyber Warfare: Bolstering Strategic Stability in Cyberspace leaps headlong into the ongoing debate among cyberanalysts seeking to offer an effective framework for understanding cyberwarfare and a set of implementable solutions for the United States—all in a brief 78 pages of text. Brian M. Mazanec, a US government analyst, and Bradley A. Thayer, a university professor, describe the purpose of their monograph in writing, "The major question we address in this study is: in light of the challenges of applying deterrence theory to cyber warfare, how can the United States and its allies successfully deter major cyber-attacks?"

Answering this question lies at the very heart of many recent works on the subject. Cyberdeterrence and Cyberwar, Inside Cyber Warfare: Mapping the Cyber Underworld, Cyber War: The Next Threat to National Security and What to Do about It, and Conflict and Cooperation in Cyberspace: The Challenge to National Security are but four of many works that have sought to address this very question during the past five years. Thus, Mazanec and Thayer's contribution to the study of cyberdeterrence is not new, but neither is it merely the latest work in a field with a glut of monographs and edited volumes on the subject.

In laying the groundwork for the recommendations that come at the end of the monograph, the authors begin by effectively making a case for the threat posed by cyberwarfare. However, in defining their key concepts, Mazanec and Thayer often conflate cyber crime, cyber espionage, and cyberwarfare by calling all of these events cyberattacks (either computer network exploitation or computer network attack). The lack of distinction is common in the broader debate surrounding discussions of cyberwarfare and may be the result of a field not yet reaching an agreed upon nomenclature. Establishing a set of widely accepted concepts and terms will go a long way to offering greater clarity to this very young domain of warfare.

Throughout the work, the authors lament the "attribution challenge" explaining that it is difficult and time consuming to determine the party responsible for a cyberattack. The weakness of this argument is that nation-states (or even violent nonstate actors) are, in fact, more capable of determining responsibility than commonly acknowledged. This argument also presumes an attacker will seek anonymity, when in reality they may not. In no other domain of warfare is there a concern for the attribution challenge. This is with good reason. When states go to war, they generally desire for an adversary state to know who has initiated the fight—albeit after a successful attack. It is in the realms of cyber crime and cyber espionage where nonstate actors and nation-states seek to create an attribution challenge for the intended victim. Unfortunately, the authors do not make such distinctions, which would have offered greater clarity of purpose. As Panayotis A. Yannakogeorgos points out in Strategies for Resolving the Cyber Attribution Challenge, it is important to create different standards for cyber crime, cyber espionage, and cyberwarfare.

There is a second weakness in this work. In attempting to apply principles developed for nuclear deterrence to cyberspace, the authors offer generalizations of these concepts that are either incorrect or remove important granularity from the concept. For example, the authors describe "deterrence by punishment," which may be deterrence by threat or compellence—the latter resulting from the failure of deterrence. The authors' definitions are ambiguous, and by introducing uncertainty, the authors appear to conflate key deterrence concepts. This critique does not suggest that Mazanec and Thayer do not offer some useful insights. In offering a brief description of a rather large topic, there will inevitably be areas left uncovered. The brevity of this monograph is its greatest asset and primary weakness.

The set of conclusions the authors offer is largely consistent with the recommendations offered by other analysts looking at cyberwarfare. For Mazanec and Thayer, developing effective cyberdeterrence largely centers on two developments: a need to develop effective declaratory policy and a need to develop offensive cyberweapons.

As with other forms of warfare, the authors suggest the United States should develop declaratory policy that establishes American redlines for specific forms of cyber- attacks. They see such redlines as working to establish international norms and serving more effectively to deter an adversary. Mazanec and Thayer also suggest any declaratory policy should include a provision that clearly articulates the US position toward a state that hosts "independent" cyberattackers—as Russia and China are known to do. This would include any direct or indirect support to nonstate actors that engage in any form of cyberattack and would include, much as with terrorism, a list on state sponsors. Finally, the authors suggest Washington needs to lead the way in establishing international cooperation that expands and spreads state responsibility.

While Mazanec and Thayer give very limited attention to offensive cyberweapons, they do suggest that the United States should develop a "full spectrum" of military assets capable of deterring and responding to cyberattacks. Such a spectrum, according to the authors, includes such ideas as empowering third parties to enforce redlines and the issuance of letters of marque and reprisal.

The most effective means of improving their analysis is straightforward: expand the monograph to provide greater clarity of central ideas and concepts. At 78 pages of text, the work is a bit too brief. Mazanec and Thayer might also consider incorporating greater discussion of classical deterrence concepts: signaling, strategic ambiguity, escalation, de-escalation, limited cyber options, and others. With a solid foundation of literature available, there is now room for analysts in the cyberwarfare field to flesh out concepts that, to this point, remain vague.

Well written, straightforward, and brief, Deterring Cyber Warfare: Bolstering Strategic Stability in Cyberspace offers interested readers a means of dipping their toe into the water of cyberwarfare studies. While they may not offer the most comprehensive look at the topic, Mazanec and Thayer provide prospective readers with a sufficient introduction to cyberwarfare and give newcomers a foundational understanding of a topic growing in importance.