Cyber's Impact on Risk Mitigation and Integrated Deterrence

TOPIC SPONSOR: AF/A10

From an arms control risk mitigation perspective, how do strategic cyber capabilities differ from nuclear capabilities and other systems with the potential to deliver strategic effects on which the United States has implemented its deterrence architectures?  How might offensive and defensive cyber capabilities be implemented into existing or new risk mitigation frameworks (e.g. arms control treaties and agreements) in order to manage strategic stability? How might the integration of cyber capabilities into future treaties and agreements impact DAF's integrated deterrence posture as well as the Department's arms control implementation and compliance activities?

• Grimsley, Maj. Charles W., "Medieval Weapons and Moving Targets: The Law of Armed Conflict v. Evolving Cyber Threats," AFGC thesis, 2025.
  • Grimsley explains that to successfully implement cyber capabilities into new risk mitigation frameworks, the international community must first establish a consensus on basic Law of Armed Conflict (LOAC) terms, such as defining what legally constitutes an "attack" or a "civilian object" in cyberspace. The paper argues that traditional treaty law is currently inadequate to manage rapidly evolving technological capabilities. To resolve this and manage strategic stability, Grimsley recommends that future agreements and international consensus must drastically update LOAC by expanding the definition of "civilian object" to explicitly protect civilian data. Legally protecting civilian data would establish clear boundaries, deter the targeting of civilian networks, and allow nations to deliver authorized, proportional responses to sub-threshold aggression.
• Soesanto, Stefan, "Cyber Deterrence Revisited," Published as an AU Press Perspectives on Cyber Paper, 2022, 49 pgs.