Cyberdefence: Deterrence vs Pre-emptive Strategies


I recently wrote a paper on the development of U.S. cyberpolicy in which I noted an interesting shift in the rhetoric being employed, from one of anti-terrorism in the Bush Administration’s National Strategy to Secure Cyberspace to Cold War rhetoric in the Obama Administration’s Cyberspace Policy Review. This shift seemed to be in line with recent assertions that the U.S. is engaging in a cyber arms race. An obvious reason for this emphasis on increasing cyber capabilities is to be able to use the strategy of deterrence so popular in the Cold War. This would then imply that the Obama administration has abandoned the Bush Doctrine of pre-emptive attack and is returning to a superpower-centric vision of world order. However, the reason the Bush Doctrine was adopted in the first place was the changing nature of global power: a stalemate had developed, precipitated by the unwillingness of nations to initiate nuclear war; the Soviet Union had collapsed and Russia was now an ally of the States; and 9/11 demonstrated that perhaps the greatest threat to national security could come from unpredictable and perhaps irrational non-state actors who were not averse to risks and did not want to maintain the status quo. Cold War-style deterrence only works against an adversary who has something to lose. Pre-emptive action was therefore the safest alternative, striking in ‘anticipatory self-defence’ before the adversary can strike you.

A pre-emptive cyber-strike makes no sense for several reasons. Firstly, the aim of a pre-emptive strike is for the superior power to thwart an imminent attack by a growing power before this power reaches its full potential and attack capabilities. However, in the case of cyber capabilities, the U.S. is not the strongest power; China is far more developed. Secondly, attribution is a very difficult issue in cyberattacks; it is easier to attribute blame through political motivation than through examining the cyber trail. It is therefore difficult to pre-empt an attack when it is not clear, even after the fact, where it might have originated or to what ends. Even if this could be ascertained, the likelihood of the attackers being state-sponsored or even working independently so as to allow plausible deniability makes any kind of national response difficult. And finally, a full-scale debilitating cyberattack is unlikely to occur by itself; this would not disable the ability of an enemy to retaliate. It would most likely occur in one of two scenarios: in conjunction with a kinetic attack, with the aim of confusing communication and computer-based military functions enough that they would not be able to respond to a physical attack; or it would be used discreetly as a form of espionage, in which case a physical retaliatory attack would be excessive, and a similar cyberattack may not currently be within U.S. cyber capabilities.

Therefore a strategy of deterrence would seem to be the best option, building up the U.S.’s cyber capabilities so that no one will challenge them. However, the U.S. is already far behind China, and not in a position to deter anyone. If anything, it is China that is leading in the cyberspace race. It would therefore seem that the U.S. is adopting a strategy of straight-up defense, in the hope of detecting and minimising the damage of a cyberattack, until its capabilities are developed enough to match those of China. The Obama Administration may be using Cold War rhetoric to inspire a sense of urgency and competition in its citizens, to arm against an attack from China, but this is not a cyber arms race in the way this rhetoric would have us understand it. It is more a race to catch up.