The United States’ reliance on networked systems and the high costs associated with cyber attacks have led many leaders in the US government and the Department of Defense (DOD) to prioritize protecting our critical networked infrastructure. Part of that focus is trying to develop a strategy for deterring adversaries from attacking our networks in the first place. This effort has led to much debate around the question of whether cyber deterrence is possible.

Answering this question is difficult since the number of adversary groups capable of attacking US networks is large and our ability to deter each group will vary...

The next step in determining if cyber deterrence is possible is understanding and defining what actions the United States is trying to prevent. Senior civilian and military leaders often use the term cyber attack incorrectly when discussing malicious actions against our critical infrastructure. In 2013 Air Force general William M. Fraser III told the Senate Armed Services Committee that US Transportation Command was “hit by almost 45,000 cyber attacks during 2011, and quadruple that number [in 2012].”⁶ In this case, General Fraser used an extremely broad definition of cyber attack.

Because malicious cyber actions can be grouped in many ways...

The first step in defining an effective deterrent strategy is establishing policy at the national and DOD levels. One of the most important policy documents is the 2010 US National Security Strategy (NSS) signed by the president.⁹ The NSS is intended to outline the president’s national priorities and provide high-level guidance for US agencies and departments to follow. This document also serves as an indicator to our international partners and adversaries of areas where we plan to focus our attention. It addresses several of the seven attributes necessary for effective deterrence. First, the NSS defines our national “interest.” It makes...

Now that we have a basic definition of deterrence and the attributes necessary for success, the next step is to look at the challenges associated with applying those principles to cyberspace. One of the biggest barriers to effective cyber deterrence is the concept of attribution. Intelligence expert Bob Gourley maintains that “you cannot deter unless you can punish and you cannot effectively punish unless you have attribution.”¹⁷ Attribution in the cyber domain is possible, but in some circumstances it can be difficult and time-consuming. The complex structure of the Internet, immature political and legal policies, and global nature of the...

Current US strategy falls short on several key attributes necessary for effective deterrence: deterrent declaration, penalty measures, credibility, and fear. National strategy does a decent job of making clear to our adversaries that we have a strong interest in protecting and defending our networks but falls short with its deterrent declaration. While designing, acquiring, and operating more secure systems are essential, deterrence by denial is a passive strategy—and insufficient on its own to achieve cyber deterrence. A critical part of a deterrence strategy is, first, promoting a strong deterrent declaration that makes clear to adversaries the severe penalties of...