Acts of cyber aggression have continued to increase to levels not seen before, and they have driven policy issues in the executive branch of governments around the world. Most cyber warfare strategists and military experts, as well as national security policy makers, agree it is extremely difficult to control the widespread proliferation of cyber weapons in the arsenals of modern militaries and terrorists around the world. That position has substantially impacted discussions, research and analysis into many aspects of cyber deterrence.
Current cyber deterrence thinking seems to focus on three specific areas:
1. Penalties and Retaliation (Traditional deterrence approach)
2. Interdependency (What hurts one hurts all)
3. Futility (Limited impact due to resiliency and defenses)
One example that clearly demonstrates the complexity and difference from other national security threats is the use of insiders. Historically, our security approach centered on external threats that have been separated by geographic boundary. This threat model is outdated when it comes to cyber security. The only thing that differentiates a cyber weapon from a security testing tool is the intent of those behind the event or events.
One of the most concerning areas evolved out of a call by a military official who made statement that we would treat all acts of cyber aggression as a law enforcement issue and not an act of military aggression. This position is very dangerous and should be discouraged.
Developing and implementing a comprehensive cyber deterrence program will not be easy and will require the cooperation of the computer industry and others in the private sector. Traditional national security strategies of deterrence may have little impact on the supercharged proliferation of cyber weapons. Deterrence is further hampered by the significant issues surrounding the current and near term capabilities for definitive attribution (determining those behind the attack). In that cyber deterrence is directly dependent upon the nature of the attack as well as who is behind the attack, deterrence measures must be based on the numerous attack groups (example, cyber criminals, cyber terrorists, hacktivists, rogue-nations and others).