Despite a growing amount of scholarly and policy attention to cyber threats, little progress seems to have been made in building effective deterrence against them. State and non-state actors continue to act with an unacceptable level of impunity in using the internet for malicious purposes. This paper by Dr Joe Burton, Visiting Researcher at NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) and Senior Lecturer, New Zealand Institute for Security and Crime Science, University of Waikato, addresses these issues by posing two related questions: given the diversity of actors, threats and motivations involved, is deterrence against cyber-attacks possible? And if it is, how can effective cyber deterrence be built and sustained? These questions are important to both academic and policy debates. If progress is not made on deterring malicious activity online, the costs and consequences of cyber-attacks will continue to grow and continue to cause instability within the international system. The academic debate on cyber deterrence also appears to be unresolved, with some analysts advocating the view that the deterrence concept should be stretched, some that it should be ditched altogether, and others that cyber deterrence should be a limited approach applicable only to state actors and high-level strategic threats.
The overarching argument of this paper is that cyber deterrence is possible if the concept is conceived more broadly. To enhance cyber security, cyber deterrence should be a comprehensive strategy that considers the full spectrum of cyber threats and moves beyond narrow conceptions of national and military security. This is not an argument that a blanket approach to cyber deterrence should be applied to all cyber security threats across all sectors, or that military-strategic cyber deterrence is redundant. Instead, deterring diverse cyber threats requires that deterrence be tailored and customised to different actors across the societal, state and international spectrum. Traditional conceptions of deterrence may still have utility in deterring high-level strategic threats (and are arguably already doing so) but will likely not have an impact in an increasingly diverse and complex cyber security landscape.