Strategic Cyber Deterrence.
Abstract: Abstract The world has witnessed two cyber wars, the first between
Estonia and Russia in 2007 and the second between Georgia and Russia in 2008. In both of
these wars, the same problem existed and will continue to proliferate as without imposed
costs and/or denied benefits, state and non-state actors will further develop and refine
capabilities that have the ability to take advantage... read moreof cyber vulnerabilities. The scope
of this study is to understand the nature of cyber war and its purpose in order to develop
a theory of cyber deterrence. An initial challenge surfaced because of a lack of
definitional consistency for terminology in the cyber domain. To address this challenge, I
relied upon time-tested Clausewitzian ideals to define cyber war as the continuation of
state policy by cyber means. The principal research question focused on developing
requirements for cyber deterrence theory that are applicable to cyber war. The
requirements that emerged were grounded in preceding deterrence theories and forged from a
vulnerability-based assessment of the existing cases of cyber war. I closely analyzed
exploited and unexploited vulnerabilities to help inform the requirements for cyber
deterrence by denial. This permitted me to reverse engineer what actually occurred to
design a theory that may prove more relevant to deterring cyber war in other cases. In the
course of the case studies, I learned that cooperation appears to play a larger role in
cyber deterrence than earlier forms of deterrence theory. This inspired a theory of cyber
deterrence based upon denial, punishment, and cooperation. Four hypotheses informed by
basic deterrence, criminal justice deterrence, and nuclear deterrence theories were rooted
in a critical question regarding the cyber domain: How is cyber deterrence possible if
attribution, offensive capabilities, defensive capabilities, or cooperative relationships
are either missing from or inadequate to deter a malicious actor? The hypotheses,
structured on the triadic components of denial, punishment, and cooperation, were tested
using the two cases of cyber war. What I discovered in the process of analyzing and
evaluating the cases and then synthesizing this with the literature left me with neither a
full account of what is possible nor an account of what is not possible. Instead, the
analysis indicated the presence of a middle ground where cyber deterrence becomes
conditional and/or variable in its effectiveness based on attention or inattention to the
triadic components. This means that cyber deterrence requires tailoring for different
classes of actors based on their kinetic and non-kinetic capabilities. It also means that
the elements, which comprise the triadic components, require constant attention because of
the rapid pace of technological developments. Because of these developments, capabilities
and vulnerabilities constantly expand and contract, which indicates that the effectiveness
of cyber deterrence is perhaps more conditional as a function of time than previous
Thesis (Ph.D.)--Tufts University, 2012.
Submitted to the Dept. of Diplomacy, History, and Politics.
Advisor: Robert Pfaltzgraff, Jr..
Committee: Antonia Chayes, and William Martel.
Keywords: International relations, Military studies, and Information technology.read less