DEterrence is the process of persuading someone to refrain from doing something by convincing them that the costs will outweigh the expected benefits. Understanding deterrence in cyberspace is often difficult because many people are still influenced by a Cold War-era notion of deterrence. However, a comparison with nuclear deterrence is misleading because the purpose of nuclear weapons is ultimate prevention. Deterrence in cyberspace is more akin to crime prevention: governments can only do this imperfectly.
Threat of punishment, denial by defense, entanglement, and normative taboos are four main techniques for reducing and preventing unwanted behavior in cyberspace. None of the four is ideal, but taken together they show the range of options available to reduce the possibility of harmful activity. Despite the challenge of attribution, these approaches can complement each other in influencing actors’ opinions on the costs and rewards of specific actions. While attribution is necessary for punishment, it is not necessary for deterrence through denial or entanglement.
The United States and some other countries have asserted that the laws of armed conflict apply in cyberspace. It is the effects of a cyber operation, and not the instruments used, which determine whether it should be qualified as an armed attack. Therefore, attacks that do not achieve equivalence are more difficult to deter. As US Special Adviser Robert Mueller’s report revealed, Russia’s Hybrid War in Ukraine, as well as its interference in the US presidential election, has fallen into a gray area.
Although the problems of attribution of cyberattacks and the multiplicity of enemies in cyberspace do not rule out deterrence and deterrence, they suggest that punishment should play a lesser role. States and criminals can be punished, but the deterrent effect is reduced and blunted when an attacker cannot be detected quickly.
According to the Identity Theft Resource Center report (2021), the total number of data breaches in 2021 was 1,291 compared to 1,108 breaches in 2020. Cybersecurity experts predict that global cybercrime will cost $10.5 trillion per year by 2025. threats, states must establish effective and robust procedures to maintain effective deterrence.
The threat of Cyber Pearl Harbor can be directly traced to the development of the World Wide Web (WWW) in the 1990s. Cyber Pearl Harbor is described by Sean Lawson and Michael K Middleton (2019) as “physical repercussions catastrophic cyber-attacks on key infrastructure”. As governments are threatened by innovative dimensions of warfare, terms such as “cyber wars,” “cyber attacks,” and “cyber intrusions” have permeated state security discourse.
As a national security topic, cyberattacks are at the center of high-level diplomatic discussions. During a meeting in Geneva on June 16, 2021, President Biden presented President Putin with a list of 16 US critical infrastructure targets that must be protected against cyberattacks.
A Cyber Pearl Harbor is still a far-fetched possibility. Low-stakes cyber operations conducted by state and non-state actors and high-stakes cyber operations involving large countries are, however, commonplace.
As a national security topic, cyberattacks are at the center of high-level diplomatic discussions. During a meeting in Geneva on June 16, 2021, President Biden presented President Putin with a list of 16 critical US infrastructure targets that must be protected against cyberattacks. Energy, nuclear power, healthcare, chemicals, information technology and defense industry were among the industries on the list.
The conference reflected US national security concerns as well as vulnerability, as it occurred shortly after a major cyberattack on the Colonial Pipeline in May 2021.
Deterrence in cyberspace is a difficult task. In his article, Deterrence and Deterrence in Cyberspace, Joseph Nye explains that deterrence through denial will be more effective than deterrence through punishment because governments and non-state actors have access to cyberweapons. He cited a cyber attack on JPMorgan Chase bank in 2012, which led to the compromise of personally identifiable information (PII) of 76 million households and seven million organizations.
Russia was blamed for the incident. The attackers, however, were recognized by the US Department of Justice in 2015 as a sophisticated criminal network led by two Israelis and a US citizen.
The issue of attribution in cyberspace frequently leads to a blame game between governments. In 2021, the United States accused China of being “the world’s number one source of cyberattacks”. China responded by accusing the US of being “the world’s biggest source of cyberattacks”. Western governments use terms like “very likely” to accuse rivals of cyber attacks without presenting solid evidence.
Because of the ambiguity surrounding attribution, nations resort to deterrence through denial. The effectiveness of deterrence through denial alone is a key question for policy makers. Maintaining excellent cyber health and a strong cyber infrastructure can help protect against cyberattacks from both states and non-state entities. However, it cannot completely eliminate the possibility of cyber attacks.
In the Global Cyber Security Index, Pakistan is ranked 79th. Some recent large-scale cyberattacks in Pakistan have targeted financial and energy systems, including K-Electric, the Federal Board of Revenue (FBR), and the National Bank of Pakistan (NBP).
There have also been reports of foreign security agencies engaging in cyber warfare. In 2020, the ISPR alleged that Indian intelligence agencies were involved in cybercrime against Pakistani government officials and the military.
Amnesty International reported in 2021 that India used Pegasus spyware against Pakistan. In November last year, world times published an article on how a group of Indian hackers carried out cyberattacks against government and security services in Pakistan and China.
In the event of an attack on critical infrastructure in Pakistan, retaliatory actions are contemplated in the Pakistan National Cyber Security Policy 2021.”[It] will view a cyber attack on Pakistan CI/CII as an act of aggression against national sovereignty and defend itself with appropriate response measures. Therefore, the primary deterrence strategy of the policy is to deny the benefits to the attacker. This is insufficient to maintain total cyber warfare.
An effective defense may be necessary for an asymmetric cyber attack, but to deter a large scale symmetric cyber attack, cyber defense combined with non-cyber retaliatory means would provide a more effective deterrent. As a result, state cybersecurity strategies and nuclear doctrines include retaliatory measures.
The 2018 U.S. Department of Defense Cyber Strategy is offensive and calls for the creation of a deadly joint force to combat malicious cyberattackers.
It is difficult, but not impossible, to maintain deterrence in cyberspace. Reducing cyber vulnerabilities requires a strong cyber security infrastructure. Along with implementing policies and strengthening the regulatory system, more investment in emerging technologies is needed. This will help strengthen cyber defenses, develop an effective deterrence posture and improve Pakistan’s indigenous cyber capability.