State and Non-State Cyber Deterrence: Theoretical Expectations and Practical Constraints

For decades deterrence theory has proven adaptable and responsive to systemic and technological change. Traditional approaches to deterrence have evolved in response to the proliferation of nuclear weapons and missile technology, to shifts in global polarity, to the rise of authoritarian states and international terrorist organizations, and to other security concerns, like piracy, human trafficking, and transnational organized crime. Today, technological developments in algorithmic and computational power, digital networks, and cyberspace more broadly challenge deterrence anew, often in novel and peculiar ways. In cyberspace, coercive paradoxes abound. Under the right conditions, for instance, digital weakness can prove itself a strength, and digital strength, a weakness. Moreover, online, the distinction between criminality, espionage, and warfare is necessarily blurry, complicating military, civilian, and non-state responses. And questions abound regarding identification, attribution, and retaliation in cyberspace. The proposed paper is derived from a SSHRC-funded project on state and non-state cyber deterrence. It does two things. First, the paper explores several tactical concerns states and militaries will encounter in applying deterrence theory and practice to cyberspace. These challenges include: disaggregated state responses; technological limitations to “probabilistic attribution”; synthesizing offense, defense, and denial; balancing hardware and software necessities; contemplating undetected deterrence and defensive failures; tackling the power of weakness and weakness of power; and addressing the nexus between Artificial Intelligence, security, and cyber deterrence. Second, the paper explores cyber deterrence below the state. Cyberspace is inherently non-state in nature, made up of the billions of digital interactions between non-state actors. Accordingly, the paper suggests ways in which individuals, firms, NGOs and other non-state actors can apply the logic of coercion to protect their own digital assets.