With cyber operations serving as an instrument of foreign policy, it is fair to posit that cognitive factors that account for behavior in the physical domain are equally applicable to cyberspace.
While national cyber security strategies have proliferated worldwide in the past decade, most have been overwhelmingly focused on resilience at the expense of political values. This paper addresses the challenges that have arisen from an overly technical focus on cyber security that has failed to consider the application of value sets in strategy creation.
Born in the 1990s, the thinking on cyber deterrence was nurtured by the U.S. Department of Defense in numerous war-gaming exercises. Hitting puberty in the aftermath of the distributed denial-of-service campaign against Estonia in 2007, cyber deterrence matured after Stuxnet and received peak attention from policymakers and academics from 2013 to 2016 during the golden age of ‘cyberwar’ scholarship. From 2016 onward, the interest in cyber deterrence started to fade to the extent that it is now intentionally neglected. The figure below captures this short life cycle by quantitatively visualizing the number of articles, book chapters, and research reports written on ‘cyber deterrence’ and ‘cyberdeterrence’ between January 1990 and January 2020.
Threats to national and economic security emanating from cyberspace are all too real, but public disclosure of incidents of the theft of intellectual property (IP) is exceedingly rare. Former National Security Agency Director and the first Commander of Cyber Command Keith Alexander has labeled China’s theft of U.S. intellectual property through cyber means “the greatest transfer of wealth in history.” Few experts in the field dispute that conclusion. In November 2015, National Counterintelligence Executive William Evanina estimated that cyber-enabled economic espionage cost the U.S. economy $400 billion per year, with 90 percent of the theft originating in China.
In a recent article in Contemporary Security Policy, Florian J. Egloff reflects on the contested nature of public attributions of cyber incidents and what role academia could take up.
In the last five years, public attribution of cyber incidents has gone from an incredibly rare event to a regular occurrence. Just in October 2018, the UK’s National Cyber Security Centre publicized its assessment of cyber activities conducted by the Russian military intelligence service (also known by its old acronym, the GRU). Clearly, publicizing activities that other political actors like to keep secret is a political act – but what kind of political act is it and what happens when a government publicly attributes?