Professional Documents
Culture Documents
LIBICKI TrickyTerrain 2009
LIBICKI TrickyTerrain 2009
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide
range of content in a trusted digital archive. We use information technology and tools to increase productivity and
facilitate new forms of scholarship. For more information about JSTOR, please contact support@jstor.org.
Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at
https://about.jstor.org/terms
This content is licensed under a RAND Corporation License. To view a copy of this license, visit
https://www.rand.org/pubs/permissions.html.
RAND Corporation is collaborating with JSTOR to digitize, preserve and extend access to
Cyberdeterrence and Cyberwar
Tricky Terrain
Disarm
18th-century
land combat
19th-century
naval combat
Air combat
Nuclear
circa 1930
Cyber combat
combat
Defend Deter
RAND MG877-9.1
175
1 Quester, 1986, pp. 82–104, argues that British fear of air attack—there was considerable
panic after the Zeppelin raids in World War I—explained a great deal about Britain’s capitu-
lation in Munich.
2 Overy, 1995.
and prosecutorial means. At very least, the topic needs far more careful
consideration than it has received to date.
Beyond deterrence lies combat in cyberspace, little of which is
intuitive and less of which is straightforward. Ambiguity is ubiquitous.
Every success in that medium relies on deception. Whoever declared
the electron to be the “ultimate precision weapon” had or should have
had his tongue planted firmly in his cheek.3 In that medium, even
the basic questions of journalism may lack answers: Who attacked?
Where did they come from? What did they damage? How did they do
it? When did the attack take place? Why did they bother? Cyberspace
may be digital, but digital clarity is a property of high-definition televi-
sion, not cyberwar.
To someone locked in a fight to the death, such ambiguities pose
operational difficulties of the sort that apply to all weapons. Whether
problematic weapons are useful depends on what it costs to employ
them and what their likely effects are. By this criterion, cyber might
look good. Cyberweapons come relatively cheap. Because a devastating
cyberattack may facilitate or amplify physical operations and because
an operational cyberwar capability is relatively inexpensive (especially
if the Air Force can leverage investments in CNE), an offensive cyber-
war capability is worth developing. An attacker can use them without
worrying overly much about whether its own side suffers more than
the target does, assuming a few reasonable precautions: Avoid creating
self-replicating code (e.g., worms); make sure that the system you break
is not something you or your friends actually use (without knowing
it); etc. How much the military services should spend to build up an
operational cyberwar capability is a classic how-much-is-enough issue.
At this point, it appears that the operational corps should be small and
elite, while the intelligence and planning cells should receive the most
manpower and resources—a “measure twice, cut once” philosophy.
If combatants are not locked in a death struggle, the operational
difficulties of cyberdeterrence; cyberwar; and, to a lesser extent, opera-
tional cyberwar risk becoming strategic difficulties—and all that fog-
3 From testimony on June 24, 1996, by John M. Deutch, Director of the Central Intel-
ligence Agency, before the Senate Permanent Committee on Investigations.
giness is not just about accuracy. If these elements are misused, the
warrior risks fighting the wrong foe at the wrong time in the wrong
place (e.g., in real space when cyberspace would have been less bloody)
for the wrong reason.
Cyberdeterrence ought not to be confused with nuclear deter-
rence: Retaliation is so horrifying that none dares get close to test-
ing it. Neither should it be confused with criminal deterrence: The
law has a clear legitimacy advantage over the lawless. In an anarchic
world, cyberattack and cyberretaliation might resemble the dynamic
that governs rival urban gangs, mutually suspicious desert clans, or the
Hatfields and McCoys—until someone escalates.
The dynamics of cyber confrontations also come perilously close
to theater. Much depends on whether a confrontation plays out in the
shadows, involving sysadmins, spooks, and presidents, or whether it
plays out in the sunlight, where the whole world is watching. What
may be a strategic minuet in the first case could well descend to farce
in the second. What is actually happening can matter less than what
people believe is happening.
Can the United States avoid cyberdeterrence and cyberwar alto-
gether? Perhaps there is a foe so foolish as to attack the world’s stron-
gest military power by causing great annoyance to its society (perhaps
by turning off everyone’s lights, were it possible) and, in effect, asking:
What are you going to do about it? The United States should probably
be able to answer that query.
Whether any nation answers such a question in cyberspace,
through less hostile means (e.g., prosecution, diplomacy), or through
more violent means, however, would depend on a great many factors,
not least of which is the confidence its leaders have in what really hap-
pened and why. Cyberretaliation—with all its difficulties—should not
be the only response in the repertoire.