Cyber deterrence is overrated: analysis of the deterrent potential of the new cyber doctrine and lessons for Germany's "active cyper defence"

Abstract

Proponents of active, offensive cyber operations argue that they could have a deter­rent effect on potential cyber attackers. The latter would think twice about attacking if a digital counter-attack might be the consequence. The idea that offensive cyber capabilities should have a deterrent effect was one reason why the new US cyber doctrine was adopted in 2018. The same assumption is implicit in the debate about cyber counterattacks ("hack backs") in Germany. Yet these assessments are based on a superficial understanding of deterrence. Cyber deterrence by the threat of retaliation works differently than that of nuclear deterrence. Problems of attribution, displays of power, controllability and the credibility of digital capabilities increase the risk of deterrence failure. Thus, the German cyber security policy would be well advised to increase its "deterrence by denial", cyber security and the resilience of its systems. (Autorenreferat)