Taking Stock of Cyber Deterrence

Andreas Haggman

Former UK Secretary of State for Defence Philip Hammond attempted to fomulate a strategy of cyber deterrence. Image: Ministry of Defence (OGL)

Former UK Secretary of State for Defence Philip Hammond attempted to fomulate a strategy of cyber deterrence. Image: Ministry of Defence (OGL)

In September 2013, then UK Secretary of State for Defence Phillip Hammond issued a statement addressing certain aspects of the UK’s national cyber security strategy. The main announcement was the creation of the Joint Cyber Reserve Unit, the UK armed forces’ dedicated cyber defence force, with recruitment to begin almost immediately. Though this is an important development, one part of the statement is particularly noteworthy. Hammond asserted that ‘simply building cyber defences is not enough: as in other domains of warfare, we also have to deter. Britain will build a dedicated capability to counterattack in cyberspace and if necessary to strike in cyber space.’

This focus on deterrence deserves careful dissection because it indicates that UK policy in the cyber era is reminiscent of previous historical eras. After all, deterrence is not a novel concept, nor is it limited to the military realm. The father of modern deterrence, however, must be Giulio Douhet. In his The Command of the Air, first published in 1921, Douhet outlines the essential features of airpower that endure to this day, and expresses hope that the mere presence of an air force would act as a deterrent against aggression.[1] These lines of thinking eventually evolved into the classic deterrence case study: the Cold War. Whereas previous build-ups of military forces – for example the naval arms race preceding the First World War – had failed to avert conflict, the mutually assured destruction engendered in large nuclear arsenals with second-strike capability has been lauded as a primary factor as to why the United States and Soviet Union never engaged in war with each other. It is this situation which Hammond is trying to echo; one where the UK will not have to engage in cyber war because other actors are deterred by the UK’s cyber capabilities.

Unfortunately, Hammond’s strategy is misjudged. Deterrence during the Cold War arguably worked because the US and Soviet Union explicitly deterred each other. Deterrence had a target and the public rhetoric in both countries made specific reference to the other country as the enemy being deterred. Hammond’s statement makes no specific reference to the UK’s enemies, not even to a type of actor, which makes it vague and untargeted. If it aims to emulate the stalemate of the Cold War, such vagueness seems to be a critical failure of a strategy of cyber deterrence.

Proposed below are two policy recommendations intended to address this perceived weakness in the UK’s cyber deterrence strategy.

Deterrence in cyberspace requires more than just technical capabilities. Image: Ministry of Defence (OGL)

Deterrence in cyberspace requires more than just technical capabilities. Image: Ministry of Defence (OGL)

Firstly, future statements regarding the UK’s cyber capability should contain less ambiguity. That is not to say that the UK military should be completely transparent regarding its cyber capabilities; indeed, as with many technologies paramount to national defence, secrecy regarding specific technical details is still desired. Instead, where less ambiguity is required is in the intended target of statements. By simply and explicitly including which actors the UK’s capabilities are aimed at, or which capabilities they are intended to counter, those actors, or actors with those capabilities, would know that they are potential targets for the UK. This would lead to the UK’s threats, and its overall stature as an actor in cyberspace, become more respected, if not feared. Note that the recommendation is not that UK statements single out individual actors, at least not state actors – such statements would only cause tension and inflame distrust on the international arena. However, there is nothing wrong with pointing out that capabilities are targeted against state actors in general. The states concerned would be wary enough to understand the sentiment of the statement. On the other hand, singling out non-state actors such as terrorist organisations is fine, even encouraged, because it sends the message that these are being targeted specifically. Such specificity is without risk as there are no diplomatic or trade relationships to jeopardise. With less ambiguity in public posturing, the UK would achieve more credibility in its national cyber security strategy.

Secondly, in order to reduce such ambiguity about intended targets, these targets need to be actually identified before a strategy is developed. It is impossible to formulate a strategy, let alone implement a strategy, before it is known who the strategy is aimed at. As Clausewitz put it, ‘the means must always include the object in our conception.’[2] Developing ‘dedicated capabilities’ only has some worth if these capabilities are targeted at someone. What is required, therefore, is a thorough appraisal of who the UK’s enemies are. This appraisal must be both a general one and one specific to cyberspace, as there may well be significant differences between the two. The actors which pose a threat to the UK in cyberspace are potentially more diverse, dispersed and disjointed than those in analogue space. On the other hand, the threats present in analogue space may well have cyber capabilities which likewise make them threats in cyberspace. Evaluating these and ranking their threat is critical to determining how the UK national cyber security strategy should be formulated.

With a recent reshuffle in government the time is ripe to undertake such an appraisal. The upcoming Strategic Defence and Security Review provides an ideal vehicle through which to conduct the appraisal and disseminate the findings (where appropriate). This also lends scope for inclusivity as to who partakes in the appraisal. It is necessary to include both civilian policymakers, particularly from the Foreign Office, as well as the military which controls the cyber capabilities.

Conducting a strategy of cyber deterrence is a bold step forward, but one the UK is woefully unprepared, though not unequipped, to take. Significant thought needs to be put into underlying assumptions and assessments before a deterrence strategy can be successfully implemented. Present UK policy leave a lot to be desired in this area, and it is hoped effective remedies are soon forthcoming.


[1] Giulio Douhet, The Command of the Air, trans. Dino Ferrari (London: 1943), p. 154

[2] Carl von Clausewitz, On War, trans. J. J. Graham (Ware: 1997), p. 22

Leave a Reply

Your email address will not be published. Required fields are marked *