The recently reported activities by U.S. Cyber Command around the 2018 midterm elections were sorely needed, and according to press reports were effective. Some have criticized them as not having deterrent value, but that fails to recognize their tactical and operational value. Tactically they reportedly stopped the Internet Research Agency and perhaps the Russian government in their attempts to manipulate the elections and Americans' perceptions of their validity. Operationally they helped train the forces of U.S. Cyber Command and their mission partners at NSA, FBI, DHS, CIA, State, and others, as well as their private sector partners, in the conduct of time-sensitive real-world operations.
However, the question of deterrence is an important one. There have been a number of articles on how deterrence works, and lamenting the lack of a deterrence strategy. But a strategy developed without actual experience will likely be flawed, particularly in a domain as poorly understood as cyber. Instead, the U.S. should identify the things that matter most to cyber actors and figure out how to decrease their incentive to act. Here are two sets of potential deterrence measures that address the nation’s principal cyber adversaries.
China has been using cyber means to steal U.S. defense and private sector secrets since at least 2002. Their long-standing and ongoing theft of intellectual property to provide advantage to Chinese commercial entities is well-documented in the public domain. One potential deterrent measure could be that, when the U.S. can determine to its satisfaction that a Chinese state-sponsored cyber actor has stolen commercial information, the U.S. will ban all Chinese companies in that sector from selling in the U.S. market. A second potential measure could make it illegal for U.S. companies to work with any Chinese companies in the affected sector. It may be possible to get other like-minded nations to participate in both of these measures, which would extend the effect beyond America's borders and increase its deterrent value.
Russia is using cyber means to undermine democratic institutions in the U.S. and elsewhere, and according to the unclassified U.S. Intelligence Community Assessment released in January 2017, at the behest of President Putin. So far it has been all benefit, with little to no cost. There are measures that could be taken to change that balance by going after the things that Putin thinks are important—support from the intelligence services, military, and oligarchs; control of the flow of information to the Russian people; and his money, reportedly stashed overseas. The U.S. and UK have taken some initial steps in going after the oligarchs, but that could be ratcheted up to have greater impact on their finances, causing them to exert pressure on Putin. Additionally, there are literally dozens of ways to get truthful information in front of the Russian people, things that Putin doesn't want them to see (like videos of the funerals for Russian soldiers killed in Ukraine). Getting such information to the Russian people and letting Putin know it will continue until Russian behavior changes is another potential measure that could change the cost-benefit calculation.
Deterrence needs to move out of the theoretical plane and into the real world. If the U.S. imposes costs on its cyber adversaries in the areas that matter most to them, it will change their decision calculus. This must be the foundation for any U.S. deterrence strategy.