A study at Tel Aviv University examines why the US abandoned “cyber deterrence” in 2018 and moved to Defend Forward and Persistent Engagement
A cyber attack (cyber warfare) is an offensive action taken by an organization or state to penetrate the enemy's cyberspace (the computer systems and networks in which it stores data and conducts online and interactive communication), disrupt it, steal information, and even damage the operation of critical systems and infrastructure. Unlike other spaces, it is much more difficult to identify attackers operating in cyberspace. The unique nature of cyberspace – its secrecy, innovation, and spread – makes it difficult to employ traditional strategies, including deterrence; the most basic components of deterrence, such as signaling to the adversary and demonstrating capabilities, are difficult to implement in this space.
The question is: Why did the Americans adopt a cyber deterrence strategy in the early 2000s – and replace it with another in 2018?
Dr. Amir Lupovitz, a senior lecturer at the School of Political Science, Government and International Relations and a research fellow at the Interdisciplinary Cyber Center at Tel Aviv University, is a deterrence researcher, including in the field of cyber. According to him, “Classical studies examine the conditions under which deterrence is successful, how the aggressor can be induced to refrain from actions that are undesirable for the defender. I study the social context (e.g. language and culture) in which the parties operate. My goal is to try to understand not only how the social context shapes the parties’ understandings of strategy, but also what causes the various actors to adopt a deterrence strategy and how they choose to do so.” Dr. Lupovitz began to explore these issues in his doctoral thesis, in which he developed the “deterrence community” – a research framework that made it possible to show how identities, ideas and practices shaped the behavior of the powers in the Cold War.
Currently, with the assistance of a grant from the National Science Foundation, Dr. Lupowitz is researching social constructs that affect deterrence in cyberspace. “The argument is that it is difficult to convey a deterrent message to attackers in cyberspace because their identity is often unknown. But in my view, it is not only cyberspace and its technical characteristics that play a role here, but also social constructs that may change over time. For example, because actors tend not to see cyberattacks as violent acts, it is difficult for them to launch retaliatory responses and justify them.”
The study of issues related to social constructions and identity led Dr. Lupowitz to become interested in the term ontological security – a concept that developed in the 60s in the field of psychiatry and psychology and dealt with the preservation of self-identity (“who am I”) and expanded to the field of the state and international relations in relation to the preservation of collective identity. According to him, “Unlike physical security, which is essentially survival, ontological security concerns the security of the ‘I’ – the ability of the ‘I’ to feel certainty, continuity and order. Therefore, for example, a sense of home is a central component of ontological security. The idea is that not only individuals can feel this in relation to themselves but also states. Therefore, for example, when routine is disrupted and the home can no longer serve as a place of safety – as is the case during the war in Israel – the threat is not only to physical security but also to identity, and the result is collective uncertainty and anxiety.”
Cyberspace challenges the sense of home for residents and citizens of countries, which was previously provided by the idea of sovereignty.
Cyber technology also creates a variety of challenges to the ontological security of individuals and states. According to Dr. Lupowitz, “cyberspace challenges the ‘sense of home’ of states, which was previously provided by the idea of sovereignty. There is a place that is ours, free from external control, and the state should and can be responsible for protecting it.”
The goal of Dr. Lupowitz's latest research, which is still ongoing and is based on an examination of American strategic documents and statements by government officials (for example, in the US Department of Defense and its cyber units), is to examine the connection between ontological security, deterrence, and cyber in the US. One of the research questions is why in the early 2000s the Americans adopted a cyber deterrence strategy, even though at the time various researchers and experts doubted its effectiveness and ability to prevent cyber attacks.
According to Dr. Lupowitz, “The research framework of ontological security helps us understand the choice of the cyber deterrence strategy in the US, as the goal was not only to provide physical security for Americans, which, as mentioned, was questionable, but also to demonstrate continuity with the past. I found that relying on the deterrence strategy – which has been prominent in recent decades in the US – allowed the administration to continue to adhere to the narrative according to which the state provides security to the public as it has done in the past in various spaces. In this way, it supposedly reduced the uncertainty associated with the challenges that cyber creates.”
However, in 2018, the US cyberspace deterrence strategy was replaced by strategies of Defend Forward and Persistent Engagement – which involve penetrating enemy networks (countries such as China and Russia) in order to gather information about their plans and thus neutralize threats to the country’s infrastructure and interests. This follows changes in the perception of the essence of cyber, as explained by researchers Michael Fischerkeller and Richard Harkent, one of the architects of the new strategies. “According to them, deterrence is based on the idea of sovereignty – the ability to distinguish between our territory and that of the adversary. But this does not apply to cyberspace. Although their opinion against a cyberspace deterrence strategy has been known for a long time, they were only able to influence American policy towards the end of the second decade of the 2000s,” concludes Dr. Lupowitz.
More of the topic in Hayadan:
