The problem in the cyber realm, of course, is how is deterrence-by-denial supposed to function when the signalling is largely down to mere rhetoric? A prime minister simply saying ‘you will not succeed’ may not be enough. How could Moscow know it would not ‘succeed’ if it did ‘unleash’ its full cyber potential? And, moreover, just how much energy would Russia waste anyway – and what ‘costs’ would it incur – if it did launch a major cyber attack that did not ‘succeed’? Where is the jeopardy? A few hours only of a few hackers’ time might be wasted in an attack that could anyway be deniable. Thus, even if the UK’s cyber defences are, indeed, sound, Russia’s cyber agencies would lose very little by testing them.
While deterrence-by-denial is intuitively the least problematical form of cyber deterrence that the UK could employ, it may be seen to lack credibility. The UK’s cyber defensive capabilities can never be communicated effectively so they cannot be relied upon to prevent Russia attempting a major cyber assault. Deterrence-by-denial thus seems not to be practical.
In defending itself against the Russian cyberthreat, the UK can also theoretically apply the more offensively geared notion of deterrence-by-punishment. That is, if Moscow continues with its current cyber activity against the UK or if other, more serious, attacks appear ‘imminent’ or actually take place, then the UK could threaten to respond with ‘punishing’ cyberattacks of its own. The idea here being that if Moscow did fear such punishment then it would exercise restraint; it would be deterred.
This process, again, relies on signalling. In nuclear deterrence terms, this would be achieved by rhetorically threatening to reply to any adversary’s proposed pre-emptive nuclear strike with an even more devastating nuclear counter-strike. This would make use, in essence, of some ‘rocket-rattling’. Such a communication of capabilities would serve to enhance credibility (Schelling 1966, 36–49). But cyber sabre-rattling does not, of course, work quite so well. The rhetorical communication might be there in terms of, for instance, GCHQ officially declaring that it has significant ‘counter-state offensive cyber capabilities’ (UK Parliament 2017, 44). This was headlined as, ‘British cyberweapons could paralyse hostile states’ (Elliot and Haynes 2017). Certainly, this message that the UK does have the power to ‘paralyse’ the likes of Russia through its own offensive cyber capabilities is being assiduously broadcast. The aforementioned report from the ISCP says it noted ‘the advantage [that] the UK’s development of a strong offensive cyber capability will confer in terms of an effective deterrent’ (UK Parliament 2017, 44). The principle document relating to the cyber capabilities of the UK’s armed forces also highlights their ‘offensive’ potential.5 Indeed, the military and GCHQ combined their cyber capabilities in 2014 by forming the National Offensive Cyber Programme. Overall, the statement of threat in official government documents is that the UK could, quote, ‘retaliate’ [see below] with its own cyber capabilities if subject to or threatened by a serious Russian cyberattack (Wintour and Walker 2017). Such an admission that it had offensive cyber assets did put the UK in a unique position. It became the first country in the world to advertise that it had such a potential (as was duly noted in Russia) (Savchenko 2017, 153). This remained the case until September 2018 when the White House announced, in a new National Cyber Strategy (2018), that it would lift its own ban on both the civil and military use of offensive cyber.
Again, though, the problem with offensive cyber as a deterrence-by-punishment tool is its credibility. How is any state actor to be successfully coerced into changing its behaviour in the cyber realm by a UK cyber capability whose actual effectiveness will largely remain moot until actually deployed? If Moscow has no way of knowing about the potential of UK offensive cyber and whether it could overcome Russian defences, then the UK warnings will have no traction. Indeed, how can it be ascertained if, in any cyber exchange, Russia is actually capable of ‘escalation dominance’? That is, can Moscow respond to any UK offensive use of cyber with an even more destructive one of its own? Hence, the question once more is, just how practical would any UK cyber deterrence-by-punishment capability be if it is both of an unknowable effectiveness and risks inviting a yet more devastating Russian counter-response?
Moreover, the threatened use by the UK of offensive cyber faces a series of both legal and ethical constraints that will inhibit its applicability as a tool of deterrence. If Foreign Secretary Hunt accuses Russia in its cyber activity of ‘operat[ing] without regard to international law or established norms’ (Wintour 2018) then it would seem incumbent on the UK to do so itself.
Cyber deterrence-by-punishment: the legal and ethical dilemmas
There is a reason why the UK was alone in advertising that it had an offensive cyber capability and why the US considered it illegal until late 2018. The fact is that international law is unclear as to the legality of any state employing cyber as a deterrence-by-punishment tool. As Wheeler puts it, ‘reaching an international consensus on what triggers a country’s right to self-defence in cyberspace requires a coherent, common understanding on where to draw the line between nefarious economic or intelligence activities and true cyberattacks’ (Wheeler 2018, 41). Such a consensus is proving difficult to generate. Firstly, it would be difficult, of course, to say at what specific point the UK could begin to use its cyber offensive capability in response to any Russian cyberattack suffered. And then there is the thorny question of attribution (Tsagourias 2012). If the UK chose to take reprisal cyber action then it would have to be very sure of the source of the initial attack. The ‘victim state’, as Attorney General Wright himself noted, ‘must be confident in its attribution of that act’. He continued, ‘without clearly identifying who is responsible for hostile cyber activity, it is impossible to take responsible action in response.’ Wright also, however, said that the UK, if it decided to take reprisal action, had ‘no legal obligation’ to produce evidence to the international community to confirm who the attacker was (Wright 2018). While such a stance is taken because producing evidence would ‘reveal sensitive capabilities’ it would also, of course, call into question the UK’s ability to obtain international approval for its actions and thereby still operate within international law (UK Parliament 2017, 44).
But even if the UK did decide to take unilateral action using its offensive cyber capabilities, it would still be bound, as noted earlier, by the laws of armed conflict. As such, any act of deterrence-by-punishment could only ever be used in order to either persuade the adversary to desist from what it is doing or to convince it not to carry out any future such attacks. Where the use of armed force is concerned, this has an instinctive logic. But there is less clarity where cyber warfare is concerned. A Russian cyber operation, for instance, that was not designed to be destructive may have inadvertently become so and any damage wrought may have come about by accident. And what if, by the time the UK had launched a reprisal cyberattack, Russia had already stopped its original cyberattack but second-order effects were still continuing?