Norms of Cyber Behavior

In his paper, Deterrence and Dissuasion in Cyberspace, Joseph Nye covers the challenges of deterrence in cyber warfare. Nye defines deterrence as anything that prevents an action by convincing the actors that the cost of an action outweigh its benefits (Nye 53). Nye argues this broad definition better captures the breadth of options available to states to prevent cyber attack, and he discusses four of these options, including “threat of punishment; denial by defense; entanglement and normative taboos” (Nye 46) in his paper. From these four options, Nye argues there is no “one-size-fits-all” (Nye 71) deterrence strategy for cyber attacks, and that traditional understandings of deterrence theory must adapt to respond to emerging technological threats.

The bulk of Nye’s paper is spent explaining four possible types of cyber warfare deterrence: “threat of punishment; denial by defense; entanglement; and normative taboos” (Nye 46). The first two – “threat of punishment” and “denial by defense” – fall into traditional understandings of deterrence (Nye 55). Punishment for a cyber attack could entail response in in kind, with economic sanctions, or with physical force (55). Denial by defense could entail heightened monitoring of threats and creation of cyber security, intended to convince attackers an attack was too costly to execute (57). Both these strategies are limited by the fact that the originators of cyber attacks are often anonymous (50-51) and “persistent” (57), making it difficult to respond to all potential cyber attacks effectively.

The second two deterrence strategies, “entanglement” and “normative taboos” (46), fall into a broader model of deterrence. Entanglements of modern states’ interests reduce the likelihood of attack because an attack could be detrimental to the attacker’s state as well (58). Entanglement is a particularly strong deterrent between large, economically dependent states (58). “Normative taboos” (46) reduce the likelihood of attack because an attack damages the prestige and “soft power” of the attacking state (60). Norms against attacks on civilian infrastructure may be particularly strong deterrents (61). Taken together, these four strategies could be used to prevent cyber attacks.

Of all the strategies, I was most interested in the “normative taboo” method of deterrence. Last week, we had an interesting discussion normative (“humane”/”inhumane”) constraints on bioweapons. To me, creating and enforcing norms for cyberwarfare is even more challenging, because the real-life consequences of virtual actions often feel more remote than those from real-life actions. People are often more willing to pirate a movie than steal a physical copy; kids are often more willing to bully their peers online than in person. And unlike the case of nuclear bombs or deadly pandemics, we haven’t yet seen large scale destruction from cyber attacks. I am interested to learn more about establishing cyber warfare norms from the other readings – and from all of your exciting replies! — Grace