1. Key Policy Questions and related issues:
What is the potential for deterrence in cyberspace?
What are existing models/approaches to deterrence in cyberspace?
How might other stakeholder groups be involved in supporting deterrence?
2. Summary of Issues Discussed:
Speakers all recognized a common understanding of “deterrence” that refers to dissuading adversaries and bad actors from taking certain actions. As cyberspace has gained prominence as a domain of conflict in recent years, there is clear need to apply this same thinking to the digital domain in order to discourage attacks and encourage responsible behavior. Different approaches to deterrence that were highlighted included deterrence by punishment, deterrence by denial, and deterrence via benefits for responsible behavior.
Speakers also all recognized that underscoring any effective deterrence model needs to be a clear set of normative expectations, making ongoing international efforts to establish such expectations in cyberspace especially important – including the dialogues at the United Nations, as well as multistakeholder agreements like the Paris Call for Trust and Security in Cyberspace. The ability to credibly attribute cyberattacks was also cited as a prerequisite for effective deterrence. In addition, especially when it comes to issues of deterrence by denial – or making attacks themselves more difficult to conduct – industry, particularly the technology industry, has an important role to play in ensuring they are developing and maintaining secure products and services to reduce the overall threat surface.
While there was consensus around the need for deterrence approaches that reward responsible behaviors and improve defensive security, there was some division among speakers, as well as those attending the session, about the benefits of deterrence by punishment. Examples included sanctions against individual actors, as well as a range of credible threats of offensive actions to be taken online and off in response to discourage violations. Some worried that this model could drive an arms race and proliferation of capabilities, while others emphasized that rules do need to enforced to dissuade malicious actors.
7. Reflection to Gender Issues:
There was no direct discussion of gender during the session