Nadiya Kostyuk - Deterrence in the Cyber Realm: Public versus Private Cyber Capacity
From Katie Gentilello
Can cyber deterrence work? Existing scholarly works argue that deterrence by punishment using cyberattacks is ineffective because the difficulty of attributing the origin of cyberattacks makes the threat of future attacks less credible. However, these works have told us relatively little about the deterrence ability of public cyberinstitutions (PCIs), defined as publicly observable proactive efforts aimed at signaling a country’s level of cyber offensive and defensive capability. This research shows that middle powers (that have scarce cyber arsenals) can use PCIs to deter cyber attacks that cause significant damage to their economy and prosperity; however, this deterrent capability is rather limited. Using an incomplete-information model, we demonstrate that PCIs only deter adversaries that are susceptible to the costs created by these institutions. Despite this limited deterrence ability, middle powers tend to over-invest resources in these cyberinstitutions: Weak cyber states tend to over-invest to convince strong cyber adversaries that they are strong, whereas strong cyber states over-invest so that adversaries do not believe that they are weak states pretending to be strong. By doing so, states reduce their overall cybercapacity. We establish the empirical plausibility of these results using election interference campaigns as examples of strategic attacks. Our focus on the strategic use of PCIs as a deterrent represents a departure from existing literature—which has focused only on cyberoperations—and has important policy implications.