Current scholarship explains the shortcomings of cyber deterrence through the difficulty involved in proving who launched an attack-what scholars refer to as the 'attribution problem'. This paper identifies an additional intelligence-centric impediment to cyber deterrence. Cyberat-tacks yield effects in a manner that is indirect, while offensive cyber operations are multi-stage and multipurpose. These characteristics complicate analytic judgments about the culpability of the attacker, whereas deterrence requires that states retaliate with measures which are timely, clear, and proportionate. The paper uses three cases studies - the 2016 Russian election interference campaign, WannaCry, and NotPetya-to illustrate how the indirectness and ambiguity of cyberattacks and offensive cyber operations obscure the motivations, goals, and culpability of the attacker. It concludes that these characteristics discourage states from adopting punishment-based deterrence strategies because they lengthen the temporal and epistemological requirements of attribution analysis.
展开▼
