Cold War assumptions about deterrence won't work when it comes to deterring cyber threats today, says a new analysis from James Andrew Lewis, director of the Center for Strategic and International Studies' technology and public policy program.

For one thing, Cold War nuclear deterrence accepted a large degree of collateral damage as the inevitable result of nuclear retaliation. However, the scope of collateral damage was predictable, while a cyber counterstrike could have unanticipated effects in a networked environment, causing damage in an unpredictable manner in countries that might not be in, or even near, a target country, Lewis writes.

That uncertainty "will limit the willingness of leaders" to authorize cyber counterstrikes, thus undermining the credibility of U.S. deterrence, he adds.

Moreover, potential cyber attackers may not be easily deterred, or share an understanding with the United States on how to process deterrence signals. Overt deterrence threats against Iran or North Korea could escalate tensions rather than decrease them.

Even China, which is less risk adverse than those countries, "will have a different conceptual framework for conflict and international relations than was the case with the Soviets," Lewis writes. Deterrence must operate in the space between a credible threat and a threat that raises existential risk too high, and so in the latter case, provokes an escalation. That space "could be smaller than was the case in the Cold War," he adds, due to easily-provoked Chinese government fears about its own survival.

Moreover, the United States itself hasn't clearly indicated its own cyber deterrence doctrine and practices so that would-be deterrees understand the reasoning behind implicit warnings created by changes in U.S. force status or readiness posture, according to Lewis.

"It is not even clear if potential opponents share a common lexicon of terms for cyber warfare," he adds. Although some aspects of deterrence are intuitively grasped by opponents, the credibility of cross-domain deterrence threats (such as threatening kinetic response against a cyber response) benefit from active communication, Lewis writes.

Moreover, military threats may be of limited utility as a deterrence threat. Though not useless, they "may need to be buttressed by political actions that go beyond classic, force-based deterrence.

This points to the need for engagement, norms, and understandings on a framework for cyber conflict," Lewis writes.

For More:
- read Lewis's paper, "Cross-Domain Deterrence and Credible Threats" (.pdf)

Related Articles:
Lewis: U.S. not in a cyber war 
U.S. electrical grid probed but not yet attacked, says paper 
Is the threat of cyber war exaggerated?