Safeguarding Political IT-Infrastructures – Deterrence Revisited

When in 1998 one of the first cyber operations, Moonlight Maze, was recorded, the concept of cyberspace as a battle space for nation states was nothing more than an idea floated among a few researchers and sci fi authors. An indeed, except for the cyber attack disrupting everyday life in Estonia in 2007, cyber means were mainly used for economic and political espionage until roughly 2009. The game changer was the 2010 discovery of the alleged joint U.S.-Israeli cyber operation "Olympic Games" targeting a nuclear enrichment facility in Natanz, Iran. Followed by highly disruptive operations such as Shamoon and the Sony Hack as well as Black Energy 3 targeting the Ukranian power grid, Olympic Games – or Stuxnet how it became to be known – represents a major shift from the usage of cyber means for political and economic espionage towards sabotage. The most recent turning point took place during the 2016 U.S. presidential election, where interference by cyber means was supposed to disrupt and meddle with the elections, the core of democracy. Since then, we have witnessed an increasing number of cyber operations targeting democratic processes, targeting the French election, the British parliament and the independence movement in Spain. Apparently, due to the lack of (convincing) international agreements and (credible) deterrence, democratic processes and the underlying political IT-infrastructures have become valid targets in international conflict escalation. Though the cyber domain is an entirely new and very much different battle space, it makes sense to revisit the core literature of deterrence – if one wishes to deter those attacks in the future. While this unique domain – and challenges such as attribution – tend to favor deterrence-by-denial over deterrence-by-retaliation, -norms or -entanglement, it is worthwhile to adapt all those concepts. Concepts such as brinkmanship or the famous “chicken game” might yield unexpected solutions. At the same time, simple mistakes can be avoided. If the head of state of a country that had been successfully attacked with a cyber operation for example claims that this attack never took place and no sanctions should be implemented against the aggressor – deterrence simply fails, inviting the aggressor to go for round two. Cyber operations increasingly targeting the heart of democracy, such as the democratic process of elections, necessitate that we revisit all available concepts – which includes deterrence theory – to come up with strong safeguards to protect democracy in cyberspace.