| The world has witnessed two cyber wars, the first between Estonia and Russia in 2007 and the second between Georgia and Russia in 2008. In both of these wars, the same problem existed and will continue to proliferate as without imposed costs and/or denied benefits, state and non-state actors will further develop and refine capabilities that have the ability to take advantage of cyber vulnerabilities.;The scope of this study is to understand the nature of cyber war and its purpose in order to develop a theory of cyber deterrence. An initial challenge surfaced because of a lack of definitional consistency for terminology in the cyber domain. To address this challenge, I relied upon time-tested Clausewitzian ideals to define cyber war as the continuation of state policy by cyber means.;The principal research question focused on developing requirements for cyber deterrence theory that are applicable to cyber war. The requirements that emerged were grounded in preceding deterrence theories and forged from a vulnerability-based assessment of the existing cases of cyber war. I closely analyzed exploited and unexploited vulnerabilities to help inform the requirements for cyber deterrence by denial. This permitted me to reverse engineer what actually occurred to design a theory that may prove more relevant to deterring cyber war in other cases. In the course of the case studies, I learned that cooperation appears to play a larger role in cyber deterrence than earlier forms of deterrence theory. This inspired a theory of cyber deterrence based upon denial, punishment, and cooperation.;Four hypotheses informed by basic deterrence, criminal justice deterrence, and nuclear deterrence theories were rooted in a critical question regarding the cyber domain: How is cyber deterrence possible if attribution, offensive capabilities, defensive capabilities, or cooperative relationships are either missing from or inadequate to deter a malicious actor?;The hypotheses, structured on the triadic components of denial, punishment, and cooperation, were tested using the two cases of cyber war. What I discovered in the process of analyzing and evaluating the cases and then synthesizing this with the literature left me with neither a full account of what is possible nor an account of what is not possible. Instead, the analysis indicated the presence of a middle ground where cyber deterrence becomes conditional and/or variable in its effectiveness based on attention or inattention to the triadic components.;This means that cyber deterrence requires tailoring for different classes of actors based on their kinetic and non-kinetic capabilities. It also means that the elements, which comprise the triadic components, require constant attention because of the rapid pace of technological developments. Because of these developments, capabilities and vulnerabilities constantly expand and contract, which indicates that the effectiveness of cyber deterrence is perhaps more conditional as a function of time than previous deterrence variants. |
