Measuring Policy Effectiveness of Cyber Deterrence and Defensibility
Author: Mr. Jason Healey (Columbia University’s School of International and Public Affairs)
Publication Preview
The United States needs more effective metrics to determine if integrated cyber deterrence is working (as called for in the 2023 cyber strategy for the Department of Defense (DOD)) as expected and to separate these effects from those of improving the overall defensibility of the Internet (as called for in the White House’s National Cybersecurity Strategy). Fortunately, cyber deterrence is not like nuclear deterrence. Because of repeated interactions over time, it should be possible to measure to what degree deterrence is working to moderate the behavior of nation-state threat actors, not just–as with nuclear weapons–when it has failed.
This paper briefly examines the history of active cyber defense and deterrence, as well as earlier ideas on measuring effectiveness of cyber deterrence, before proposing new frameworks to measure if US government efforts at integrated deterrence and defensibility are succeeding at the strategic level. The main framework is based on relatively simple curves of adversary activity over time. In brief, measures to improve defensibility might be working if there is a downward trend (or decrease in slope) in the frequency and severity of general cybersecurity incidents. Such a decrease would likely tell us little about the success of integrated deterrence, which would require a downward trend (or decrease in slope) of frequency and severity of incidents by determined state threat actors.
If integrated deterrence is as successful a strategy as anticipated by DOD, the impact should be substantial enough to show up as a strong downward turn. Anything less may suggest that a strategy of integrated deterrence is insufficient and may need to be bolstered, supplemented with other strategies, or replaced. Without trendlines, DOD and policymakers cannot easily know. Though this approach may seem obvious, there have been few serious efforts, at least outside of classified channels.
Download Publication
Comments