Revisiting Deterrence in the Cybernetics War Era

Translated by Silvia Toro

It was 2010 when the world realized that the dangers of technology went far beyond what had previously been anticipated. That year, Iran's nuclear enrichment program was severely compromised by a cyberattack. What soon became known as Stuxnet was a computer worm that exploited four so-called zero-day vulnerabilities to target an Iranian nuclear facility. It was not the first nor last cyberattack, but it contributed decisively to making cybersecurity a central issue on the international stage. Despite claims about who might have been responsible for the attack, no international actor suffered any consequences. What might initially have been considered a technical problem related to software and operational security clearly highlighted theoretical issues specific to international relations. Scholars were faced with a fundamental question: do we have the tools to prevent a similar attack from happening again? Are the traditional models we have developed applicable to the current reality? In essence: Does deterrence work in the cyber domain?

The concept of deterrence has taken on a central role over the last decade. Following the development and evolution of nuclear capabilities, theories of deterrence have changed over time. Leading scholars such as Schelling and Jervis have addressed growing concerns about threats and escalation. Different types of deterrence have been theorized to represent the technological and geopolitical landscape.

Today, the international scenario has changed profoundly: cyber weapons are becoming increasingly dangerous, while the bipolar order has been replaced by a multipolarity in which non-state actors are increasingly involved. The application of deterrence to the digital domain is the subject of debate, but there is still no universally accepted theory. As cyberspace continues to challenge traditional concepts of state security and power projection, the need for adaptable and comprehensive deterrence frameworks has never been more urgent.

Deterrence before cyberspace
The first scholar to tackle the concept of deterrence was Bernard Brodie. He was the first to highlight how deterrence had been mistakenly identified with the ability to win a war. As the world approached the possibility of total war, Brodie argued that deterrence should not be understood as the ability to achieve military victory in a conflict, but rather as the ability to prevent conflict itself by convincing potential adversaries that the costs of aggression would outweigh the benefits. He warned that technological advances were inexorably leading to a state of almost intolerable mutual threat.

Later, in 1960, Thomas Schelling applied principles of econometrics and psychology to realism, presenting deterrence as a bargaining game. John von Neumann had already developed the concept of Mutual Assured Destruction (MAD) to describe how nuclear weapons had dramatically raised the costs of conflict between nuclear powers such as the United States and the Soviet Union. Schelling, further developing this model, emphasized the importance of the credibility of threats. Deterrence, according to Schelling, is not based solely on the means available, but on the ability to convince the adversary of the willingness to use those means.His theory developed into a stable bipolar order, in which deterrence was considered to be largely dependent on the credibility and rationality of the actors.

Over time, numerous criticisms have been raised against these theories, particularly for their excessive reliance on the assumption of rationality on the part of actors. These criticisms led to the development of new models that integrated elements of cognitive psychology and behavioral studies. Robert Jervis highlighted how cognitive biases, such as overconfidence, confirmation bias, and mirror-image perceptions, could influence cost-benefit calculations. He argued that deterrence depends not only on the balance of power, but also on perceptions of power itself, which are often shaped by psychological and organizational factors. This change in perspective highlighted how errors in judgment, as well as intentional decisions, could frequently drive the escalation of conflicts, calling into question traditional theoretical frameworks of deterrence.

Today, technological advances have once again led to an evolution in deterrence theories. Because cyber weapons and cyber attacks differ significantly from traditional domains of warfare, classical deterrence theories struggle to be applied. However, theorizing remains crucial, as deterrence is generally less costly than warfare and prevent material damage and human casualties, especially when cyber attacks are combined with conventional weapons.

Cyber deterrence can be said to be effective when an adversary decides not to act aggressively. It functions as a strategic framework designed to prevent hostile cyber actions, seeking to apply traditional principles of deterrence to the digital domain. Although there is no single, comprehensive theory of cyber deterrence, some fundamental principles and paradigms can be identified in the literature.

Goodman argues that deterrence by denial and deterrence by punishment are key elements of deterrence. Denial consists of preventive measures, while deterrence by punishment represents the offensive aspect, based on retaliation, interdependence, and counterproductive actions. Denial measures may discourage a potential attack, but if the adversary does not suffer any penalty, they will tend to continue attacking until they find an effective approach. Further problems arise from uncertainty about proportionate retaliation, given the perceived lower severity of the consequences of cyberattacks and the difficulties associated with attribution.

The same discrepancies between deterrence theories and the cyber domain are also addressed by other scholars. In his work Is Cyber Deterrence an Illusory Course of Action?, after analyzing deterrence by denial and punishment, Iasiello highlights how one of the most significant problems with cyber deterrence is the difficulty of attributing cyber attacks to specific actors. This difficulty is further compounded by anonymity, which compromises the ability to respond effectively and undermines the credibility of deterrent threats.

A similar opinion is expressed by Aaron F. Brantly in The Cyber Deterrence Problem. He identifies a further critical element in the diversity of actors present in cyberspace. Attacks, espionage, and theft can be perpetrated by a multitude of actors against almost any target. An explicit signal sent by one state to another, while still relevant, may not be sufficient to deter attacks that occur at different levels but are of equal or greater importance. Brantly also points out that states often use proxies to conduct cyber operations, which weakens deterrence based on the threat of punishment unless there is sufficient evidence to prove the direct involvement of the instigating state rather than the third-party actor.

Conclusion

As the cyber domain evolves, theories of international relations must also adapt. Technological transformations continue to challenge existing models, making further paradigm shifts likely. The emergence of new technologies, such as quantum computing, will have profound implications for cybersecurity, which are still difficult to assess in terms of greater protection or new vulnerabilities. The future of cyber deterrence will therefore depend on the ability to anticipate and govern these changes before the innovations themselves redefine the rules of digital conflict.

Mondo Internazionale APS - Riproduzione Riservata ® 2025