There is much confusion about the role of deterrence in cybersecurity. We often hear that deterrence is irrelevant in cyber conflict, but this could not be further from the case. Deterrence shapes the way that cyber conflict is expressed.

It is true that deterrence is NOT a good policy for stopping cyber intrusions or attacks. But then again, deterrence is generally not useful for PREVENTING conflict. It is, however, useful for shaping how and where conflict occurs.

A castle may successfully deter a cavalry from mounting a siege. It does not prevent the chevauchée from laying waste to the countryside. Deterrence constrains the expression of politics, much like the bank of a river channels the flow of a river.

In the IR literature this has been described in terms of the "stability-instability paradox" and "designing around deterrence." At the operational level of war, this same logic drives the innovation of specialized offsets: "rock paper scissors" across platforms, tactics, domains.

Deterrence, perversely, becomes a cause of cyber conflict:
1. As an alternative to costly war and/or escalation
2. As a source of intelligence about deterrent capabilities and interests
3. As a set of barriers to be bypassed or subverted by stealth and clever stratagems

Thus we should stop saying that deterrence (punishment, denial, cross-domain, extended, general, whatever) does not work for cyber. In some ways it works too well. Deterrence cannot prevent conflict--a matter of opposed wills--only its expression--the means chosen for conflict.

This may seem paradoxical for cyber and intel conflict. Deterrence cannot stop it, and even encourages it, but cyber and intel operations are extremely sensitive to deterrence nonetheless. The imperative for OPSEC reflects the importance of deterrence.

I very much understand the impulse to disparage deterrence. As a matter of policy, I do NOT support relying solely on deterrence for cybersecurity (or counterintelligence), but rather on defense, prevention, resilience, or regulation depending on the nature of the case.

The rejection of deterrence in US cybersecurity debate is also very much caught up in the promotion of new doctrine for "defend forward" and "persistent engagement." Let's be careful not to mistake instrumental speech for explanatory concept.

And of course the golden age of deterrence theory focused on preventing a very specific kind of conflict--nuclear war--even as deterrence in practice promoted all kinds of arms racing, proxy wars, and intelligence contests.

Cyber conflict can be leveraged to deepen our understanding of deterrence, not as an excuse to reject or ignore it. Intel and cyber practice suggests that deterrence tends to promote creativity and complexity in the way that conflict is expressed. Be careful what you wish for.