Deterring Cyber Coercion: The Exaggerated Problem of Attribution

Can cyberattacks be deterred? As the capability and associated damage potential of cyber weapons rises, this question will become ever more important to publics and their policymakers around the world. The principal obstacle to deterring cyberattacks via the threat of retaliatory punishment is usually taken to be such attacks’ ability to be made technically untraceable: absent a ‘return address’ for the aggression suffered, how could the victim of such an anonymous attack know where to direct its retaliation? Such concerns are overblown, however, for they conflate two distinct variables within the deterrence calculus: aggressor identity and aggressor interests. In fact, once cyberattack is understood as the coercive political act that it is, the ‘anonymity problem’ for cyber deterrence dwindles. This is because, in seeking to advance a cause via cyber coercion, an attacker must necessarily reveal a set of interests that it values. Such interests can then be held at risk by the party seeking deterrence, even if the attacker’s identity itself remains concealed.