On Friday, February 13, President Obama will travel to Silicon Valley to engage with business and academic leaders in the tech community as part of a push to ensure a robust national cybersecurity posture that emphasizes strong defenses and resilient networks. 

This approach to cybersecurity is addressed in the recently published 2015 National Security Strategy, and creates a strong foundation for deterring adversaries by denying them the benefits of hacking.

The strategy further references imposing costs on “malicious cyber actors,” but stops short of advocating for a critical component of effective deterrence: coercion. 

During the Cold War, the notions of violence, punishment, and suffering as means to coerce an adversary were part of the public discussion about nuclear deterrence. In this age of growing cyber threats, the time has come to reintroduce the technical and moral aspects of coercion into the national debate.

Although the differences between nuclear effects and cyber effects are huge, decades of nuclear deterrence theory provide an intellectual basis to start discussing deterrence in cyberspace. In Thomas Schelling’s classic work on deterrence, "Arms and Influence," he states that in addition to traditional roles, force can also be used to hurt.

As he argues, “To inflict suffering gains nothing and saves nothing directly; it can only make people behave to avoid it….The power to hurt is bargaining power. To exploit it is diplomacy -- vicious diplomacy, but diplomacy.” 

If the United States truly wants to deter devastating cyber attacks, is it ready to engage in this “vicious diplomacy?”

In cyberspace, the key difficulty in deterrence is attribution: tying an attack back to an attacker. Positive attribution with a high level of confidence is not quick or easy, but over a period of weeks or months, good forensics and intelligence can often find the source. This long potential timeline between attack and punishment raises questions about both the deterrent value of the punishment and the national willingness to impose punishment so long after an event has occurred. Additionally, when the source of the attack is determined, it may not be the best target for retaliation.

When we consider punishment, or the threat of punishment, for a cyber attack, who should be our target? Do we punish the hacker that carried out the attack, the entity that directed and benefited from the attack, or both? The answer always depends on the situation, but options exist for both, if we are willing to use them.

Deterrence that targets the hackers themselves must consider punitive options that instill existential fear. 

Hackers must consider the risk to themselves as so severe that they are unwilling to launch strategic cyber attacks against the United States, and unwilling to sell exploits to others that might do the same. 

This does not apply to hackers conducting security research, or those participating in legitimate exploit markets, but rather to the small subset of elite non-state hackers that knowingly offer their services to adversaries of the United States. 

A hacker that targets the United States on behalf of an adversary should live with the fear that at any moment they may be snatched from their home or killed with an airstrike. Anything less does not pose enough hurt to serve as a credible deterrent.

Deterrence that targets the adversaries who direct the hacking must consider punitive options that impose costs greater than the benefits gained from hacking. Coercing the majority of hackers to not attack the US will impose some cost by drying up the supply of available skilled hackers, but for a well-funded adversary, this cost increase is not a strong enough deterrent.

Current U.S. nuclear and conventional deterrence provides a credible punitive capability against state actors considering attacks against critical U.S. infrastructure, but other entities, such as foreign companies that severely threaten U.S. economic interests, must be dealt with more creatively. Options include seizing assets, banning companies and products, denying travel of executives and their families, completely destroying a company’s data, and arresting anyone involved in the hack, but coercion cannot involve choosing just a few of these options. 

For deterrence to work, adversaries must know that the U.S. will choose all of these options, and more. They must understand that their personal suffering, and the suffering of their business, will be far beyond any potential benefit of targeting the United States.

The tools of conflict have changed, but the human response to suffering, or more specifically the desire to avoid suffering, is still the basis of coercion.

The United States declares various cyber attacks as “unacceptable,” but despite our rhetoric, our national strength and resilience have allowed us to de facto accept the attacks and move forward. As the effects of cyber attacks increase, we must decide if some cyber attacks truly are unacceptable and begin the debate about whether we are willing to engage in vicious diplomacy to deter them.

Enrique Oti is an officer in the United States Air Force and a National Security Affairs Fellow at the Hoover Institution. The views expressed in this paper are those of the author, and do not reflect the views of the United States Air Force or the Department of Defense.