Research Questions Can demonstrations ("brandishing") of cyberwar capabilities serve as effective deterrents, both broadly and in the nuclear realm? If so, under what circumstances? What are the limitations of such an approach to deterrence?

       Deterrence is possible only when others know or at least have good indications of what the U.S. military can do, something that underlies U.S. nuclear deterrence strategy. Cyberattack capabilities resist such demonstration. No one knows quite what would happen if a country suffered a full-fledged cyberattack, despite the plethora of skirmishes. While cyberattack capabilities cannot easily be used to shape the behavior of others, this does not mean they cannot be used at all. This report explores ways that cyberattack capabilities can be brandished and under what circumstances, both in general terms and in the nuclear context. It then goes on to examine the obstacles and sketches out some realistic limits on the expectations. There is both promise and risk in cyber brandishing, but it would not hurt to give serious thought to ways to enhance the U.S. ability to leverage what others believe about its capabilities. Recent events have certainly convinced many others that the United States can do many sophisticated things in cyberspace (regardless of what, if anything, it has actually done). Applying brandishing as a strategy would take considerable analysis and imagination, inasmuch as none of the various options presented here are obvious winners. But brandishing is no panacea and also may not work; it could even backfire if misinterpreted as, say, a bluff. It is unlikely to make a deterrence posture succeed if the other elements of deterrence are weak.

       Key Findings Brandishing a Cyberattack Capability Would Declare Its Possession and Suggest Consequences Possession of nuclear weapons is generally obvious, and the consequences are well understood. The same does not hold true for cyberweapons. Possession is likely not obvious, and the ability to inflict serious harm is debatable. Even if demonstrated, what worked yesterday may not work today. But difficult does not mean impossible. Advertising Cyberwar Capabilities May Be Helpful Successful brandishing might back up a deterrence strategy; dissuade another state from conventional mischief or even from investing in the ability to do so; and might reduce the state's confidence in the reliability of its information, command and control, or weapon systems. In a nuclear confrontation, brandishing might help persuade another state that the brandisher will stay the course, thereby persuading the other state to yield. There Is Both Promise and Risk in Cyber Brandishing Brandishing may not work and may even backfire. For example, it may suggest the tendency to shy away from violence or may even be read as bluffing. Since cyberattacks are essentially single-use weapons, they are diminished in the showing. Penetrating a system is not the same as getting it to fail in useful ways. Brandishing is an option that may also not work. It is no panacea, and it is unlikely to make a deterrence posture succeed if the other elements of deterrence (e.g., the will to wage war or, for red lines drawn in cyberspace, the ability to attribute) are weak.

       Table of Contents Chapter One

       No May Day Parades

       Chapter Two

       The Broad Effects of Brandishing Cyberattack Capabilities

       Chapter Three

       Brandishing Cyberattack in a Nuclear Confrontation

       Chapter Four

       Conclusions

       Research conducted by International Security and Defense Policy Center National Defense Research Institute RAND National Security Research Division

       The research described in this report was prepared for the Office of the Secretary of Defense (OSD). The research was conducted within the RAND National Defense Research Institute, a federally funded research and development center sponsored by OSD, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community.

       This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

       Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

       The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.