Signalling Cyber Deterrence Through D3FEND

Authors

DOI:

https://doi.org/10.34190/eccws.24.1.3571

Keywords:

Cyber Deterrence, Cyber Defence, MITRE D3FEND Framework, Deterrence Signalling

Abstract

States employ cyber deterrence strategies to safeguard their sovereignty in cyberspace. Cyber deterrence encompasses various means to prevent serious cyberattacks. This multifaceted approach incorporates various instruments of state power, including diplomatic, informational, military, economic and legal mechanisms. While all these instruments contribute to a state's overarching deterrence strategy in cyberspace, cyber-specific means offer the most rapid deployment options for countering cyberattacks. The challenge lies in credibly signalling cyber capabilities while preserving their secrecy and effectiveness. This challenge can be countered by carefully curating disclosed information, thereby maintaining the state's strategic advantages and operational integrity. This research examines the technical implementation of deterrence signalling through a concrete example. By analysing the MITRE D3FEND framework, we aim to demonstrate a practical application of cyber deterrence signalling and bridge theoretical concepts with operational cybersecurity practices. The MITRE D3FEND framework is a tool designed to describe cybersecurity countermeasure components and capabilities, and the relationships between these elements. The research question posed is whether this framework can be used to signal cyber deterrence. This study evaluates the D3FEND framework's categories to determine which features can be signalled without compromising their effectiveness. Through qualitative content analysis, we develop evaluation criteria based on academic cyber deterrence literature. Each category of the D3FEND framework is methodically assessed against the evaluation criteria to identify the signalling potential of the framework. The main findings of the study show that, of the seven categories of the D3FEND framework, the “Harden” category contains the most elements that can be used in cyber deterrence signalling, while the “Model” and “Deceive” categories have the fewest.
The evaluation helps discern not only the elements to be signalled, but also those aspects of the defence, the exposure of which must be avoided. This research contributes to the academic discourse on cyber deterrence by elucidating the technical aspects of deterrence signalling, thereby offering a novel approach to bridging theoretical frameworks with practical cybersecurity implementations.

Author Biographies

Kimmo Halunen, University of Oulu

D.Sc. (tech), Phil. Lic. (mathematics) Kimmo Halunen is a professor of cybersecurity at the University of Oulu and National Defence University of Finland. His current research covers cybersecurity of emerging technologies and also cyber warfare from the technological viewpoint.

Maria Keinonen

M.MSc., M.Sc. (cyber), general staff officer, lieutenant colonel Maria Keinonen is a cyber instructor and a doctoral student in Military Sciences at the National Defence University in Finland. In her doctoral research, she focuses on investigating cyber deterrence from the perspective of a small state.

Published

2025-06-25