In February 2016, Thailand’s Ministry of Defense approved several new strategies on cyber security. This national framework is comprised of three core strategies: defense, deterrence, and cooperation. The defensive strategy focuses on strengthening national and military networks and cyber systems that will be employed to support military operations. Under the cooperation strategy, the Ministry will enhance domestic and international cooperation on cyber-preparedness and response. However, the most concerning strategy is deterrence, which entails the use of retaliation through the cyber realm.
Prominent during the Cold War, the concept of deterrence aims to prevent attacks by threatening to punish potential adversaries if they cross a red line, thereby influencing their cost-benefit calculations. The Ministry hopes to utilize this logic in cyberspace, in part by developing intelligence and cyber-weaponry to identify vulnerabilities in an enemy’s computer system to launch a crippling counterstrike following a cyberattack against Thailand. However, it remains debatable if and how deterrence can be applied to cyber warfare.
It is difficult to define red lines in cyberspace, in the first place, due to secrecy and low visibility. Given the cyber attribution challenge, assigning blame to a state is also extremely difficult because the major players in cyberspace are often non-state actors. Retaliation is challenging as well. Unlike massively destructive nuclear weapons, for instance, cyber weapons may appear more like offensive conventional weapons: they stand to be less destructive (making their use less “unthinkable”) and require more advance intelligence to have any effect (e.g., requiring espionage to prepare the battlespace). Therefore, this strategy could increase suspicion among other countries, leading them also invest more in cyber weapons. A cyber arms race may in turn increase the potential for further conflict.
Granted, several great powers are inclined to pursue a deterrent strategy in cyberspace, (e.g., the U.S., Britain, Germany, and France). But, they have still been widely criticized for this approach, due to doubts about the applicability of deterrence in this domain and its potential escalatory effects.
The Thai case for deterrence through retaliation or punishment is even more dubious. Thailand is the fifth most vulnerable country in Asia for cyber security risks, and it remains unclear which potential adversaries would be Thailand’s target for such a cyber deterrence strategy. Apart from the issue of Muslim insurgency in the south, Thailand has on-and-off skirmishes with neighboring countries such as Myanmar and Cambodia. Yet these conflicts have primarily been securitized and exploited in order to internally consolidate leaders’ powers in each country, rather than as a result of long-standing interstate disputes.
Indeed, one of the underlying reasons of the country’s own vulnerability is the usage of pirated software – a popular target for malware and cybercrime. Thai government websites have also been attacked by non-state groups such as the Thailand F5 Cyber Army and the Burmese Blink Hacker Group. However, these attacks may be better described as “hacktivism,” as they were acts of protest against certain decisions or policies made by the authorities.
Under the deterrence strategy, the Ministry would play a major role in online monitoring and employ information operations against those who defame the Thai Monarchy. Insulting the monarchy is a crime in Thailand, so many agencies are already involved in the criminal justice process. Given the involvement of several different agencies, and the military’s privilege claims of secrecy (leading to questions about accountability and transparency), it is unnecessary and inappropriate for the military to take on a greater role in this issue.
Simply put, there is no real need for Thailand to adopt cyber retaliation or punishment measures. The country is not threatened by any specific countries against whom cyber deterrence would work, and retaliation in this domain is probably ineffective against threats from most non-state actors. Furthermore, employing a cyber deterrence strategy may worsen Thailand’s relations with its neighboring countries by causing them to become skeptical about Thailand’s intentions. The development of cyber weaponry also raises questions about possible abuses of such technology as an instrument of domestic surveillance by the military. Although the military has called on the public to trust its strategies, Thai citizens are wary of whether such strategies could lead to the intrusion of their privacy.
The Ministry should carefully (re)consider cyber deterrence in the years ahead. Above all, it is crucial that the civilian side of the country’s national security apparatus be given an opportunity to contribute to the discussion. Unfortunately, the Ministry’s strategies have only emerged in public after key decisions have already been made. Civilian leaders and the broader populace should be part of the discussion, especially while these new strategies and technologies are being developed.
Jittip Mongkolnchaiarunya is a master’s degree candidate in International Affairs concentrating on international security policy at Columbia University’s School of International and Public Affairs. She is currently interning at the Sydney Cyber Security Network, the University of Sydney.