‘War is cruelty, and you cannot refine it,’ said William Tecumseh Sherman.1 As we have previously argued in this journal, cyber war is war.2 Whether it is cruel and unrefined depends on the manner in which it is waged.3 While this is not solely up to the United States, US policy can have big effects. Yet, if US policy on offensive cyber war is influential, it is also inchoate. While some vagueness about when and how the United States would conduct offensive cyber operations is necessary, its general policy on this matter warrants debate. This article is meant to inform such a debate.
In part, US circumspection betrays an instinctive aversion to offensive cyber war. Notwithstanding its unsurpassed abilities to disrupt computer systems, the United States has approached the subject warily. The US Department of Defense, for example, recently called the increase in cyber attacks ‘a dangerous trend in international relations’.4 Official statements have consistently stressed that US goals concerning cyber war are defence and deterrence. For a power that has repeatedly engaged in offensive conventional warfare since the end of the Cold War, such wariness is striking – and merited.
US ambivalence toward cyber war is both strategic and normative, the implication being that what is bad for the United States is also bad for the world. Washington insists that any cyber operations it might conduct would be ‘in a manner consistent with US and international law’.5 Perceiving cyber war as war implies the applicability of the laws of war, specifically the principles of non-aggression, non-intervention, proportionality, discrimination and respect for neutrality.6 Compliance with all these norms could be challenging when initiating and conducting offensive cyber war. Case in point: the United States and Israel are said to have created and inserted the Stuxnet worm to interfere with the control of centrifuges used by Iran to enrich uranium. However justified by the imperative of preventing Iran from building nuclear weapons, it is fair to ask if this act of cyber war was lawful, especially in light of the unintended collateral effects it reportedly had. More broadly, harming non-combatants and civilian life, which can occur when infecting non-military computer systems, raises especially vexing issues, at least for the United States – thus its defensive posture.
There are several obvious reasons for US wariness about offensive cyber war. Firstly, US military, intelligence, economic, governmental and societal functions are highly dependent on computer systems, and vulnerable to their disruption and degradation. Put starkly, having led and benefited enormously from the ‘digital revolution’, the United States regards cyber war as counter-revolutionary. Moreover, once begun, the course a cyber war might take would be hard to predict, control or contain. It could trigger kinetic hostilities, visit indiscriminate harm on non-combatants, escalate far beyond what the belligerents intended, and cause grave economic damage.7 Finally, US superiority in conventional military capabilities limits the need for cyber war, whereas enemies could use cyber war as an asymmetric answer to such superiority. In other words, cyber war could level the battlefield to the US disadvantage.
At the same time, the United States regards cyber war during armed conflict with a cyber-capable enemy as probable, if not inevitable. It both assumes that the computer systems on which its own forces rely to deploy, receive support and strike will be attacked, and intends to attack the computer systems that enable opposing forces to operate as well. Thus, the United States has said that it can and would conduct cyber war to ‘support operational and contingency plans’ – a euphemism for attacking computer systems that enable enemy war fighting. US military doctrine now regards ‘non-kinetic’ (that is, cyber) measures as an integral aspect of US joint offensive operations.8 Even so, the stated purposes of the US military regarding cyber war stress protecting the ability of conventional military forces to function as they should, as well as avoiding and preventing escalation, especially to non-military targets.
Apart from its preparedness to conduct counter-military cyber operations during wartime, the United States has been reticent about using its offensive capabilities. While it has not excluded conducting cyber operations to coerce hostile states or non-state actors, it has yet to brandish such a threat.9 Broadly speaking, US policy is to rely on the threat of retaliation to deter a form of warfare it is keen to avoid. Chinese criticism that the US retaliatory policy and capabilities ‘will up the ante on the Internet arms race’ is disingenuous in that China has been energetic in forming and using capabilities for cyber operations.10
Notwithstanding the defensive bias in US attitudes toward cyber war, the dual missions of deterrence and preparedness for offensive operations during an armed conflict warrant maintaining superb, if not superior, offensive capabilities. Moreover, the case can be made – and we have made it – that the United States should have superiority in offensive capabilities in order to control escalation.11 The combination of significant capabilities and declared reluctance to wage cyber war raises a question that is not answered by any US official public statements: when it comes to offence, what are US missions, desired effects, target sets and restraints – in short, what is US policy?
To be clear, we do not take issue with the basic US stance of being at once wary and capable of cyber war. Nor do we think that the United States should advertise exactly when and how it would conduct offensive cyber war. However, the very fact that the United States maintains options for offensive operations implies the need for some articulation of policy. After all, the United States was broadly averse to the use of nuclear weapons during the Cold War, yet it elaborated a declaratory policy governing such use to inform adversaries, friends and world opinion, as well as to forge domestic consensus. Indeed, if the United States wants to discourage and limit cyber war internationally, while keeping its options open, it must offer an example. For that matter, the American people deserve to know what national policy on cyber war is, lest they assume it is purely defensive – or just too esoteric to comprehend.
Whether to set a normative example, warn potential adversaries or foster national consensus, US policy on waging cyber war should be coherent. At the same time, it must encompass three distinguishable offensive missions:
- wartime counter-military operations, which the United States intends to conduct;
- retaliatory missions, which the US must have the will and ability to conduct for reasons of deterrence; and
- coercive missions against hostile states, which could substitute for armed attack.12
Four cases serve to highlight the relevant issues and to inform the elaboration of an overall policy to guide US conduct of offensive cyber war. The first involves wartime counter-military cyber operations against a cyber-capable opponent, which may also be waging cyber war; the second involves retaliation against a cyber-capable opponent for attacking US systems other than counter-military ones; the third involves coercion of a ‘cyber-weak’ opponent with little or no means to retaliate against US cyber attack; and the fourth involves coercion of a ‘cyber-strong’ opponent with substantial means to retaliate against US cyber attack. Of these, the first and fourth imply a willingness to initiate cyber war.
Counter-military cyber war during wartime
Just as cyber war is war, armed hostilities will presumably include cyber war if the belligerents are both capable of and vulnerable to it. The reason for such certainty is that impairing opposing military forces’ use of computer systems is operationally compelling. Forces with requisite technologies and skills benefit enormously from data communications and computation for command and control, intelligence, surveillance and reconnaissance (ISR), targeting, navigation, weapon guidance, battle assessment and logistics management, among other key functions. If the performance of forces is dramatically enhanced by such systems, it follows that degrading them can provide important military advantages. Moreover, allowing an enemy to use cyber war without reciprocating could mean military defeat. Thus, the United States and other advanced states are acquiring capabilities not only to use and protect computer systems, but also to disrupt those used by enemies.
The intention to wage cyber war is now prevalent in Chinese planning for war with the United States – and vice versa. Chinese military planners have long made known their belief that, because computer systems are essential for effective US military operations, they must be targeted. Chinese cyber capabilities may not (yet) pose a threat to US command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) networks, which are well partitioned and protected. However, the networks that enable logistical support for US forces are inviting targets. Meant to disable US military operations, Chinese use of cyber war during an armed conflict would not be contingent on US cyber operations. Indeed, it could come early, first or even as a precursor of armed hostilities.
For its part, the US military is increasingly aware not only that sophisticated adversaries like China can be expected to use cyber war to degrade the performance of US forces, but also that US forces must integrate cyber war into their capabilities and operations. Being more dependent on computer networks to enhance military performance than are its adversaries, including China, US forces have more to lose than to gain from the outbreak of cyber war during an armed conflict. This being so, would it make sense for the United States to wait and see if the enemy resorts to cyber war before doing so itself? Given US conventional military superiority, it can be assumed that any adversary that can use cyber war against US forces will do so. Moreover, waiting for the other side to launch a cyber attack could be disadvantageous insofar as US forces would be the first to suffer degraded performance. Thus, rather than waiting, there will be pressure for the United States to commence cyber attacks early, and perhaps first. Moreover, leading US military officers have strongly implied that cyber war would have a role in attacking enemy anti-access and area-denial (A2AD) capabilities irrespective of the enemy’s use of cyber war.13 If the United States is prepared to conduct offensive cyber operations against a highly advanced opponent such as China, it stands to reason that it would do likewise against lesser opponents. In sum, offensive cyber war is becoming part and parcel of the US war-fighting doctrine.
The nature of US counter-military cyber attacks during wartime should derive from the mission of gaining, or denying the opponent, operational advantage. Primary targets of the United States should mirror those of a cyber-capable adversary: ISR, command and control, navigation and guidance, transport and logistics support. Because this mission is not coercive or strategic in nature, economic and other civilian networks should not be targeted. However, to the extent that networks that enable military operations may be multipurpose, avoidance of non-military harm cannot be assured. There are no sharp ‘firebreaks’ in cyber war.14
Normatively speaking, cyber war during an armed conflict would presumably not constitute aggression any more than the underlying conflict would.15 However, norms of proportionality, discrimination and respect for neutrality could come under pressure.16 With or without cyber war, these proscriptions are not absolute: in essence, combatants are bound to avoid attacks that harm civilian populations or neutrals unless militarily exigent. Civilians engaged in supporting war-making, and neutrals that are aiding the enemy, are fair game, provided any harm to them is unavoidable in order to degrade their contributions to war-making. Law-of-war standards should inform counter-military cyber war, not preclude it. Strictly speaking, enemy violation of the laws of war – for instance, targeting non-combatants without military justification – does not remove the obligation to observe these standards.
Although the problems of proportionality, discrimination and respect for neutrality are not unique to cyber war, they can be exacerbated by the difficulty inherent in controlling the course, paths and effects of cyber attacks. As important as norms may be to the United States, its desire to avoid cyber-war escalation is at least as important. For both reasons, the United States favours tight command and control (C2). Authority to conduct offensive cyber operations flows from the president via the secretary of defense to military commanders for execution. Once ordered, cyber war is directed by regional combatant commanders, who oversee virtually all US military operations in their respective theatres, in collaboration with US Cyber Command, which is responsible for delivering actual effects.17 The assignment of teams from Cyber Command to the combatant commanders enables the latter to integrate cyber-war actions into joint operations.18
Even with effective C2, there is a danger that US counter-military cyber operations will infect and damage systems other than those targeted, including civilian systems, because of the technical difficulties of controlling effects, especially for systems that support multiple services. As we have previously noted in these pages, ‘an attack that uses a replicable agent, such as a virus or worm, has substantial potential to spread, perhaps uncontrollably’.19 The dangers of collateral damage on non-combatants imply not only the possibility of violating the laws of war (as they might apply to cyber war), but also of provoking escalation. While the United States would like there to be strong technical and C2 safeguards against unwanted effects and thus escalation, it is not clear that there are. It follows that US doctrine concerning the conduct of wartime counter-military offensive operations must account for these risks.
This presents a dilemma, for dedicated military systems tend to be harder to access and disrupt than multipurpose or civilian ones. China’s military, for example, is known for its attention to communications security, aided by its reliance on short-range and land-based (for example, fibre-optical) transmission of C4ISR. Yet, to attack less secure multipurpose systems on which the Chinese military depends for logistics is to risk collateral damage and heighten the risk of escalation. Faced with this dilemma, US policy should be to exercise care in attacking military networks that also support civilian services. The better its offensive cyber-war capabilities, the more able the United States will be to disrupt critical enemy military systems and avoid indiscriminate effects.
Moreover, US offensive strength could deter enemy escalation. As we have argued before, US superiority in counter-military cyber war would have the dual advantage of delivering operational benefits by degrading enemy forces and averting a more expansive cyber war than intended. While the United States should avoid the spread of cyber war beyond military systems, it should develop and maintain an unmatched capability to conduct counter-military cyber war. This would give it operational advantages and escalation dominance.
Such capabilities might enable the United States to disrupt enemy C4ISR systems used for the control and operation of nuclear forces. However, to attack such systems would risk causing the enemy to perceive that the United States was either engaged in a non-nuclear-disarming first strike or preparing for a nuclear-disarming first strike. Avoiding such a misperception requires the avoidance of such systems, even if they also support enemy non-nuclear C4ISR (as China’s may do).
In sum, US policy should be to create, maintain and be ready to use superior cyber-war capabilities for counter-military operations during armed conflict. Such an approach would deny even the most capable of adversaries, China included, an advantage by resorting to cyber war in an armed conflict. The paramount goal of the United States should be to retain its military advantage in the age of cyber war – a tall order, but a crucial one for US interests.
While the United States should be ready to conduct cyber attacks against military forces in an armed conflict, it should in general otherwise try to avoid and prevent cyber war. (Possible exceptions to this posture of avoidance are taken up later in the cases concerning coercion.) In keeping with its commitment to an ‘open, secure, interoperable and reliable internet that enables prosperity, public safety, and the free flow of commerce and ideas’, the United States should seek to minimise the danger of unrestricted cyber war, in which critical economic, governmental and societal systems and services are disrupted.20 Given how difficult it is to protect such systems, the United States must rely to a heavy extent on deterrence and thus the threat of retaliation. To this end, the US Defense Department has stated that a would-be attacker could ‘suffer unacceptable costs’ if it launches a cyber attack on the United States.21 While such a warning is worth issuing, it raises the question of how these ‘unacceptable costs’ could be defined and levied. Short of disclosing specific targets and methods, which we do not advocate, the United States could strengthen both the deterrence it seeks and the norms it favours by indicating what actions might constitute retaliation. This is especially important because the most vulnerable targets of cyber retaliation are computer networks that serve civilian life, starting with the internet.
By definition, cyber retaliation that extends beyond military capabilities, as required for strong deterrence, might be considered indiscriminate. Whether it is also disproportionate depends in part on the enemy attack that precipitated it. We can posit, for purposes of analysis, that an enemy attack would be aimed at causing severe disruptions of such economic and societal functions as financial services, power-grid management, transport systems, telecommunications services, media and government services, along with the expected military and intelligence functions.
In considering how the United States should retaliate, the distinction between the population and the state of the attacker is useful. The United States would hold the latter, not the former, culpable, and thus the rightful object of retaliation. This would suggest targeting propaganda and other societal-control systems; government financial systems; state access to banks; political and economic elites on which the state depends; industries on which the state depends, especially state-owned enterprises; and internal security forces and functions.
To judge how effective such a retaliation strategy could be, consider the case of Russia. The Russian state is both sprawling and centralised: within Russia’s economy and society, it is pervasive, heavy-handed and exploitative; power is concentrated in the Kremlin; and elites of all sorts are beholden to it. Although the Russian state is well entrenched and not vulnerable to being overthrown, it is porous and exposed, especially in cyberspace. Even if the computer systems of the innermost circle of Russian state decision-making may be inaccessible, there are many important systems that are not. Insofar as those who control the Russian state are more concerned about their own well-being than that of the ‘masses’, targeting their apparatus would cause acute apprehension. Of course, the more important a computer system is to the state, the less accessible it is likely to be. Still, even if Russia were to launch indiscriminate cyber attacks on the US economy and society, the United States might get more bang for its bytes by retaliating against systems that support Russian state power.
Of course, US cyber targeting could also include the systems on which Russian leaders rely to direct military and other security forces, which are the ultimate means of state power and control. Likewise, Russian military and intelligence systems would be fair game for retaliation. At the same time, it would be vital to observe the stricture against disabling nuclear C2 systems, lest the Kremlin perceive that a US strategic strike of some sort was in the works. With this exception, the Russian state’s cyber vulnerabilities should be exploited as much as possible.
The United States could thus not only meet the standard of ‘unacceptable costs’ on which deterrence depends, but also gain escalation control by giving Russia’s leaders a sense of their vulnerability. In addition to preventing further escalation, this US targeting strategy would meet, more or less, normative standards of discrimination and proportionality.
US cyber-war-deterrence policy should answer two more questions: what attacks would be considered cyber war and could trigger retaliatory cyber war? And must an attacker’s identity be absolutely certain for retaliation to occur? To take up the first, while a sharp line cannot be drawn, the most logical criterion for determining whether a cyber attack is an act of war is the degree to which it is destructive (or severely disruptive).22 Cyber espionage is an increasingly common part of the world’s second-oldest profession – spying – and is typically meant to avoid detection, and thus noticeable disruption. States may gripe about it, but they abide it, especially if they also do it. Likewise, cyber theft by criminals or government agents is harmful and prosecutable, but its destructiveness does not rise to the level that would justify a retaliatory act of war, as meant here.
To illustrate, the alleged Chinese hacking of US government personnel records, evidently in search of files on people who have held sensitive national-security jobs, was massive, sophisticated and possibly consequential; but it could not be, and was not, considered an act of war. This does not preclude some sort of US reprisal, perhaps a comparably bold robbery. (Presumably, the United States would not want China to know of such retaliation, lest it be foiled.) What is precluded in this case, by our way of thinking, is a US response so destructive or disruptive that it would cross the threshold from cyber espionage to cyber war – thus war. Admittedly, the line between intensely harmful theft and cyber war is woolier in reality than in theory. But the points stand that not all hacking is cyber war; that when it comes to espionage, states will be states; and that retaliation should be broadly in kind.
Attribution is a thornier problem, requiring a more subtle solution. On the one hand, retaliating with less than absolute certainty that the target state was the attacker obviously runs the risk of harming the innocent. On the other, declaring that retaliation depends on absolute certainty would weaken deterrence, especially if an attacker thinks it can use a roundabout attack path or rely on deniable agents to do the attacking. If this dilemma seems insoluble in the abstract, there may be a practical solution: the identity of the state responsible for an attack on the United States serious enough to justify retaliation might be obvious by virtue of the context – for instance, tension, confrontation or armed hostilities – and the fact that few actors would be capable of such an attack. One cannot exclude the possibility that a capable third party might try to exploit a crisis to conduct an attack for which another state would suffer retaliation; however, counting on US misattribution would be a huge gamble to take. Deterrence is, after all, in the eye of the would-be attacker. A 4-in-5 chance of knowing who attacked produces a 1-in-5 chance of the attacker getting away with it.
While circumstantial evidence does not rule out mistaken identity and thus mistaken retaliation, neither does it require the United States to retaliate. How the United States actually reacts to a specific attack, and what it says about its standard for retaliation in order to create strong deterrence, are two related but significantly different matters. It is best to limit declaratory policy to the effect that the United States would be confident of its attacker’s identity before retaliating.23 To buttress this, it could also convey confidence in its ability to identify the culprit.
In sum, US policy to support the legitimacy of retaliation for a cyber attack might include making known that the United States can and may conduct devastating retaliation for a cyber attack;24 concentrating the development of options, doctrine and plans on the goals of disrupting and degrading the cyber aggressor’s state (as opposed to its population), thus allowing compliance with norms of discrimination and proportionality while also enabling escalation control; treating all state systems, including security systems, as within the target set, with the exception of systems for nuclear C2; and retaliating in kind against a state deemed responsible for a destructive cyber attack, but not for stealing secrets. These policy provisions would apply not only in the event of attacks on the United States, but also on allies with which it has binding common defence ties, such as NATO and Japan.
US policy would make a sharp distinction between counter-military offensive cyber war during armed conflict and the conduct of wider cyber war, whether or not during an armed conflict. For the former, it would be prepared to act as required by military–operational demands; for the latter, it would show great restraint unless attacked, in which case it could unleash major assaults on the attacking state.
Coercing an adversary incapable of strong retaliation
Given that retaliation and counter-military cyber war require copious offensive capabilities, questions arise about whether these means could and should also be used to coerce hostile states into complying with US demands without requiring the use of armed force. Examples include pressuring a state to cease international aggression, intimidating behaviour or support for terrorists; or to abandon acquisition of weapons of mass destruction; or to end domestic human-rights violations. If, as some argue, it is getting harder, costlier and riskier for the United States to use conventional military force for such ends, threatening or conducting cyber war may seem to be an attractive alternative.25
Of course, equating cyber war with war suggests that conducting or threatening it to impose America’s will is an idea not to be treated lightly. Whereas counter-military cyber war presupposes a state of armed conflict, and retaliation presupposes that the United States has suffered a cyber attack, coercion (as meant here) presupposes neither a state of armed conflict nor an enemy attack. This means, in essence, the United States would threaten to start a cyber war outside of an armed conflict – something US policy has yet to address. While the United States has intimated that it would conduct cyber war during an armed conflict and would retaliate if deterrence failed, it is silent about using or threatening cyber war as an instrument of coercion. Such reticence fits with the general US aversion to this form of warfare, as well as a possible preference to carry out cyber attacks without attribution or admission.
Notwithstanding US reticence, the use of cyber war for coercion can be more attractive than the use of conventional force: it can be conducted without regard to geography, without threatening death and physical destruction, and with no risk of American casualties. While the United States has other non-military options, such as economic sanctions and supporting regime opponents, none is a substitute for cyber war. Moreover, in the case of an adversary with little or no ability to return fire in cyberspace, the United States might have an even greater asymmetric advantage than it does with its conventional military capabilities.
However appealing cyber war may be as an alternative to armed conflict, especially where there is no fear of retaliation, the United States must consider whether the use or, by extension, the threat of cyber war for the purpose of coercion is consistent with norms it values, especially its opposition to cyber war in particular and support for the laws of war in general. As noted, coercion implies the possibility of first use, which could be viewed as aggressive, unless of course the adversary is itself already engaged in some other form of aggression. Arguably, cyber coercion amounts to intervention in another state’s internal affairs. If directed at civilian or multipurpose systems, it could be considered indiscriminate. And in the absence of both armed conflict and enemy cyber attack, proportionality could be hard to defend.
This raises the question of whether the laws of war should apply to coercive cyber war (and cyber war in general). Specifically, must the target of a cyber attack be a military capability? Because cyber war is war, the answer would be yes if cyber attacks worked the same way that kinetic attacks do. But they do not. In theory, cyber war can destroy things; but in actuality, attacks rely on computer instructions that can cause things to destroy themselves. Stuxnet broke centrifuges because the centrifuges were built to execute potentially self-destructive sequences. Otherwise, cyber attacks are essentially disruptive: they keep things from working. In this sense, cyber war is generally not violent. Moreover, its direct effects can be reversed, and far more quickly than those of physical war. An attack against the computer systems of military forces that are not at war may be troublesome, but any degradation is temporary, and physical hardware is left intact.26 Unless cyber attacks are a prelude to armed conflict, and hence more pre-emptive than coercive, there is time to mend any ruptures, so long as the country being threatened is not itself at war with a third party. Hence, the threat of a cyber attack on military forces is unlikely to be very persuasive or produce much coercive leverage.
By contrast, many systems that support civilian and economic needs produce services every day around the clock, in peacetime no less than in war. If electric power is out for a week, that would be a week during which little economic activity took place (not to mention a very uncomfortable week, unless the weather cooperated). If bank records are scrambled, people lose access to their money, possibly forever if accurate records cannot be recovered. If government payments are delayed, people living on the edge may go hungry. Being comparatively accessible and vulnerable, civilian systems are more inviting targets than military ones.
The advantage of targeting civilian rather than military systems to maximise the peacetime impact of a cyber attack immediately raises a yellow card about using cyber war for coercion. This is especially so for countries that claim the moral high ground and seek to discourage cyber war in general, such as the United States. Still, if the alternative to conducting or threatening a cyber attack on civilians is a choice between using kinetic force and doing nothing in the face of enemy aggression or other hostile behaviour, then coercive cyber attack on civilian services is merely a bad option among worse ones.
Apart from such normative considerations, the coercive value of the threat of cyber war is diminished by the difficulty of brandishing offensive capabilities, either by describing or demonstrating them. There is currently no state that regularly boasts about its cyber-war capabilities; indeed, states regularly blame attacks on others or on hackers beyond their control. The release of classified US National Security Agency (NSA) files by Edward Snowden in 2013 might have embarrassed the US government, but also, ironically, helped it to broadcast how deeply the NSA can supposedly burrow into the systems of others.27 Apart from incidents like these, offensive capabilities can only be inferred from anodyne policy statements or from claims made by others about the extent and authorship of this or that cyber-espionage intrusion.28
The more obvious a country’s capabilities in cyberspace, the more concern they merit among leaders of states that may be targeted for coercion. Still, the United States could not count on such leaders to heed threats or admit they were afraid. They might instead seek to buy time, to resist political demands, or even to publicise threats to put the onus back on the would-be bully – hardly an enviable position for the United States, given its stated concerns about cyber war. The vaguer the threat, the easier it is to ignore. Yet, making a bald threat could be uncomfortable for the United States.
For these reasons, simply shrugging off the threat is a more plausible strategy for a US adversary in the case of a threatened cyber attack than a kinetic one. Moreover, even target states that lack access to sophisticated local providers of cyber-security services have some basic options to tighten computer-system security: they might remove key information from certain servers, limit access rights, re-authenticate users, disable certain network services, isolate critical sub-networks or install cyber-security software. The time required for such defensive measures can be measured in days and weeks, rather than the months and years required to erect comparably effective physical defences. The longer the potential victim can ward off an attack, the less damage it can expect if attacks come. Perhaps most importantly, states without cyber-war retaliatory capabilities may also depend less on computer systems than more sophisticated ones do. North Korea is an obvious example of a state with rudimentary means to strike back which, owing to its backwardness, may have little to fear from a US cyber attack.
As with threatening cyber war for coercion, the actual delivery of a cyber attack against a vulnerable state may not have the desired impact on its regime’s decision-making, unless of course that state were heavily reliant on computer systems. Even then, there is little evidence that coercive cyber war works. The case of Russian attacks on Estonia suggests that even a sophisticated, computer-reliant target might get its back up rather than succumb in the face of cyber attacks. Moreover, there are not many states that are at once US adversaries, incapable of retaliation, and so computer-reliant that they would yield to coercion even if attacked. Iran may be one; however, the United States would be taking a large gamble in expecting Iranian leaders to cower in the face of US cyber war.
The dynamics of cyber coercion reflect the ambiguity of information associated with any cyber attack, quite possibly to the advantage of the target. The attacker may know what systems it has penetrated and what first-order effects might be generated from such a penetration; but its information on whether the penetrated system is still usable may be iffy, particularly if the system under attack has no real-time connection with the attacker. The target may not know exactly what was penetrated or how, but it should have a better idea than the attacker about the failure modes of the likely targets. It should also have a better idea than the attacker about how resilient its systems are, what the recovery path and lead times may be and, most importantly, how well it can withstand the systems’ being down. Alternatively, it may be that neither side has much clue about resilience and recovery, because cyber attacks of the sort that call for resilience and recovery have so far been quite rare.29 But such opacity could work to the disadvantage of the attacker.
One of the reasons that a target might believe that it can ignore a US threat to carry out a cyber attack is because it knows that such an attack would not be costless for the United States. Any cyber attack carries risks, especially if carried out in peacetime, and not in retaliation. For instance, it might attract world opprobrium. If the attack and attacker were publicised or obvious – a given in any cyber attack that followed a threat – responsibility would also be obvious. In addition, an attack risks angering and mobilising populations of the target state in ways that render concessions politically less likely than if a threat had been made without an attack. If cyber-war retaliation is infeasible, the target may respond in other, harmful ways. Again, think of Iran, with its network of terrorist proxies, agents and extremists.
Sometimes, coercion is a matter of pounding away until the target state complies. Examples include economic sanctions, blockades, support for regime opponents and recurrent, clandestine physical attacks. However, this is a losing game if the instrument is a cyber attack. Although casual opinion may be that the attacker holds all the cards, if it hopes to win concessions, it needs the target to fold, not simply suffer. Once again, having been exposed to the attacker’s capabilities and strategy, the target can modulate the disruption over time. While perfect security is unattainable, there is a huge difference between the severe damage that can be done by a cyber attack on an unprepared system and the chronic pain arising from attacks on a system that has been battle-hardened.
In sum, while it might be appealing as an alternative to physical force, the use or threat of cyber war against a weak adversary raises questions of norms and efficacy, not to mention bad publicity in the event of either success or failure. Were the United States to limit its risks by restricting itself to low-grade or narrowly targeted cyber war, it would sacrifice efficacy. If, instead, it made threats or launched major attacks for the sake of efficacy, it would be seen as violating the laws of war, as well as its righteous opposition to cyber war. More fundamentally, US policymakers need to consider whether they really want to pursue a form of warfare which can, by their own admission, work to the United States’ ultimate disadvantage.
The inefficacy and risks associated with attempting to coerce even states without cyber-retaliatory capabilities have a silver lining for the United States. If states believe they can gird themselves against and ride out cyber attacks, call out the attacker for international denunciation and largely ignore coercive threats, they will feel less compelled than if threatened by physical force to acquire cyber-war capabilities of their own. This would be a good thing.
Coercing an adversary capable of strong retaliation
While the utility of threatening or using cyber war to coerce an adversary with little or no retaliatory capability is limited mainly by norms that are in the US interest to bolster, the utility of such coercion against an adversary with strong capabilities is further limited by the prospect of retaliation. This does not preclude attempting to coerce another cyber power if the stakes are high enough to justify the risk. In any case, the heavy dependence of the US government, economy and society on computer systems implies the possibility of the United States experiencing great harm in the event of retaliation, irrespective of US offensive superiority. For the foreseeable future, the prospect of such harm would weigh heavily against any US coercive threat toward at least the major cyber powers, such as China or Russia. An opponent’s knowledge of this would in turn undercut the credibility and thus the utility of a US threat to engage in coercive cyber war.
Even with misgivings about using cyber war to coerce a capable adversary, the United States could still make such a threat. Apart from the general inadvisability of making empty threats when national security and credibility are on the line, especially for a world power, bluffing is unlikely to be a fruitful tactic. A capable adversary surely would both tighten its network defences and gear up for retaliation. Furthermore, even a major cyber attack could not destroy the enemy’s ability to retaliate (in contrast to nuclear and conventional ‘counterforce’ weapons that can degrade an enemy’s ability to retaliate). Moreover, a public threat, or a comparable private threat leaked by the adversary, would put the United States on record as threatening to initiate the very form of warfare it wants to discourage, to little or no avail.
Are there, nonetheless, conditions under which the United States could coerce a capable adversary by the threat or use of cyber war? Or does mutual deterrence entirely preclude such measures by (or against) the United States? It is worth recalling that, during the Cold War, mutual nuclear deterrence did not dissuade the United States from invoking the threat to use nuclear weapons to deter a Soviet conventional attack on NATO. Apart from whether that threat was truly credible, the context was perceived Soviet conventional superiority, the prospect of cataclysmic US defeat and Soviet conquest of Europe. Equivalent circumstances are hard to imagine in today’s world, vis-à-vis China or Russia. And if such circumstances arose, it hardly seems likely that US cyber war would measure up to the larger stakes, or the larger threat.
Perhaps the United States could threaten or use low-grade cyber war against a capable adversary, thinking – or hoping – that its retaliatory threshold would not be crossed. However, in order to lower the risk of retaliation, the United States would have to lower the severity of the attack, and thus the utility of using, much less threatening, cyber attack. In general, pin prick cyber war offers doubtful benefits in return for avoiding the violation of norms the United States favours. In the case of a capable adversary, moreover, low-grade cyber attacks risk not only retaliation but escalation, presumably outweighing the benefits. As a general proposition, if the United States were to wage offensive cyber war, it should do so robustly, and for major purposes and effects. Against an adversary capable of both retaliation and tightened defence, such cyber war would be most imprudent.
Non-state actors and covert operations
Swelling ranks of increasingly sophisticated non-state actors are engaged in cyber attacks. The purpose of most of them is theft or the promotion of a political cause. Some actors, such as well-resourced extremist organisations, could conduct disruptive attacks – acts of cyber war. Although US policy cannot ignore this growing problem, it is less severe than state threats. In any case, comparable principles apply. The United States should be prepared to conduct cyber attacks on non-state adversaries that threaten it, assuming they have computer systems worth attacking. Avoiding collateral damage harmful to non-combatants is as important in this case as it is in inter-state warfare. Although the United States should be prepared to retaliate against non-state attackers, they tend to be more elusive, less vulnerable and less susceptible to deterrence than states. The threat or use of US cyber war for coercion is even less promising against non-state actors than against states.
The United States might find itself in situations in which it needs to conduct cyber attacks that it wants to deny. In such cases, it has the option of using covert operations based on presidential direction to intelligence agencies rather than the armed services. We have argued in this journal that the risks inherent in waging cyber war make it prudent for the United States to use only one line of authority and control for that purpose – from the president via the secretary of defense to appropriate military commanders.30 If cyber war is war, as we believe, the United States should not, and need not, bypass its military chain of command for the sake of deniability.
* * *
Cyber war is war, even if more refined and less cruel than Sherman could have imagined. Being both vitally dependent on and a champion of ‘an open, secure, interoperable, and reliable Internet’, the United States should have – and seemingly has – a general aversion to cyber war, on both normative and strategic grounds. In keeping with that aversion, as well as with the difficulty of controlling cyber war once begun, the United States should resort to such warfare only when failure to do so could have grave consequences.
If cyber war is war, the United States should observe the laws of war governing discrimination and proportionality, just as it has a profound interest in others observing them. At the same time, because the effects and course of cyber war are not entirely controllable or predictable, the United States must recognise that these norms, in particular, are difficult to monitor and police. Therefore, while US policy should be to promote these norms internationally – which implies living by them – their application cannot be unrealistically strict.
Cyber war against military targets during armed conflict or in retaliation for cyber attack meets the standard of treating cyber attacks as acts of war, to be conducted only when not doing so would have grave consequences. Such warfare would also be broadly consistent with the norms of discrimination and proportionality. At the same time, if the resort to cyber war is indicated by such circumstances, the United States should be prepared to act robustly, inasmuch as tentative or pin prick cyber war may entail less gain than risk, including the risk of failure.
Accordingly, for cyber war on military targets during armed conflict, the United States should attain and maintain offensive superiority in order to offset its cyber vulnerabilities, retain its overall military–operational advantage and gain escalation control. For retaliation, the United States should have and be ready to use capabilities to visit ‘unacceptable costs’ on systems critical to the operation and control functions of the attacking state, while attempting to avoid any damage to wider societal and economic well-being. For the sake of deterrence, the United States should effectively indicate that the ‘confidence’ it feels in its own attribution capabilities is sufficient to justify retaliation when warranted.
The US use of cyber-war threats for purposes of coercion could do violence to the general US opposition to cyber war, the position that such war is genuine war and the standard that only grave circumstances warrant it. Moreover, cyber war for the purpose of coercion is on the whole an unpromising concept against weak adversaries: it might fail, undermine beneficial norms, lead to international scorn (whether coercion works or not) and cause non-cyber responses. Against strong adversaries, it could also lead to damaging retaliation and escalation, from which there could be no winner.
In sum, general US offensive policy should be to avoid cyber war except as a military operation carried out against enemy forces during armed conflict or in retaliation for attack. For these two purposes, the United States should be second to none in its ability to wage cyber war, and to make it count when no choice remains.
1 William Tecumseh Sherman, letter to the mayor and city council of Atlanta, 12 September 1864, available at http://history.ncsu.edu/projects/cwnc/items/show/23.
2 Lawrence J. Cavaiola, David C. Gompert and Martin Libicki, ‘Cyber House Rules: On War, Retaliation, and Escalation’, Survival, vol. 57, no. 1, February–March 2015, pp. 81–104.
3 Broadly speaking, we define cyber war as being destructive or harmfully disruptive; thus, it would not include cyber espionage or cyber theft.
4 US Department of Defense (DoD), ‘The Department of Defense Cyber Strategy’, April 2015, p. 2, http://www.defense.gov/home/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf.
6 See Oona A. Hathaway et al., ‘The Law of Cyber-Attack’, California Law Review, vol. 100, 2012, pp. 817–86.
7 The difficulty of control and potential for both vertical and horizontal escalation is addressed in depth in Cavaiola, Gompert and Libicki, ‘Cyber House Rules’.
8 See, for example, Vice Admiral Ted N. Branch, ‘A New Era in Naval Warfare’, Proceedings, vol. 140/7/1,337, July 2014, http://www.usni.org/magazines/proceedings/2014-07/new-era-naval-warfare.
9 The US government has never admitted that it was in collaboration with Israel in attacking the computer program that controlled Iranian uranium-enrichment centrifuges.
10 Chinese Defense Ministry spokesman Geng Yansheng, as quoted in Joshua Philipp, ‘China Warns of “Internet Arms Race” as US Military Starts Fighting Back in Cyberspace’, Epoch Times, 30 April 2015, http://www.theepochtimes.com/n3/1340042-china-warns-of-internet-arms-race-as-us-military-starts-fighting-back-in-cyberspace/.
11 See Cavaiola, Gompert and Libicki, ‘Cyber House Rules’.
12 See David C. Gompert and Hans Binnendijk, ‘The Power to Coerce’, RAND Blog, 10 July 2014, http://www.rand.org/blog/2014/07/the-power-to-coerce.html.
13 See Norton A. Schwartz and Jonathan W. Greenert, ‘Air–Sea Battle’, American Interest, 20 February 2012, http://www.the-american-interest.com/2012/02/20/air-sea-battle/.
14 Cavaiola, Gompert and Libicki, ‘Cyber House Rules’, p. 81.
15 For discussion of the applicability of the laws of war to cyber war, see Martin C. Libicki, Crisis and Escalation in Cyberspace (Santa Monica, CA: RAND, 2012), pp. 29–36.
16 The use of third-party, and possibly neutral, servers cannot be excluded.
17 These arrangements are explained in Cavaiola, Gompert and Libicki, ‘Cyber House Rules’, pp. 88–94.
18 More specifically, Cyber Command’s ‘Cyber Mission Force’ would provide Combat Mission Forces and Cyber Protection Teams for integration into combatant commands’ plans and operations. In parallel, a National Mission Force would operate directly under Cyber Command. DoD, ‘The Department of Defense Cyber Strategy’, p. 6.
19 Cavaiola, Gompert and Libicki, ‘Cyber House Rules’, p. 89.
20 DoD, ‘The Department of Defense Cyber Strategy’, p. 1.
22 Depending on the context, the United States might find that it is in its interest to regard a certain cyber attack as an act of war and another of equal destructiveness as not an act of war.
23 A related question is whether to retaliate against a state which uses or encourages non-state agents to wage cyber war against the United States. While this will certainly depend on the circumstances, the general US posture should be to hold states responsible for attacks perpetrated by persons under their sovereign control.
24 The United States has been careful not to say that retaliation for a cyber attack would be in the form of a cyber attack, thus keeping open the option of conventional military reprisal.
25 See Gompert and Binnendijk, ‘The Power to Coerce’.
26 The affected software may need to be replaced or repaired (because it would otherwise be subject to re-attack). Replacement is relatively inexpensive. Repair can be expensive, but leaving vulnerabilities unpatched may be far more costly.
27 Whether or not these materials are accurate, what matters is that they are regarded as true by others.
28 Recent observations that today’s hackers are not taking great pains to cover up their national origins may be part of a strategy by countries to gain implicit credit for clever hacks they may still explicitly deny carrying out. Or, it may reflect the increasingly obvious conclusion that national (in contrast to personal) attribution has no consequences and thus is not worth making much effort to avoid.
29 More information is available on how long it takes for organisations to overcome infections, but systems can be run while infected if they need to be.
30 See Cavaiola, Gompert and Libicki, ‘Cyber House Rules’.