Nobody Knows Where the Red Line Is for Cyberwarfare

A common explanation for why the Soviet Union never used nuclear weapons during the Cold War was the expectation that any attack would likely prompt a devastating nuclear response. The fear of mutually assured destruction was enough to keep both the USSR and the U.S. from launching a nuclear attack, even as they spent decades building up huge stockpiles of weapons.

Cyberweapons are different. Cyberattacks by both governments and private hackers have exploded in recent years. Many of these are financially motivated, but others involve espionage or, in several high-profile cases, the sabotage of physical infrastructure. There’s broad agreement that at some point a cyberattack would be considered an act of war. Yet no one knows quite where the line is.

The situation is more dangerous than ever. Russia’s bloody invasion of Ukraine raises the specter of cyberattacks starting an escalatory spiral that results in an all-out war with the U.S. The Biden administration has already warned Russian President Vladimir Putin against targeting 16 sectors at the heart of U.S. economic and national security, including energy and finance. “We will respond with cyber,” Joe Biden told reporters last summer after meeting Putin face to face in Geneva. The president didn’t lay out exactly what that would entail but added, darkly, “he knows.”

On May 4-5, cyber experts from the Biden administration, the military, and academia are gathering at Vanderbilt University to discuss the new contours of modern conflict at an event organized by Brett Goldstein, a former senior Pentagon official and computer scientist who’s now special adviser to Vanderbilt’s chancellor. Goldstein says that in the next 5 to 10 years the U.S. should develop a strategy of cyber mutually assured destruction—or cyberMAD—as a form of deterrence. “It is essential that we take lessons from the success of nuclear MAD concepts,” he says, warning that U.S. vulnerabilities are only going to grow.

The Department of Defense is preparing a new cyber strategy this year that’s likely to include a more prominent role for deterrence. U.S. officials and policy experts have been debating whether it’s better to dissuade attacks with the promise of retaliation in cyberspace or elsewhere, or to try to prevent them by taking offensive cyber measures that cut off rivals’ ability to carry them out. The Biden administration’s strategy will be based on integrated deterrence—the concept that attacks can be prevented by threats of economic penalties or other responses that rely on various levers of U.S. power.

Lawmakers from both parties and experts from outside government are pushing for their own vision of deterrence. A two-year, congressionally mandated bipartisan effort that concluded last year, the Cyberspace Solarium Commission, favors a variation of the theme “layered cyber deterrence,” which combines a focus on hardening technical defenses against attacks with the promotion of international norms against, say, cyberattacks targeting civilian infrastructure.

Goldstein’s faith that the threat of catastrophic response could prevent state-sponsored cyberattacks makes him an outlier. Deciding when to respond would be fraught, because determining who has carried out any breach can be tricky. The best hackers often mask their identities. Russian hackers, for instance, have left bread crumbs suggesting they’re North Korean or Iranian, cybersecurity experts have said. Officials say they’ve become better in recent years at determining responsibility for attacks.

Unlike nuclear weapons, which haven’t been used since World War II, the tools of cyberwarfare are widely available and used regularly for attacks of varying seriousness. “Redlines are notoriously difficult to define in cyberspace,” Emily Goldman, a cyber strategist at U.S. Cyber Command, wrote in a 2022 paper for the journal The Cyber Defense Review. She argued that sanctions, criminal indictments, and other deterrent measures have proven ineffective: “More of the same will not produce different results.”

General Paul Nakasone, the leader of the U.S.’s 6,000-person military Cyber Command and one of the speakers at Goldstein’s event, has dismissed the nuclear parallels. “Cyber deterrence is not nuclear deterrence,” he told Congress in April. For the past several years he’s overseen an increase in the Pentagon’s continuous offensive cyber operations outside U.S. borders, under a strategy he’s described as “defending forward.”

The U.S. began changing its approach when Russian interference in the 2016 presidential election led U.S. leaders to overcome their reluctance for counteroffensive cyberattacks, according to Jonathan Reiber, who authored the government’s 2015 cyber strategy when he was the chief strategy officer for cyber policy at the Department of Defense. In 2018, Congress changed the legal definition of offensive cyber operations, classifying them as traditional military activity. That same year the Trump administration issued a classified policy memo that some U.S. lawmakers said essentially delegated authority to the Defense Department to conduct them without the White House signing off.

Nakasone told Congress that both the legal change and the policy memo have been “very helpful.” The Biden administration is reviewing the memo, and proponents of the “defend forward” strategy worry it could decide to restrict Cyber Command’s ability to act effectively.

One problem with using the threat of cyberattacks as a deterrent is that cyber superiority is inherently ephemeral, according to Nakasone. While a nuclear arsenal’s power is persistent, cyberweapons rely on exploiting vulnerabilities in code, which can be patched and disappear as quickly as they’re found. So, unlike nuclear weapons, Nakasone’s cyber arsenal and access routes must change all the time. The U.S.’s ability to find and exploit such vulnerabilities is significant, but its ability to carry out attacks on specific targets may ebb and flow.

Some academics argue that “defending forward” is a euphemism for the U.S. waging its own attacks. In a paper for the Atlantic Council in March, cyber coercion expert Jenny Jun argued that the strategy leaves “much room for misjudgment and misinterpretation” about how the U.S. will respond and that instead of being a deterrent, it could encourage adversaries to strike first rather than wait to be compromised themselves.

Amid such uncertainty over the nature of cyberwar, Erica Lonergan, a senior director on the Cyberspace Solarium Commission, says that debates over deterrence have become unhelpfully “binary.” The best way to prevent major cyberattacks may not be to threaten or execute cyber operations, she says, but to rely on other instruments of national power. In 2018 the Trump administration listed using nuclear weapons as a potentially appropriate response to a non-nuclear strategic attack, a category that could include a catastrophic cyberattack. The Biden administration reserves the right to choose how it responds, including with military force, and insists a cyberattack against any NATO ally could trigger a joint response from all 30 countries.

One challenge is that the lack of a clear definition of cyberwarfare has tempted countries to test the limits, carrying out smaller attacks under the assumption they won’t be enough to provoke a major response. Some experts warn that the U.S.’s ability to establish norms surrounding such attacks has been undermined by its own history of cyberattacks, digital spying programs that targeted civilians—including allied leaders—and the Stuxnet attack that targeted Iran’s nuclear facilities more than a decade ago, a campaign widely believed to have been carried out by the U.S. and Israel.

Michael Daniel, a former cybersecurity coordinator under the Obama administration, says the U.S. could do a lot more to deter the proliferation of cyberattacks that fall below the threshold of war in cyberspace. “The question is, can you use the government’s national power to reduce the volume of malicious activity in cyberspace and reduce its impact on the United States?” he says.

A small, and potentially temporary, comfort is that Russia’s war with Ukraine has so far resulted in less cyberwarfare than many experts expected. One theory as to why, put forth by Lennart Maschmeyer, a cybersecurity researcher at ETH Zurich, is that cyberattacks aren’t as effective as many people believe. He’s studied the impact of Russian cyberattacks against Ukraine since 2014. “They have really achieved almost no measurable strategic impact,” he says. Another explanation could be that Russia didn’t plan any, because it anticipated swift military victory. That could change as the war grinds on, and recent research from Microsoft indicates Russia has been using “destructive and relentless” cyberattacks against Ukrainian services and institutions.

It’s also possible deterrence is working and Russia has been fearful of carrying out cyberattacks outside of Ukraine because that could trigger NATO’s Article 5, the collective defense clause, and draw other nations into the conflict. For Goldstein, this hesitance points to a strategic opportunity. “We may be seeing the early bones of what deterrence could look like,” he says.

©2022 Bloomberg L.P.