Last month, the Biden administration released the latest National Cybersecurity Strategy (NCS), a roadmap that offers new policies to defend the country from digital threats.
While restrainers are usually more interested in tanks, bombers, and nukes, cyber capabilities are important too. From a restraint perspective, the NCS shows promise: recommending investments to improve security without raising tensions while working with states on things like sharing intelligence. But that’s where the good news ends.
The NCS breaks with the past by encouraging offensive operations to “disrupt and dismantle threats.” It rejects the Obama administration’s approach of seeking restraint. It also clarifies the previous confusion between the Trump administration’s Cyber Command vision and Cyber Strategy in favor of the former: an approach that seeks to use offense as a way of communicating resolve. While the NCS overall shows promise for restrainers, its approach to threat disruption needs to be clarified and limited to prevent escalation and blowback.
WHAT’S THE DEAL WITH THREAT DISRUPTION?
When a strategy proposes disrupting cyber threats — actors who damage, disrupt, and steal from our own computer networks — because sometimes defense isn’t enough, you’ve got to hit back. It never says deterrence, but let’s be honest: this is deterrence. You’re going beast mode on an attacker to show attacking wasn’t worth it in the first place.
So, if you must attack, here are seven ways to do it. First, you can kick out some of their diplomats and ban their politicians from traveling here. Second, you can try to arrest the attackers though this too will require international coordination, especially if you don’t have an extradition agreement. Third, you can tell the world and cyber-shame them, effectively engaging in IR-cancel culture (whether this works of course, depends on whether the country in question cares). Fourth, you can snitch and share the attack details with others, making it less likely to succeed again. Fifth, you can do economic sanctions (like we do for everything else). Sixth, you can launch a cyberattack of your own on the adversary’s systems, which would be subject to the same rules governing international humanitarian law (so don’t go attacking civilians please). Finally, you can stop being polite and launch an actual military strike.
The Biden administration has walked the line between preserving the status quo and shifting toward restraint and the National Cybersecurity Strategy reflects that.
The problem with the NCS is that it’s too wide and too deep. It says everything’s on the table and doesn’t acknowledge that these tools aren’t equal: some are way riskier than others. Furthermore, it states that the punishment should be so intense that other states give up on launching cyberattacks completely. And more specifically, it says both cyberattacks and kinetic military action are potential responses, which means lethal force is an apparently appropriate response to something that’s never been proven to kill anyone.
Launching cyber attacks on states is risky for three reasons: escalation, misattribution, and splash damage. First, escalation is the risk that the other states respond to our counterattack with more retaliation, leading to a cycle of costly attacks. After all, states all weigh costs and benefits subjectively; there’s no guarantee what we consider proportional would be seen as such by the other. In 2010, for example, the United States and Iran engaged in expensive and destructive attacks against each other when they would have both been better off de-escalating. While the malware in question, Stuxnet, may have succeeded in crippling hundreds of centrifuges, the setback was temporary, and Iran actually increased the number of centrifuges during the same time period. In response, Iran escalated by launching cyberattacks on the US financial industry, achieving what then-Defense Secretary Leon Panetta called “probably the most destructive attack the private sector has seen to date.”
Second, misattribution is the risk of attacking the wrong country. While figuring out the culprit is doable, it’s more art than science. For example, hackers attacked networks at the 2018 Winter Olympic Games with forged code to frame North Korea when the real culprit was likely Russia. Had the United States jumped the gun with a counterstrike, it would have hit the wrong country. Finally, large-scale cyberattacks often harm civilians. An example of this is Russia’s 2015 attack on the Ukrainian power grid which caused outages for hundreds of thousands of Ukrainians. These kinds of attacks are bad because they don’t distinguish between military and civilians and end up damaging necessities like hospital systems.
WHAT SHOULD WE DO INSTEAD?
The biggest issue with this approach is that the assumptions are wrong. The biggest culprits in cyberattacks aren’t other states, it’s organized crime. Second, risks matter. Imagine if we struck Iran in response to a cyberattack or attacked North Korea because we didn’t realize Russia did it. Finally, cyber operations aren’t traditional warfare. It’s espionage, and it’s not well-suited for killing people or stealing territory. All the malware in the world won’t help you take over a city.
The federal government should instead rely on a restrained toolkit: law enforcement, public shaming, and intelligence-sharing. The United States has successfully used law enforcement, such as collaborating with Romania to arrest members of the criminal Bayrob Group. Public shaming of North Korea and Russia in the WannaCry and NotPetya attacks, respectively, may not have stopped those actors, but they have helped limit the number of rogue states to a very small group. Lastly, the United States can share how to recognize and disrupt an experienced attack so the weapon is less likely to hurt other countries. For example, it provides regular details on indicators to spot a WannaCry attack.
The Biden administration has walked the line between preserving the status quo and shifting toward restraint and the NCS reflects that. It’s withdrawn from Afghanistan, America’s longest war, while reducing drone strikes in the Middle East. At the same time, it pursued containment and rhetorical escalation with China. The NCS’s split between defensive investments and offensive operations just highlights how the Biden administration is threading the line.
There’s no reason why the broader principles of restraint — recognizing the costs of escalation and miscommunication and deploying prudence in the use of force — can’t apply to cybersecurity as well. The NCS is at its best when it recognizes the limits and risks of what we can do. Its proposal to go on the attack and disrupt threat actors can do great harm if not assessed prudently in terms of costs and benefits. If cyber is to be an effective component of a restraint grand strategy, the urge to go on the attack must be restrained as well to avoid the grave costs of escalation and miscalculation.
Yameen Huq is a cybersecurity professional and a researcher at the Quincy Institute of Responsible Statecraft. Previously, he was a consultant specializing in analytics, cybersecurity, and strategy for public and private-sector clients.