July 2, 2024
The world is at a pivotal crossroads for conflict in the cyber domain. As new technologies accelerate the cat-and-mouse game of cyber offense and defense, real-world conflicts provide important case studies for deterrence and response. But they also reveal a lack of strategic clarity when it comes to defining and signaling the thresholds or red lines for provocations in the cyber domain.
Deterrence—in both the kinetic and cyber domains—requires a reasonable expectation that aggressors will face consequences. Red lines must be understood, communicated, and credible. Ambiguity undermines deterrence and encourages aggressors to test the limits of what they can get away with. The cyber domain is no different. Unless bad actors fear consequences for their malign conduct, they will be emboldened.
Former U.S. National Cyber Director Chris Inglis wrote last year in FP Analytics’ Digital Front Lines report that timely cyber attribution in the ongoing war in Ukraine mobilized those impacted and minimized the harm caused. Attribution is critically important, because it can embarrass malign actors who care about their international reputation and help educate would-be victims about the steps they should take to protect themselves. Sanctions, too, can impose meaningful consequences on those who profit from cybercrime or harbor cyber criminals.
For cyber deterrence to succeed, there must be more meaningful consequences than attribution and sanctions alone. Nations also need to be willing and able to use their cyber capabilities to impose costs on malicious cyber actors. It is equally important to carefully calibrate and communicate the thresholds that will invite these consequences.
Because cyberattacks often exist in the “gray zone” between peace and war, there is no clear, universal playbook or escalation ladder for responding to these attacks. Responses in the cyber domain are not necessarily symmetrical or proportionate to the initial attack, for better or for worse. For example, the United States responded to North Korean cyberattacks on Sony in 2014 and the WannaCry global ransomware attack in 2017 with criminal charges and sanctions against the perpetrator. On the other end of the spectrum, in 2019, the Israel Defense Forces responded to a Hamas cyberattack with a kinetic strike. Both scenarios raise an important question for broader cyber warfare strategy: Would the cyber attackers have acted as they did if they had known what the consequences would be?
Deterrence is predicated on the notion that attacks should be prevented rather than responded to, and telegraphing intent is a central part of this strategy. We see this clearly in the domain of kinetic conflict, for example, with Article 5 of the NATO treaty, which serves as a bright line that adversaries cannot cross without facing severe and immediate consequences.
No similar bright line currently exists within the cyber domain. It is possible to imagine a cyberattack that inflicts more damage than a kinetic attack under certain circumstances; however, many would consider only the latter an act of war. The obvious consequence is that state-based actors—and their proxies—readily engage in cyber warfare because they view it as low-risk and high-reward, compared to other tactics that could be used to achieve the same strategic ends.
But the lack of clear, agreed-upon consequences also increases the risk of miscalculation. A defender may be the victim of a cyberattack so egregious that the relevant government feels it warrants a serious response, potentially in the physical domain. Without knowing where that threshold lies, the attacker might judge that the offense falls short of it, which could result in an escalatory response that could spiral into open conflict. Had the red lines been clearer, the attacker might have judged the cyberattack to be not worth the cost, thus avoiding the scenario altogether.
As the cyber threat landscape continues to evolve, so, too, should our deterrence strategy. Red lines will be more credible if backed by collective capabilities—cyber and otherwise—such as those of the intelligence alliance known as the Five Eyes, made up of Australia, Canada, New Zealand, the United Kingdom, and the United States.
As the international community seeks to shape the rules and norms of cyberspace, now is the time to be clear in articulating thresholds to help avoid escalatory miscalculation in an increasingly fraught environment.