As cyber attacks become more devastating, countries are entertaining the idea of responding to them with conventional armed forces.
It is difficult to determine how seriously countries take the threat of “kinetic” responses to digital attacks. Still, the ambiguity about when and if cyberattacks should be responded to with military force only increases the risk that things will go terribly wrong.
What is the problem?
In 2018, Air Marshal Phil Osborne of the UK Ministry of Defence offered a strategic military approach to responding to serious cyber attacks:
“We will need to provide a deep and persistent understanding of a potential adversary’s strengths, weaknesses, and options, and then develop, present, and exploit our own capabilities for advantage, defense, and deception. These capabilities must themselves be flexible and able to be deployed and used at the ‘last safe moment’ to avoid being physically or virtually locked in,” he said.
“Our goal should be first to understand, to solve, and then if necessary to act first, through physical and virtual, to provide a decision advantage and then an operational advantage by seeking rapid but controlled exploitation of vulnerabilities and proactive rejection of opportunities.”
Countries have long used the pre-emptive strike doctrine to justify initiating wars. When a country reserves the right to act first in the physical and virtual, it is advocating a policy of aggression. There are circumstances when provocation forces a country to take up arms, but such cases are few and should remain so. When cyber attacks, or the simple threat of one, are considered a case for war, this creates the potential for minor events to escalate into major disasters.
Consider what US President Joe Biden said in a 2021 address to the Office of the Director of National Intelligence (ODNI):
“You know, we’ve seen how cyber threats, including ransomware attacks, can increasingly cause harm and disruption in the real world. I can’t guarantee it, and you’re as informed as I am, but I think it’s more likely that we’ll end up – well, if we find ourselves in a war, a real brutal war with a major power, it will be a consequence of a major cyber breach. And it’s growing exponentially — the possibilities.”
It should be noted that an active “shooting war” with another major power has the potential to turn into a nuclear Armageddon (this concern is already relevant in connection with the conflict between Russia and Ukraine). It’s hard to imagine any cyber attack worth taking such a gamble on.
More precisely, NATO establishes rules for when cyber operations (CO) may constitute a use of force against member countries. Specifically, NATO says:
“[I]f COs produce effects that, if caused by traditional physical means, would be considered a use of force under Article 2(4) of the UN Charter or an armed attack under jus ad bellum, then such COs may also be considered a use of force or an armed attack.”
The seriousness of a cyber attack classified as an “armed attack” against a NATO member cannot be overstated. This is the pinnacle of high stakes in the arena of global warfare.
Perhaps the situation is less alarming than it seems. Sun Tzu famously said that all war is based on deception. Are countries using increasingly bellicose language in the hope that it will act as a deterrent to those considering catastrophic cyber attacks? Or is multinational saber-rattling over cyber attacks a mere threat with no follow-up?
Do you need people at the helm?
Some positions in government are considered so important that they require a lifetime of career experience to achieve. One example is the rank of general in the military and the authority to oversee large-scale operations in theaters of war. Another example is the Supreme Court justices who interpret the law of the land for more than 320 million citizens. The weight of these positions and the far-reaching consequences of their decisions separate them from elected representatives who serve limited terms. Although rotating officials can perform many of the functions of a representative democracy, there are some functions of the state that they cannot perform.
Military generals and Supreme Court justices have long held positions in their fields. They are lifelong experts who are often regarded as top performers in their profession. Their decisions are not subject to democratic voting or the will of the people. Simply put, they are positioned as trusted leaders whose leadership represents the final say on matters of national importance.
However, there does not appear to be a similar measure of professional importance for overseeing the short path from a major cyber attack to a military response. Elected officials, most of whom have no experience in cybersecurity or military operations, use their statements to set public expectations. They often rely on the advice of the heads of relevant government agencies, many of whom are political appointees. However, appointed heads of these agencies routinely leave their positions whenever new leadership from another party takes control. Unlike military generals or Supreme Court justices, they never accumulate the lifelong experience necessary to prepare for the difficult responsibility of making life-or-death decisions.
National cyber attack analysis and response measures are unevenly distributed across government agencies. It is unclear which agency will ultimately determine the origin of a cyber attack or formulate a response. Internationally, the world’s governments cannot agree on a single policy for responding to cyber attacks. NATO has broadly defined cyber activity that affects national sovereignty as the use of force, but what that means is open to individual interpretation. There have been attempts to solve this problem in the private sector as well. During RSA 2017, Microsoft urged a Digital Geneva Convention. This same idea is often debated today, without much to show in the way of progress.
What if we do nothing?
If we continue on our current course, it is almost certain that one nation will eventually use a cyber attack to justify using its military against another. After years of promises to do so, it would be difficult for the country to do otherwise. This unfortunate situation gives bad actors a great opportunity to escalate tensions between countries. Threat actors regularly hide their activities using the tactics, techniques and procedures (TTPs) of other adversaries. They can now pose as state-sponsored actors hoping to cause trouble between countries.
Deceptive cyber attacks can lead to false attribution and disastrous consequences
Consider a hypothetical situation where one nation wants to start a conflict between two others. Suppose Country A knows that Country B will respond with force to a cyber attack because it has been promising to do so for years. Country A decides to launch a highly disruptive cyber campaign against Country B, but makes the attack appear to be from Country C. Country B does not have formal procedures to accurately identify cyber attacks before responding, and launches military action against Country C. Could this happen? There is nothing obvious to prevent it.
Attribution of cyber attacks is known to be a difficult task. Threat studies from the world’s most advanced cybersecurity firms often avoid naming the origin of the attack at all. The complex nature of major threat groups like Conti hampers attribution efforts. Conti is widely reported to be a Russian threat group, but its widely publicized problems after the invasion of Ukraine show that it may not be supported by the state. Is Conti operating out of Russia because of its lax cybercrime laws, or is it secretly operating under the direction of the Russian government? Should Conti’s attack be considered an attack by Russia?
Other sophisticated Advanced Persistent Threat groups (APTs) openly advertise themselves as mercenaries. By employing sophisticated threat groups to carry out cyber attacks on other countries, governments can maintain plausible deniability. All these factors make it possible for countries to place the blame for a cyber attack on the wrong actor. How can a country be sure that it has been attacked by others and not by adversaries using the TTPs of previous state-sponsored attacks? What’s to stop countries from simply running their shadowy cyber operations as private enterprises to create the illusion of separation? In cyberspace, evidence is easy to forge, attack paths are widespread, data is heavily encrypted, and culpability is often unclear.
Responding to Cyber Attacks: What Can Be Done?
Those waiting for a global agreement or a Digital Geneva Convention may still be treading water when the next state-sponsored cyber attack hits the headlines. Trying to implement solutions at the global level, when similar proposals have not succeeded at the national level, seems misguided. While there is no simple solution to combating cyber attacks at the state level worldwide, there are some steps that can improve the current situation.
Placing the proverbial “fences” around the government’s response to cyber attacks could help prevent any corresponding response from getting out of hand. It is important to balance the country’s need for a broad response capability with policies that prevent unnecessary escalation. One approach might be to enforce requirements that insist on proportional responses. Maybe something like: “We will not respond with military force unless a cyber attack directly results in loss of life.” This leaves countries with a wide range of response options without immediately opening a Pandora’s box of global war.
In the end, Realpolitik dictates that countries will do whatever is necessary when their sovereignty is threatened. At that point, it doesn’t matter what treaties, policies or laws are in place in the event of a truly catastrophic cyber attack. However, constant threats of a military response to serious cyber attacks inadvertently put a country in a straitjacket where it must respond with force to save face. Toning down belligerent rhetoric allows countries to keep their options open without making it obvious how harsh their response might be. As former US President Teddy Roosevelt famously advised, “Speak softly and carry a big stick; you will go far.”