By Sara Mishra

Despite its breadth and depth, the United States’ 2022 National Defense Strategy relegates a significant problem in cyberspace to a mere side note. The strategy mentions that in “the cyber and space domains, the risk of inadvertent escalation is particularly high due to unclear norms of behavior and escalation thresholds” but makes no recommendation. For some time now, scholars have argued against clearly defining thresholds for retaliation in the cyber domain. States, including the United States, have relied on this ambiguity to allow for a wide variety of retributory attacks. However, the United States’ historic behavior provides observational evidence that there are unofficial or private thresholds for U.S. responses to cyberspace conflicts.

The ambiguity that is intended to allow for a range of actions is leading to a lack of transparency around thresholds for potential responses. This opacity undermines deterrence-oriented strategies, because when the intended retaliatory attacks are obscured, the adversary cannot fathom the consequences of their actions. This impedes the ability of the United States to deter cyber attacks.

EVIDENCE OF UNOFFICIAL CYBER THRESHOLDS

Until this point, the United States has relied on several strategies for responding to cyberattacks, ranging from cyber espionage to ransomware damages. After discovering an attack, investigations and attributions typically occur, followed by public statements about the responsible parties. When the United States responds to a cyberattack, it sometimes distinguishes the attacker(s) as an individual or as a group; sometimes the U.S. government demonstrates that the attackers are part of a sustained campaign on behalf of a nation-state.

If the United States can penalize the responsible party or parties through criminal codes or sanctions, it typically employs these responses. For example, the Obama administration issued sanctions against several North Koreans when they hacked Sony Pictures Entertainment in 2014.  The United States otherwise identifies the culprits based on public accusations and statements that imply culpability in instances in which attackers are accused as part of a state-sponsored incident. This scenario occurred in 2022 when the U.S. Department of Justice indicted four Russian nationals working for the Russian government. It would appear there are unofficial or secret thresholds that the United States uses to determine whether to take retaliatory actions against states, because public facing statements do not specifically outline these potential responses.

DETERRENCE EMPLOYED AS A U.S. STRATEGY

The National Defense Strategy specifically mentions that the U.S. Department of Defense seeks to “employ an integrated deterrence approach that draws on tailored combinations of conventional, cyber, space, and information capabilities, together with the unique deterrent effect of nuclear weapons.” This statement underpins the arguments made by those in the United States who claim that cyberattacks require a diverse arsenal of retaliatory tactics. For example, when considering how to aid the Ukrainians in the ongoing war against Russia,  Senator Angus King called for the United States to “share whatever we possibly can in terms of helping them to prepare and defend, and… keep all options on the table for our response to a cyberattack.” What U.S. policymakers are missing, however, is that the lack of parameters for cyber engagements increases the chances of unintended escalation in cyber warfare.

ADVERSARIAL DETERRENCE LEADS TO INACTION

The four main tenets of deterrence theory are attribution, location, response, and transparency. It is transparency, or “the enemy's knowledge of our capability and intent to counter with massive force,” that remains unaddressed by statements like Senator King’s. Although it is important to keep options open, such flexibility does not address the potential danger of escalatory dynamics. Without advanced calibration and signaling, the possibility remains that the United States might decide to launch a retaliatory attack that is too forceful, inciting additional retribution from the adversary. It is the fear of this possibility that can deter the United States itself from taking action.

In 2018, cyber researcher Jason Healey pointed out that the United States was deterred from taking action against Russia after the 2016 election. He cited commentary from White House discussions in which a participant acknowledged wanting to avoid a “tit-for-tat” approach to cyber affairs with Russia due to fear of retaliation. While some might say the United States was afraid of the Russian response in cyberspace, arguably, the government was actually afraid of losing control of escalatory dynamics. The United States had every option on the table available to them, so if they were outdone in one domain, they could rely on their advantages in another.  Without a clear understanding of which specific tactics would constitute an “appropriate” response, the United States chose inaction. This type of paralysis is likely created, at least in part, by a fear of escalation that could prove to be more dangerous than signaling a specific type of response in advance of a conflict in cyberspace. Essentially, because the United States is leaving its retaliation options ambiguous, it becomes much more difficult to predict if or how escalation may occur when the adversary reacts. The result is that the United States then refrains from selecting an intended response.

THE THREE DILEMMAS

Three dilemmas that pose a challenge to clearer signaling around thresholds are the “Acheson dilemma,” the “menu dilemma,” and the “decision dilemma.” The Acheson dilemma refers to the tendency of adversaries to direct attacks on targets outside the deterrent environment. For example, if hospitals were off limits for conflict, then the opponent might attack parking lots near hospitals. The menu dilemma refers to the tendency of adversaries to analogize potential response options to a menu of choices. For example, if ransomware attacks and distributed denial of service (DDOS) attacks result in sanctions, but phishing campaigns are simply shut down, then an adversary may decide to pursue more phishing campaigns because that option carries less severe consequences. The decision dilemma relates to whether decision-makers can set a threshold that would include violence in response to the disruption or destruction of data. For example, is it worth it to physically attack a state that is hacking medical devices in the United States if the disruption could result in fatalities?

ADVANCING PAST THE THREE DILEMMAS

It is possible to overcome the limitations of the three dilemmas. To address the Acheson dilemma, it is important to clearly signal which targets are allowed to be considered within the scope of attack. This is what U.S. President Joe Biden did in his discussions with Russian President Vladimir Putin. President Biden declared sixteen areas of critical infrastructure as off limits from potential conflicts. However, to deter adversaries, it is important to go a step further to make it clear that the United States has plans to defend the off-limits targets. Furthermore, President Biden must clarify what retaliation options are intended for targets outside the boundaries he creates. It should be clear that whether the target is off-limits or accepted as viable, there are consequences to adversarial aggression.

Additionally, it is important to turn the menu dilemma on its head by offering retaliatory options that will cause states to reconsider sponsoring cyberattacks against the United States. While U.S. officials tend to leave all options on the table, it would benefit them to clarify which types of attacks will beget which types of response. In this way, the adversary knows that whatever attack they sponsor, there will be clear and enforceable negative consequences.

To address the decision dilemma, the United States can plan a variety of non-kinetic responses. However, it ultimately makes sense for the adversary to have clarity surrounding the possibility of escalation to physical force. Then, if the opposing party decides it is worth it to escalate, there will be established warnings in place that the United States can reference as justification for the use of force.

CONTRADICTORY POLICY ANALYSIS

Beyond the thought that ambiguity is useful since it allows for the maintenance of a variety of retaliatory options in cyberspace, there are other arguments for why deterrence theory cannot be successfully employed in the cyber domain. One such claim is that because it is easier to attack than to defend, and because attribution is so challenging, it is not possible to deter attackers by improving defenses or seeking to intimidate the target. There are those who argue for “integrated deterrence,” which is meant to “expand the nuclear deterrence paradigm” and consists of “deterrence regimes across all domains and across the spectrum of competition [that work] by leveraging all instruments of national power.” However, some contend that the “solution to the deterrence problem is not abandoning it, but expanding the range of alternative strategies not presently considered.” Furthermore, renowned scholar Joseph Nye challenges the idea that full attribution is required for deterrence to function, describing it as “a matter of degree.” While there may be challenges to deterrence in cyberspace, it is still a relevant strategy in contemporary politics.

CONTEMPORARY POLICY ANALYSIS

The United States should strive to create policies that clearly delineate which types of responses will be established for which types of potential attacks. If it is as straightforward as limiting kinetic responses to kinetic attacks, then so be it. That clarity will at least provide the United States with a basis upon which it can start determining specific cyber responses, rather than inadvertently siding with inaction. The 2023 White House National Cyber Security Strategy declared: 

“To effectively constrain our adversaries and counter malicious activities below the threshold of armed conflict, we will work with our allies and partners to pair statements of condemnation with the imposition of meaningful consequences. These efforts will require collaborative use of all tools of statecraft, including diplomatic isolation, economic costs, counter-cyber and law enforcement operations, or legal sanctions, among others.” 

This is a generic statement that describes one threshold—armed conflict—but it mentions no specifics about the different scenarios that might occur if it is crossed. Furthermore, it is important that there not only be a list of possible reactions, but an actual cause-and-effect relationship that is created and then transparently communicated in a cyber strategy. 

The Biden administration has created an entire bureau at the State Department dedicated to cyberspace. The newly-minted Bureau of Cyberspace and Digital Policy includes a Policy Unit–called the International Cyberspace Security team–dedicated to “promot[ing] cyberspace stability and security and protect[ing] U.S. national security interests in cyberspace.” While it would appear that this administration is focusing on the “tools of statecraft” and improving clarity surrounding tactics below the threshold of armed conflict, there is still ambiguity in the cyber domain about when the United States will rely on “tools of defense.” This lack of clarity undermines deterrence.

CONCLUSION

Although there may be challenges to determining escalation thresholds, it is important to develop clearer signals to bolster our deterrence strategies in cyberspace. Transparency is a key component of deterrence, and if the administration seeks to rely on statecraft solutions, it will still have to clarify when to take defensive measures against the adversaries of the United States. Some may argue that transparency could lead the United States to over promise and then come up short with its responses. However, it is possible to create flexible thresholds and signal what those thresholds are to adversaries.

This gradation signaling is worthwhile because the consequence of not communicating an intended response is potential fear of the opponent’s reaction, which could paradoxically lead to inaction. Thus, it is better for the U.S. defense posture if policymakers proactively determine cyber escalation thresholds and communicate them to potential adversaries. Only then will the United States be prepared when adversaries inevitably choose to wage aggressive campaigns in cyberspace.

“Joint Operations train against cyber war” is by Georgia National Guard and is licensed under CC BY 2.0.