Will cyber saber-rattling drive us to destruction?

As cyberattacks have grown increasingly destructive, nations are entertaining the idea of responding to them with conventional military forces.

It is difficult to determine how serious countries are when they threaten “kinetic” responses to digital attacks. Yet, the ambiguity over if or when cyberattacks should be answered with military force only increases the risk of things going terribly wrong.

What’s the problem?

In 2018, Air Marshal Phil Osborn, from the UK Ministry of Defence, suggested a strategic military approach when responding to severe cyberattacks:

“We will need to secure a deep and persistent understanding of a prospective opponent’s strengths, weaknesses and options, and then develop, preposition and employ our own capabilities for advantage, defence and deception. Those capabilities must of themselves be agile, and capable of ‘last safe moment’ deployment and employment to avoid being physically or virtually fixed,” he said.

“Our aim should be to understand first, to decide first, and then if necessary to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities.”

Nations have long used a preemptive strike doctrine to justify who initiates wars. Now, when one reserves the right to act first across the physical and virtual, they are advocating a policy of aggression. There are circumstances where a provocation forces a country to take up arms, but these cases are few and should remain few. When cyberattacks – or the mere threat of – are considered casus belli, it creates the potential for minor events to spiral into major catastrophes.

Consider what US President Joe Biden said in 2021 in his address to the Office of the Director of National Intelligence (ODNI):

“You know, we’ve seen how cyber threats, including ransomware attacks, increasingly are able to cause damage and disruption to the real world. I can’t guarantee this, and you’re as informed as I am, but I think it’s more likely we’re going to end up — well, if we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence. And it’s increasing exponentially — the capabilities.”

It bears mentioning that an active “shooting war” with another major power has the potential to escalate into a nuclear Armageddon (a concern already on the table with the conflict between Russia and Ukraine). It is difficult to imagine any kind of cyberattack worthy of initiating such a gamble.

More to the point, NATO is laying down rules for when cyber operations (CO) may constitute a use of force against member nations. Specifically, NATO says:

“[I]f COs cause effects that, if caused by traditional physical means, would be regarded as a use of force under Article 2(4) of the UN Charter or an armed attack under jus ad bellum, then such COs could similarly be regarded as a use of force or armed attack.”

The seriousness of a cyberattack classified as an “armed attack” against a NATO member cannot be overstated. It is the apex of high stakes in the arena of global warfare.

Perhaps the situation is less alarming than it appears. Sun Tzu famously said that all warfare is based on deception. Are countries using increasingly combative language in hopes that it will act as a deterrent to those considering catastrophic cyberattacks? Is the multinational saber-rattling over cyberattacks merely a threat with no follow-through?

Are the right people at the helm?

Some positions in government are seen as so crucial that they require a lifetime of career experience to attain. Becoming a general in the military and being vested with the authority to oversee large-scale operations in theaters of war is one example. Another example are Supreme Court justices, who interpret the law of the land for over 320 million citizens. The gravity of these positions and the far-reaching impact of their decisions separate them from elected representatives, who serve under term limits. While rotating officials can carry out many functions of a representative democracy, there are some aspects of the state they cannot.

Military generals and Supreme Court justices have held a long tenure within their respective fields. They are lifelong experts who are often regarded as top performers within their professions. Their decisions are not subject to a democratic vote, nor answerable to the will of the people. Simply put, they are positioned as trusted leaders whose guidance represents the final say on matters of national importance.

Yet, there does not appear to be a similar measure of professional gravitas overseeing the short path from a major cyberattack to a military response. Elected officials, most without cybersecurity or warfare experience, set public expectations through their statements. They often rely on advice from the heads of relevant government agencies, many of whom are political appointees. Yet, the appointees in charge of these agencies regularly rotate out of their positions whenever new leadership from another party takes control. Unlike military generals or Supreme Court justices, they never accrue the lifelong experience needed to prepare for the heavy responsibility of life-or-death decision making.

National cyberattack analysis and response measures are ambiguously spread across various government agencies. It is unclear which agency would ultimately determine the origin of cyberattacks or formulate response actions. At the international level, world governments cannot agree on a unified policy for responding to cyberattacks. NATO has broadly defined cyber activities that affect national sovereignty as a use of force, but what that means is open to individual interpretation. There have been attempts by the private sector to address this issue as well. During RSA 2017, Microsoft called for a Digital Geneva Convention. This same idea is often discussed today, without much to show in the way of progress.

What if we do nothing?

If we continue upon our present course, it is almost certain that one nation will eventually use a cyberattack to justify using its military against another. After promising to do so for years, it would be difficult for a country to do otherwise. This unfortunate situation offers bad actors a golden opportunity to escalate tensions between nations. Threat actors regularly obfuscate their activities by using other adversaries’ tactics, techniques, and procedures (TTPs). Now, they can pose as state-backed actors hoping to stir up trouble between countries.

Deceptive cyberattacks could lead to false attribution and catastrophic consequences

Consider a hypothetical situation where one nation wants to start a conflict between two others. Suppose country “A” knows that country “B” will retaliate with force to a cyberattack, because they’ve promised to do so for many years. Country A decides to launch a highly destructive cyber campaign against country B, but makes the attack appear to come from country “C”. Country B has no formal processes requiring cyberattacks to be positively identified before reacting, and launches a military action against country C. Could this happen? There is nothing explicitly in place to prevent it.

Attribution of cyberattacks is a notoriously difficult task. The threat research papers from the world’s most sophisticated cybersecurity firms often avoid naming the origins of an attack altogether. The complex nature of major threat groups, such as Conti, hinders attribution efforts. Conti is widely reported as a Russian threat group, but its highly publicized problems following the invasion of Ukraine indicate it may not be state-backed. Does Conti operate from Russia due to its lenient cybercrime laws, or are they surreptitiously operating under the direction of the Russian government? Should a Conti attack be considered an attack from Russia?

Other sophisticated advanced persistent threat groups (APTs) openly advertise themselves as mercenaries. By hiring experienced threat groups to conduct cyberattacks on other countries, governments can maintain plausible deniability. All these factors make it possible for nations to blame a cyberattack on the wrong actor. How can a country be certain they were attacked by another, rather than adversaries using the TTPs of previous state-backed attacks? What prevents nations from simply running their shadowy cyber operations as private enterprises, to create the illusion of separation? In cyberspace, evidence is easily forged, attack paths are widely distributed, data is heavily encrypted, and culpability is often unclear.

Responding to cyberattacks: What can be done?

Those waiting for a global agreement, or a Digital Geneva Convention, may still be treading water when the next state-backed cyberattack makes headlines. Trying to implement solutions at a global level – when similar proposals have not succeeded at the national level – seems misguided. While there is no simple solution for addressing state-based cyberattacks worldwide, there are some steps that can improve the current situation.

Placing proverbial “guardrails” on government responses to cyberattacks could help avert any corresponding retaliations from spiraling out of control. It is important to balance a nation’s need for broad response capabilities with policies that prevent unnecessary escalation. One approach could be implementing requirements that insist on proportional responses. Perhaps something like: “We will not respond with military force unless a cyberattack directly results in the loss of human life”. This leaves countries a wide range of response options without immediately opening the Pandora’s box of global warfare.

Ultimately, Realpolitik dictates that nations will do whatever is necessary when their sovereignty is threatened. To this point, it matters little what treaties, policies, or legislation is in place should a truly catastrophic cyberattack occur. However, continually threatening military responses to serious cyberattacks inadvertently puts a country into a straitjacket, where they must respond with force to save face. Toning down bellicose rhetoric allows nations to keep their options open without explicitly revealing how severe their responses may be. As former US president Teddy Roosevelt famously advised, “Speak softly and carry a big stick; you will go far.”