AIUI, there is this general understanding that a cyberattack is a cyberattack and a kinetic attack (i.e., bombing) is a kinetic attack, and you don’t respond to a cyberattack with kinetic means. This is why, for instance, Russia and China have carried out decades of cyberattacks on the United States and yet the U.S. has never responded by sending B-2s to hammer Moscow or Beijing.
But at what point does a cyberattack cross the threshold and become an ‘actual’ act of war? Does it have to kill an actual person first (i.e., suppose a Russian hack caused an American hospital to lose power and kill patients on ventilators?)
Whenever the estimated cost of a war would be less than the cost of inaction. Great Powers tend to operate on Realpolitik and disregard ideology, religion or honor.
So cyber attacks might insult our honor and piss us off, but they don’t actually constitute a loss or risk of loss to justify the guaranteed and quite massive loss certain to be induced by attacking a nuclear power. Or even fighting a limited war. Or any war - the economy generally doesn’t react well to it, and it’s being held together by bubblegum and shoestrings.
I tend to put cyber-warfare in the same category as spying and disinformation. Even when a spy kills someone it’s not an automatic act of war, there’s a measured and proportionate response (that might include something like killing a spy).
Whenever it crosses the line into assassination or highly damaging sabotage, I’d expect a military response. There’s obviously an enormous gray area. Say someone damaged the control systems at an aging water-treatment plant causing a few people to catch a waterborne illness, and a medically vulnerable person died. I feel confident blaming it on enemy action, but is the causative link clear enough to retaliate, or is it too confounded by the other factors?
Or let’s say a cyberattack disabled a US ballistic missile radar system. If that were due to a physical strike such as a bomb, NORAD would be on a hair trigger to launch nukes. But what if it was a cyberattack that just disabled it for 10 minutes or so? That’s still a big deal. You could even call it a crisis. But is it big enough to start WW3 over?
The short answer is I don’t know but I think about it often.
This is probably one area that’s less doctrinally ambiguous than the rest. Generally, an attack on strategic deterrence capabilities would be viewed as cause for a strategic (WMD) response. “Launch on warning” was probably the first manifestation of this: if a nuclear armed adversary attacks us, odds are good they’re attacking our ability to respond first – a counterforce opening attack. We would launch immediately on the general principle of “use it or lose it”, meaning adversaries know a counterforce opener is still the start of World War III.
If there’s a widespread counterforce cyber attack (that neutralizes part of command/control/communications) that can be attributed to an enemy as clearly as launch tracks from their missile fields, I would venture the National Command Authority might feel like a use-it-or-lose-it situation. The difference being that our weapons aren’t destroyed in their silos, just disabled, but how long they’re disabled and whether the cyber attack fits into an ongoing strategic escalation may justify a WMD response.
Maybe. I got out of the strategic warfighting business long before this “cyber warfare” business, and I was never more than a software weenie who only got to see grand strategy as database records.
So, everything you said is true. But that chain of events is based on an assumption of a decisive loss of function.
What if they only took BMEWS down for 10 minutes, didn’t tell anyone, and took responsibility for it 2 weeks later? Still a WMD response? I can only go by intuition but I would guess ‘no’.
North Korea, China & Russia can do a lot of damage in a war. However if Syria does hacking, the US would be more likely to use military force to respond to it.
I’m working on a dissertation on this topic. Let me get back to you in about two years.
The US (and I imagine other countries) has put out statements saying we reserve the right to respond to cyber attacks with kinetic attacks, but no one really knows what the threshold is. There has been some research in this area, and some proposed guidance like the Tallinn Manual, but we still haven’t settled on the “rules” yet.
Interesting, I look forward to your input on this topic. I wonder if the lack of defined policy is itself a policy. Basically madman 101. Strategically, you probably wouldn’t want to tell your adversaries exactly how far they can hit you before you hit back.
A tough question. But, as the always excellent Yes, (Prime) Minister pointed out in its Salami Tactics episode (when to go nuclear), it always was a tough question.
I’m working my way through all the theories on deterrence. It’s surprisingly complex (to me at least). I’m a cyber guy, not a polisci guy, so I have a lot of catching up to do on the international relations side of things.
As a cyber guy I know that it’s damn near impossible to stop a cyber attack from a determined adversary. So I’m starting to lean toward the unfortunate conclusion that the doctrine of assured destruction may be the best deterrence for cyber attacks. It works, albeit in a terrifying way, in the nuclear arena. You can’t stop a nuclear attack, so you make sure your adversaries know you’ll destroy them in return if they start it. Similarly, since you can’t stop a cyber attack, you may have to resort to threatening kinetic retaliation against anyone who tries it.
My WAG is it is the point where a subsequent series of cyber retaliations would not be as damaging as the original cyber attack. Generally if one is attacked the “appropriate response” is to retaliate in such a way that is, at least, equally destructive. If the US is attacked, they don’t have to do “one and done” retaliatory attacks. They can do as many as it takes for the other country to regret their decision.
If, say, Iran wants to retaliate against a country for hacking its nuclear materials production, they can do that through proxy physical attacks against allies of the originating attacker. It doesn’t even have to be direct. It’s costly in itself to have to move a bunch of assets around to protect an ally.
Justified by who? I suppose a government would consider it ‘justified’ when (after being attacked) they cannot launch an appropriate cyber-warfare response on the attacker.
I was under the impression that the vagueness of the threshold was on purpose, to discourage attackers from going up to the threshold but not crossing it.
Of course, I don’t know much about the topic, but I find it rather interesting.
I have to cop to my relative ignorance here. From my reading so far I gather that there are different theories on whether you want to be very clear on what will trigger a response or maintain ambiguity. I’m still mostly working the cyber side of the question. What are the likely attacks an adversarial state would use, what would be the expected impact, etc. I hope to do my research on the factors that impact whether the American populace would support a kinetic response to a cyber attack.
I think if Iran had attacked US nuclear weapons related factories the same way the US (probably) attacked Iran’s nuclear fuel processing plants with Stuxnet there would probably have been a military response.
For China and Russia the bar is much higher because of the tiny detail of 1000s of nuclear weapons pointed at the US. I mean if there was something really serious like the water plant being hacked and tons of people dying there’d kind of have to be a response. I don’t know if it would be possible to tell Russia “Look we need to respond to this, we are going to blow up some peripheral bit of your military infrastructure, nothing critical or close to home, just suck it up and don’t hack us again. No one wants nuclear war.” I certainly wouldn’t want to find out.
From what I gather, there’s basically a constant cyberwar going on at all times, and the US is in the thick of it, both defensively AND offensively. But it’s mostly information gathering, disinformation, etc… basically spy stuff.
I think at the point that it becomes directed outside of that “endemic” cyberwarfare background, and goes into destroying things like critical safety systems, major telecommunications carriers or major financial institutions, then the door starts swinging open for more conventional warfare responses. I mean, some foreign country manages to f-up the water for Manhattan by some sort of cyber attack? Unless you’re a nuclear armed country, you’re probably getting a visit from the USAF or USN in the near future.
Weapons of mass destruction are what make this so weird; nobody really wants to find out that Russia or China would indeed nuke the mainland US over some relatively trivial act of war. And Russia and China know this- why else would they be SO assholishly belligerent to the US and other countries?