At the time, though, the White House did not outline any details on the nature of the weapons to be used, or even how significant the new offensive cyber operations would be for the federal government. But the message was clear: the United States would no longer have its hands tied in the cyber realm, as they were under the Obama Administration, which was often criticized for slow and timid responses to evidence of cyber hacking.
What’s worrisome, however, is that the U.S. specifically pointed to two of the world’s most powerful state actors – Russia and China – as its primary adversaries in cyberspace, and not a rogue nation like Iran or North Korea. In other words, the threat of a terrorist organization carrying out a cyber attack on the U.S. homeland now appears to be much less than that of a major nation-state carrying out a coordinated attack against the U.S. infrastructure. What would happen, for example, if China decided to launch a cyber attack on the U.S. in the aftermath of a nasty trade war?
With the easing of the rules of engagement in cyberspace, the U.S. military would largely be free to engage in any action that falls below the important threshold known as the “use of force.” In other words, as long as the U.S. military or cyber defense team decided that a threat was imminent against the U.S, grid (or any network deemed to be critical), it could launch a cyber attack that did not result in death, destruction, or extreme financial damage.
Potential for escalation
Now that other nations realize that the U.S. and Europe are changing their stance from defense to offense, will they follow suit? Presumably, both Russia and China will follow soon with public statements of their own. And with regard to other state and non-state actors, the risk is that they will develop asymmetric non-cyber weapons of their own that will provide a deterrent. One current fear in the U.S., for example, is that rogue nations will threaten EMP attacks against the national power grid in order to instill fear within civil society.
The real risk of escalation is something that military planning experts refer to as “cross-domain escalation.” What this means in practical terms is that a cyber war suddenly morphs into a kinetic conflict and even cyber attacks under a minimum threshold level might escalate quickly. Since cyber weapons are generally non-lethal, they might require the use of additional “kinetic force” to make a real statement to the adversary.
In other words, the threat of a strategic bomber flying overhead makes much more of a deterrent than the threat of offensive cyber operations. If your nation knocks out my nation’s power grid with a cyber weapon, am I limited to responding in kind (with my own offensive cyber operations), or can I act unilaterally with a strategic bombing strike in retaliation? Given the difficulty of attribution when it comes to cyber attacks, it’s far too conceivable that a so-called “false flag” event might provoke one nation to attack another nation by mistake.
Going forward, the world will very much be in uncharted territory. Without the right civilian oversight of military operations, we could soon be headed for a world in which cyber attacks are the new normal, and the rush to develop offensive cyber operations as a deterrent leads to a cyber arms race just like the old nuclear arms race that once threatened to engulf the world in a mushroom cloud.