When states strike back—national responses to cyber incidents
25 Aug 2015

As states become less inhibited about utilising cyber as a component of state power, policymakers will be increasingly challenged to develop proportionate responses to disruptive or destructive attacks. Already, there’s been significant pressure to ‘do something’ in light of the allegedly state-sponsored attacks on Sony Pictures Entertainment, the Sands Casino in Las Vegas and Saudi Aramco. But finding a timely, proportionate, legal and discriminatory response is complicated by the difficulty in assessing the damage to national interests and the frequent use of proxies. Perpetrators have plausible deniability, frustrating efforts to assign responsibility. Past experience suggests that most policy responses have been ad hoc.

In determining the appropriate response to a state-sponsored cyber incident, policymakers will need to consider three variables: the intelligence community’s confidence in its attribution of responsibility, the impact of the incident and the levers of national power at a state’s disposal. While these variables will help guide responses to a disruptive or destructive cyberattack, policymakers will also need to take two steps before an incident occurs. First, they will need to work with the private sector to determine the effect of an incident on their operations. Second, governments need to develop a menu of pre-planned response options and assess the potential impact of any response on political, economic, intelligence and military interests.

Even as the number of highly disruptive and destructive cyberattacks grows, governments remain unprepared to respond adequately. In other national security areas, policy responses to state-sponsored activity are well established. For example, a country can expel diplomats in response to a spying scandal, issue a demarche if a country considers its sovereignty to have been violated, and use force in response to an armed attack. Clear and established policy responses such as these don’t yet exist for cyberattacks for two reasons. First, assessing the damage caused by a cyber incident is difficult. It can take weeks, if not months, for computer forensics experts to accurately and conclusively ascertain the extent of the damage done to an organisation’s computer networks. For example, it took roughly two weeks for Saudi authorities to understand the extent of the damage of the Shamoon incident, which erased data on 30,000 of Saudi Aramco’s computers. Although this may be quick by computer forensics standards, a military can conduct a damage assessment from a non-cyber incident in as little as a few hours.

Second, attributing cyber incidents to their sponsor remains a significant challenge. Masking the true origins of a cyber incident is easy—states often use proxies or compromised computers in other jurisdictions to hide their tracks. For example, a group calling itself the Cyber Caliphate claimed responsibility for taking French television station TV5 Monde off the air with a cyberattack in April 2015, and used the television station’s social media accounts to post content in support of the self-proclaimed Islamic State. Two months later French media reported that Russian state-sponsored actors, not pro–Islamic State groups, were likely behind the incident. Even when attribution is possible, it isn’t guaranteed that domestic or foreign audiences will believe the claim unless officials reveal potentially classified methods used to determine the identity of the perpetrator, damaging intelligence assets in the process. Under pressure, responses are likely to be made quickly with incomplete evidence and to attract a high degree of public skepticism. This creates clear risks for policymakers. Quick damage assessments could lead to an overestimation of the impact of an incident, causing a state to respond disproportionately. Misattributing an incident could cause a response to be directed at the wrong target, creating a diplomatic crisis.

Policymakers should consider three variables before developing a response. First, they should understand the level of confidence that their intelligence agencies have in attributing the incident. Although there have been great strides in the ability of intelligence agencies to attribute malicious activity, digital forensics aren’t perfect. The degree of attributional certainty will have a direct impact on the action taken. For example, if the level of attribution is low, policymakers will be limited in their choice of response even if the severity of the attack is high. They may choose a less valuable retaliatory target to limit the odds of escalation and international criticism. There may also be instances where there’s so little evidence for the source of the attack that the victim may choose not to respond.

Second, policymakers should assess the cyber incident’s effects on physical infrastructure, society, the economy and national interests. Questions include: What physical damage was caused through the affected systems, and was there any impact on critical infrastructure? What types of essential services are affected? Has the incident caused a significant loss of confidence in the economy? What was the incident’s impact on national security and the country’s reputation?

Third, policymakers should consider the range of diplomatic, economic and military responses at their disposal, from a quiet diplomatic rebuke to a military strike. Responses need not be limited to cyberspace—nothing bars a state from using other channels, though each carries its own risks.

Cyber responses can be taken in addition to diplomatic, economic and military activity. However, they would most often be delivered covertly and could be difficult to develop quickly unless a government had prepared capability against a specific target, likely involving prior cyber espionage, an unparalleled understanding of a target’s vulnerabilities and a custom exploit kit at its disposal. As an example, Stuxnet reportedly took years to develop and deploy. An overt cyber response can be unappealing as states may lose the ability to launch similar responses against other targets. Although states may outsource their responses to a proxy, doing so could limit their control over the response and lead to escalatory activity. Therefore, policymakers are likely to concentrate on other levers of power, alongside whatever they may do covertly.

Given the pressure governments will feel to respond to significant cyberattacks, policymakers need to develop a response framework before a disruptive or destructive cyber incident occurs. Although each response will be case specific, a framework will enable policymakers to quickly consider their options. I suggest such a framework for response in a publication released today with the Council on Foreign Relations.