The potential for a U.S.-Russia cyberwar made headlines this week when officials divulged military cyber operations against Russia’s power grid. This revelation shows that U.S. cyber strategy regarding Russia has shifted from defense (placing probes on control systems) to offense (inserting malware inside the systems themselves). General Paul M. Nakasone evokes traditional deterrence strategy in describing the need to “defend forward.” But as the Kremlin’s rapid response shows, the line between deterrence and escalation is thin. Due to the complexity and novelty of cyber, the U.S. should move towards predictability and clarification of expectations.
No Precedent for Cyber Escalation
There is currently no system of cyber escalation to match traditional forms of military escalation. The 2018 U.S. National Cyber Strategy states that it aims to “deter malicious cyber actors and prevent further escalation,” but the conventional military strategy offers little guidance here. In conventional warfare, tit-for-tat escalation allows a state to demonstrate the extent of its resolve, and gives its adversary the chance to consider whether further action is worth the expected harm. Escalation takes clear, physical forms: equipment or troop movement, as in Poland earlier this week, and measures such as missile strikes or bombings.
The predictability of conventional escalation makes a cost-benefit analysis relatively easy. In a cyberwar, escalatory patterns are in uncharted territory. An attempt to signal resolve in order to deter further aggression may catalyze unknown long-term reactions.
Economic & Physical Damage
The targeting of the Russian power grid is a response to interference in the 2016 election, and a warning against further attempts. National Security Advisor John Bolton declared that it is intended to signal to adversaries that “it’s not worth your while to use cyber against us.” The issue here is that this offensive posture threatens inflicting economic and physical damage in response to damage done to American sovereignty, which is not easily measurable. This is dangerous because the benefit of a cyber escalation or attack must be balanced against the predicted cost of an adversary’s response. The actual form of a cyberwar is still unknown, so both sides are unable to consider long-term reactions that may result in consequences too great to bear.
America’s ability to wreak havoc on the Russian power grid, if utilized, may result in both economic and physical harm to the people of that country. This use of cyber weapons to undermine adversaries’ critical infrastructure is becoming more common. In 2010, the U.S. and Israel deployed the Stuxnet worm, destroying one fifth of Iran’s nuclear centrifuges. In 2015, Russian hackers hit Ukrainian energy companies with malware, cutting off power to 80,000 customers. It is important to consider that these historical precedents demonstrate how cyber operations can have real-world effects, but in neither case did these attacks see an equivalent retaliatory response.
What Costs Are We Willing to Inflict (and Bear)?
American society has accepted cyber risk as a part of everyday life. According to the Pew Research Center, 64% of Americans have personally experienced a major data breach. The ubiquity of hacks means that nearly every type of company—ranging from Equifax to Target —is impacted. Furthermore, the analysis of cyberattacks’ economic cost is clear: the White House Council of Economic Advisors estimates that in 2016 the nation lost between $57 and $109 billion from hacks and data breaches. Clearly, society and businesses have internalized cyber risk. It remains to be seen whether a similar acknowledgement has occurred on the state level.
The costs of targeting the Russian power grid would be shouldered largely by the civilian population and businesses. Moreover, the burden would fall disproportionately on the most vulnerable—those too poor to afford back-up sources of power and those reliant on hospital facilities. The reality of the civilian cost of a cyberattack has not yet been driven home. Without this knowledge, the U.S. cannot achieve clarity about the extent of damage it is willing to inflict in a future cyberwar.
Since a clearly stated cyber escalation system does not yet exist, the scope of actions and reactions between the U.S. and Russia in a potential cyberwar remains unpredictable.
The potent combination of uncertain costs and lack of strategic precedent means that use of cyber capabilities as deterrent mechanisms will accelerate tensions. A Russian countermove is inevitable, if it hasn’t already occurred. Escalation without being able to predict a retaliatory response will continue until a dramatic demonstration of some kind definitively communicates the bounds of either country’s tolerance for cyber-induced damage.