Whether the United States will face an asymmetric, hybrid, or symmetric conflict in the coming years, cyber will assuredly take a place at the forefront of tactics used by opponents. As has already been seen in everything from headlines following the Office of Personnel Management (OPM) breach to the Air-Sea Battle (ASB) Concept Document of the Department of Defense, attacks stemming from the cyberspace can threaten a range of critical U.S. systems including national economic levers, military infrastructure, and the privacy that protects everyday citizens.
A complicating factor of cybersecurity for civilian and military leaders alike is the veritable blank slate that exists when developing policies and strategy. For those considering the plunge into cyber strategy and its real-life military consequences, one concept that must be at the forefront of their minds is that of escalation. Whereas escalation in conventional operations may follow a clear, logical set of steps, cyber operations have yet to meet this same standard.
For one, cyber operations can act as an antecedent to or a part of kinetic operations. As stated in the White House’s International Strategy for Cyberspace and supported by the Department of Defense’s Law of War Manual, “There is no legal requirement that the response in self-defense to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality.” While this is not an unreasonable policy as evidenced through the physical damage that can be caused through cyber attacks, it does create the potential for a norm that is far more aggressive and escalatory than any corollary existing in other realms of war.
Compounding this fluidity is the lack of a coherent incentive-disincentive policy for cyber operations. Due to the complexity of cyber and its untested place in a larger theater of war, offensive forces are currently given a greater amount of leeway to probe the boundaries of what is and is not acceptable to defensive nations. These probes exist with low levels of risk to the offensive nation, and will likely hold in times of relative peace, despite the fact that information gleaned from probes could be used in future conflicts. The United States might have a clear policy for conventional espionage, but the physical distance and almost universal ignorance about the intricacies of cyber on the policymaking stage render these antiquated laws moot.
Lastly, the concept of targeting is difficult in what is an inherently networked space. One does not have to look far to see unforeseen consequences stemming from “silver bullet” tactics that are often accompanied by incomplete knowledge or the lack of a “better option.” One of the most prevalent and particularly relevant corollary policies is that of economic sanctions. Just as the average Russian citizen has paid a price for a strangled economy following the invasion of Ukraine, so too will citizens in a regime facing large-scale offensive cyber operations. Depending on the particular circumstances surrounding a cyber campaign, those on the defensive might face an environment more similar to that of total war than scalpel-like cyber operations often referenced by leaders.
As hopefully evidenced by these points, it is not so difficult to see the so far limited actions occurring in the cyber realm becoming a key part of a larger conventional war. The underlying fluidity of escalatory actions and the lack of total comprehension at the hands of leaders are driving components of instability in any conflict. When considering the fact that some of the most likely culprits of cyber attacks facing the United States are otherwise peaceful, but competitive actors on the world stage, escalation, intended or otherwise, could mean global conflict.
Government and military attempts to codify the role and responses to cyber thus far have not fully recognized its legitimacy as an extant tactic of warfare. When these realities begin to be digested, the delineation of cyber and kinetic operations, the establishment of coherent incentive incentives and disincentives, and the realistic bounds of targeting must be considered.
Adin Dobkin is an Adjunct Fellow at the American Security Project specializing in national security and military affairs. In addition to serving in the legislative branch, he is the Communications Director for the Military Writers Guild — a coalition of military officers, civilian analysts, and authors dedicated towards the field of arms through the written word. The opinions expressed in this article are his alone. Adin can be found on Twitter at @AdinDobkin