Cyber operationsQuestioning the effectiveness of offensive cyber operations
Great-power competition in the twenty-first century increasingly involves the use of cyber operations between rival states. But do cyber operations achieve their stated objectives? What are the escalation risks? Under what conditions could increasingly frequent and sophisticated cyber operations result in inadvertent escalation and the use of military force? The answers to these questions should inform U.S. cybersecurity policy and strategy.
Great-power competition in the twenty-first century increasingly involves the use of cyber operations between rival states. But do cyber operations achieve their stated objectives? What are the escalation risks? Under what conditions could increasingly frequent and sophisticated cyber operations result in inadvertent escalation and the use of military force? The answers to these questions should inform U.S. cybersecurity policy and strategy.
In a new Cato Institute report, Brandon Valeriano and Benjamin Jensen write that in the context of recent shifts in cybersecurity policy in the United States, their paper examines the character of cyber conflict through time.
Data on cyber actions from 2000 to 2016 demonstrate evidence of a restrained domain with few aggressive attacks which seek a dramatic, decisive impact. During that period, attacks did not beget attacks, nor did they deter them. But, they ask, if few operations were effective in compelling the enemy and fewer still led to responses in the domain, why would a policy of offensive operations to deter rival states be useful in cyberspace?
The authors demonstrate that, while cyber operations to date have not been escalatory or particularly effective in achieving decisive outcomes, recent policy changes and strategy pronouncements by the Trump administration increase the risk of escalation, while doing nothing to make cyber operations more effective. “These changes revolve around a dangerous myth,” they write: “offense is an effective and easy way to stop rival states from hacking America. New policies for authorizing preemptive offensive cyber strategies risk crossing a threshold and changing the rules of the game.”
Cyberspace to date has been a domain of political warfare and coercive diplomacy. Valeriano and Jensen argue that an offensively postured cyber policy is dangerous, counterproductive, and undermines norms in cyberspace. Many have promoted the idea of a coming “Cyber Pearl Harbor,” but instead the domain is littered with covert operations meant to manage escalation and deter future attacks. “Cyber strategy and policy must start from an accurate understanding of the domain, not imagined realities,” they write.
They urge senior leaders throughout the U.S. federal government to consider a more prudent and restrained approach to cyber operations. “We argue for a defensive posture consisting of limited cyber operations aimed at restraining rivals and avoiding escalation. At the same time, the United States should focus on protective measures to make U.S. systems less vulnerable and on sharing intelligence with allies and partners. A policy of restraint that maintains control over the weapons of cyber war is strategically wise.”
— Read more in Brandon Valeriano and Benjamin Jensen, The Myth of the Cyber Offense: The Case for Restraint, Policy Analysis No. 862 (Cato, January 2019)
