ARGUMENT: Cyber red linesEmpty Threats and Warnings on Cyber

On 9 July, President Biden warned Russian President Vladimir Putin that the United States will take “any necessary action,” including imposing unspecified “consequences,” if Russia does not disrupt ransomware attacks from its soil. Jack Goldsmith write in Lawfare that the problem with this warning is that the United States has been publicly pledging to impose “consequences” on Russia for the latter’s cyber actions for at least five years—usually, as was the case here, following a hand-wringing government deliberation in the face of a devastating cyber incident. This talk has persisted even as adverse cyber operations have grown more frequent and damaging. It is ineffective and, in the aggregate, self-defeating.

Biden’s warning on 9 July is the latest in a series of verbal threats against Russia by the Biden team since the 2020 election – and similar threats were regularly issues by the Trump and Obama administrations.

Goldsmith writes:

What is the point of this talk? How many times does the United States need to send the message? What is the message sent by sending so many messages?

Any such message should have been sent only once. The reason to send it would be to establish red lines that, if crossed, would be met by a response more painful than the gains of the action. But this is clearly not what has been happening. The persistent braggadocio about how powerful our capabilities are and how we will use these weapons if Russia does something bad is met, time and time again, with another Russian operation, and then more warnings and threats. 

Yes, writes Goldsmith, the United States is also imposing retaliatory pain on Russia in “secret,” as we sometimes learn after the fact. But the combination of puffed-up threats, news reporting on government uncertainty about how to respond to cyber operations from Russia, a covert retaliatory operation, and then the next revelation about an unexpected and very damaging cyber operation sends a clear message of extraordinary weakness.

Amazingly, the United States is in exactly the place it was five years ago when the Russians interfered in the 2016 election. It still has not figured out how to impose costs on the Russians that outweigh the Russians’ perceived benefits from these cyber operations. Whatever combination of public and secret sanctions it has been imposing clearly is not doing the trick. The repeated warnings over a period that has been marked by damaging cyber operations only emphasize that reality.

Goldsmith writes that the United States could do much more – but such action would run into two difficulties:  

·  One, the less serious hurdle, is international law, which limits U.S. options, at least those involving forcible measures, in the face of the Russian operations below the threshold of uses of force or armed attacks.

·  Second, the more serious hurdle, is the escalation threat.

David Sanger and Nicole Perlroth reported a few days ago that “[i]n recent days, however, a growing number of experts have argued that the United States is now facing such a barrage of attacks that it needs to strike back more forcefully, even if it cannot control the response.”

Goldsmith concludes:

Even if Biden responds to the latest ransomware operations, and he surely will, it is hard to see how he can impose pain enough to slow the operations while at the same time avoiding a serious risk of on-balance harmful escalation.

And so the United States remains stuck in response to these ever-more-menacing cyber operations. It cannot defend its networks from increased attacks. And it cannot credibly threaten greater consequences for the attacker, thereby deterring the attacker. The government has worked very hard on both of these approaches. And it has clearly failed. But it sure is talking a good game.