In a strategic environment that has become more volatile, complex, and uncertain, the United States increasingly relies on cyberspace to advance its national interests. Simultaneously, our adversaries, particularly nation states, are afforded more opportunities to undermine our efforts through their own nefarious activities in the digital domain. While not every act in coming years will pose an imminent threat to U.S. national security, economic well-being, or social stability, some will. Because of this, strategists, government leaders, and scholars frequently disagree over whether the United States should establish thresholds (or “red lines”) for responding to such hostile acts. Red-line proponents assert that thresholds can decrease the ambiguity of U.S. policies, bolster deterrence, and facilitate swift, decisive action.
Establishing cyber red lines, however, is folly. Given the evolving threat, current strategies, and the challenges of attribution in this domain, the United States is better served by not delineating them. Maintaining ambiguity on when and how U.S. instruments of national power will be used after a cyber attack gives government leaders the flexibility to tailor responses much as they would to threats in the other global domains.
Sources of Invisible Threats
To properly frame the issue, it is necessary to understand the evolving digital threat environment and current U.S. strategies. Hazards to national security and economic prosperity in cyberspace are multiplying. As the world becomes more interconnected, diverse state and non-state actors will have greater access and operational maneuverability to conduct malicious activities.
Sources of non-state cyber threats include, but are not limited to, hackers, “hacktivists,” terrorists, and organized crime groups. Hackers are generally thrill-seekers who regard accessing secure computer networks as a challenge. They usually don’t possess the technical skills to cause widespread, longstanding damage to computer networks; however, given the increasing availability of advanced tools, it is plausible that a skilled hacker could significantly disrupt critical U.S. information systems. Such a possibility becomes even more real if a nation state seeking to avoid attribution gives hackers the tools to disrupt or destroy critical networks.
For example, in early 2011, the computer security company McAfee, Inc., revealed that a Chinese hacker in Heze City, Shandong province, likely operating with external assistance, stole financial documents related to oil-and-gas-field exploration and operational details on data acquisition systems from five undisclosed Western multinational companies. The operation, known as Night Dragon, underscores how hackers can target not only the defense industrial base, government, and military computers, but global corporate and commercial targets.1
By contrast, hacktivists use cyberspace to promote their political beliefs. While often focusing on propaganda, they can cause significant disruptions to computer networks, especially if technical or financial support is provided by external parties. For example, during the first 24 hours of the 2008 Russo-Georgian War, unidentified entities created a forum called StopGeorgia.ru, which contained target lists, links to advanced malware, and expert advice on attacking critical Georgian information systems.2 No evidence linked the Russian government or military to this forum; however, its timing and Russia’s purported advanced digital capabilities suggest there could at least have been an indirect tie.
With the proliferation of technologies, terrorist organizations such as al Qaeda also could cause catastrophic damage. According to Deputy Secretary of Defense William J. Lynn, “The greatest concern . . . is a terrorist group that gains the level of disruptive and destructive capability currently possessed by nation states.”3 For example, in 2010 a terrorism suspect with links to al Qaeda acknowledged that the latter had conducted offensive operations that included denial-of-service attacks against the Israeli prime minister’s computer server.4
Organized crime groups penetrate computer networks to steal money and trade secrets or financial information. There is evidence that Central European crime groups have defrauded U.S. citizens and businesses of approximately $1 billion and as much as $1 trillion on a global scale in the past year.5 More ominous, crime groups have also attempted to acquire sensitive U.S. defense-related information, which could then be sold on the black market to our adversaries.
Foreign Intelligence Networks
While nonstate actors may constitute the greatest threat, nation states have the necessary resources to acquire the most advanced technologies. Currently more than 100 foreign national intelligence organizations conduct operations, many of which target U.S. computer networks.6 These organizations likely employ proxies to hide the identity of the responsible state. The most sophisticated threats originate in Russia and China, which continue to make significant advancements in their capabilities.
In May, China’s defense minister announced the existence of an elite People’s Liberation Army cyber unit called the Blue Army.7 While this unit’s mission is “cyber defense,” conducting offensive operations is but a keystroke away. And last year, Russia’s director of the Institute of Information Security Issues at Moscow State University (also a member of Russia’s National Security Council) admitted the nation is developing offensive cyber capabilities.8
The extent of this activity leads to several key conclusions. First, nation states pose the greatest threat to U.S. computer networks. China and Russia, for instance, can conduct a full range of hostile actions, from web-page defacements and espionage to deploying malicious software that can disrupt or destroy computer networks operating critical U.S. information systems. Second, cyberspace affords anonymity, masking both perpetrator and motive. Third, relative ease of access and the proliferation of advanced information technologies allow almost anyone to cause significant damage to U.S. computer networks. Finally, the lines differentiating the sources of these threats—nation state, criminal organization, or terrorists—are becoming increasingly blurred, rendering the appropriate response highly problematic.
Evolving U.S. Policies
The United States recently released two national strategies for operating in the digital domain: the International Strategy for Cyberspace (ISC) and the Department of Defense Strategy for Operating in Cyberspace (DSOC). The ISC is a landmark policy document intended to “promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation.”9 While the document emphasizes diplomacy and development, defense plays a critical role, especially as it pertains to this domain. The ISC states:
When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible.10
DOD followed with the DSOC, which acknowledges that such hostile operations will be prominent in any future conflict involving state or non-state actors. It outlines five strategic initiatives:
• Treat cyberspace as an operational domain to organize, train, and equip so that DOD can take full advantage of its potential.
• Employ new defense operating concepts to protect DOD networks and systems.
• Partner with other U.S. government departments, agencies, and the private sector.
• Build sound relationships with U.S. allies and international partners to strengthen collective security.
• Leverage the nation’s ingenuity through an exceptional workforce and rapid technological innovation.11
While DOD’s strategy is defensive in nature, it states that U.S. military power will be used if necessary: “The Department will work with interagency and international partners to encourage responsible behavior and oppose those who would seek to disrupt networks and systems, dissuade and deter malicious actors, and reserve the right to defend these vital national assets as necessary and appropriate.”12
Both plans lead to several key observations. First, the ISC and DSOC are intentionally ambiguous. Neither defines a hostile act in cyberspace, nor is there language explicitly stating when, how, and to what extent the United States will respond to such acts. Second, both strategies acknowledge that there are no simple solutions to the challenges of the day. Finally, decisions will continue to be shaped by the dynamic interplay of a surfeit of political, economic, military, and social variables in the international environment, and because the world is more “gray” than black-and-white, responses to hostile acts in the digital domain will be determined as strategic responses are in conventional warfare.
The Case for Thresholds
Red-line advocates believe that creating thresholds will decrease the ambiguity of our policies, bolster deterrence, and facilitate a more timely response. Some pundits criticize the ISC and DSOC, arguing they take ambiguity too far. The DSOC in particular, they think, should outline response thresholds that if crossed, would result in diplomatic or military retaliation. Following the release of DOD’s strategy, Representative Jim Langevin (D-RI) acknowledged the DSOC represented a good start but said it was deficient in several key areas, including its fixation on defense and the identification of acceptable red lines.13
After the DSOC was published, now-retired Marine Corps General James Cartwright, the former vice chairman of the Joint Chiefs of Staff, remarked that the strategy was too defensive, stating “we are supposed to be offshore convincing people if they attack, it won’t be free . . . [and that] disabling computerized patient records at a hospital such that the patients cannot be treated would be a violation of the law of armed conflict [which could] then [trigger a] proportional response.”14 General Cartwright went on to emphasize the nation will need stronger deterrents. Although he did not say what the deterrents should be or what instruments of national power would be used, his words lend support to red-line advocates who demand greater specificity in U.S. policies, greater clarity on what constitutes a hostile act, and clear thresholds.
Why Ambiguity Is Good
Those arguing for establishing red lines fail to comprehend the complexity of the digital domain, in which adaptation and anonymity are the norm. The United States is better served in the long run by not establishing such thresholds, for four reasons. First, not doing so allows government leaders the latitude to tailor response options based on a hostile act, its physical and digital effects, and how it relates to the current state of affairs in the international system. As retired Air Force General Kevin Chilton remarked in 2009 as commander, U.S. Strategic Command, “I don’t think you take anything off the table when you provide [response] options to the president to decide. Why would we constrain ourselves on how we would respond [to hostile acts in cyberspace]?”15
Such an approach does not differ from the way the United States addresses hostile acts in other domains. If red lines are established, we will be compelled to respond to each threat that crosses the line, which is unrealistic, given that our computer networks are subjected to millions of probes, scans, and attacks on a daily basis. Even if red lines are narrowly focused (e.g., employing military force if a cyber attack results in the deaths of U.S. citizens), the first time the United States fails to respond accordingly, it will undermine the credibility and deterrence effect of our other capabilities.
A second reason in favor of ambiguity is that if our adversaries know our response to such acts, they will adjust accordingly. Because neither the national nor the defense strategy explicitly defines a hostile act in cyberspace or exactly how the United States will respond, this leaves it open to interpretation. As one military official remarked, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”16 In addition, hostile actors may perceive a green light for certain acts that do not cross a particular response threshold. While one such act below this threshold may not be harmful to U.S. interests, what if 100 million are? Again, maintaining ambiguity concerning when, how, and to what extent to respond gives the United States greater latitude.
Third, because cyberspace is a global domain that emphasizes open access, the free flow of information, and anonymity, it is extremely difficult to determine where the threat or attack originated. For example, U.S. military networks are probed more than six million times a day by assailants operating in one corner of the world using computer networks or servers in another corner. Most perpetrators are never identified, except for a computer Internet protocol address or a one-time user alias. Army General Keith Alexander, commander of U.S. Cyber Command and Director, National Security Agency, emphasized this challenge, saying, “Too often, the military discovers through forensics that network probes have been successful [and] as a consequence, response becomes policing up after the fact versus mitigating it real time.”17 If red lines demand a timely response and there is no one to pin responsibility on, then how can a response be implemented?
Finally, even if the source of the attacks is determined in a timely manner, automatic triggers for a response, particularly those that employ military force, could create negative second- and third-order effects that make a bad situation even worse. Given that nation states pose the greatest threat to U.S. networks, red lines that automatically result in a response could escalate an already volatile situation.
For example, in 2009 individuals in China and Russia penetrated computer networks operating parts of the U.S. electrical power grid.18 They reportedly inserted malware that could destroy infrastructure components. Although their identities or associations with the Russian and Chinese governments were not disclosed, it validates the point that response options must be tailored. If Russia or China, two nuclear powers, were responsible, a U.S. response would be markedly different than if they had they been conducted by a non-nuclear state. Clearly the diplomatic, information, and economic instruments of national power versus military force would receive more emphasis with China or Russia for what could be considered a hostile act in cyberspace.
Given the complex and indeterminate 21st century international system and the multitude of current threats, U.S. interests will be better served by not establishing clear thresholds. Ambiguity is a powerful tool to shape our adversaries’ actions in all domains and allows us the maneuverability to respond where, when, and how we choose. Red-line advocates must understand that thresholds only constrain our actions and could undermine credibility and the power to effectively deter our adversaries.
2. “Project Grey Goose Phase II Report: The Evolving State of Cyber Warfare,” GreyLogic, 20 March 2009, p. 7.
3. “Terrorist Groups Pose Most Dangerous Cyber Threat,” RSA 2011 Conference, 16 February 2011, http://www.infosecurity-us.com/view/16005/rsa-2011-terrorist-groups-pose-most-dangerous-cyber-threat/.
4. Alex Kingsburg, “Documents Reveal Al Qaeda Cyberattacks,” 14 April 2010, http://www.usnews.com/news/articles/2010/04/14/documents-reveal-al-qaeda-cyberattacks, p. 2.
5. “U.S. Strategy to Combat Transnational Organized Crime: Addressing Threats to U.S. National Security,” The White House, July 2011, p. 7.
6. Deputy Secretary of Defense William J. Lynn III, speech at U.S. Air Force–Tufts Institute for Foreign Policy Analysis Conference, 21 January 2010, p. 3.
7. Zhang Jiawei, “China Confirms Deployment of Online Army,” China Daily, 26 May 2011, http://www.chinadaily.com.cn/china/2011-05/26/content_12583698.htm.
8. Kathryn Stevens and Larry K. McKee Jr., International Cyberspace Strategies, “Improving the Future of Cyberspace . . . Issues, Ideas, Answers,” 28 June 2010, p. 8.
9. “International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World,” The White House, May 2011, p. 8.
10. Ibid. p. 14.
11. “Department of Defense Strategy for Operating in Cyberspace,” U.S. Department of Defense, July 2011, pp. 5–10.
12. Ibid. p. 10.
13. Ellen Nakashima, “U.S. Cyber Approach ‘Too Predictable’ for One Top General,” The Washington Post, 14 July 2011, http://www.washingtonpost.com/national/national-security/us-cyber-approach-too-predictable-for-one-top-general/2011/07/14/gIQAYJC6EI_story.html.
15. Robert Lemos, “Cyber Attack Could Bring U.S. Military Response—No Options Removed from Table,” 13 May 2009, http://www.theregister.co.uk/2009/05/13/us_cyber_attack_response/.
16. Chris Carroll, “DOD: Cyberattack on U.S. Could Warrant Deadly Response,” Stars and Stripes, 31 May 2011, http://www.stripes.com/news/dod-cyberattack-on-u-s-could-warrant-deadly-response-1.145183.
17. William Mathews, “CyberCom: U.S. Lacks Online Situational Awareness,” Defense News, 3 June 2010, http://www.defensenews.com/story.php?i=4655216.
18. Siobahn Gorman, “Electricity Grid in U.S. Penetrated by Spies, The Wall Street Journal, 8 April 2009, http://online.wsj.com/article/SB123914805204099085.html.