Stop Huffing About Cyber Retaliation

Horkos
4 min read · Jul 13, 2021
None of us like you when you’re up there.

I should’ve been asleep when I saw this tweet and accompanying Lawfare article:

The issues with unfulfilled threats of cyber retaliation are not primarily about international law, the comparative vulnerability between the United States and those it would inflict costs upon, or conflict escalation — all of which that article posits. Sure, those elements do matter. But there’s a more fundamental variable at play and that is an underlying misunderstanding of the dynamics governing cyber contests between states.

The fact of the matter is that the majority of discourse surrounding state-nexus cyber operations is conducted through the lens of use of force — which, as it turns out, is actually the least common manifestation of state-spectrum cyber activity. Take the list of known incidents of malicious cyber activity conducted by state-nexus actors that have produced impacts sufficient to pass the “use of force” effects test (such as Ukraine 2015/2016, Shamoon, Olympic Destroyer, etc.) and stack them up against all the cyber activity that amounted to either espionage or information operations (such as the SolarWinds campaign, the hack-and-leak operation against the DNC, the many network intrusion campaigns of China’s Ministry of State Security, etc.). There is just no comparison: the latter dwarfs the former by orders of magnitude. More often than not — and especially until recently, when the Colonial Pipeline incident made ransomware a national issue — the cyber activity that people expect the US government to respond to with bellicosity boils down to traditional intelligence activities (including covert action) that just happen to be carried out via cyber means.

As a result, this misapplied “use of force” lens has totally skewed the general public’s and even policymakers’ expectations about how dynamics work in cyber contests between states, with everyone taking their cue from warfare rather than an intelligence contest. Imagine how silly it would’ve been if the US government’s counterintelligence strategy had been to meet every Soviet active measure or HUMINT penetration during the Cold War with some kind of tough talk about retaliation. It would’ve been farcical, which is where things are with cyber now.

Whenever a major cyber incident with even the slightest nation-state angle occurs, both the media and the Beltway demand blood for the Blood God — i.e., proclamations about some kind of deterrence-via-punishment capacity and the willingness to use it to “impose costs” — as proof that whoever is in power is taking national security seriously. The problem is that, until extremely recently with regard to ransomware incidents (albeit, ironically, ones that have not demonstrated any evidence of being state-directed), these retaliation proclamations were demanded and made in response to what amounts to the traditional intelligence activities of the 21st century.

Here is why all the US government’s “braggadocio” has amounted to diddly-squat in the minds of the general public and specialist commentators alike: no matter how much you want to be reassured by the idea, the US government is not likely to replace counterintelligence with warfare. If you’re disappointed by the lack of visible US follow-up on threats of cyber retaliation, open your eyes: historically, you’ve been asking for the misapplication of traditional connotations of deterrence (i.e., those grounded in warfare) to what amounts to a predominantly counterintelligence problem. The answer to counterintelligence threats is that you can shape them but not deter them; effects-oriented counterintelligence is also rarely conducted in public.

Ransomware is admittedly a different issue, as it could be deemed to pass the “use of force” effects test and is predominantly a weapon of cyber-criminals rather than states. So in that regard, threats of retaliation for the Colonial Pipeline incident or the Kaseya incident should be viewed differently than — rather than conflated with — those for the SolarWinds campaign. In both cases, threats of retaliation have political value; however, the former represents a developing space where direct application of cyber offense is likely to have some meaningful impact, while the latter is just a new face of an old counterintelligence problem. Even with regard to ransomware, direct offensive cyber operations against non-state actors amount to degradation rather than neutralization, and are at best a necessary holding action to buy time for policymakers and private industry alike to effect the long-term changes required to truly enhance digital security writ large. So even against criminal ransomware actors, retaliation still is not a silver bullet — although it can hurt.

If you still insist on demanding that the US government cyber saber-rattle in the direction of a foreign capital, why not pay a little more attention to the fact that Iran has apparently gotten into the disruptive ransomware game? At least two vendors and one mystery party have taken note, but the pundits don’t seem to have gotten the memo yet. One wonders why.

Postscript: My wife, who has an eye for understanding human nature, offered this astute observation on a key psychological dynamic at play when someone is suddenly exposed to the bleak — albeit banal — reality of how pervasive intelligence contests actually are:


The net’s own counterintelligence referent, maybe. Views here are personal, not my employer’s. All original content © Alex Orleans, 2014–2023.