If you pull a knife on a gunslinger, don’t be surprised if you get shot. This is one of the messages of the President’s new International Cyber Strategy.  Some media outlets have taken to extreme headlines, such as “Obama Reserves Right to Nuke Hackers,” or “Hack us and we’ll bomb you.” These headlines, though perhaps intended just as hyperbole, highlight the routine misunderstandings when applying national security concepts to the technical domain of cyberspace. What the Strategy actually says is this:

When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners.

We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible.

This is an old-fashioned declaratory policy, a way to “suggest the circumstances under which the United States will consider specific retaliatory options” signaling “U.S. perceptions of the gravity of specific acts,” according to RAND.   The U.S. national security strategy has been casting about for a way to deter devastating cyber attacks for years, and this is the strongest statement yet.

The declaratory policy (and indeed the whole International Cyber Strategy) should be seen as an extension of America’s broader national security policy, which has long preserved the option of asymmetrical response as a means of deterrence.

The Administration’s new declaratory policy is a direct attempt to so change an adversary’s calculus. If a nation wants to some plausibly deniable attack against the U.S. (such as sponsoring non-state actors or launching an attack from or through other countries) they must understand the consequences if they are caught – or even strongly suspected.    Just because an adversary only brings a knife to the showdown, they are on warning the U.S. won’t feel constrained to leave the six-guns in their holsters.

This ups the stakes for cyber attacks and making it clearer to any attackers that if the U.S. or its allies suffer a significant attack, they can expect proportional retaliation in any form that suits – a statement fully in compliance with international law. If the United States, or any other nation, were attacked on the seas, the President would not be limited to solely attacking using our own Navy. An attacked nation is free, bounded by proportionality and related legal norms, to choose from a variety of responses in the land, air, sea, or, cyberspace.   

Responding to Cyber Conflict: The hyperbolic headlines also imply that the U.S. would resort to bombing or “nukes” over mere annoyances, that at some point too many web pages will have been defaced so let’s unleash SEAL Team 6. This hyperbole is meant to attract attention, certainly, but also stems from too few commentators understanding national-security decision making. There is a government process – long-standing but of course not perfect – to ensure the U.S. only brings its guns to a gunfight or knife fight, not a schoolyard shoving match. Decisions about the use force are made within the National Security Council interagency process and overseen by its staff. Choices to respond to major cyber attacks will be made by the President, supported by the Principals Committee of the NSC, likely after reviewing options developed in an interagency policy committee and already chewed over by a Deputies Committee.  

The Principals on the NSC are senior decision makers used to making difficult choices with deadly consequences and based on less-than-perfect information. If the President and his NSC can decide to strike across international boundaries on a “50-50” chance to kill Bin Laden, then they likely can handle the ambiguities of cyber response more ably than many commentators anticipate.

Also often overlooked are the non-military tools, the DIME (diplomatic, informational, military, and economic) options such as sanctions or public pressure, available for response. The National Security Council would likely reach first for these options to respond to many kinds of cyber conflict, such as a repeat of the 2007 attacks against Estonia. Indeed, it seems the U.S. seems to be laying the groundwork for possible intervention in future Estonia-like situations when it says in the Strategy that cyber conflicts “could compel actions under the commitments we have with our military treaty partners” such as NATO where an attack on one is an attack on all.   

Any future decision to respond with kinetic military power will not be made lightly and will be rooted in existing international law, such as the “armed attack” threshold from the United Nations Charter. In short, if a cyber attack hasn’t killed anyone or caused significant property damage or a deep and prolonged hit to GDP – the normal indicators of war – do not expect any kinetic response, much less a fission-based one.  

This blog is a shorter version of an Issue Brief on the U.S. cyber declaratory policy which will be released in the near future. 

Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber issues on Twitter, @Jason_Healey. Photo credit: Getty Images.

Image: cyberstrategy.jpg