On April 15, US President Joe Biden signed an executive order in an effort to impose costs on “harmful foreign activities by the Russian government.” These activities included Russian government-linked attempts at malign influence on the 2020 presidential election and involvement in the Sunburst cyber-espionage campaign that impacted more than 18,000 organizations. This executive order seeks to retaliate against the Russian government and affiliated entities through a combination of economic sanctions and public policy initiatives.
Imposing costs—or retaliation—in the physical domain has been studied, but what does retaliation look like in cyberspace and how is it different than retaliation in the physical domain? As governments continue to hone their cyber capabilities and statecraft, retaliation in cyberspace will increasingly be an important feature of interstate interactions in peacetime and in crisis.
For this edition of the 5×5, we asked five cyber experts to lend their insights on how retaliation shapes cyber conflict and what that means for international security.
#1 What combination of factors warrants an extra-cyber retaliation to a cyber incident or attack?
Gil Baram, postdoctoral fellow, Center for International Security and Cooperation, Stanford University; research fellow, Blavatnik Interdisciplinary Cyber Research Center, Tel Aviv University:
“There really is no “secret recipe” for such a combination, as these circumstances will always vary from one case to the next, depending on many factors, such as the regime type and particular circumstances. It also depends whether this is a state-on-state conflict or one that involves non-state actors, since there are often different considerations for retaliation in each. Another thing to consider is visibility of the original incident. Whether or not the domestic or international public is aware of the incident may considerably impact the decision whether to retaliate and how.”
Simon Handler, assistant director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, Atlantic Council:
“There are a number of varying contextual and practical factors that may influence a state’s decision to opt for an extra-cyber retaliation. In 2019, the Israel Defense Forces bombed a Gaza building that Hamas was using to conduct offensive cyber operations. The United States has conducted similar kinetic operations, like airstrikes, targeting assets of the Islamic State’s CyberCaliphate. Both of these examples took place in the context of existing hot wars—meaning escalation was of relatively little concern—and against terrorist organizations, which by their very nature pose a threat to civilian populations.
Political factors may lead a state, warranted or not, to retaliate to a cyber incident outside of the cyber domain. While there is no evidence that the Sunburst cyber-espionage campaign intended to disrupt or destroy, the level of publicity and political pressure to show resolve in the face of what several members on Capitol Hill publicly likened to a Russian “attack” contributed in no small part to the Biden administration’s imposition of sanctions on Russian entities in a recent executive order.”
Richard Harknett, professor, University of Cincinnati; chair, Center for Cyber Strategy and Policy:
“Cybersecurity requires having the initiative in anticipating exploitation of vulnerabilities. If you have to retaliate, you have somewhere ceded the initiative to an adversary, who was able to exploit something before you could anticipate that exploitation. Thus, you have become more insecure. One must ask then if and how does retaliation help you regain the initiative in order to enhance your security—that needs to be the key factor driving policy.”
Jenny Jun, fellow, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, Atlantic Council; PhD candidate, Department of Political Science, Columbia University:
“It depends on what we mean by “extra-cyber.” If it means a conventional military response designed to have more severe effects than the initial cyberattack, we need to consider its feasibility as a function of preexisting deterrence structures and whether such a retaliation will be effective in achieving the political objective, which is presumably deterring future cyberattacks of the same kind. If it means any retaliation just not in cyberspace, the United States is already doing this routinely as part of its Defend Forward policy, in the form of limited measures such as sanctions and indictments. There are relatively few situations where the former is satisfied, and the attackers probably know it too.”
Emma Schroeder, assistant director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, Atlantic Council:
“The bar most frequently referred to in this discussion is a cyberattack which has a destructive physical effect—a cyberattack which itself crosses domain lines. However, in practice, attacks in one domain are felt and dealt with across other domains and levers of power. The determining factor for an escalatory response to a cyberattack or incident is whether such a step would deter or impede an adversary from exploiting that same type of vulnerability in the future. Secondarily, as responses within cyberspace are likely sub-rosa, a state may choose to respond outside the domain in order to increase the publicity of the response to communicate strength.”
#2 Does retaliation play a productive role in effectively deterring future cyberattacks and incidents?
Baram: “The meaning and even feasibility of deterrence in cyber is still being discussed by scholars and practitioners, so the role of retaliation in achieving deterrence – i.e., preventing the actor from taking a planned action – is not in fact clear. Currently, there is not enough real-world data in order to assess the effectiveness of retaliation in deterring future cyberattacks.”
Handler: “There are examples of the US Cyber Command successfully conducting offensive cyber operations to at least temporarily disable adversary operations, but I have yet to see the United States successfully deter cyberattacks and incidents in the long term. Sanctions have lacked the forcefulness necessary to change adversaries’ calculations on engaging in persistent, low-grade cyber operations against the United States. These operations provide great economy of investment and a means for relatively weaker states to asymmetrically confront powers like the United States. As it stands, the benefits that these states reap from these operations are too great to give up.”
Harknett: “It can, if it allows you to regain initiative. However, if it is purely reactive and not tied to a strategic orientation to persist in anticipating exploitation, then no. Deterrence fails because the attacker calculates that you do not have the will to respond or that your response will not outweigh all the benefits they anticipate. If the aggressor attacked because they believed you would not respond, then demonstrating will is a necessary but not sufficient step to reestablish a new credible deterrence threat. Important, though, is whether the cost can be imposed at a level that outweighs the attacker’s expected benefit. Cyberspace promises a lot of gain in a competitive space short of armed conflict; a space where credible costs relative to those gains are difficult to threaten, impose and sustain, so retaliation will likely fall short. Then you must ask, does weak retaliation undermine future attempts to deter? And that answer is yes. This is one reason why retaliatory deterrence is not an effective anchoring strategy for national cybersecurity.”
Jun: “The key is to ask whether mutual hostage relationships can be created for particular assets, and whether a “second strike” retaliation is reliable. For example, both states can have access to each other’s grids or each have some intelligence that each would prefer not become public, and use retaliation in the second stage as a means to enforce the terms of the hostage relationship in the first stage. But this structure would not work if one side values the asset in question significantly less, or if turning off access is easy—which is why it is hard to find such stable mutual hostages in cyberspace. Beyond this, retaliation simply for the sake of applying costs is unlikely to be effective at deterring future cyber operations, especially against incidents such as the SolarWinds hack.”
Schroeder: “This depends on the specific retaliatory effort. If retaliation is done largely for the sake of domestic political grandstanding or is driven by a Moltke-like primacy of capability, then it is not strategic retaliation. An effective effort should target as specifically as possible, the entities and capabilities of the concerned actor, in order to impose specific costs and impede capability. Likely, this will not include only a single response, but a strategic campaign that uses all information gleaned from the incident to persistently engage with the malicious actor. Deterrence in cyberspace is tricky, as the concept applies to a type of conflict that is utterly conspicuous. A better way to look at this may be using retaliation to shape instead of deter an adversary’s response.”
#3 Could there ever be a scenario where a non-cyber incident warrants cyber retaliation? What would this scenario look like?
Baram: “First, we are familiar with the reverse scenario, that of a cyber incident incurring a non-cyber retaliation. In 2019, Israel responded to a cyberattack on Israeli systems with an airstrike on the Gaza Strip building housing the Hamas cyber operatives involved. Media reports described the incident as “the first time that a country has reacted with immediate military force to a cyberattack in an active conflict, in real-time, rather than wait months to plan an operation and respond.”
Now to answer the question—a country deciding to use cyber to retaliate for a kinetic action is certainly a possible scenario. Moreover, since offensive cyber operations can be carried out as covert actions, there is good reason to assume this is already happening—but away from the public eye.”
Handler: “These kinds of scenarios are prevalent, as they allow states to respond to non-cyber incidents while running a relatively low risk of escalation. In June 2019, in response to Iran’s attacks on oil tankers in the Persian Gulf and downing of a US Global Hawk surveillance drone, the United States threatened airstrikes but instead opted to conduct a cyberattack against a critical Iranian Revolutionary Guards Corps (IRGC) database used to target tankers. With tensions already at a boiling point, the cyber retaliation allowed the United States to demonstrate that Iranian aggression would not go unchecked, disable the IRGC from conducting similar attacks in the near term, and avoid the escalatory fallout of a kinetic response. It is reasonable to assume that similar incidents occur in a far more covert fashion as well.”
Harknett: “Cyber capabilities are modern elements of military and intelligence entities and can be employed in the pursuit of national interests. They are additional options to be considered alongside air, land, maritime, and space capabilities to advance national security. If you feel you must retaliate for security, cyber is just another means to consider.”
Jun: “Certainly, but the United States is more likely to be on the receiving end of the retaliation than vice versa. Because the United States is more reliant on cyberspace and therefore has more to lose from its unavailability, other states often enjoy an asymmetric advantage. Plus, both the effect of preexisting conventional deterrence structures with many rivals and the emerging notion of a “firebreak” that conventional military responses are more escalatory than cyber, may lead rivals to believe that a cyber retaliation is unlikely to result in negative consequences. North Korea’s attack on Sony is one example.”
Schroeder: “Absolutely. Following any incident, the US government should consider the full range of its response options, including its cyber capabilities. If effects bleed between domains, then so too should responses. The United States should focus on crafting a response that builds on its strength and targets the weaknesses of its adversaries, while forwarding the strategic goals of the state.”
#4 What are your takeaways from the Biden administration’s recent executive order (EO) on Russia and what, if any, implications will it have on the future of cyber conflict?
Baram: “This is a huge question, since it was ground-breaking in many ways. One particularly striking thing about this direct response to the SolarWinds hack is the unmasking of Russian agencies and companies aiding the Kremlin’s hacking efforts. The public attribution was unequivocally stronger and far more detailed than any made by previous administrations, making both a diplomatic and political statement. This may yet be followed with additional ‘unseen’ measures, as officials have suggested. While the diplomatic and economic sanctions may indeed be painful, these are unlikely to deter Russia from carrying out such operations in the future. More likely, this will encourage Russia to try to keep its cyber operations more secretive.”
Handler: “The EO takes some reasonable steps to designate Russian technology companies that supported the cyber operations of the Foreign Intelligence Service of the Russian Federation. Aside from any messaging value, the EO lacks the punitive effect necessary to move the needle on similar Russian behavior in the future. One positive from the EO was its emphasis on capacity building and engaging with allies and partners in a “global cybersecurity approach.””
Harknett: “While the main focus of coverage has been on the imposition of sanctions, history tells us sanctions are unlikely to change the behavior of motivated attackers. More important in the EO was the commitment to training allies to improve defensive capabilities and resiliency because it’s an effort that could regain initiative, if pursued in the context of persistence, rather than in the context of reaction.”
Jun: “The United States does not seem to have many good options when it comes to responding to breaches such as the SolarWinds hack, and it shows in the EO. Russia probably conducted the operation anticipating the likely response would be sanctions and possibly indictments, and assessed that the rewards still outweigh the costs. That assessment is unlikely to change with the recent EO and for future operations. SolarWinds is also a case of espionage—albeit in unprecedented scale—but the United States also conducts similar cyber-enabled espionage operations abroad. From a cyber-norms perspective, responding too harshly over SolarWinds gives others justification to do the same against the United States.”
Schroeder: “Sanctions as a response to this group of incidents, including Sunburst, are likely paired with less public, more targeted responses. In the case of Sunburst, the real response will be the long, hard work of improving US cyber incident detection and remediation capabilities. Sanctions likely will not deter future Russian harmful activities, but may be crucial in the signal it sends to allies and partners that the United States is prepared to respond more strongly in the future.”
#5 Where has retaliation to a cyberattack or espionage operation “worked” and how?
Baram: “This largely depends on what constitutes “works” for a particular country, as different countries have different perceptions of both the objectives and consequences of retaliation. Also, what one country considers a retaliation, another may consider an attack, thereby continuing the cycle. Take, for example, the Iran-Israel mutual cyberattacks over the past year. Both sides have (allegedly) already retaliated; but since neither has stopped yet, it is difficult to determine whether retaliation is working.”
Handler: “To the extent that policymakers have expected a policy or action to prevent future adversary operations, no attempts at retaliation have “worked” long term, at least in any observable way. The cyber domain is home to an ongoing intelligence contest, and just as states would be hard pressed to coerce an adversary from conducting human intelligence operations, they are equally if not more challenged to prevent such operations in cyberspace. No single retaliation will make up for technical insecurity and shortfall in strategy. US policymakers must recognize the nature of the fight the United States is in and adjust cyber strategy accordingly to better compete.”
Harknett: “It has not, because retaliation is not how cyberspace is actually secured. Retaliation assumes an ‘act and react’ environment. Cyberspace is an initiative-persistent environment of setting and sustaining security through the mitigation or exploitation of vulnerabilities. It is not about what the other side is doing that should drive your operations, but the conditions of security in devices, systems, and networks you seek to secure. It is not about retaliation and playing catch-up; it is about persistence and sustaining the initiative.”
Jun: “It is hard to say, because successful deterrence is a non-event and therefore unobserved, and there can be many plausible alternative explanations for the lack of an attack. We also do not talk enough about displacement when evaluating success, where deterred activity simply moves to a different target to have similar or worse effects. But we may know more several years later as documents get declassified.”
Schroeder: “It is difficult to determine whether a single act of retaliation has, or can, ‘work’ against an adversary. However, there have been cases of constructive responses to cyber incidents. One that comes to mind is the systemic response of Estonia following the distributed denial-of-service (DDoS) attacks against Estonian banks, media outlets, and government bodies in 2007. In response, Estonia established the volunteer Cyber Defence Unit. Through this program the country’s top information technology and cybersecurity experts, largely employed in the private sector, donate their time and experience to bolster the cybersecurity stance of the state. By reaching into the private sector and civil society, the Estonian government was able to greatly expand their knowledge and capability base whilst creating a multiplicative force ready for action in wartime under a unified military command. In some cases, the most effective retaliation is good preparation.”
Safa Shahwan Edwards is the deputy director of the Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative.
Simon Handler is the assistant director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.