In one of the year’s most poorly understood bit of cyber news, the United States has again announced it may use military force in response to a cyber attack. In a new publication, Jason Healey, Director of the Atlantic Council’s Cyber Statecraft Initiative, puts this cyber “declaratory policy” into the proper context, both how it fits into other US declaratory policies and the reality of cyber conflict.
Findings of this brief include:
- On one hand, the cyber declaratory policy is a relatively boring affirmation of continuity with previous national security statements: it will not in what manner or with what weapons the United States is attacked. The US leadership will treat a significant cyber attack on the nation in the same way they would an attack on the land, sea, air or in space and respond in an appropriate manner.
- Having this declaratory policy will raise the stakes for adversaries hoping to cause damage or kill Americans, hiding behind claims of plausible deniability. The President has made clear that proportional military force will be an option.
- Press reports from Russia and China make it seem like this declaratory statement is well understood by those nations, even though it has been misunderstood by the media that covers technical topics, as evidence by headlines like “OBAMA RESERVES RIGHT TO NUKE HACKERS”.
This issue brief builds on the Cyber Statecraft Initiative’s previous writings including an assessment of the UN proposal from Russia and China, comparative international norms, declaratory policy, response to national security incidents, and the new cyber strategies from the White House, Department of Defense, and NATO.