During a Senate Intelligence Committee hearing in March, Senator Angus King, an independent from Maine, pressed General Paul Nakasone, the head of U.S. Cyber Command and director of the National Security Agency, about the lack of significant cyber-operations in Russia’s war in Ukraine. After all, Russia has long been known for targeting Western countries, as well as Ukraine itself, with cyberattacks. Echoing the surprise of many Western observers, King said, “I expected to see the grid go down, communications too, and that hasn’t happened”. Indeed, although President Joe Biden and members of his administration have also warned of potential Russian cyberattacks against the United States, there were remarkably few signs of such activity during the first six weeks of the war.
That is not to say that cyber-activity has been entirely absent. Proxy cyber-groups and hackers have mobilized on both sides, ranging from Ukraine’s 400,000-strong “IT Army” to Russia’s Conti ransomware group. Sandworm, an outfit linked to Russian military intelligence, also has a long record of cyberattacks against Ukraine.
Yet since the war began, such operations have mostly been limited to low-cost, disruptive incidents rather than large-scale attacks against critical civilian and military infrastructure. Two potential exceptions only underscore the relatively limited role of cyber-operations. There is some evidence that at the start of the war Russian-linked actors conducted a cyberattack against Viasat, a U.S.-based Internet company that provides satellite Internet to the Ukrainian military and to customers in Europe. But the impact was temporary and, more important, did not meaningfully affect the Ukrainian military’s ability to communicate. Additionally, Ukrainian officials recently announced that, in early April, the Sandworm group attempted, but failed, to carry out a cyberattack against Ukraine’s power grid. While the hackers appeared to have gained access to a company that delivers power to two million Ukrainians, they were thwarted by effective defenses before being able to cause any damage or disruption.
In fact, the negligible role of cyberattacks in the Ukraine conflict should come as no surprise. Through war simulations, statistical analyses, and other kinds of studies, scholars have found little evidence that cyber-operations provide effective forms of coercion or that they cause escalation to actual military conflict. That is because for all its potential to disrupt companies, hospitals, and utility grids during peacetime, cyberpower is much harder to use against targets of strategic significance or to achieve outcomes with decisive impacts, either on the battlefield or during crises short of war. In failing to recognize this, U.S. officials and policymakers are approaching the use of cyberpower in a way that may be doing more harm than good—treating cyber-operations like any other weapon of war rather than as a nonlethal instrument of statecraft and, in the process, overlooking the considerable opportunities as well as risks they present.
The Myth of Cyber-Escalation
Much of the current understanding in Washington about the role of cyber-operations in conflict is built on long-standing but false assumptions about cyberspace. Many scholars have asserted that cyber-operations could easily lead to military escalation, up to and including the use of nuclear weapons. Jason Healey and Robert Jervis, for example, expressing a widely held view, have argued that an incident that takes place in cyberspace “might cross the threshold into armed conflict either through a sense of impunity or through miscalculation or mistake”. Policymakers have also long believed that cyberspace poses grave perils. In 2012, Secretary of Defense Leon Panetta warned of an impending “cyber-Pearl Harbor”, in which adversaries could take down critical U.S. infrastructure through cyberattacks. Nearly a decade later, FBI Director Christopher Wray compared the threat from ransomware—when actors hold a target hostage by encrypting data and demanding a ransom payment in return for decrypting it—to the 9/11 attacks. And as recently as December 2021, Secretary of Defense Lloyd Austin noted that in cyberspace, “norms of behavior aren’t well-established and the risks of escalation and miscalculation are high”.
Seemingly buttressing these claims has been a long record of cyber-operations by hostile governments. In recent years, states ranging from Russia and China to Iran and North Korea have used cyberspace to conduct large-scale espionage, inflict significant economic damage, and undermine democratic institutions. In January 2021, for example, attackers linked to the Chinese government were able to breach Microsoft’s Exchange email servers, giving them access to communications and other private information from companies and governments, and may have allowed other malicious actors to conduct ransomware attacks. That breach followed on the heels of a Russian intrusion against the software vendor SolarWinds, in which hackers were able to access a huge quantity of sensitive government and corporate data—an espionage treasure trove. Cyberattacks have also inflicted significant economic costs. The NotPetya attack affected critical infrastructure around the world—ranging from logistics and energy to finance and government—causing upward of $10 billion in damage.
But the assumption that cyber-operations play a central role in either provoking or extending war is wrong. Hundreds of cyber-incidents have occurred between rivals with long histories of tension or even conflict, but none has ever triggered an escalation to war. North Korea, for example, has conducted major cyberattacks against South Korea on at least four different occasions, including the “Ten Days of Rain” denial of service attack—in which a network is flooded with an overwhelming number of requests, becoming temporarily inaccessible to users—against South Korean government websites, financial institutions, and critical infrastructure in 2011 and the “Dark Seoul” attack in 2013, which disrupted service across the country’s financial and media sectors.
It would be reasonable to expect that these operations might escalate the situation on the Korean Peninsula, especially because North Korea’s war plans against South Korea reportedly involve cyber-operations. Yet that is not what happened. Instead, in each case, the South Korean response was minimal and limited to either direct, official attribution to North Korea by government officials or more indirect public suggestions that Pyongyang was likely behind the attacks.
Similarly, although the United States reserves the right to respond to cyberattacks in any way it sees fit, including with military force, it has until now relied on economic sanctions, indictments, diplomatic actions, and some reported instances of tit-for-tat cyber-responses. For example, following Russia’s interference in the 2016 U.S. presidential election, the Obama administration expelled 35 Russian diplomats and shuttered two facilities said to be hubs for Russian espionage. The Treasury Department also levied economic sanctions against Russian officials. Yet according to media reports, the administration ultimately rejected plans to conduct retaliatory cyber-operations against Russia. And although the United States did use its own cyber-operations to respond to Russian attacks during the 2018 midterm elections, it limited itself to temporarily disrupting the Internet Research Agency, a Russian troll farm.
These measured responses are not unusual. Despite decades of malicious behavior in cyberspace—and no matter the level of destruction—cyberattacks have always been contained below the level of armed conflict. Indeed, researchers have found that major adversarial powers across the world have routinely observed a “firebreak” between cyberattacks and conventional military operations: a mutually understood line that distinguishes strategic interactions above and below it, similar to the threshold that exists for the employment of nuclear weapons.
But it is not just that cyber-operations do not lead to conflict. Cyberattacks can also be useful ways to project power in situations in which armed conflict is expressly being avoided. This is why Iran, for example, might find cyberattacks against the United States appealing, including the 2012–13 denial of service attacks it conducted against U.S. financial institutions. Since Iran likely prefers to avoid a direct military confrontation with the United States, cyberattacks provide a way to retaliate for perceived grievances, such as U.S. economic sanctions in response to Iran’s nuclear program, without triggering the kind of escalation that would put the two countries on a path to war.
The Advantage of Ambiguity
In addition to the ways they are used, cyber-operations also have two general qualities that tend to distinguish them from conventional military operations. First, they typically have limited, transient impact—especially when compared with conventional military action. As the Hoover Institution fellow Jacquelyn Schneider recently told The New Yorker, “If you’re already at a stage in a conflict where you’re willing to drop bombs, you’re going to drop bombs”. Unlike traditional military hardware, cyberweapons are virtual: even at their most destructive, they rarely have effects in the physical world. In the extraordinary instances when they do—such as the Stuxnet cyberattack, which caused the centrifuges used to enrich uranium in Natanz, Iran, to speed up or slow down—cyber-operations do not inflict the kind of damage that can occur in even a minor precision missile strike. And when states have launched cyberattacks against civilian infrastructure, such as Russia’s 2015 hit on Ukraine’s power grid, the impact has been short-lived. To date, cyberattacks have never caused direct physical harm; the only known indirect death associated with a cyberattack occurred in 2020, when a German patient with a life-threatening condition died as a result of a treatment interruption caused by a ransomware attack on a hospital’s servers.
In practice, governments themselves have also recognized the contrasting impacts of cyberattacks and conventional military attacks. Consider the incident between Iran and the United States that occurred in the summer of 2019: according to reports in the U.S. media, when Iran attacked oil tankers in the region and downed a U.S. drone, the Trump administration chose to respond in cyberspace, allegedly by hacking Iranian computer systems to degrade their ability to conduct further attacks against oil tankers. What stands out about this case is that there was a credible military option on the table that was subsequently revoked: President Donald Trump called off plans to conduct military strikes against Iranian targets. At the time, Trump tweeted that he changed his mind after learning of the potential for civilian casualties. By implication, a cyber-operation may have been seen as less risky precisely because it was unlikely to cause loss of life or even major destruction.
Second, in contrast to most military strikes, cyber-operations tend to be shrouded in secrecy and come with plausible deniability. Analysts have argued that uncertainty about responsibility makes interactions in cyberspace perilous and undermines deterrence. Cloaked in anonymity, so the logic goes, malicious actors can provoke conflict while remaining in the shadows. It is true that false-flag cyberattacks are common. For example, when a group linked to the Chinese government conducted cyber-operations against Israel in 2019 and 2020, it masqueraded as Iranian, presumably to confuse Israeli attribution efforts. Yet secrecy need not have negative implications: it can provide opportunities for states to maneuver in crises without the drawbacks that more conventional uses of hard power might have, such as exacerbating domestic political tensions. It can also offer a way to explore the extent to which the other side is willing to negotiate or resolve the crisis: ambiguity creates breathing space.
For example, when the United States withdrew from the Iran nuclear deal in 2018, experts worried that Iran might retaliate, perhaps by attacking U.S. personnel or U.S. interests in the Middle East. Instead, Iran appeared to respond with increased cyber-activity that was ambiguous and not escalatory. Although the Iranian cyber-operations were noted within a day of the U.S. announcement, they were not the kind of massive attack that many commentators had anticipated; they mostly appeared to be attempts to conduct reconnaissance and probe for vulnerabilities. If Iran intended for this activity to be uncovered, it would largely serve symbolic purposes—communicating Iran’s presence to the United States.
Put simply, cyber-operations by their very nature are designed to avoid war. They can act as a less costly alternative to conflict because they are ambiguous, rarely break things, and don’t kill people. By continuing to depict cyberspace as an escalatory form of warfare itself, policymakers risk overstating the role of cyber-operations in armed conflict and missing their true importance.
Tools Not Weapons
The recognition that cyber-operations are unlikely to lead to military escalation—and that they play at most a supporting rather than decisive role in actual armed conflicts—has direct consequences for U.S. policy and strategy. For one thing, it means that the United States may have greater room to use cyberspace to achieve objectives without precipitating new crises or exacerbating existing ones. Since 2018, for example, the U.S. Defense Department has treated cyberspace as an arena in which the military can operate more routinely and proactively rather than wait to respond to an adversary’s activity. According to the Pentagon, Washington needs to “defend forward to disrupt or halt malicious cyber activity at its source”. This approach encompasses maneuvering on networks controlled by U.S. adversaries or third parties and even conducting offensive cyber-operations.
At the time that the 2018 cyber strategy was released, many experts expressed alarm that it could provoke military escalation. Adding to the concerns, in the 2019 National Defense Authorization Act, Congress authorized the secretary of defense to conduct cyber-operations as a traditional military activity, which meant that cyber-operations would no longer be treated as a form of covert action requiring a presidential finding to be approved. Yet in the four years since the defend forward concept was implemented, the escalation that many feared has not materialized. This should give some assurances to policymakers that the United States can continue to conduct offensive cyber-operations without risking a wider conflict.
In 2021, for example, U.S. Cyber Command, working with a partner government, conducted a cyber-operation to limit the ability of the Russian-linked criminal group REvil to conduct ransomware attacks. Several months later, U.S. officials acknowledged that the military had “imposed costs” against ransomware groups. There is also some evidence that efforts to counter Russian cyber-activity during the current Ukraine crisis may have blunted a more effective Russian cyberoffensive, with Nakasone alluding to work done by the Ukrainians and others to hinder Moscow’s plans.
But just because the Pentagon’s plan has not led to escalation does not mean it is a tool the United States can use to solve all of the cyber challenges it faces. For the very same reasons that offensive cyber-operations have not led to escalation, their constraints should cast doubt on the notion that the United States can use them to coerce adversaries into changing their behavior or punish them by inflicting high costs.
Second, the reality that cyber-operations are used by states in many different ways means that policymakers need to develop a more nuanced approach for responding to cyberthreats. Because cyber-operations are consistently seen as representing an existential threat to the United States, Washington has tended to deal with cyber-incidents of contrasting scope and scale with the same policy tools. For instance, senior U.S. officials described both Russia’s 2016 election interference and the 2021 SolarWinds operation as acts of war. But the first was a cyber-enabled information operation and the second was in fact a large-scale cyber-espionage campaign—and neither resembled open war in any conventional sense. Moreover, the policy responses in both of these cases (as in many other cyber-incidents) were similar: a combination of public attribution, indictments, and sanctions. Instead of responding with inflammatory language and standard forms of retaliation, policymakers should consider how to employ cybertools and non-cybertools in ways that are tailored to specific incidents, taking into account the extent and gravity of a given operation. Responses can also be proportionate without being symmetrical. Rather than responding in kind, the United States should apply varying and more creative approaches that reflect differences in adversaries’ centers of gravity. What is important to Beijing, and therefore what may motivate its behavior, is different from what is important to Moscow, Tehran, and so on.
A one-size-fits-all approach to adversary cyber-operations may raise particular problems in the Ukraine conflict. Anticipating potential Russian cyberattacks against member states, NATO leaders have reaffirmed that Article 5, the treaty’s collective defense clause, applies to cyberspace, but they have left ambiguous which specific operations might trigger it. A lack of clarity about how thresholds and responses are defined risks undermining the credibility of this pledge and the effectiveness of NATO’s overall cyberstrategy.
A third lesson of cyber-operations over the past decade is that U.S. officials should adopt a more flexible mindset in their response to them. Rather than focusing on retaliatory action, the United States should devote more resources to enhancing resilience—the ability to absorb and rapidly recover from disruptive occurrences. Embracing this type of approach means accepting that cyberattacks are likely to take place and, more important, that the overwhelming majority of them will not have cataclysmic effects. Over the past several years, the United States has improved its resilience to such attacks, expanding the agencies responsible for working with and maintaining critical infrastructure, such as the Cybersecurity and Infrastructure Security Agency. The U.S. government has also created the Office of the National Cyber Director to harmonize its cybersecurity efforts and collaborate with the private sector. But these entities are still relatively new, and efforts to implement meaningful regulation of the private sector to promote resilience still have a long way to go.
A Cyber Escape Valve?
Just because cyber-operations have not yet caused escalation does not mean that they will never do so. If conflicts such as the war in Ukraine lead to greater instability in the international system and increased great-power competition, the risks of cyber-escalation may grow. The opposite is also possible, however: in a more unstable world, cyber-operations may provide an important outlet for recurring tensions, given their lack of physical violence and relatively limited effects. As international politics become more dangerous, cyberspace can offer a way for states to respond to perceived aggressions without causing physical destruction or loss of life, thus providing a kind of stability in itself.
Ultimately, escalation is in the eye of the beholder—it depends as much on the target’s perception of an event as on the perpetrator’s intent or the reality of the strategic context. Therefore, a further priority of U.S. policymakers should be to improve their understanding of how adversaries interpret Washington’s activities in cyberspace and leverage that knowledge to conduct cyber-operations that minimize the risk of escalation. During a crisis, for instance, the United States may want to avoid conducting cyber-operations in a manner that an adversary might perceive as a precursor to conflict or to a military strike, especially if that is not the intent. If there is a pressing strategic or military imperative to conduct these types of operations, they should occur in tandem with efforts to communicate their purpose to avoid misunderstandings.
For too long, policymakers have drawn the wrong lessons from cyber-operations. The absence of escalation across decades of strategic interaction in cyberspace—a record that has only been reinforced in the conflict in Ukraine—should cause policymakers to reevaluate long-standing assumptions about the cyber-domain. In doing so, they may be able to see how cyber-actions are but one of a number of strategic tools that, properly understood, can limit the risk of conflict as much as increase it. Of course, the potential for cyberattacks to temporarily paralyze large information networks or even whole sectors of an economy should not be discounted. But in a world in which armed conflict continues to destroy entire cities and wreak terrible human costs, both civilian and military, cyber-operations should be regarded less as another form of hard power than as a way for states to pursue strategic goals by other means.
Erica D. Lonergan is Assistant Professor in the Army Cyber Institute at West Point and a Research Scholar at the Saltzman Institute of War and Peace Studies at Columbia University. Previously, she served as Senior Director on the U.S. Cyberspace Solarium Commission. The views expressed here are her own.