The Whitehouse recently announced that President Barack Obama has the authority to initiate a preventive cyber strike in the event that an attack on the US is threatened. This announcement means that in the cyber domain, the military now has the authority to attack foreign nations, regardless of whether or not the US is involved in a conflict with them. This pre-emptive cyber policy has numerous implications for international politics.
Cyberweapons are truly going ballistic. They are now comparable to the ballistic nuclear missile arsenal of the US, which also resides under the jurisdiction of the President. Giving the President cyber-initiative responsibilities speaks volumes regarding the serious attitude to which they are treated.
Within the context of nuclear weapons, authorizing a pre-emptive strike has been a topic of heated discussion. This is largely due to the fact that verifying a future enemy strike is imminent is still a considerable challenge. To act on possible or probable enemy intentions is to attempt to predict the future. There is no way to determine, with certainty, that an enemy is about to attack before they actually commence an attack. Prior to that moment, nothing is certain and the vision of pre-emptive strike as a policy will simultaneously act as a deterrent and a disruptor of international stability.
The implications of a preemptive strategy can be viewed from many perspectives, and only the possible execution of such powers will determine the issue. At worst, the US could take the stance of a mad dog and attack with their entire arsenal in response to the slightest provocation. This, judging by any estimation of US cyber capabilities would likely cause damage comparable to a massive nuclear strike that would eradicate considerable portions of the cyber domain.
On the other hand, if the US clearly indicates that it would unleash its powers only in the case where it is hit first and the perpetrator of the attack can be determined, this could act as a plausible deterrence, which would make government hackers think twice before attacking US information networks. This type of statement is comparable to a nuclear strategy where the first strike is deemed an unacceptable option. This type of policy was debated and largely accepted due to the seriousness of nuclear aftermath, but the idea of a preemptive strike never became extinct. With cyberweapons, the full implications of their massive employment are unclear and we can only hope they never actualize.
The idea of cyber security going ballistic does not seem all that serious -- after all, the threat is non-kinetic and takes place online. However, as the Stuxnet cyber attack managed to prove, the effects of a cyber attack are not contained only in cyberspace. A cyber attack can produce tangible physical damage by causing malfunctions in machines and electronics. Power grids and air control systems are perfect examples. Many countries are now developing cyber-capabilities that will have massive impacts in the physical world. Disabling banking systems or logistics networks will disturb the lives of citizens as a direct consequence of these types of cyber attacks.
The “red line,” or the line the enemy has to cross before full-scale cyber retaliation would occur, needs to be defined. A digital Pearl Harbor or 9/11 would undoubtedly be enough to initiate counter-measures, but what about multiple minor breaches of cyber security? If continuous, but small-scale industrial or military espionage occurs in the information networks, when, exactly, is enough … enough?
As has been the case many times in the history of the physical world, offensive actions can quickly lead to greater problems. The danger of escalation is always present. In today’s digitally interconnected world, there is great potential for unpredictable side effects and collateral damage from aggressive actions.
While Presidential Policy Directive 20 is secret, what is known about it is sufficient to raise global concern. The US arsenal is stupefying as it is, and cyber capabilities add a new dimension; and preemption brings us back to the fear and insecurity of the chilliest Cold War years. The undertones of the new policy are aggressive and, as of now, there are no known restrictions.
Finally, it is important to remember that other countries are closely following the development of cyber policy in the US, and will apply it to their own practices.
This article was written by Dr. Jarno Limnéll and Dr. Jan Hanska.