Cybersecurity Leader: Deterrence Policy for Hacks Can’t Mirror That for Nukes


The Cyberspace Solarium Commission emerged due to the late John McCain’s frustration with current U.S. doctrine on what should trigger a “use of force.”

The possibility of a Russian cyberattack getting beyond Ukraine into the territory of North Atlantic Treaty Organization members is forcing consideration of a longstanding policy recommendation for the U.S. to create a consistent doctrine for determining the appropriate use of force across the cyber and physical realms.

“When everything your adversary does is below your use of force marker, you probably have set your threshold too high,” said Mark Montgomery, “and you haven't established the conditions where an adversary feels the punishment or the cost imposition of your response in non-military terms, whether it's economic, law enforcement or cyber.”

Montgomery was executive director of the now dissolved Cyberspace Solarium Commission, a prolonged meeting of government and industry which produced a comprehensive report of congressionally mandated policy recommendations. He now leads an eponymous nonprofit pushing Congress to continue enacting the recommendations and spoke during an event the American Enterprise Institute hosted Tuesday, titled “gray-zone warfare: identifying and deterring a growing national security threat.”

Kori Schake, AEI’s director of foreign and defense policy studies, highlighted language in article five of NATO’s founding principles, which calls for a collective response in the event of an “armed attack,” and asked about the implications for a NATO response in the event of a cyberattack.

It’s a question that was also front of mind for Sen. Mark Warner, D-Va., Monday during an event the Center for Strategic and International Studies hosted on the cyber component of Russia’s continued invasion of Ukraine, which is not a NATO member, but borders NATO’s “eastern-flank” countries. If Russian aggression reaches Poland or Romania, it could force U.S. engagement in the conflict. 

“I was very concerned in the early days that Russia might launch such an expansive cyber attack that it might bleed beyond the geographic borders of Ukraine and bleed into Eastern Poland where you know, if you shut down Polish hospitals and Poles die, is that an article five or if you had American troops, you know, getting in a traffic accident because the lights had gone off, could that be an article five?” Warner said. 

Montgomery said the dominant frame for determining the appropriate use of force doesn’t fit the complicated considerations necessary in the cyber realm.

“What constitutes an attack is very hard in the cyber domain,” he said. “You know, you can't take the kind of the traditional deterrence theory that comes from nuclear power, because of the idea [that] pretty much one nuclear weapon is enough to trip your deterrence doctrine whereas clearly one cyber attack is not enough to trip your deterrence doctrine … So we looked at this pretty hard in the Cyberspace Solarium Commission.”

Montgomery said NATO has done a good job of integrating cyber into its wartime policies but, absent an armed conflict, could do more to establish appropriate deterrence policies during peacetime, when adversaries still operate in a “gray zone” trying to secure strategic advantages.

“What we noticed in the United States—and what caused our commission to be created—was Senator [John] McCain, [being] tired of finding that almost anything the adversary did was below our threshold of the use of force and a response,” he said Wednesday. “This includes China's stealing 24 million records from OPM. It includes North Korea's attack on Sony, it includes Iranian distributed denial service attacks on our banks, and probably most explicitly the Russian cyber-enabled [Intelligence Operation] against our election system in 2016.” 

The Solarium Commission described current U.S. doctrine on the use of force as “deliberately, politically and legally ambiguous.”

“Our adversaries are clearly exploiting the current threshold to conduct a range of malicious activities that do not rise to a level warranting a major retaliatory response,” the commission wrote. “The U.S. government should announce a declaratory policy … This policy should clearly state that the United States will respond using cyber and non-cyber capabilities to counter and impose costs against adversary cyber campaigns below a use-of-force threshold. Essentially, the U.S. government should publicly declare that it will defend forward and couple its declaration with decisive and consistent action across all elements of national power.”

The Solarium Commission emanated from provisions in the John S. McCain National Defense Authorization Act of 2019. McCain led the Senate Armed Services Committee before his death in the summer of 2018.