The Unfulfilled Promises of U.S. Cyber Strategy

Multiple large-scale cyberattacks against American companies and government agencies this past year raised alarms over cybersecurity. Politicians from both parties, such as Senators Marco Rubio (R-FL) and Mark Warner (D-VA), called upon the United States to retaliate against the perpetrators. However, like with every other kind of intrusive international behavior, the solution to cyber threats is not an arms race and aggression, but norms and standards. The U.S. needs to recognize that it will never be safe from cyberattacks until it reconciles its words with its own behaviors in the digital realm.

In 2011, the White House declared cyberattack against the U.S. as an act of war. The U.S. will be responding with “all necessary means – diplomatic, informational, military, and economic – as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests.” However, when it comes to practices, the United States has broken many parts of that statement. The U.S. must live up to its words and earn the trust of its allies before it can start to lead the creation of global cyber norms, the only long-term solution to the challenge.

In the White House statement, the U.S. committed to building a digital environment that’s based on diplomacy, defense, and development. However, the U.S. has also conducted some of the most damaging cyberattack operations in the last decade. Often considered the first major state-sponsored offensive cyberattack, the use of Stuxnet malware caused substantial damage to Iranian critical infrastructure and set back its nuclear program for years. Although it might be a successful campaign from the perspective of non-proliferation, the operation demolished U.S. credibility to call out others for cyber espionage.

Despite taking on the responsibility to protect both the nation itself and its allies, the U.S. has prioritized its own interests at the expense of its partners. The global surveillance disclosures started by Edward Snowden in 2013 created a huge backlash against the U.S. across the globe. Even today, the European Union is extremely cautious with U.S.-based technology companies.

Rebuilding trust with allies is not easy, but direct retaliation against offenders is no better than putting out a fire with oil. Unlike conventional forces, cyberattacks have the potential of causing large-scale chain reactions and greater damage than one has planned. Pursuing a tit-for-tat strategy does little good for the U.S. and significantly increases the chances of total war.

As some have argued, the U.S. might be better off pursuing a defensive deterrence strategy instead, for it is low-risk. While this might be an attractive option on paper, practical challenges make it unrealistic to pursue. Previous administrations tried to deter Russia by imposing sanctions against key individuals. However, like most unilateral economic punishment, it failed to prevent Russia from initiating more attacks merely three months later. Even a defensive strategy requires the U.S. to work with its allies.

At the same time, the low-cost nature of cyberattacks makes it much more costly to be on the defensive side. For that reason, effective defense often requires stopping the attack at its source. This requires the U.S. to increase its surveillance over foreign governments and interfere when it deems necessary, the very thing the U.S. wants to punish its adversaries for doing. Continuing down this path will surely raise tensions between states, and push everyone into a cyber arms race. Therefore, without establishing responsible cyber practices as global norms, even a seemingly defensive strategy will eventually lean towards offense and all of its disadvantages.

After the Second World War, the world experienced a nuclear arms race that drove itself to the brink of doom. Nations eventually decided to press the brake and slowly de-escalate tensions. Although seemingly impossible at the time, it became the dawn of a new age. Major global actors reached an agreement on non-proliferation and the norm is still remarkably strong today. We do not need to repeat the same story with cyberweapons. Instead of retaliation and a cycle of aggression, the U.S. can reverse its past strategy and lead the world to create new norms of cyberspace. And just like the end of the Cold War, an age of prosperity would be waiting ahead.