Since the mid-2000s, cyber and armed conflict have become inextricably linked. Technological advances alongside the rapid expansion of cyberspace have led to the increased use of cyber operations as tools in conflicts and warfare. Our nation’s leaders must have a detailed awareness of cyber operations and their possible implications. Enhancing the credibility of deterrence through legislation coupled with advanced knowledge of offensive cyber capabilities helps ensure our leaders have a comprehensive understanding of the implications of cyber operations.
In the current international landscape, cyber operations are tools employed during war and peacetime, raising crucial questions for policymakers. The United States federal regulatory framework must prioritize preparation and mitigation techniques for cyber attacks. Despite growing state-level cyber security legislation, such as the California Consumer Privacy Act or New York’s Stop Hacks and Electronic Data Security (SHIELD) Act, many gaps remain in the United States’ federal cybersecurity regulatory framework. Former President Biden issued an executive order and memorandum to improve the federal government’s cyber security networks in conjunction with a $9.8 billion federal cybersecurity budget proposal that comes in the wake of intensified cyber attacks and signifies how the current cybersecurity legislative landscape is insufficient to meet the needs of intensified cyber threats.
Offensive cyber operations provide nations with strategic advantages. Deterrence is a key consideration when weighing the consequences of cyber operations in conflict. Deterrence by denial aims to make an action unlikely or impossible to succeed, preventing an aggressor from achieving its goals. The most critical aspect of deterrence is its credibility. The potential adversary must believe that the opponent’s threat of retaliation is credible in order to be deterred from attacking. As lone actors gain the capability to conduct cyber attacks, it becomes increasingly challenging to maintain credible deterrence strategies against attacks carried out by non-state actors. The threat of wiping an individual’s computer is not credible enough to prevent them from trying to shut down a country’s power grid. Focusing on deterrence by denial strategy legislation is a sensible approach to secure a nation-state’s ‘cyber borders’. This would entail a strong policy focus on enhancing pre-existing information security systems. Hardening systems, monitoring networks, improving public-private cooperation and information sharing, researching potential volatile attacks, and raising public awareness are all strategies that would bolster the credibility of a nation’s deterrence.
As cyber operations become more integrated with traditional mechanisms of war, it is essential to consider the role of offensive cyber operations. Countries often vary in the intensity and objectives of their cyber operations. However, countries can broadly utilize offensive cyber capabilities as a force multiplier to supplement conventional warfare and as an independent asset. Estonia, for example, is uniquely qualified to serve as a benchmark for comparing cyber policies. After enduring a massive and sustained cyber attack on its information infrastructure in 2007, Estonia implemented several significant cybersecurity reforms, becoming a paragon of cybersecurity and one of the first countries to adopt a national cybersecurity strategy. The 2007 cyber attack crippled government websites, media outlets, email servers, and banking systems for nearly a month and changed the way the nation approaches cyber security. Estonia bolstered its cybersecurity posture by implementing cyber education programs that highlight risk awareness, promote public and private sector partnerships, and integrate its foreign policies to improve stakeholder engagement in cyber defense. While the United States has adopted several domestic and foreign cyber policies that Estonia has proposed, the US continues to lack some key aspects of cybersecurity that are critical to ensure a cyber-resilient nation.
While the strategic value of different offensive cyber capabilities comes with its own conditions that may be difficult to fulfill and require trade-offs, this is not unique to cyber operations. A better conceptualization of such conditions and potential trade-offs helps set the necessary technical parameters for future cyber capability development. Ensuring offensive cyber tools’ reliability, stealth, and precision is crucial, and often involves balancing technical requirements with the need for adaptability and dynamism in fluid conflict scenarios. It is important to emphasize that policymakers should consider offensive cyber operations not as a standalone action or replacement but in conjunction with its direct and indirect impacts on a conflict. Offensive cyber operations can lead to significant strategic advantages for a state actor and provide an additional option to leaders across various situations. In cybersecurity, seconds too late can be the difference between having effective cybersecurity in place and having none.
Our nation’s leaders must enhance their understanding of preventative and offensive cyber strategies as cyber operations more prominently shape modern warfare. Implementing robust regulatory systems establishes credible deterrence and bolsters offensive cyber operations. A comprehensive cybersecurity regulatory framework empowers our leaders to be proactive in navigating the intricacies of cyber attacks, ultimately enhancing national security and resilience against current and future adversaries.