2.1 The Issue
Cyberspace is a new domain of conflict, one guided by few accepted rules or standards of behavior. Policymakers find offensive cyber operations attractive because they are relatively inexpensive, can be designed to be less destructive than traditional military strikes, and can provide a high degree of anonymity to the attacker. The vast majority of operations include cyber espionage (theft of military and political secrets or intellectual property) and political disruptions (website defacement or distributed denial-of-service [DDoS] attacks, which flood a website with so much data that it can no longer respond).
Defending against cyber threats is extremely difficult. Defenders need to worry about millions of lines of computer code, hundreds of devices, and scores of networks, while attackers only need to find one vulnerability to launch an attack. Moreover, attribution of cyberattacks is difficult and slow, which makes them different from other weapons. Attackers can hide their tracks with relative ease, and the attacks can happen in minutes, if not seconds. Many countries rely on proxies, criminal groups, or patriotic hackers to conduct operations: even if the location of the hackers can be determined, anyone anywhere could have authorized the attack. This conundrum also greatly complicates efforts to retaliate and prevent attacks. Although experts generally assume that a cyberattack resulting in death or physical destruction would be considered an armed attack, the threshold for a military response to other forms of cyberattacks remains uncertain.
Compounding these difficulties is the fact that relatively few international norms exist to govern cyberspace. Without shared standards of acceptable behavior to guide responses to cyberattacks and deter certain types of cyber operations, such as those targeting critical infrastructure, cyber operations pose a considerable risk to international security. Successful attacks could risk escalation beyond the realm of cyberspace or have unintended consequences beyond the initial target. Moreover, if, based on past trends, military leaders fear that their networks or weapons systems could be subjected to cyberattacks—which would limit their ability to order forces in the field or to launch weapons—they would be incentivized to use their weapons systems preemptively; such a move would escalate and further destabilize a conflict.