As offensive cyber activity becomes more prevalent, policymakers will be challenged to develop proportionate responses to disruptive or destructive attacks. Already, there has been significant pressure to “do something” in light of the allegedly state-sponsored attacks on Sony Pictures Entertainment and the Sands Casino. But finding a timely, proportionate, legal, and discriminatory response is complicated by the difficulty in assessing the damage to national interests and the frequent use of proxies. Perpetrators have plausible deniability, frustrating efforts to assign responsibility. Past experience suggests that most policy responses have been ad hoc.
In determining the appropriate response to a state-sponsored cyber incident, policymakers will need to consider three variables: the intelligence community’s confidence in its attribution of responsibility, the impact of the incident, and the levers of national power at a state’s disposal.
While these variables will help guide responses to a disruptive or destructive cyberattack, policymakers will also need to take two steps before an incident occurs. First, policymakers will need to work with the private sector to determine the effect of an incident on their operations. Second, governments need to develop a menu of preplanned response options and assess the potential impact of any response on political, economic, intelligence, and military interests.
Background: Cyber Incidents and Uncertainty
Even as the number of highly disruptive and destructive cyberattacks grows, governments remain unprepared to respond adequately. In other national security areas, policy responses to state-sponsored activity are well established. For example, a country can expel diplomats in response to a spying scandal, issue a demarche if a country considers its…