The conundrums of cyber retaliatory norms

By Claude Barfield

Recently, my AEI colleague Shane Tews convened a group of experts to puzzle over the question:
“Does the US need a national cybersecurity strategy?” The discussion was
wide-ranging with deep dives into key issues; only in the last minute did the
issue of international cybersecurity norms come up, leaving little time for
full explication. But one panelist, James Andrew Lewis of the Center for
Strategic and International Studies, did offer brief comments, arguing that it
was a “false contrast” to juxtapose norms against “offensive strikes.” Lewis stated:

Norms basically say we’re going to regularize cyber operations by putting them under the umbrella of international or humanitarian law — the laws that govern armed conflict. And so norms provide a framework for responsive state action. . . . You have norms so that you can then say, as a law-abiding state, “You are transgressing these norms, and I have the right under international law that you’ve agreed to — to impose consequences.”

President Joe Biden recently warned Russia that the US would impose “significant”
retaliatory action if the Kremlin “violate[d] . . . basic norms” in cyberspace.
Significantly, Biden failed to set forth such “basic” norms. In truth, there is
no agreement on what constitutes cyber norms, and international law has fallen woefully behind the technological and legal challenges of
the new cyber age. More importantly, most, if not all, cyber action falls into
the category of what my AEI colleague Elisabeth Braw has labelled the “gray zone,” in which legitimate threats or
actions fall below the accepted threshold for a warlike response (whether
through kinetic or cyber responses).

As recounted over the years in this space, multiple gray-zone cyberattacks have
left succeeding US presidential administrations — Barack Obama, Donald Trump,
and now Biden — struggling with mixed success to even set forth public
rationales for US responses and countermeasures. The attacks have ranged from
cyber intrusions and breaches via routine digital espionage to intellectual
property theft and even disruption or destruction of US critical
infrastructure.

This brings us briefly to the situation the Biden
administration faces today regarding Russia and the recent SolarWinds attack. Since
the attack, the president and his top cybersecurity aides have repeatedly vowed that retribution will be paid. Biden has
often publicly referred to warnings he made against Russian President
Vladimir Putin personally. Ignoring those warnings, however, the
same Russia-based group behind the SolarWinds attack successfully penetrated Microsoft’s cloud services and put at risk the
data of several government agencies and 14 private companies (though over 140
have been targeted since May of this year).

While not as technically sophisticated as the original SolarWinds
attack (the damage from which will take years to fully uncover), the Microsoft
attack firmly establishes that Putin is not daunted by US threats. As a top
Microsoft executive put it: “This recent activity is another indicator that
Russia is trying to gain long-term, systematic access to a variety of points in
the technology supply chain and establish a mechanism for surveilling — now or
in the future — targets of interest to the Russian government.”

The daunting question for the Biden administration is: When
do gray-zone attacks become so dangerously invasive that they call for non-gray-zone
responses?

As for cyber norms, the view here is that the question is
not just norms versus no norms, but more basically: What are the norms in the
first place?

The post The conundrums of cyber retaliatory norms appeared first on American Enterprise Institute – AEI.