The conundrums of cyber retaliatory norms

By Claude Barfield

Recently, my AEI colleague Shane Tews convened a group of experts to puzzle over the question: “Does the US need a national cybersecurity strategy?” The discussion was wide-ranging with deep dives into key issues; only in the last minute did the issue of international cybersecurity norms come up, leaving little time for full explication. But one panelist, James A. Lewis of the Center for Strategic and International Studies, did offer brief comments, arguing that it was a “false contrast” to juxtapose norms against “offensive strikes.” Lewis stated:

Norms basically say we’re going to regularize cyber operations by putting them under the umbrella of international or humanitarian law — the laws that govern armed conflict. And so norms provide a framework for responsive state action. . . . You have norms so that you can then say, as a law-abiding state, “You are transgressing these norms, and I have the right under international law — that you have agreed to — to impose consequences.”

President Joe Biden recently warned Russia that the US would impose “significant” retaliatory action if the Kremlin “violate[d] basic norms” in cyberspace. Significantly, Biden failed to set forth such “basic” norms. In truth, there is no agreement on what constitutes cyber norms, and international law is woefully behind the technological and legal challenges of the new cyber age. More importantly, most if not all cyber action falls into the category of what my AEI colleague Elisabeth Braw has labelled the “gray zone,” in which legitimate threats or actions fall below the accepted threshold for a warlike response (whether through kinetic or cyber responses).

As recounted over the years in this space, multiple gray-zone cyberattacks have left succeeding US presidential administrations — Barack Obama, Donald Trump, and now Biden — struggling with mixed success to even set forth public rationales for US responses and countermeasures. The attacks have ranged from cyber intrusions and breaches via routine digital espionage to intellectual property theft and even disruption or destruction of US critical infrastructure.

This brings us briefly to the situation the Biden administration faces today with regard to Russia and the recent SolarWinds attack. The president and his top cybersecurity aides have repeatedly vowed since SolarWinds that retribution will be paid. Biden himself has often publicly referred to warnings he made against Russian President Vladimir Putin personally. In apparent disregard of those warnings, however, the same Russia-based group behind SolarWinds successfully penetrated Microsoft’s cloud services and put at risk the data of a number of government agencies and 14 private companies (though over 140 have been targeted since May of this year). While not as technically sophisticated as the original SolarWinds attack (the damage from which will take years to fully uncover), the attack firmly establishes that Putin is not daunted by US threats. As a top Microsoft executive put it: “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government.”

The daunting question for the Biden administration is: When do gray-zone attacks become so dangerously invasive that they call for non-gray-zone responses?

As for cyber norms, the view here is that the question is not just norms versus no norms, but more basically: What are the norms in the first place?