The Issue
Cyberspace is a new domain of conflict, one guided by few accepted rules or standards of behavior. Policymakers find offensive cyber operations attractive because they are relatively inexpensive, can be designed to be less destructive than attacks against physical targets and can provide a high degree of anonymity to the attacker. Most of these operations include cyber espionage (theft of military and political secrets or intellectual property) and political disruptions (website defacement or distributed denial-of-service [DDoS] attacks, which flood a website with so much data that it can no longer respond).
The White House’s 2023 National Cyber Strategy states that the United States “will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests.” Experts generally assume that a cyberattack that causes death or physical destruction would be considered an armed attack. However, the threshold for a military response to other forms of cyberattack remains uncertain. Defending against cyber threats is extremely difficult. Would-be defenders need to worry about millions of lines of computer code, hundreds of devices, and scores of networks. An attacker, on the other hand, only needs to find one vulnerability.
Determining who is responsible for cyberattacks is a difficult and slow process. Cyber attackers can hide their tracks more easily than perpetrators of other kinds of attacks. The attacks can happen in minutes, if not seconds. Many countries also rely on proxies, such as criminal groups or patriotic hackers, to conduct operations for them. Even if the hackers can be located, anyone anywhere could have authorized the attack. This conundrum greatly complicates efforts to retaliate and prevent attacks.
Successful attacks could also risk military escalation. If military leaders fear that their networks or weapons systems could be subjected to cyberattacks—which would limit their ability to order forces in the field or to launch weapons—they would have an incentive to use their weapons systems preemptively. Such a move would escalate and further destabilize a conflict.
Hypothetical Decision Point
China, Brunei, Malaysia, the Philippines, Taiwan, and Vietnam have competing territorial claims in the South China Sea. In recent years, China has exerted authority over the area by increasing the size of existing islands or creating new ones. China has also constructed ports, military installations, and airstrips. The United States has promoted the right of military vessels to operate in China’s claimed two-hundred-mile exclusive economic zone. Furthermore, the United States has rejected China’s claim to a twelve-mile territorial zone around the artificial islands it has built. Since 2015, the United States has signaled its opposition by flying military aircraft and sending U.S. Navy ships near certain islands.
Last week, the U.S. Air Force conducted a flight near a shoal claimed by China in the South China Sea. Three days later, the Nasdaq Stock Market suffered a hack that damaged computers and forced the suspension of trading for two days. This imposed significant costs on various U.S. companies and dented confidence in the U.S. financial system. An underground hacker collective based in China known as the Zheng He Squadron has claimed responsibility for the hack. The group has known ties to the People’s Liberation Army, China’s military. U.S. intelligence agencies assess with 90 percent certainty that the hack occurred with the knowledge or support of parts of the Chinese government. Beijing claims no knowledge of the attack. The president has convened the National Security Council to discuss how the United States should respond.