Tripwire for real war? Cyber’s fuzzy rules of engagement

Written by Frank Bajak

President Joe Biden couldn’t have been more blunt about the risks of cyberattacks spinning out of control. “If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence,” he told his intelligence brain trust in July.

Now tensions are soaring over Ukraine with Western officials warning about the danger of Russia launching damaging cyberattacks against Ukraine’s NATO allies. While no one is suggesting that could lead to a full-blown war between nuclear-armed rivals, the risk of escalation is serious.

The danger is in the uncertainty about what crosses a digital red line. Cyberattacks, including those that cripple critical infrastructure with ransomware, have been on the rise for years and often go unpunished. It’s unclear how grave a malicious cyber operation by a state actor would have to be to cross the threshold to an act of war.

“The rules are fuzzy,” said Max Smeets, director of the European Cyber Conflict Research Initiative. “It’s not clear what is allowed, what isn’t allowed.”

The United States and other NATO members have threatened crippling sanctions against Russia if it sends troops into Ukraine. Less clear is whether such sanctions, whose secondary effects could also hurt Europe, would be imposed if Russia were to seriously damage Ukrainian critical infrastructure — power, telecommunications, finance, railways — with cyberattacks in lieu of invading.

And if the West were to respond harshly to Russian aggression, Moscow could retaliate against NATO nations in cyberspace with an intensity and on a scale previously unseen. A major cyberattack on U.S. targets would almost certainly unleash a muscular response. But what of lesser cyberattacks? Or if Russian President Vladimir Putin restricted them to a NATO member in Europe?

Under Article 5 of the organization’s treaty, an attack on any of its 30 members is considered an attack on all. But unclear is what it would take to unleash full-scale cyber retaliation. Or how bad an attack would have to be to trigger retaliation from NATO’s most potent cyber military forces, led by the U.S. and Britain.

Read more at AP News

About the author

Frank Bajak

Leave a Comment