Survival

Global Politics and Strategy

ISSN: 0039-6338 (Print) 1468-2699 (Online) Journal homepage: http://www.tandfonline.com/loi/tsur20

Waging Cyber War the American Way

David C. Gompert & Martin Libicki

To cite this article: David C. Gompert & Martin Libicki (2015) Waging Cyber War the American
Way, Survival, 57:4, 7-28, DOI: 10.1080/00396338.2015.1068551

To link to this article: http://dx.doi.org/10.1080/00396338.2015.1068551

Published online: 22 Jul 2015.

Submit your article to this journal

Article views: 2836

View related articles

View Crossmark data

Full Terms & Conditions of access and use can be found at

http://www.tandfonline.com/action/journalInformation?journalCode=tsur20

Download by: [International University of Japan] Date: 22 April 2017, At: 02:15
Waging Cyber War the American
Way
David C. Gompert and Martin Libicki

War is cruelty, and you cannot refine it, said William Tecumseh Sherman.1
As we have previously argued in this journal, cyber war is war.2 Whether it
is cruel and unrefined depends on the manner in which it is waged.3 While
this is not solely up to the United States, US policy can have big effects. Yet,
if US policy on offensive cyber war is influential, it is also inchoate. While
some vagueness about when and how the United States would conduct
offensive cyber operations is necessary, its general policy on this matter
warrants debate. This article is meant to inform such a debate.
In part, US circumspection betrays an instinctive aversion to offensive
cyber war. Notwithstanding its unsurpassed abilities to disrupt computer
systems, the United States has approached the subject warily. The US
Department of Defense, for example, recently called the increase in cyber
attacks a dangerous trend in international relations.4 Official statements
have consistently stressed that US goals concerning cyber war are defence
and deterrence. For a power that has repeatedly engaged in offensive con-
ventional warfare since the end of the Cold War, such wariness is striking
and merited.
US ambivalence toward cyber war is both strategic and normative, the
implication being that what is bad for the United States is also bad for the
world. Washington insists that any cyber operations it might conduct would

David C. Gompert and Martin Libicki are Distinguished Visiting Professors at the US Naval Academys Center
for Cyber Security Studies. They thank the Academy and the Center for their support during the drafting of this
article, though they stress that the views expressed are their own.

Survival | vol. 57 no. 4 | AugustSeptember 2015 | pp. 728DOI 10.1080/00396338.2015.1068551

8 | David C. Gompert and Martin Libicki

be in a manner consistent with US and international law.5 Perceiving cyber

war as war implies the applicability of the laws of war, specifically the
principles of non-aggression, non-intervention, proportionality, discrimina-
tion and respect for neutrality.6 Compliance with all these norms could be
challenging when initiating and conducting offensive cyber war. Case in
point: the United States and Israel are said to have created and inserted
the Stuxnet worm to interfere with the control of centrifuges used by Iran
to enrich uranium. However justified by the imperative of preventing Iran
from building nuclear weapons, it is fair to ask if this act of cyber war was
lawful, especially in light of the unintended collateral effects it reportedly
had. More broadly, harming non-combatants and civilian life, which can
occur when infecting non-military computer systems, raises especially
vexing issues, at least for the United States thus its defensive posture.
There are several obvious reasons for US wariness about offensive cyber
war. Firstly, US military, intelligence, economic, governmental and soci-
etal functions are highly dependent on computer systems, and vulnerable
to their disruption and degradation. Put starkly, having led and benefited
enormously from the digital revolution, the United States regards cyber
war as counter-revolutionary. Moreover, once begun, the course a cyber
war might take would be hard to predict, control or contain. It could trigger
kinetic hostilities, visit indiscriminate harm on non-combatants, escalate far
beyond what the belligerents intended, and cause grave economic damage.7
Finally, US superiority in conventional military capabilities limits the need
for cyber war, whereas enemies could use cyber war as an asymmetric
answer to such superiority. In other words, cyber war could level the bat-
tlefield to the US disadvantage.
At the same time, the United States regards cyber war during armed
conflict with a cyber-capable enemy as probable, if not inevitable. It both
assumes that the computer systems on which its own forces rely to deploy,
receive support and strike will be attacked, and intends to attack the com-
puter systems that enable opposing forces to operate as well. Thus, the
United States has said that it can and would conduct cyber war to support
operational and contingency plans a euphemism for attacking computer
systems that enable enemy war fighting. US military doctrine now regards
 Waging Cyber War the American Way | 9

non-kinetic (that is, cyber) measures as an integral aspect of US joint offen-

sive operations.8 Even so, the stated purposes of the US military regarding
cyber war stress protecting the ability of conventional military forces to
function as they should, as well as avoiding and preventing escalation,
especially to non-military targets.
Apart from its preparedness to conduct counter-military cyber opera-
tions during wartime, the United States has been reticent about using its
offensive capabilities. While it has not excluded conducting cyber opera-
tions to coerce hostile states or non-state actors, it has yet to brandish such
a threat.9 Broadly speaking, US policy is to rely on the threat of retaliation
to deter a form of warfare it is keen to avoid. Chinese
criticism that the US retaliatory policy and capa-
bilities will up the ante on the Internet arms race Chinese criticism
is disingenuous in that China has been energetic in
forming and using capabilities for cyber operations.10
is disingenuous
Notwithstanding the defensive bias in US atti-
tudes toward cyber war, the dual missions of deterrence and preparedness
for offensive operations during an armed conflict warrant maintaining
superb, if not superior, offensive capabilities. Moreover, the case can be
made and we have made it that the United States should have superior-
ity in offensive capabilities in order to control escalation.11 The combination
of significant capabilities and declared reluctance to wage cyber war raises
a question that is not answered by any US official public statements: when
it comes to offence, what are US missions, desired effects, target sets and
restraints in short, what is US policy?
To be clear, we do not take issue with the basic US stance of being at
once wary and capable of cyber war. Nor do we think that the United States
should advertise exactly when and how it would conduct offensive cyber
war. However, the very fact that the United States maintains options for
offensive operations implies the need for some articulation of policy. After
all, the United States was broadly averse to the use of nuclear weapons
during the Cold War, yet it elaborated a declaratory policy governing such
use to inform adversaries, friends and world opinion, as well as to forge
domestic consensus. Indeed, if the United States wants to discourage and
10 | David C. Gompert and Martin Libicki

limit cyber war internationally, while keeping its options open, it must offer
an example. For that matter, the American people deserve to know what
national policy on cyber war is, lest they assume it is purely defensive or
just too esoteric to comprehend.
Whether to set a normative example, warn potential adversaries or foster
national consensus, US policy on waging cyber war should be coherent. At
the same time, it must encompass three distinguishable offensive missions:
wartime counter-military operations, which the United States intends
to conduct;
retaliatory missions, which the US must have the will and ability to
conduct for reasons of deterrence; and
coercive missions against hostile states, which could substitute for
armed attack.12
Four cases serve to highlight the relevant issues and to inform the elab-
oration of an overall policy to guide US conduct of offensive cyber war.
The first involves wartime counter-military cyber operations against a
cyber-capable opponent, which may also be waging cyber war; the second
involves retaliation against a cyber-capable opponent for attacking US
systems other than counter-military ones; the third involves coercion of a
cyber-weak opponent with little or no means to retaliate against US cyber
attack; and the fourth involves coercion of a cyber-strong opponent with
substantial means to retaliate against US cyber attack. Of these, the first and
fourth imply a willingness to initiate cyber war.

Counter-military cyber war during wartime

Just as cyber war is war, armed hostilities will presumably include cyber war
if the belligerents are both capable of and vulnerable to it. The reason for
such certainty is that impairing opposing military forces use of computer
systems is operationally compelling. Forces with requisite technologies and
skills benefit enormously from data communications and computation for
command and control, intelligence, surveillance and reconnaissance (ISR),
targeting, navigation, weapon guidance, battle assessment and logistics
management, among other key functions. If the performance of forces is
dramatically enhanced by such systems, it follows that degrading them can
 Waging Cyber War the American Way | 11

provide important military advantages. Moreover, allowing an enemy to

use cyber war without reciprocating could mean military defeat. Thus, the
United States and other advanced states are acquiring capabilities not only to
use and protect computer systems, but also to disrupt those used by enemies.
The intention to wage cyber war is now prevalent in Chinese planning for
war with the United States and vice versa. Chinese military planners have
long made known their belief that, because computer systems are essential
for effective US military operations, they must be targeted. Chinese cyber
capabilities may not (yet) pose a threat to US command, control, commu-
nications, computers, intelligence, surveillance and reconnaissance (C4ISR)
networks, which are well partitioned and protected. However, the networks
that enable logistical support for US forces are inviting targets. Meant to
disable US military operations, Chinese use of cyber war during an armed
conflict would not be contingent on US cyber operations. Indeed, it could
come early, first or even as a precursor of armed hostilities.
For its part, the US military is increasingly aware not only that
sophisticated adversaries like China can be expected to use cyber war to
degrade the performance of US forces, but also that US forces must integrate
cyber war into their capabilities and operations. Being more dependent on
computer networks to enhance military performance than are its adversaries,
including China, US forces have more to lose than to gain from the outbreak
of cyber war during an armed conflict. This being so, would it make sense
for the United States to wait and see if the enemy resorts to cyber war
before doing so itself? Given US conventional military superiority, it can
be assumed that any adversary that can use cyber war against US forces
will do so. Moreover, waiting for the other side to launch a cyber attack
could be disadvantageous insofar as US forces would be the first to suffer
degraded performance. Thus, rather than waiting, there will be pressure
for the United States to commence cyber attacks early, and perhaps first.
Moreover, leading US military officers have strongly implied that cyber war
would have a role in attacking enemy anti-access and area-denial (A2AD)
capabilities irrespective of the enemys use of cyber war.13 If the United
States is prepared to conduct offensive cyber operations against a highly
advanced opponent such as China, it stands to reason that it would do
 12 | David C. Gompert and Martin Libicki

likewise against lesser opponents. In sum, offensive cyber war is becoming

part and parcel of the US war-fighting doctrine.
The nature of US counter-military cyber attacks during wartime should
derive from the mission of gaining, or denying the opponent, operational
advantage. Primary targets of the United States should mirror those of a
cyber-capable adversary: ISR, command and control, navigation and guid-
ance, transport and logistics support. Because this mission is not coercive or
strategic in nature, economic and other civilian networks should not be tar-
geted. However, to the extent that networks that enable military operations
may be multipurpose, avoidance of non-military harm cannot be assured.
There are no sharp firebreaks in cyber war.14
Normatively speaking, cyber war during an
armed conflict would presumably not consti-
Avoidance of non- tute aggression any more than the underlying
conflict would.15 However, norms of proportion-
military harm ality, discrimination and respect for neutrality
cannot be assured could come under pressure.16 With or without
cyber war, these proscriptions are not absolute:
in essence, combatants are bound to avoid attacks that harm civilian popu-
lations or neutrals unless militarily exigent. Civilians engaged in supporting
war-making, and neutrals that are aiding the enemy, are fair game, provided
any harm to them is unavoidable in order to degrade their contributions to
war-making. Law-of-war standards should inform counter-military cyber
war, not preclude it. Strictly speaking, enemy violation of the laws of war
for instance, targeting non-combatants without military justification does
not remove the obligation to observe these standards.
Although the problems of proportionality, discrimination and respect for
neutrality are not unique to cyber war, they can be exacerbated by the dif-
ficulty inherent in controlling the course, paths and effects of cyber attacks.
As important as norms may be to the United States, its desire to avoid cyber-
war escalation is at least as important. For both reasons, the United States
favours tight command and control (C2). Authority to conduct offensive
cyber operations flows from the president via the secretary of defense to
military commanders for execution. Once ordered, cyber war is directed
 Waging Cyber War the American Way | 13

by regional combatant commanders, who oversee virtually all US mili-

tary operations in their respective theatres, in collaboration with US Cyber
Command, which is responsible for delivering actual effects.17 The assign-
ment of teams from Cyber Command to the combatant commanders enables
the latter to integrate cyber-war actions into joint operations.18
Even with effective C2, there is a danger that US counter-military cyber
operations will infect and damage systems other than those targeted,
including civilian systems, because of the technical difficulties of controlling
effects, especially for systems that support multiple services. As we have
previously noted in these pages, an attack that uses a replicable agent, such
as a virus or worm, has substantial potential to spread, perhaps uncontrolla-
bly.19 The dangers of collateral damage on non-combatants imply not only
the possibility of violating the laws of war (as they might apply to cyber
war), but also of provoking escalation. While the United States would like
there to be strong technical and C2 safeguards against unwanted effects and
thus escalation, it is not clear that there are. It follows that US doctrine con-
cerning the conduct of wartime counter-military offensive operations must
account for these risks.
This presents a dilemma, for dedicated military systems tend to be harder
to access and disrupt than multipurpose or civilian ones. Chinas military,
for example, is known for its attention to communications security, aided by
its reliance on short-range and land-based (for example, fibre-optical) trans-
mission of C4ISR. Yet, to attack less secure multipurpose systems on which
the Chinese military depends for logistics is to risk collateral damage and
heighten the risk of escalation. Faced with this dilemma, US policy should
be to exercise care in attacking military networks that also support civilian
services. The better its offensive cyber-war capabilities, the more able the
United States will be to disrupt critical enemy military systems and avoid
indiscriminate effects.
Moreover, US offensive strength could deter enemy escalation. As we
have argued before, US superiority in counter-military cyber war would
have the dual advantage of delivering operational benefits by degrading
enemy forces and averting a more expansive cyber war than intended. While
the United States should avoid the spread of cyber war beyond military
14 | David C. Gompert and Martin Libicki

systems, it should develop and maintain an unmatched capability to conduct

counter-military cyber war. This would give it operational advantages and
escalation dominance.
Such capabilities might enable the United States to disrupt enemy C4ISR
systems used for the control and operation of nuclear forces. However,
to attack such systems would risk causing the enemy to perceive that the
United States was either engaged in a non-nuclear-disarming first strike
or preparing for a nuclear-disarming first strike. Avoiding such a misper-
ception requires the avoidance of such systems, even if they also support
enemy non-nuclear C4ISR (as Chinas may do).
In sum, US policy should be to create, maintain and be ready to use superior
cyber-war capabilities for counter-military operations during armed conflict.
Such an approach would deny even the most capable of adversaries, China
included, an advantage by resorting to cyber war in an armed conflict. The
paramount goal of the United States should be to retain its military advantage
in the age of cyber war a tall order, but a crucial one for US interests.

Retaliation
While the United States should be ready to conduct cyber attacks against
military forces in an armed conflict, it should in general otherwise try to
avoid and prevent cyber war. (Possible exceptions to this posture of avoid-
ance are taken up later in the cases concerning coercion.) In keeping with
its commitment to an open, secure, interoperable and reliable internet that
enables prosperity, public safety, and the free flow of commerce and ideas,
the United States should seek to minimise the danger of unrestricted cyber
war, in which critical economic, governmental and societal systems and ser-
vices are disrupted.20 Given how difficult it is to protect such systems, the
United States must rely to a heavy extent on deterrence and thus the threat of
retaliation. To this end, the US Defense Department has stated that a would-
be attacker could suffer unacceptable costs if it launches a cyber attack on
the United States.21 While such a warning is worth issuing, it raises the ques-
tion of how these unacceptable costs could be defined and levied. Short
of disclosing specific targets and methods, which we do not advocate, the
United States could strengthen both the deterrence it seeks and the norms it
 Waging Cyber War the American Way | 15

favours by indicating what actions might constitute retaliation. This is espe-

cially important because the most vulnerable targets of cyber retaliation are
computer networks that serve civilian life, starting with the internet.
By definition, cyber retaliation that extends beyond military capabili-
ties, as required for strong deterrence, might be considered indiscriminate.
Whether it is also disproportionate depends in part on the enemy attack that
precipitated it. We can posit, for purposes of analysis, that an enemy attack
would be aimed at causing severe disruptions of such economic and societal
functions as financial services, power-grid management, transport systems,
telecommunications services, media and government services, along with
the expected military and intelligence functions.
In considering how the United States should retaliate, the distinction
between the population and the state of the attacker is useful. The United
States would hold the latter, not the former, culpable, and thus the rightful
object of retaliation. This would suggest targeting propaganda and other
societal-control systems; government financial systems; state access to
banks; political and economic elites on which the state depends; industries
on which the state depends, especially state-owned enterprises; and internal
security forces and functions.
To judge how effective such a retaliation strategy could be, consider the
case of Russia. The Russian state is both sprawling and centralised: within
Russias economy and society, it is pervasive, heavy-handed and exploita-
tive; power is concentrated in the Kremlin; and elites of all sorts are beholden
to it. Although the Russian state is well entrenched and not vulnerable to
being overthrown, it is porous and exposed, especially in cyberspace. Even
if the computer systems of the innermost circle of Russian state decision-
making may be inaccessible, there are many important systems that are not.
Insofar as those who control the Russian state are more concerned about
their own well-being than that of the masses, targeting their apparatus
would cause acute apprehension. Of course, the more important a computer
system is to the state, the less accessible it is likely to be. Still, even if Russia
were to launch indiscriminate cyber attacks on the US economy and society,
the United States might get more bang for its bytes by retaliating against
systems that support Russian state power.
16 | David C. Gompert and Martin Libicki

Of course, US cyber targeting could also include the systems on which

Russian leaders rely to direct military and other security forces, which are
the ultimate means of state power and control. Likewise, Russian military
and intelligence systems would be fair game for retaliation. At the same
time, it would be vital to observe the stricture against disabling nuclear C2
systems, lest the Kremlin perceive that a US strategic strike of some sort was
in the works. With this exception, the Russian states cyber vulnerabilities
should be exploited as much as possible.
The United States could thus not only meet the standard of unaccepta-
ble costs on which deterrence depends, but also gain escalation control by
giving Russias leaders a sense of their vulnerability. In addition to prevent-
ing further escalation, this US targeting strategy would meet, more or less,
normative standards of discrimination and proportionality.
US cyber-war-deterrence policy should answer two more questions:
what attacks would be considered cyber war and could trigger retaliatory
cyber war? And must an attackers identity be absolutely certain for retali-
ation to occur? To take up the first, while a sharp line cannot be drawn, the
most logical criterion for determining whether a cyber attack is an act of
war is the degree to which it is destructive (or severely disruptive).22 Cyber
espionage is an increasingly common part of the worlds second-oldest
profession spying and is typically meant to avoid detection, and thus
noticeable disruption. States may gripe about it, but they abide it, especially
if they also do it. Likewise, cyber theft by criminals or government agents is
harmful and prosecutable, but its destructiveness does not rise to the level
that would justify a retaliatory act of war, as meant here.
To illustrate, the alleged Chinese hacking of US government person-
nel records, evidently in search of files on people who have held sensitive
national-security jobs, was massive, sophisticated and possibly consequen-
tial; but it could not be, and was not, considered an act of war. This does
not preclude some sort of US reprisal, perhaps a comparably bold robbery.
(Presumably, the United States would not want China to know of such
retaliation, lest it be foiled.) What is precluded in this case, by our way of
thinking, is a US response so destructive or disruptive that it would cross
the threshold from cyber espionage to cyber war thus war. Admittedly,
 Waging Cyber War the American Way | 17

the line between intensely harmful theft and cyber war is woolier in reality
than in theory. But the points stand that not all hacking is cyber war; that
when it comes to espionage, states will be states; and that retaliation should
be broadly in kind.
Attribution is a thornier problem, requiring a more subtle solution. On
the one hand, retaliating with less than absolute certainty that the target
state was the attacker obviously runs the risk of harming the innocent. On
the other, declaring that retaliation depends on absolute certainty would
weaken deterrence, especially if an attacker thinks it can use a roundabout
attack path or rely on deniable agents to do the attacking. If this dilemma
seems insoluble in the abstract, there may be a prac-
tical solution: the identity of the state responsible
for an attack on the United States serious enough Attribution is a
to justify retaliation might be obvious by virtue of
the context for instance, tension, confrontation
thornier problem
or armed hostilities and the fact that few actors
would be capable of such an attack. One cannot exclude the possibility
that a capable third party might try to exploit a crisis to conduct an attack
for which another state would suffer retaliation; however, counting on US
misattribution would be a huge gamble to take. Deterrence is, after all, in
the eye of the would-be attacker. A 4-in-5 chance of knowing who attacked
produces a 1-in-5 chance of the attacker getting away with it.
While circumstantial evidence does not rule out mistaken identity and
thus mistaken retaliation, neither does it require the United States to retali-
ate. How the United States actually reacts to a specific attack, and what it
says about its standard for retaliation in order to create strong deterrence,
are two related but significantly different matters. It is best to limit declar-
atory policy to the effect that the United States would be confident of its
attackers identity before retaliating.23 To buttress this, it could also convey
confidence in its ability to identify the culprit.
In sum, US policy to support the legitimacy of retaliation for a cyber attack
might include making known that the United States can and may conduct
devastating retaliation for a cyber attack;24 concentrating the development
of options, doctrine and plans on the goals of disrupting and degrading the
18 | David C. Gompert and Martin Libicki

cyber aggressors state (as opposed to its population), thus allowing compli-
ance with norms of discrimination and proportionality while also enabling
escalation control; treating all state systems, including security systems,
as within the target set, with the exception of systems for nuclear C2; and
retaliating in kind against a state deemed responsible for a destructive cyber
attack, but not for stealing secrets. These policy provisions would apply not
only in the event of attacks on the United States, but also on allies with
which it has binding common defence ties, such as NATO and Japan.
US policy would make a sharp distinction between counter-military
offensive cyber war during armed conflict and the conduct of wider cyber
war, whether or not during an armed conflict. For the former, it would be
prepared to act as required by militaryoperational demands; for the latter,
it would show great restraint unless attacked, in which case it could unleash
major assaults on the attacking state.

Coercing an adversary incapable of strong retaliation

Given that retaliation and counter-military cyber war require copious offen-
sive capabilities, questions arise about whether these means could and
should also be used to coerce hostile states into complying with US demands
without requiring the use of armed force. Examples include pressuring a
state to cease international aggression, intimidating behaviour or support
for terrorists; or to abandon acquisition of weapons of mass destruction;
or to end domestic human-rights violations. If, as some argue, it is getting
harder, costlier and riskier for the United States to use conventional military
force for such ends, threatening or conducting cyber war may seem to be an
attractive alternative.25
Of course, equating cyber war with war suggests that conducting or
threatening it to impose Americas will is an idea not to be treated lightly.
Whereas counter-military cyber war presupposes a state of armed conflict,
and retaliation presupposes that the United States has suffered a cyber attack,
coercion (as meant here) presupposes neither a state of armed conflict nor
an enemy attack. This means, in essence, the United States would threaten
to start a cyber war outside of an armed conflict something US policy has
yet to address. While the United States has intimated that it would conduct
 Waging Cyber War the American Way | 19

cyber war during an armed conflict and would retaliate if deterrence failed,
it is silent about using or threatening cyber war as an instrument of coer-
cion. Such reticence fits with the general US aversion to this form of warfare,
as well as a possible preference to carry out cyber attacks without attribu-
tion or admission.
Notwithstanding US reticence, the use of cyber war for coercion can
be more attractive than the use of conventional force: it can be conducted
without regard to geography, without threatening death and physical
destruction, and with no risk of American casualties. While the United
States has other non-military options, such as economic sanctions and sup-
porting regime opponents, none is a substitute for cyber war. Moreover, in
the case of an adversary with little or no ability to return fire in cyberspace,
the United States might have an even greater asymmetric advantage than it
does with its conventional military capabilities.
However appealing cyber war may be as an alternative to armed con-
flict, especially where there is no fear of retaliation, the United States
must consider whether the use or, by extension, the threat of cyber war
for the purpose of coercion is consistent with norms it values, especially
its opposition to cyber war in particular and support for the laws of war
in general. As noted, coercion implies the possibility of first use, which
could be viewed as aggressive, unless of course the adversary is itself
already engaged in some other form of aggression. Arguably, cyber coer-
cion amounts to intervention in another states internal affairs. If directed
at civilian or multipurpose systems, it could be considered indiscriminate.
And in the absence of both armed conflict and enemy cyber attack, propor-
tionality could be hard to defend.
This raises the question of whether the laws of war should apply to coer-
cive cyber war (and cyber war in general). Specifically, must the target of a
cyber attack be a military capability? Because cyber war is war, the answer
would be yes if cyber attacks worked the same way that kinetic attacks do.
But they do not. In theory, cyber war can destroy things; but in actuality,
attacks rely on computer instructions that can cause things to destroy them-
selves. Stuxnet broke centrifuges because the centrifuges were built to execute
potentially self-destructive sequences. Otherwise, cyber attacks are essentially
 20 | David C. Gompert and Martin Libicki

disruptive: they keep things from working. In this sense, cyber war is gener-
ally not violent. Moreover, its direct effects can be reversed, and far more
quickly than those of physical war. An attack against the computer systems of
military forces that are not at war may be troublesome, but any degradation
is temporary, and physical hardware is left intact.26 Unless cyber attacks are a
prelude to armed conflict, and hence more pre-emptive than coercive, there
is time to mend any ruptures, so long as the country being threatened is not
itself at war with a third party. Hence, the threat of a cyber attack on military
forces is unlikely to be very persuasive or produce much coercive leverage.
By contrast, many systems that support
civilian and economic needs produce services
People living on the every day around the clock, in peacetime no
less than in war. If electric power is out for
edge may go hungry a week, that would be a week during which
little economic activity took place (not to
mention a very uncomfortable week, unless the weather cooperated). If
bank records are scrambled, people lose access to their money, possibly
forever if accurate records cannot be recovered. If government payments
are delayed, people living on the edge may go hungry. Being comparatively
accessible and vulnerable, civilian systems are more inviting targets than
military ones.
The advantage of targeting civilian rather than military systems to max-
imise the peacetime impact of a cyber attack immediately raises a yellow
card about using cyber war for coercion. This is especially so for countries
that claim the moral high ground and seek to discourage cyber war in
general, such as the United States. Still, if the alternative to conducting or
threatening a cyber attack on civilians is a choice between using kinetic force
and doing nothing in the face of enemy aggression or other hostile behav-
iour, then coercive cyber attack on civilian services is merely a bad option
among worse ones.
Apart from such normative considerations, the coercive value of the threat
of cyber war is diminished by the difficulty of brandishing offensive capabili-
ties, either by describing or demonstrating them. There is currently no state
that regularly boasts about its cyber-war capabilities; indeed, states regularly
 Waging Cyber War the American Way | 21

blame attacks on others or on hackers beyond their control. The release of

classified US National Security Agency (NSA) files by Edward Snowden in
2013 might have embarrassed the US government, but also, ironically, helped
it to broadcast how deeply the NSA can supposedly burrow into the systems
of others.27 Apart from incidents like these, offensive capabilities can only
be inferred from anodyne policy statements or from claims made by others
about the extent and authorship of this or that cyber-espionage intrusion.28
The more obvious a countrys capabilities in cyberspace, the more concern
they merit among leaders of states that may be targeted for coercion. Still, the
United States could not count on such leaders to heed threats or admit they
were afraid. They might instead seek to buy time, to resist political demands,
or even to publicise threats to put the onus back on the would-be bully
hardly an enviable position for the United States, given its stated concerns
about cyber war. The vaguer the threat, the easier it is to ignore. Yet, making
a bald threat could be uncomfortable for the United States.
For these reasons, simply shrugging off the threat is a more plausible
strategy for a US adversary in the case of a threatened cyber attack than a
kinetic one. Moreover, even target states that lack access to sophisticated
local providers of cyber-security services have some basic options to tighten
computer-system security: they might remove key information from certain
servers, limit access rights, re-authenticate users, disable certain network
services, isolate critical sub-networks or install cyber-security software.
The time required for such defensive measures can be measured in days
and weeks, rather than the months and years required to erect comparably
effective physical defences. The longer the potential victim can ward off an
attack, the less damage it can expect if attacks come. Perhaps most impor-
tantly, states without cyber-war retaliatory capabilities may also depend
less on computer systems than more sophisticated ones do. North Korea is
an obvious example of a state with rudimentary means to strike back which,
owing to its backwardness, may have little to fear from a US cyber attack.
As with threatening cyber war for coercion, the actual delivery of a cyber
attack against a vulnerable state may not have the desired impact on its
regimes decision-making, unless of course that state were heavily reliant on
computer systems. Even then, there is little evidence that coercive cyber war
22 | David C. Gompert and Martin Libicki

works. The case of Russian attacks on Estonia suggests that even a sophis-
ticated, computer-reliant target might get its back up rather than succumb
in the face of cyber attacks. Moreover, there are not many states that are at
once US adversaries, incapable of retaliation, and so computer-reliant that
they would yield to coercion even if attacked. Iran may be one; however, the
United States would be taking a large gamble in expecting Iranian leaders to
cower in the face of US cyber war.
The dynamics of cyber coercion reflect the ambiguity of information asso-
ciated with any cyber attack, quite possibly to the advantage of the target.
The attacker may know what systems it has penetrated and what first-order
effects might be generated from such a penetration; but its information on
whether the penetrated system is still usable may be iffy, particularly if the
system under attack has no real-time connection with the attacker. The target
may not know exactly what was penetrated or how, but it should have a
better idea than the attacker about the failure modes of the likely targets. It
should also have a better idea than the attacker about how resilient its systems
are, what the recovery path and lead times may be and, most importantly,
how well it can withstand the systems being down. Alternatively, it may be
that neither side has much clue about resilience and recovery, because cyber
attacks of the sort that call for resilience and recovery have so far been quite
rare.29 But such opacity could work to the disadvantage of the attacker.
One of the reasons that a target might believe that it can ignore a US threat
to carry out a cyber attack is because it knows that such an attack would not
be costless for the United States. Any cyber attack carries risks, especially if
carried out in peacetime, and not in retaliation. For instance, it might attract
world opprobrium. If the attack and attacker were publicised or obvious a
given in any cyber attack that followed a threat responsibility would also
be obvious. In addition, an attack risks angering and mobilising populations
of the target state in ways that render concessions politically less likely than
if a threat had been made without an attack. If cyber-war retaliation is infea-
sible, the target may respond in other, harmful ways. Again, think of Iran,
with its network of terrorist proxies, agents and extremists.
Sometimes, coercion is a matter of pounding away until the target state
complies. Examples include economic sanctions, blockades, support for
 Waging Cyber War the American Way | 23

regime opponents and recurrent, clandestine physical attacks. However,

this is a losing game if the instrument is a cyber attack. Although casual
opinion may be that the attacker holds all the cards, if it hopes to win con-
cessions, it needs the target to fold, not simply suffer. Once again, having
been exposed to the attackers capabilities and strategy, the target can mod-
ulate the disruption over time. While perfect security is unattainable, there
is a huge difference between the severe damage that can be done by a cyber
attack on an unprepared system and the chronic pain arising from attacks
on a system that has been battle-hardened.
In sum, while it might be appealing as an alternative to physical force,
the use or threat of cyber war against a weak adversary raises questions
of norms and efficacy, not to mention bad publicity in the event of either
success or failure. Were the United States to limit its risks by restricting itself
to low-grade or narrowly targeted cyber war, it would sacrifice efficacy. If,
instead, it made threats or launched major attacks for the sake of efficacy, it
would be seen as violating the laws of war, as well as its righteous opposi-
tion to cyber war. More fundamentally, US policymakers need to consider
whether they really want to pursue a form of warfare which can, by their
own admission, work to the United States ultimate disadvantage.
The inefficacy and risks associated with attempting to coerce even states
without cyber-retaliatory capabilities have a silver lining for the United
States. If states believe they can gird themselves against and ride out cyber
attacks, call out the attacker for international denunciation and largely
ignore coercive threats, they will feel less compelled than if threatened by
physical force to acquire cyber-war capabilities of their own. This would be
a good thing.

Coercing an adversary capable of strong retaliation

While the utility of threatening or using cyber war to coerce an adversary
with little or no retaliatory capability is limited mainly by norms that are in
the US interest to bolster, the utility of such coercion against an adversary
with strong capabilities is further limited by the prospect of retaliation. This
does not preclude attempting to coerce another cyber power if the stakes
are high enough to justify the risk. In any case, the heavy dependence of
24 | David C. Gompert and Martin Libicki

the US government, economy and society on computer systems implies the

possibility of the United States experiencing great harm in the event of retal-
iation, irrespective of US offensive superiority. For the foreseeable future,
the prospect of such harm would weigh heavily against any US coercive
threat toward at least the major cyber powers, such as China or Russia. An
opponents knowledge of this would in turn undercut the credibility and
thus the utility of a US threat to engage in coercive cyber war.
Even with misgivings about using cyber war to coerce a capable adver-
sary, the United States could still make such a threat. Apart from the general
inadvisability of making empty threats when national security and cred-
ibility are on the line, especially for a world power, bluffing is unlikely to be
a fruitful tactic. A capable adversary surely would both tighten its network
defences and gear up for retaliation. Furthermore, even a major cyber attack
could not destroy the enemys ability to retaliate (in contrast to nuclear and
conventional counterforce weapons that can degrade an enemys ability to
retaliate). Moreover, a public threat, or a comparable private threat leaked
by the adversary, would put the United States on record as threatening to
initiate the very form of warfare it wants to discourage, to little or no avail.
Are there, nonetheless, conditions under which the United States could
coerce a capable adversary by the threat or use of cyber war? Or does mutual
deterrence entirely preclude such measures by (or against) the United
States? It is worth recalling that, during the Cold War, mutual nuclear
deterrence did not dissuade the United States from invoking the threat to
use nuclear weapons to deter a Soviet conventional attack on NATO. Apart
from whether that threat was truly credible, the context was perceived
Soviet conventional superiority, the prospect of cataclysmic US defeat and
Soviet conquest of Europe. Equivalent circumstances are hard to imagine in
todays world, vis--vis China or Russia. And if such circumstances arose,
it hardly seems likely that US cyber war would measure up to the larger
stakes, or the larger threat.
Perhaps the United States could threaten or use low-grade cyber war
against a capable adversary, thinking or hoping that its retaliatory
threshold would not be crossed. However, in order to lower the risk of
retaliation, the United States would have to lower the severity of the attack,
 Waging Cyber War the American Way | 25

and thus the utility of using, much less threatening, cyber attack. In general,
pin prick cyber war offers doubtful benefits in return for avoiding the viola-
tion of norms the United States favours. In the case of a capable adversary,
moreover, low-grade cyber attacks risk not only retaliation but escalation,
presumably outweighing the benefits. As a general proposition, if the United
States were to wage offensive cyber war, it should do so robustly, and for
major purposes and effects. Against an adversary capable of both retaliation
and tightened defence, such cyber war would be most imprudent.

Non-state actors and covert operations

Swelling ranks of increasingly sophisticated non-state actors are engaged
in cyber attacks. The purpose of most of them is theft or the promotion of a
political cause. Some actors, such as well-resourced extremist organisations,
could conduct disruptive attacks acts of cyber war. Although US policy
cannot ignore this growing problem, it is less severe than state threats. In any
case, comparable principles apply. The United States should be prepared to
conduct cyber attacks on non-state adversaries that threaten it, assuming
they have computer systems worth attacking. Avoiding collateral damage
harmful to non-combatants is as important in this case as it is in inter-state
warfare. Although the United States should be prepared to retaliate against
non-state attackers, they tend to be more elusive, less vulnerable and less
susceptible to deterrence than states. The threat or use of US cyber war for
coercion is even less promising against non-state actors than against states.
The United States might find itself in situations in which it needs to
conduct cyber attacks that it wants to deny. In such cases, it has the option of
using covert operations based on presidential direction to intelligence agen-
cies rather than the armed services. We have argued in this journal that the
risks inherent in waging cyber war make it prudent for the United States to
use only one line of authority and control for that purpose from the presi-
dent via the secretary of defense to appropriate military commanders.30 If
cyber war is war, as we believe, the United States should not, and need not,
bypass its military chain of command for the sake of deniability.

* * *
26 | David C. Gompert and Martin Libicki

Cyber war is war, even if more refined and less cruel than Sherman could
have imagined. Being both vitally dependent on and a champion of an open,
secure, interoperable, and reliable Internet, the United States should have
and seemingly has a general aversion to cyber war, on both normative
and strategic grounds. In keeping with that aversion, as well as with the dif-
ficulty of controlling cyber war once begun, the United States should resort
to such warfare only when failure to do so could have grave consequences.
If cyber war is war, the United States should observe the laws of war gov-
erning discrimination and proportionality, just as it has a profound interest
in others observing them. At the same time, because the effects and course of
cyber war are not entirely controllable or predictable, the United States must
recognise that these norms, in particular, are difficult to monitor and police.
Therefore, while US policy should be to promote these norms internationally
which implies living by them their application cannot be unrealistically strict.
Cyber war against military targets during armed conflict or in retaliation
for cyber attack meets the standard of treating cyber attacks as acts of war,
to be conducted only when not doing so would have grave consequences.
Such warfare would also be broadly consistent with the norms of discrimi-
nation and proportionality. At the same time, if the resort to cyber war is
indicated by such circumstances, the United States should be prepared to
act robustly, inasmuch as tentative or pin prick cyber war may entail less
gain than risk, including the risk of failure.
Accordingly, for cyber war on military targets during armed conflict, the
United States should attain and maintain offensive superiority in order to
offset its cyber vulnerabilities, retain its overall militaryoperational advan-
tage and gain escalation control. For retaliation, the United States should
have and be ready to use capabilities to visit unacceptable costs on systems
critical to the operation and control functions of the attacking state, while
attempting to avoid any damage to wider societal and economic well-being.
For the sake of deterrence, the United States should effectively indicate that
the confidence it feels in its own attribution capabilities is sufficient to
justify retaliation when warranted.
The US use of cyber-war threats for purposes of coercion could do vio-
lence to the general US opposition to cyber war, the position that such war
 Waging Cyber War the American Way | 27

is genuine war and the standard that only grave circumstances warrant it.
Moreover, cyber war for the purpose of coercion is on the whole an unprom-
ising concept against weak adversaries: it might fail, undermine beneficial
norms, lead to international scorn (whether coercion works or not) and
cause non-cyber responses. Against strong adversaries, it could also lead to
damaging retaliation and escalation, from which there could be no winner.
In sum, general US offensive policy should be to avoid cyber war except
as a military operation carried out against enemy forces during armed con-
flict or in retaliation for attack. For these two purposes, the United States
should be second to none in its ability to wage cyber war, and to make it
count when no choice remains.

Notes
1 William Tecumseh Sherman, letter to
the mayor and city council of Atlanta,
12 September 1864, available at http://
history.ncsu.edu/projects/cwnc/items/
show/23.
2 Lawrence J. Cavaiola, David C.
Gompert and Martin Libicki, Cyber
House Rules: On War, Retaliation,
and Escalation, Survival, vol. 57, no. 1,
FebruaryMarch 2015, pp. 81104.
3 Broadly speaking, we define cyber
war as being destructive or harmfully
disruptive; thus, it would not include
cyber espionage or cyber theft.
4 US Department of Defense (DoD),
The Department of Defense Cyber
Strategy, April 2015, p. 2, http://
www.defense.gov/home/fea-
tures/2015/0415_cyber-strategy/
Final_2015_DoD_CYBER_STRATEGY_
for_web.pdf.
5 Ibid.
6 See Oona A. Hathaway et al., The
Law of Cyber-Attack, California Law
Review, vol. 100, 2012, pp. 81786.
7 The difficulty of control potential
for both vertical and horizontal
escalation is addressed in depth
in Cavaiola, Gompert and Libicki,
Cyber House Rules.
8 See, for example, Vice Admiral Ted
N. Branch, A New Era in Naval
Warfare, Proceedings, vol. 140/7/1,337,
July 2014, http://www.usni.org/
magazines/proceedings/2014-07/
new-era-naval-warfare.
9 The US government has never admit-
ted that it was in collaboration with
Israel in attacking the computer
program that controlled Iranian ura-
nium-enrichment centrifuges.
10 Chinese Defense Ministry spokes-
man Geng Yansheng, as quoted
in Joshua Philipp, China Wars
of Internet Arms Race as US
Military Starts Fighting Back in
Cyberspace, Epoch Times, 30 April
2015, http://www.theepochtimes.com/
n3/1340042-china-warns-of-internet-
arms-race-as-us-military-starts-fight-
ing-back-in-cyberspace/.
11 See Cavaiola, Gompert and Libicki,
28 | David C. Gompert and Martin Libicki
Cyber House Rules.
12 See David C. Gompert and Hans
Binnendijk, The Power to Coerce,
RAND Blog, 10 July 2014, http://www.
rand.org/blog/2014/07/the-power-to-
coerce.html.
13 See Norton A. Schwartz and Jonathan
W. Greenert, AirSea Battle, American
Interest, 20 February 2012, http://www.
the-american-interest.com/2012/02/20/
air-sea-battle/.
14 Cavaiola, Gompert and Libicki, Cyber
House Rules, p. 81.
15 For discussion of the applicability
of the laws of war to cyber war, see
Martin C. Libicki, Crisis and Escalation
in Cyberspace (Santa Monica, CA:
RAND, 2012), pp. 2936.
16 The use of third-party, and possibly
neutral, servers cannot be excluded.
17 These arrangements are explained in
Cavaiola, Gompert and Libicki, Cyber
House Rules, pp. 8894.
18 More specifically, Cyber Commands
Cyber Mission Force would pro-
vide Combat Mission Forces and
Cyber Protection Teams for integra-
tion into combatant commands
plans and operations. In parallel, a
National Mission Force would operate
directly under Cyber Commad. DoD,
The Department of Defense Cyber
Strategy, p. 6.
19 Cavaiola, Gompert and Libicki, Cyber
House Rules, p. 89.
20 DoD, The Department of Defense
Cyber Strategy, p. 1.
21 Ibid., p. 12.
22 Depending on the context, the United
States might find that it is in its inter-
est to regard a certain cyber attack
as an act of war and another of equal
destructiveness as not an act of war.
23 A related question is whether to
retaliate against a state which uses or
encourages non-state agents to wage
cyber war against the United States.
While this will certainly depend
on the circumstances, the general
US posture should be to hold states
responsible for attacks perpetrated by
persons under their sovereign control.
24 The United States has been careful
not to say that retaliation for a cyber
attack would be in the form of a cyber
attack, thus keeping open the option
of conventional military reprisal.
25 See Gompert and Binnendijk, The
Power to Coerce.
26 The affected software may need to be
replaced or repaired (because it would
otherwise be subject to re-attack).
Replacement is relatively inexpensive.
Repair can be expensive, but leaving
vulnerabilities unpatched may be far
more costly.
27 Whether or not these materials are
accurate, what matters is that they are
regarded as true by others.
28 Recent observations that todays
hackers are not taking great pains to
cover up their national origins may
be part of a strategy by countries to
gain implicit credit for clever hacks
they may still explicitly deny carrying
out. Or, it may reflect the increasingly
obvious conclusion that national (in
contrast to personal) attribution has
no consequences and thus is not worth
making much effort to avoid.
29 More information is available on how
long it takes for organisations to over-
come infections, but systems can be
run while infected if they need to be.
30 See Cavaiola, Gompert and Libicki,
Cyber House Rules.