It’s time to define how deterrence applies to foes who strike with software instead of missiles


Russian hacking. Did it affect our election? Did it happen at all?

The use of force by a nation is an extension of political policies. For millennia, nations have engaged in war as a tool to achieve national ends, or sometimes as an end in itself — waging war to create a national political consensus or to deflect attention from ineffective domestic policies.

Until World War I, wars were fought between military forces. Populations were largely not active participants. However, starting in World War I, direct attacks on citizens became part of warfare with the bombing of London by Germans.

This addition of civilians as a direct target underpinned war strategies in World War II and beyond. Now, the balance of terror — the possibility of a direct and enormous attack on a nation’s citizens — is the basis of war and its deterrence.

There have always been rules for how nations engage in war through international treaties and customary practice. As the calculus changed and force projected onto civilians became an accepted practice, a global consensus emerged for how and when this would occur.

There was an expectation of proportionality: conventional force was to be met with conventional force and nuclear weapons with nuclear weapons. National security — the process of protecting American citizens — functioned within these clearly described expectations. War was to be waged by nations through their militaries.

However, over the last 15 years, we have seen this international consensus erode significantly. For example, we struggled with the correct military response to the September 11 attack on the World Trade Center carried out not by a nation, but by a terrorist group. More recently, Americans were unsure how to react when the North Korean government cyber attacked the servers of Sony, a private company.

Enter cyber warfare. Each day we are more reliant on software and the Internet as the backbone of our economy, and that leaves us vulnerable. Consider the chaos that would be caused by a widespread power outage that lasted weeks. Or the incalculable cost of a widespread disruption of our financial markets or records. Imagine the cost to our national discourse if the information we rely on is tainted by intentional misinformation fostered by a national adversary. Each of these harms could occur through nothing more than the use of software and computing power.

We have grown up with the expectation that America’s most existential threats would come from other countries using physical force against us. We are armed and have adopted policies for how our military would retaliate if attacked. We have a plan for how to react if another country dropped a nuclear bomb on Washington, or if it sent paratroopers to capture an oil pipeline in Saudi Arabia. This is the basis of our national security — because our adversaries know in advance how we would react, they are deterred from attacking us through use of force.

But what’s our plan if the use of force isn’t physical force at all, but the use of software and hacking skills? Do we have a plan when the attackers themselves might be acting on their own and not as part of a country’s military plan against America? What is our plan if the attack is on our businesses and citizens directly?

Deterrence — the promise that force will be met with force — is the backbone of our national security. What constitutes warfare in the 21st century must be clearly defined, and expectations of our likely response to a cyber attack must be clearly described to both friend and foe. Failure to do this will only embolden those who wish to do us harm.



Full column can be found at
