A Chicago way response model could fall afoul of international rules and norms in some circumstances, however, and risks escalating cyber conflicts rather than deterring them, a top international law scholar told Nextgov.
Nielsen’s statement came after a fiery speech at George Washington University during which she warned U.S. cyber adversaries that the nation’s “days of cyber surrender are over” and declared that the Trump administration is “replacing complacency with consequences [and] replacing nations’ deniability with accountability” in cyberspace.
“By the time a country is attacking civilian networks, civilian assets … it’s not a fair fight,” Nielsen said when asked about U.S. efforts to deter adversary nations’ cyber meddling.
“That’s not how the international world has created norms and standards and I don’t think [our response] should be commensurate, I think it should be more,” she added.
Nielsen prefaced both statements by saying she was speaking for herself, not stating administration policy.
Nielsen described numerous possible U.S. responses to cyber strikes, including diplomatic efforts and trade actions such as sanctions. Some responses will also be “unseen,” she said, a likely reference to covert intelligence operations.
While Nielsen’s punch-back-harder cyber response strategy could send a muscular signal to U.S. adversaries, it also risks sowing confusion about how the U.S. will actually respond to a cyberattack and what is acceptable under international laws and norms, Michael Schmitt, an international law professor at the U.S. Naval War College, told Nextgov.
“I don’t like the statement because sometimes it’s 100 percent accurate and sometimes it’s way off base,” said Schmitt, who directed work on the most recent version of the Tallinn Manual, a NATO-affiliated guidebook for how international law should apply in cyberspace.
International laws and norms generally require proportionality when one nation responds to another’s aggression, but the word “proportionality” is used differently in different circumstances, Schmitt said.
For the sort of disruptive-but-not-destructive cyber operations that the U.S. regularly deals with, such as corporate data breaches, “proportionality” generally means the victim’s response should be lawfully equivalent to the offense, Schmitt said.
For a cyberattack that causes significant destruction or loss of life, however, such as shutting down an electricity grid or upending the U.S. financial system, “proportionality” generally means the victim can do whatever is necessary to make the attack stop even if it exceeds the destructiveness of the original attack, Schmitt said. The victim can’t, however, pile on the destructiveness just for kicks, he said.
In both cases, the response needn’t take place in cyberspace simply because the initial assault did, he said.
Schmitt’s preference, he said, would be for the U.S. to lay out in greater detail how it will respond to particular adversary actions in cyberspace and which red lines adversaries shouldn’t cross.
U.S. officials have historically been hesitant to lay out those detailed response plans for fear of losing flexibility or encouraging adversaries to take actions that fall just below the stated red lines.
“I believe there are times when you need to hit back and hit back hard,” Schmitt said. “I understand why [Nielsen] made the statement, but I would like to see more granularity … I believe more clarity will increase the likelihood of deterrence and diminish the likelihood of escalation.”