In the wake of recent and ongoing revelations about the massive SolarWinds hack, which granted the hackers access to a long list of U.S. government and partner systems and raises serious national security concerns, a wide range of politicians and cyber analysts have been quick to call for increased investments in U.S. cyber capabilities and operations to meet the threats of an increasingly cyber-capable world. However, these calls too often overlook another approach to meeting the threat that has received far less attention and resources: cyber diplomacy.
“Advocates of deterrence, whether nuclear or cyber, often fail to acknowledge that the very act of pursuing and fielding new capabilities inspires others to do the same.”
Similarly to many in the field of nuclear weapons policy, proponents of expanding our cyber capabilities tend to view the threats we face in cyberspace through the lens of deterrence—as the logic goes, we need to increase and display our capabilities in order to deter attacks. In the nuclear world, that logic has meant building and deploying new nuclear weapons, like the recently deployed low-yield W76-2 warhead that was designed to be “more usable,” despite obvious concerns that this could increase rather than decrease the risk of nuclear war.
In the cyber world, deterrence has sometimes meant infiltrating systems of our adversaries without actually attacking them—a demonstration that if provoked, we would be able to respond dramatically—but it can also mean retaliation to deter future attacks. Tellingly, advocates of deterrence, whether nuclear or cyber, often fail to acknowledge that the very act of pursuing and fielding new capabilities inspires others to do the same. Examples of this in the nuclear space abound, but one need not look far in the short history of cyberspace to find compelling examples there as well.
When the U.S. deployed the Stuxnet virus against Iran with the goal of setting back its nuclear program and incentivizing Iran to negotiate, the effort seemed to go as planned—the U.S. destroyed around a thousand Iranian centrifuges, machines that refine uranium, and Iran took more centrifuges offline as a precaution. Arguably, despite Iran tripling its number of centrifuges in the wake of the attack, the hack—along with a host of other factors—accelerated Iran’s approach to the negotiating table. But the long-term drawbacks became clear when Iran responded with heavy investments in cyber capabilities and a wave of hacks against U.S. financial institutions that even its far less sophisticated cyber program was able to orchestrate with relative ease.
In The Perfect Weapon, a prominent book on the subject of cyberwar and international relations, New York Times correspondent David Sanger argued that the U.S. could have used the opportunity of the revelations around the Stuxnet attack to pursue diplomacy to limit the use of cyber weapons, but chose not to. As Sanger explained, the U.S. had a lead over other nations in the development of cyber capabilities, and may have risked losing that lead if it agreed to limitations. But a stronger motivation, he argued, was that diplomacy would have put the brakes on a wide range of U.S. cyber operations already underway.
Both of these concerns illustrate a perennial problem in U.S. foreign policy—a short-sightedness we cannot seem to correct. For one, the U.S. may not maintain this lead for long, if it still in fact does. More importantly, pursuing a temporary advantage in cyberspace at the expense of diplomacy excludes a far more promising strategy for preventing the proliferation of cyber attacks than the shaky logic of deterrence.
One impediment to cyber diplomacy is that it is often difficult to prove the origin of an attack, making accountability and enforcement of any potential agreement a particular challenge. Notably, this presents a similar problem for advocates of deterrence, as deterring adversaries is more challenging if those adversaries believe they can successfully obscure the origin of their attacks. Regardless, attribution challenges are no reason to forgo diplomacy.
International agreements do not need to be perfect—they rarely are. For diplomacy to be worthwhile, it simply needs to offer more hope for reducing risk than its alternatives, and in this case it clearly does. Securing agreements against the use of cyber weapons, particularly where civilians and vital infrastructure are concerned, would increase the potential political cost of launching such attacks, whether or not their involvement could be definitively proven, and over time, as with nuclear weapons, it could create a cultural taboo against their use. It would also reduce the global demand for investments in cyber warfare that could be better spent on the provision of human needs like housing, healthcare, and sustainable energy.
The incoming Biden-Harris administration should prioritize cyber diplomacy by investing in State Department capacity on cyber issues and pursuing multilateral negotiations with the major players in cyberspace, particularly Russia and China. The alternatives—a cyber arms spending spree and endless cycles of retaliatory cyber attacks—are both costly and dangerous. At best, such alternatives squander valuable resources while offering us a false sense of security through the dubious logic of deterrence. At worst, they could lead to a tit-for-tat cycle of escalation that ends in catastrophe. It should be an easy decision.
This post was originally published on Radio Free.