When Would Cyber War Lead to Real War?

U.S. Air Force Photo

AA Font size + Print

The method of an attack does not dictate the means of reprisal. By Vincent Manzo

When would attacks on satellites or computer networks justify retaliation with conventional weapons?

Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, recently addressed this question at a forum at the Brookings Institute:

“[T]here is an assumption out there, I think, and I would like to disabuse you of it, that a cyber attack that had destructive effects would be met by a cyber response…That’s not necessarily the case…And I think that what the president of the United States would insist upon, actually, is that he had the options and the freedom of movement to decide what kind of response we would employ. And that’s why I say I don’t want to have necessarily a narrow conversation about what constitutes war in cyber, because the response could actually be in…one of the other traditional domains.”

In other words, the method of an attack does not dictate the means of reprisal.

That Dempsey took care to say a cyber attack with “destructive effects” makes clear that he was not referring to cyber espionage and theft but an operation that causes death and destruction. Dr. Michael Nacht, a former assistant secretary of defense for global strategic affairs, described Dempsey’s statement as an “opaque” but “thoroughly vetted” reference to cross-domain deterrence — which essentially means Dempsey is threatening to respond to attacks in space or cyberspace by using military force against land, air, or sea-based targets and vice versa.

Previous official statements of U.S. policy are consistent with Dempsey’s. The Defense Department’s November 2011 Cyberspace Policy Report explained that the U.S. would interpret hostile acts in cyberspace based on their purpose, effects and the context in which they occur and is prepared to “respond militarily in cyberspace and in other domains.” A more recent DOD statement on deterrence in space stated that “acts in space take place in a broader, geopolitical context. Those acts are undertaken to achieve some effect on earth, whether it be obtaining an operational advantage in another domain or obtaining a desired political or social effect,” and U.S. responses will “not be limited to the space domain, but rather will occur at the time and place of our choosing.”

Rather than drawing unambiguous red lines, these statements offer a more general message to potential adversaries: as with other strategic domains, nobody can mount significant attacks against the U.S. in space and cyberspace without risking war. That was clearly Dempsey’s point when he suggested we “think of cyber as a domain not unique to all others, it has many common features of other domains, that is land, sea, air, and space.”

According to this principle, if counter-space (an attack on satellites or their ground-based infrastructure) or cyber operations render U.S. forces less capable of defending against conventional missile strikes, the domain in which the initial provocations took place (cyber) would be less important than the results: degrading U.S. military capabilities on the cusp of a war. Restoring force protection and reducing vulnerability would, among other goals, dictate U.S. responses regardless of whether this required a retaliatory cyberattack or counter-space attack against the adversary’s military sensors or kinetic attacks against its conventional missile forces.

Translating this principle into practice, of course, would not be this simple. Although it is obvious that cross-domain responses would only be appropriate in extreme cases, U.S. officials would have to weigh scenario-specific considerations about effectiveness, attribution, proportionality, escalation and diplomacy. Whether they thought the attacks were the first stage of a larger conventional war plan would be an important factor, which speaks to the importance of U.S. discussions of cross-domain issues with China and Russia to reduce the risks of miscalculation and crisis instability.

Looking forward, analyzing potential responses to different types of space and cyber attacks in different contexts will be integral to maintaining a credible deterrence posture. In the meantime, Dempsey’s remarks are a valuable reality check to abstract discussions of wars unfolding entirely in outer space and between computers. Even in the unlikely event that offensive operations remain in these domains, the goal would be to influence events in the physical world. Attacks that unleash profound consequences will invite fierce retribution. That is a prudent rule of thumb for defense strategists — and their adversaries — in every country to keep in mind.

Vincent Manzo is a fellow in the Defense and National Security Group of the CSIS International Security Program. His research portfolio includes U.S. defense strategy, nuclear weapons, missile defense, space and cyber policy, with a focus on exploring deterrence, employment strategies and escalation control in the emerging strategic environment.

Close [ x ] More from DefenseOne

Thank you for subscribing to newsletters from DefenseOne.com.
We think these reports might interest you:

  • Federal IT Applications: Assessing Government's Core Drivers

    In order to better understand the current state of external and internal-facing agency workplace applications, Government Business Council (GBC) and Riverbed undertook an in-depth research study of federal employees. Overall, survey findings indicate that federal IT applications still face a gamut of challenges with regard to quality, reliability, and performance management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • GBC Issue Brief: Supply Chain Insecurity

    Federal organizations rely on state-of-the-art IT tools and systems to deliver services efficiently and effectively, and it takes a vast ecosystem of organizations, individuals, information, and resources to successfully deliver these products. This issue brief discusses the current threats to the vulnerable supply chain - and how agencies can prevent these threats to produce a more secure IT supply chain process.

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Information Operations: Retaking the High Ground

    Today's threats are fluent in rapidly evolving areas of the Internet, especially social media. Learn how military organizations can secure an advantage in this developing arena.


When you download a report, your information may be shared with the underwriters of that document.