The SolarWinds Hack Doesn’t Demand a Violent Response

The SolarWinds hack – now attributed to Russia by U.S. government representatives including Mike Pompeo – has caused enormous damage. Perhaps it should come as no surprise, then, that a massive chorus of voices is calling on Joe Biden, once he takes office, to hit back hard. Deterrence is needed, we’re told. Yes, we need deterrence, but deterrence is more than retaliation, and massive retaliation against an espionage hack would be foolhardy.

“Deterrence,” explains Dr. Strangelove in Peter Sellars’s eponymous masterpiece, “is the art of producing in the mind of the enemy the fear to attack.” The hackers who, through an inadvertent opening provided by SolarWinds, infiltrated countless U.S. government departments and agencies — including the departments of State and Homeland Security — clearly didn’t have any fears of attacking. Clearly, that must change. So it is that over the past couple of weeks deterrence has become the concept du jour. Biden (Trump seems out of the equation) should hit Russia hard to show that America means business, we’re told.

Here’s the thing: we already have deterrence. Virtually all countries have deterrence. Deterrence is simply the combination of the defensive and offensive measures known to a country’s would-be-attackers. The deterrence capabilities can belong to a country or be extended to it by an ally, as is the case with the U.S. nuclear umbrella. Based on this combined picture, a prospective attacker decides whether an attack is worth the trouble. The point is this: deterrence isn’t just whatever retaliation a targeted country thinks up after an attack. Deterrence is a result of its reputation for deterrence by resilience and deterrence by punishment. 

Yet retaliation is becoming the honeypot of the post-SolarWinds debate. I, too, have argued for it, and there’s no doubt that the United States needs to demonstrate to Russia that hacks like the SolarWinds can’t be tolerated. But calling on Biden to hit Russia hard is where the argument enters dangerous territory. The U.S. Senate Intelligence Committee has declared that the SolarWinds hack was an espionage mission. The Russian hackers penetrated lots of government departments and agencies along with companies and foreign governments – but even though there’s only a thin line between espionage and disruption in cyberspace, to all available evidence they use the opportunity to disrupt. It’s possible they simply didn’t want to go that far – but it’s also possible that US cyber deterrence is so successful that it produced in the minds of the Russians the fear of doing so.

What’s more, the United States and other Western countries, too, engage in espionage, both the traditional HUMINT kind and via the world’s data networks. It’s possible that Russia will at one point uncover U.S. infiltration of SolarWinds magnitude. Now imagine if Biden “hits Russia hard” in response to SolarWinds. What will happen, then, when Russia discovers a major hack by the United States? That’s right: it will have no choice but to hit hard back. Would the United States simply take such a blow without responding? 

Deterrence, as the deterrence scholars reading this know, rests on credibility. If the announced punishment is disproportionate it lacks credibility and will not be taken seriously by the attacker. It won’t be taken seriously because it brings a significant risk of escalation. If Biden hit Russia hard, it wouldn’t just bring the risk of the U.S. receiving a similar hit following the discovery of a major espionage hack on Russia; it also carries the risk of Russia retaliating against what it perceived to be unjust punishment, and voilà, the cycle of violence spins out of control. Instead of creating deterrence against future attacks, retaliation risks escalating confrontation. This is why no Western countries vow to avenge cyber attacks with kinetic strikes: it too carries too large a risk of escalation. To date, Israel remains the only country to have avenged a cyber attack by bombing, as it did against Hamas last year. As for Biden himself, he’s said that he will respond “in kind” – that is, proportionately.

Indeed, massive force is not the only thing that produces in the mind of the enemy the fear to attack. Deterrence by resilience can do so by reducing the attacker’s success so dramatically that it’s not worth the effort. Translated to the cyber domain, that means better security – and Biden has vowed to make that a priority. But most deterrence also requires a punishment side. Fortunately, we’re not the first to try to establish how to punish an attack without escalating the confrontation. Thomas Schelling, the economist-turned-key-deterrence-thinker, did so in a decades-spanning career. Indeed, he won the 2005 Nobel Prize in economics not for his contributions to the field of economics but for his contributions to deterrence. In its prize motivation, the Nobel committee highlighted how Schelling had established “that uncertain retaliation is more credible and more efficient than certain retaliation. These insights have proven to be of great relevance for conflict resolution and efforts to avoid war.”

Uncertain retaliation increases the fear factor: how will the attacked country respond? When will it do so? Whom, which institutions will it target? I call this asymmetric punishment; in Foreign Policy earlier this month I outlined how the Biden administration can use asymmetry to increase the power of proportionate retaliation and thus strengthen deterrence against future attacks. Cyber attacks may be a new form of national security threat, but fortunately the United States and its allies (and indeed their adversaries) have a formidable body of Cold War deterrence knowledge on which to build. That matters because deterrence is not primarily about weapons: it’s about psychology.