Getty Images / seksan Mongkhonkhamsao

Will Biden’s ‘Severe Costs’ on Russia Include Cyber Attacks?

We should know more about U.S. cyber operations by now.

What if the “severe costs”—the damage the United States and its allies cause to the Russian military and government should they invade Ukraine—comes not with just sanctions, but through the use of cyber operations? Will we ever know?

Despite all of the attention paid to the deployment of 3,000 U.S. troops to Poland to support NATO’s defense, satellite images of Russian troops amassed on the Ukrainian border, and potential sanctions if Putin opts to invade, we simply don’t know what actions may or may not be taken in cyberspace by the U.S. government or NATO. But we should know something. Congress and the Biden administration should use this moment to ensure that, whatever Americans are told, it is the best possible and most transparent understanding of how their government is protecting the nation and its allies.

So far, the White House and intelligence offices at the FBI, National Security Agency, and Department of Homeland Security are actively warning about Russian state-sponsored malign cyber activity, but the U.S. government does not articulate how it might respond. This outdated lack of transparency about the true conduct of 21st century asymmetric war—or hostile activity below the threshold of war—clouds the domestic and geopolitical debate and hinders our ability to formulate policy options and inform decisions about military preparedness, engagements, and diplomacy.

The surveillance debate of the past 20 years, and the backlash to unauthorized disclosures of classified information, offer lessons about today’s current secrecy surrounding U.S. government cyber operations. The traditional arguments for keeping such information so highly guarded and classified are similar: how cyber activities are conducted must be protected lest the techniques become exposed and eventually useless. But important aspects of the surveillance information environment have changed in the past decade, paving the way for greater transparency. And the secrecy itself may have lowered confidence in the value of the underlying activities.

The debate is worth having. Greater transparency could enable better policymaking. It might also help nations, governments, and the global private sector better protect against malign nation-state cyber activity. In the physical world, although militaries endeavor to protect operational security, their troop deployments, movements, and combat actions are more easily visible to the public. But even when operations are kept secret, such as the U.S. military operation this month to capture the leader of ISIS in Syria, the event is generally known and acknowledged publicly after the fact. Where U.S. leaders draw the line for secrecy will always depend on each circumstance, but it’s time to rethink the rules and our assumptions.

A starting point would be the development of principles of transparency for cyber threats and operations, modeled on the Principles of Intelligence Transparency For the Intelligence Community. Those rules of the road were written seven years ago, following the unauthorized disclosures of classified information regarding U.S. government surveillance activities begun by Edward Snowden in 2013, and in light of the subsequent domestic and international reactions to those disclosures and associated privacy and civil liberties issues raised. The principles provided guidance to the intelligence community about how to approach declassifying information and engaging in public fora the authorities, policies, procedures, oversight, and compliance frameworks surrounding intelligence activities.

Today, the intelligence community and the homeland security enterprise engage in information sharing to better protect U.S. critical infrastructure and other assets that reside in the private sector. And, under the leadership of Avril Haines, a director of national intelligence who recognizes the value in transparency, the intelligence community has leaned very far forward in releasing information it has learned in order to inform diplomacy and public dialogue in advance of a potential Russian invasion.

Military planners and operators may counter that secrecy is an essential component of successful cyber operations. But there is a way in which governments can acknowledge the contours and use of cyber operations in a way that enables a more honest policy debate but does not compromise effectiveness. From time to time, congressional hearings or on-the-record interviews have revealed meaningful information about certain cyber engagements or activities, such as cyber operations as they relate to international terrorism organizations, like ISIS. Congressional, expert, and media response to the SolarWinds cyber event last year—which only came to light as a result of private sector public disclosure in December 2020—demonstrates how misinformed reactions to such events can vary wildly. In that case, they ranged from panicked allegations that war had started to calmer observations that the U.S. may be simply on the receiving end of the same type of nation-state cyber espionage activity it also may engage in. The lack of transparency about U.S. cyber operations appears to be increasingly hindering an honest policy conversation about deterrence, response, and engagement.

As Russia continues its physical military buildup on Ukraine’s border, Kyiv claims its networks have suffered significant cyberattacks this week. Has Ukraine, the U.S., or other NATO members responded in some way already that we don’t know about? The lack of openness about how nations are operating in the cyber domain may be limiting the world’s understanding of what activities may be going on behind the scenes, and what options are actually on the table. If Putin invades Ukraine, there will be costs. A framework for articulating how the U.S. and its allies intend to respond across all domains, including cyber, would be a valuable step forward in effectively communicating the high stakes at play for all involved.

Carrie Cordero is the Robert M. Gates senior fellow at the Center for a New American Security. She previously served as counsel to the assistant attorney general for national security and senior associate general counsel at the Office of the Director of National Intelligence.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.