Getty Images / seksan Mongkhonkhamsao

Will Biden’s ‘Severe Costs’ on Russia Include Cyber Attacks?

We should know more about U.S. cyber operations by now.

What if the “severe costs”—the damage the United States and its allies cause to the Russian military and government should they invade Ukraine—comes not with just sanctions, but through the use of cyber operations? Will we ever know?

Despite all of the attention paid to the deployment of 3,000 U.S. troops to Poland to support NATO’s defense, satellite images of Russian troops amassed on the Ukrainian border, and potential sanctions if Putin opts to invade, we simply don’t know what actions may or may not be taken in cyberspace by the U.S. government or NATO. But we should know something. Congress and the Biden administration should use this moment to ensure that, whatever Americans are told, it is the best possible and most transparent understanding of how their government is protecting the nation and its allies.

So far, the White House and intelligence offices at the FBI, National Security Agency, and Department of Homeland Security are actively warning about Russian state-sponsored malign cyber activity, but the U.S. government does not articulate how it might respond. This outdated lack of transparency about the true conduct of 21st century asymmetric war—or hostile activity below the threshold of war—clouds the domestic and geopolitical debate and hinders our ability to formulate policy options and inform decisions about military preparedness, engagements, and diplomacy.

The surveillance debate of the past 20 years, and the backlash to unauthorized disclosures of classified information, offer lessons about today’s current secrecy surrounding U.S. government cyber operations. The traditional arguments for keeping such information so highly guarded and classified are similar: how cyber activities are conducted must be protected lest the techniques become exposed and eventually useless. But important aspects of the surveillance information environment have changed in the past decade, paving the way for greater transparency. And the secrecy itself may have lowered confidence in the value of the underlying activities.

The debate is worth having. Greater transparency could enable better policymaking. It might also help nations, governments, and the global private sector better protect against malign nation-state cyber activity. In the physical world, although militaries endeavor to protect operational security, their troop deployments, movements, and combat actions are more easily visible to the public. But even when operations are kept secret, such as the U.S. military operation this month to capture the leader of ISIS in Syria, the event is generally known and acknowledged publicly after the fact. Where U.S. leaders draw the line for secrecy will always depend on each circumstance, but it’s time to rethink the rules and our assumptions.

A starting point would be the development of principles of transparency for cyber threats and operations, modeled on the Principles of Intelligence Transparency For the Intelligence Community. Those rules of the road were written seven years ago, following the unauthorized disclosures of classified information regarding U.S. government surveillance activities begun by Edward Snowden in 2013, and in light of the subsequent domestic and international reactions to those disclosures and associated privacy and civil liberties issues raised. The principles provided guidance to the intelligence community about how to approach declassifying information and engaging in public fora the authorities, policies, procedures, oversight, and compliance frameworks surrounding intelligence activities.

Today, the intelligence community and the homeland security enterprise engage in information sharing to better protect U.S. critical infrastructure and other assets that reside in the private sector. And, under the leadership of Avril Haines, a director of national intelligence who recognizes the value in transparency, the intelligence community has leaned very far forward in releasing information it has learned in order to inform diplomacy and public dialogue in advance of a potential Russian invasion.

Military planners and operators may counter that secrecy is an essential component of successful cyber operations. But there is a way in which governments can acknowledge the contours and use of cyber operations in a way that enables a more honest policy debate but does not compromise effectiveness. From time to time, congressional hearings or on-the-record interviews have revealed meaningful information about certain cyber engagements or activities, such as cyber operations as they relate to international terrorism organizations, like ISIS. Congressional, expert, and media response to the SolarWinds cyber event last year—which only came to light as a result of private sector public disclosure in December 2020—demonstrates how misinformed reactions to such events can vary wildly. In that case, they ranged from panicked allegations that war had started to calmer observations that the U.S. may be simply on the receiving end of the same type of nation-state cyber espionage activity it also may engage in. The lack of transparency about U.S. cyber operations appears to be increasingly hindering an honest policy conversation about deterrence, response, and engagement.

As Russia continues its physical military buildup on Ukraine’s border, Kyiv claims its networks have suffered significant cyberattacks this week. Has Ukraine, the U.S., or other NATO members responded in some way already that we don’t know about? The lack of openness about how nations are operating in the cyber domain may be limiting the world’s understanding of what activities may be going on behind the scenes, and what options are actually on the table. If Putin invades Ukraine, there will be costs. A framework for articulating how the U.S. and its allies intend to respond across all domains, including cyber, would be a valuable step forward in effectively communicating the high stakes at play for all involved.

Carrie Cordero is the Robert M. Gates senior fellow at the Center for a New American Security. She previously served as counsel to the assistant attorney general for national security and senior associate general counsel at the Office of the Director of National Intelligence.