Testifying before the Senate Armed Services Committee last month, retired Gen. Keith Alexander, who recently stepped down as head of U.S. Cyber Command and director of the National Security Agency, expressed misgivings about America’s deterrent posture in cyberspace. In particular, he raised concerns about the lack of a threshold that, when crossed by cyberattackers, would prompt a U.S. response. According to Alexander, “The question is, when do we act? That’s a policy decision. . . . What we don’t want to do is let it get to the point where we find out, ‘OK, that was unacceptable,’ and we didn’t set the standard.”
Alexander is raising the problem of “red lines.” Deterrence requires several elements to be successful. At its heart, deterrence is about preventing an adversary from taking an action through the credible threat of unacceptable counteraction. For a threat to be credible, an adversary must believe that the party seeking to deter it has both the capabilities and the will to carry out the threat. The adversary also needs to know what behavior is unacceptable—namely, what standards it will be held to, what red lines it must not cross.
Deterrence in cyberspace is more challenging. The United States possesses political, military and economic tools to make credible retaliatory threats for unacceptable cyberattacks, and it has demonstrated its willingness to use them when its vital interests are threatened in noncyber domains. However, uncertainty about U.S. cybercapabilities has created a gap in its deterrent posture. Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff, often raised concerns about the secrecy that surrounded U.S. cybercapabilities. Simply put, so long as those capabilities remained secret, they could not deter anyone. The administration’s unofficial acknowledgment in 2012 of responsibility for the Stuxnet worm attacks on Iranian nuclear facilities, and the Snowden revelations in 2013, filled that void.