The West is in the middle of an undeclared cyberwar with Russia. The problem is, few Western leaders want to publicly acknowledge this or, apparently, do much about it. If Washington hopes to get European allies on board with its new, more competitive approach to Russia, it will have to start by leading the West in a clear-eyed assessment of the situation at hand and taking concrete steps to turn the tide through offensive cyber operations.
Offensive cyber operations are something that the West has only reluctantly and recently embraced. There are good reasons for treading carefully here—attribution is difficult in cyberwarfare, as are avoiding collateral damage, appearing as meddlesome as Moscow, and thwarting escalatory counterattacks.
Nonetheless, in 2017 NATO made the rather contentious decision to embrace cyber operations in alliance military missions, moving beyond merely defensive measures. There are major challenges to be overcome in how NATO will operationalize that decision, including in command and control of cyberwarfare assets and tools.
The United States took an important step forward in the development of those tools through the creation of cyber mission forces. Consisting of roughly 5,000 personnel spread across 133 teams, the U.S. Cyber Command’s Cyber Mission Force will be fully operational by later this year. The U.S. Army has already begun putting cyber-electromagnetic warfare teams into its brigades.
Even with the right tools in place, it is unclear if the West has much of an appetite to strike back. For instance, the West’s cyber response to Russia’s election meddling appears limited and uncoordinated at best. In mid-February, officials from the U.S. intelligence community testified that they had not been explicitly directed by the president to strike back at Russia, despite their unanimous assessment that Moscow sought to influence the 2016 U.S. election and will do so again in the 2018 mid-terms and in the 2020 general election. Some officials at the hearing obliquely referred to “a significant effort” to disrupt Russian activities through “all kinds of steps,” even while admitting there is no single U.S. agency in charge of countering Moscow’s meddling.
Obfuscation such as this has its benefits, for example in terms of maintaining operational security and preventing our adversaries from knowing what we’re up to. However, it fails to carry sufficient deterrent punch—to disincentivize adversaries from attacking us in the first place.
The previous administration was somewhat more willing to send a deterrent message. When describing a new cyberwarfare initiative against ISIS, then deputy secretary of defense Robert O. Work said, “We are dropping cyber bombs. We have never done that before.” In contrast, some U.S. officials today have been reluctant even to establish a deterrent posture, essentially arguing there’s not much the West can do to preempt Russian behavior once Moscow has made up its mind to interfere. This risks turning into a vicious cycle—if the United States and its allies refuse to counterstrike, foreign adversaries are more likely to attack.
Among America’s major European allies, there appears to be continued reluctance to engage Russia in its cyberwar against the West, much less acknowledge that offensive cyber operations may be necessary. In Germany, the Interior Ministry is responsible for cybersecurity strategy, the Bundeswehr remains unable to respond to attacks on civilian cyber infrastructure, and Berlin’s approach to cybersecurity emphasizes defense and resilience. France’s cyber strategy, while acknowledging that many states carry out “large-scale cyberspace operations” against the country, omits any reference to relying on offensive cyber action to deter or respond to major attacks. Italy’s and Spain’s cyber strategies are similar.
The United Kingdom and Poland appear to be two important exceptions to these trends. London’s cyber strategy explicitly acknowledges that offensive cyber operations are necessary both for deterrence and other military operations and that the United Kingdom seeks to be a world leader in offensive cyber operations. Poland’s conceptualization of “active cyber defense” clearly includes a role for offensive actions in cyberspace.
These rare exceptions aside, the Western approach to Russia’s ongoing cyberwar is foundering on two distinct shoals. First, many Western governments appear immobilized by the fear of escalatory counterattacks. They fear throwing stones while living in glass houses. Second, some governments—including the United States—exhibit a level of obfuscation that effectively undermines deterrence. Unless Moscow and other adversaries hear and see the United States and its allies undertaking significant counter-operations in cyberspace, they will remain undeterred. To do otherwise is to simply surrender to Moscow.