The US and a spiral of cyberfear

[Commentary] With little fanfare, the Pentagon went public in April on how the United States might respond to a cyberattack, such as the digital shutdown of its electricity grid. The military would go on the offensive and disrupt an attacker’s own key networks. Anyone whose personal computer has been hacked or credit-card numbers stolen might quickly agree with this strategy of deterrence. The aim is to threaten a major counterattack in hopes of preventing an attack in the first place. The idea is similar to mutual assured destruction -- or MAD -- the approach used by the US and Soviet Union during the cold war to justify building up their offensive nuclear weapons. The Pentagon’s new transparency on its offensive capability was done on purpose. “We think it’s important that potential adversaries out there know that this is part of our strategy,” Adm. Michael Rogers, head of the US Cyber Command as well as the National Security Agency, said May 12. He describes the strategy’s warning as “you don’t want [to] go down this road and if you do, you need to know there is a price to pay.”

At the same time, however, the US has been on a diplomatic campaign to establish global norms among nations and companies about good cyber behavior. It seeks to promote self-restraint more than international regulations to prevent cyber conflicts. Unlike military weapons, the Internet and other digital domains are too complex and fluid for rigorous controls. A country might use a shadowy surrogate to launch an attack, for example, making it difficult to assign responsibility. Before the US triggers an arms race in cyberweapons, it ought to rethink this strategy and focus more on strictly defensive steps and on its effort to deepen peaceful norms in cyberspace. The digital world’s positive traits are a source of strength against those who would use it for an attack. Why start a spiral of fear, especially if the fear itself is inflated?