The Washington PostDemocracy Dies in Darkness

Want to tell Russia to stop hacking U.S. systems? Here’s what works — and what doesn’t

Our research shows why cyberstrikes don’t signal resolve effectively

(Chris Ratcliffe/Bloomberg News)

With nine U.S. federal agencies reportedly still cleaning up after last year’s SolarWinds hack, the Biden administration’s plans to shore up security include $650 million in the recent coronavirus relief bill earmarked for cybersecurity defenses. A recent article suggested that the Biden administration reportedly considered cyber “counterstrikes” — language the White House subsequently distanced itself from — as a form of signaling to Russia that the recent SolarWinds attack was unacceptable.

3 lessons from Russia’s cyberhack into U.S. agencies

And it’s not just the United States and Russia — China reportedly launched cyber intrusions against India’s power grid during the months-long confrontation between the two nuclear-armed neighbors in the Galwan Valley. Some analysts argue that China intended these intrusions as a signal of resolve to deter India from escalating the border crisis.

This spate of ostensible cyber signals raises an important question: Do cyber operations actually act as signals? Not really. Here’s why countries have a harder time using cyber tools as signals than you might think.

What is “signaling” in international relations?

Signals are an important aspect of international crisis bargaining and coercive diplomacy. Countries often try to use signals for coercion (convincing a country to stop doing something they are already doing) or deterrence (convincing a country not to do something before they do it).

Signals convey information about a government’s capability to retaliate and willingness — or resolve — to do so. Signals could include verbal communications, such as diplomatic missives. Of course, actions can also be signals. For example, a country that wanted to send a warning signal to an adversary might send an aircraft carrier through a contested waterway or fly a nuclear-capable bomber near an adversary’s borders.

Don’t miss any of TMC’s smart analysis! Sign up here for our newsletter.

Signaling is easier said than done

But just because a country wants to send a signal doesn’t mean the message is received as intended. Signals can become garbled, or fail to reach their intended audience. And they can just not be credible.

For any signal to work, it has to satisfy a number of criteria. First, the intended target needs to get the message — the receiver has to know who sent it and what the signal means. Overly ambiguous signals can lead to either inadvertent escalation or a failed signaling campaign.

Once the signal has been received, attributed and understood, it still needs to be costly enough that the receiver believes the sender will follow through with the threat. And all this has to happen at the right time in a crisis — too early and it won’t be believed; too late and the signal becomes moot.

So can cyber tools be effective signals?

Cyber operations have a hard time meeting these criteria. As political scientists Erik Gartzke and Jon Lindsay demonstrate, cyber operations are most useful because of their stealthy, deceptive qualities. Countries typically aim to avoid being detected while conducting cyber operations, particularly because getting caught in the act compromises the operation, prompting the target to take measures to quickly patch vulnerabilities.

Uncovering a cyber operation may also take time, which means the nation that sends a signal has little control over when the cyber operation is discovered. If the signal is received too late, it’s likely to be overcome by events — which seems to have been the case with the purported Chinese signal to India.

Moreover, many cyber signals get lost in the overall noise. For example, a country may be unable to distinguish a routine service disruption from a cyberattack meant as a foreign policy signal. Further, attribution to the signaling country may take time, diffusing the signal’s effect on crises. The receiving country also has to surmise who intended to signal what from somewhat ambiguous cyber operations. Unlike in other areas, countries don’t yet agree on what constitutes a cyberattack, much less on any frameworks for what is more or less appropriate or escalatory.

Foreign hackers have made it harder for the U.S. to prosecute them

Most cyber operations also don’t cause big, visible effects, which makes them relatively cheap signals and therefore bad signals of resolve. Cyberspace activities are more likely to look like espionage or small-scale disruptions than attacks with large-scale strategic or violent effects.

And a cyber signal is probably fleeting. That’s because, as Brendan Rittenhouse Green and Austin Long show, brandishing a cyber capability for signaling purposes is counterproductive when, by the very act of revealing it, the capability can be rendered inert.

Perhaps for all of these reasons, emerging evidence from national security war games suggests that although players often try to send cyber signals, the intended targets either miss the signal altogether or dismiss it as incidental.

Cyber operations might work — if used with other tools

This doesn’t mean cyber operations are useless for signaling. Pairing clandestine or covert operations with unofficial or private statements — or even leaks to the New York Times — might make them more effective. Research by Austin Carson on special operations and signaling suggests that even covert operations may be effective signals when paired with private messages between leaders.

Michael Poznansky and Evan Perkoski explore this phenomenon in cyberspace and argue that the same logic could apply to cyber signaling campaigns. The United States has done this at least once, during the Russian election interference in 2016, when President Barack Obama used the nuclear hotline to warn President Vladimir Putin not to directly interfere with the election results. So, cyber signaling might work if there is a simultaneous diplomatic campaign.

But in general, cyber operations are difficult signaling tools at best — prone to be lost in the noise or, worse, misperceived. Countries may get better use out of cyber operations that focus less on altering another country’s behavior and more on tackling malicious cyber campaigns through better intelligence and improved defense and resilience, complemented by counter-cyber operations that target the infrastructure and capabilities countries use to conduct cyber operations in the first place.

For signaling, sometimes old-school methods work best: hotlines, diplomacy or even big weapons systems get more bang for your signaling buck than cyber operations.

Professors: Check out TMC’s expanding list of classroom topic guides.

Erica Borghard (@eborghard) is a resident senior fellow with the New American Engagement Initiative in the Scowcroft Center for Strategy and Security at the Atlantic Council and an adjunct associate research scholar at the Saltzman Institute of War and Peace Studies at Columbia University.

Jacquelyn Schneider (@jackiegschneid) is a Hoover Fellow at Stanford University and a nonresident fellow at the Naval War College’s Cyber and Innovation Policy Institute, an affiliate of Stanford’s Center for International Security and Arms Control.

Loading...