25 August 2015
Developing a Proportionate Response to a Cyber Incident
As offensive cyber activity becomes more prevalent, policymakers will be challenged to develop proportionate responses to disruptive or destructive attacks. Already, there has been significant pressure to "do something" in light of the allegedly state-sponsored attacks on Sony Pictures Entertainment and the Sands Casino. But finding a timely, proportionate, legal, and discriminatory response is complicated by the difficulty in assessing the damage to national interests and the frequent use of proxies. Perpetrators have plausible deniability, frustrating efforts to assign responsibility. Past experience suggests that most policy responses have been ad hoc.
In determining the appropriate response to a state-sponsored cyber incident, policymakers will need to consider three variables: the intelligence community's confidence in its attribution of responsibility, the impact of the incident, and the levers of national power at a state's disposal.
While these variables will help guide responses to a disruptive or destructive cyber-attack, policymakers will also need to take two steps before an incident occurs. First, policymakers will need to work with the private sector to determine the effect of an incident on their operations. Second, governments need to develop a menu of pre-planned response options and assess the potential impact of any response on political, economic, intelligence, and military interests.