The Russian hack of SolarWinds—which affected at least 18,000 of the firm’s customers, including several federal agencies—has revived a long, unsettled debate in national security circles: When Americans are hit with a massive cyberattack, should the U.S. government strike back?
At first glance, the answer seems obvious: Of course, we should strike back—an eye for an eye, a tooth for a tooth—or how else will we deter the hackers, and others like them, from striking again?
On reflection, though, the question turns more complicated. Compared with the rest of the world, the United States, in all aspects of its life, is much more thoroughly connected to computer networks. We have the most powerful and precise cyber rocks to throw at other countries’ windows—but we live in a much glassier house. Therefore, retaliation could spark counter-retaliation, and, at each cycle of escalation, we could get hurt more badly than our adversary does.
Nevertheless, even some experts who have urged caution and taken note of our hypervulnerability are now saying that we have to do something. One of them, Richard Clarke, cybersecurity chief in President Bill Clinton’s White House and author of Cyber War—one of the first books to raise alarms about the subject—told me in an email that the SolarWinds hack “is over the line and requires a response. Yes, we run the risk of an escalating round of mutual damage, but that may be what it takes for this country to start taking the long list of necessary steps to secure out networks and what they run.”
President-elect Joe Biden seems to agree, saying he would impose “substantial costs” on those responsible for the hack. “A good defense isn’t enough,” he added. “We need to disrupt and deter our adversaries from undertaking cyberattacks in the first place.”
Fine. But how do we do this? What costs do we impose? And how do we ensure that the disruptions deter future attacks? President Barack Obama once signed a directive declaring that the United States might respond…