In 2022, an American dressed in his pajamas took down North Korea’s internet from his living room. Fortunately, there was no reprisal against the United States. But Kim Jong Un and his generals must have weighed retaliation and asked themselves whether the so-called independent hacker was a front for a planned and official American attack.
In 2023, the world might not get so lucky. There will almost certainly be a major cyberattack. It could shut down Taiwan’s airports and trains, paralyze British military computers, or swing a US election. This is terrifying, because each time this happens, there is a small risk that the aggrieved side will respond aggressively, maybe at the wrong party, and (worst of all) even if it carries the risk of nuclear escalation.
This is because cyber weapons are different from conventional ones. They are cheaper to design and wield. That means great powers, middle powers, and pariah states can all develop and use them.
More important, missiles come with a return address, but virtual attacks do not. Suppose in 2023, in the coldest weeks of winter, a virus shuts down American or European oil pipelines. It has all the markings of a Russian attack, but intelligence experts warn it could be a Chinese assault in disguise. Others see hints of the Iranian Revolutionary Guard. No one knows for sure. Presidents Biden and Macron have to decide whether to retaliate at all, and if so, against whom—Russia? China? Iran? It’s a gamble, and they could get unlucky.
Neither country wants to start a conventional war with one another, let alone a nuclear one. Conflict is so ruinous that most enemies prefer to loathe one another in peace. During the Cold War, the prospect of mutual destruction was a huge deterrent to any great power war. There were almost no circumstances in which it made sense to initiate an attack. But cyber warfare changes that conventional strategic calculus. The attribution problem introduces an immense amount of uncertainty, complicating the decision our leaders have to make.
For example, if the US is attacked by an uncertain foe, you might think “well, better they don’t retaliate at all.” But this is a losing strategy. If President Biden developed that reputation, it would invite even more clandestine and hard-to-attribute attacks.
Researchers have worked on this problem using game theory, the science of strategy. If you’ve ever played a game of poker, the logic is intuitive: It doesn’t make sense to bluff and call none of the time, and it doesn’t make sense to bluff and call all of the time. Either strategy would be both predictable and unimaginably costly. The right move, rather, is to call and bluff some of the time, and to do so unpredictably.
With cyber, uncertainty over who is attacking pushes adversaries in a similar direction. The US shouldn’t retaliate none of the time (that would make it look weak), and it shouldn’t respond all of the time (that would retaliate against too many innocents). Its best move is to retaliate some of the time, somewhat capriciously—even though it risks retaliating against the wrong foe.
The same logic guides potential attackers. Knowing the US won’t retaliate all of the time and might even punish the wrong country creates an incentive to take electronic risks—ones they would never take with a missile.