Policymakers should develop a framework to respond proportionally to state-sponsored cyberattacks, according to a think tank report released late last month.

The cyber brief from the Council on Foreign Relations (CFR), “Developing a Proportionate Response to a Cyber Incident,” presents a possible framework describing the levers of state power that can be used in response to escalating cyber incidents, combining incident impact, policy options, and proportionality.

The author, Tobias Feakin, said that governments are unprepared to respond to cyberattacks adequately with clear policy responses because assessing damage is difficult and attribution is challenging.

CFR Cyber Brief Figure 1: Policy Responses to Escalating State-Sponsored Cyber Incidents. Image: The Council on Foreign Relations.

He used the example of the April 2015 cyberattack on the French television station TV5 Monde by a group calling itself the Cyber Caliphate. Months later, French media reported that a Russian state-sponsored actor, and not an ISIS-related group, was likely responsible.

Even when attribution is possible, it may be hard to prove claims without releasing potentially classified information that damages intelligence assets.

“Under pressure, responses are likely to be made quickly with incomplete evidence and attract a high degree of public skepticism. This creates clear risks for policymakers,” Feakin said. Quick assessments could overestimate an incident’s impact, causing a country to act disproportionally, while misattribution could direct a response at the wrong target or cause a diplomatic crisis.

Feakin is a senior analyst and director of the International Cyber Policy Centre at the Australian Strategic Policy Institute. In 2014, the Australian Prime Minister appointed him to an expert panel to assist the government with its Cyber Security Review.

Policymakers should consider three variables when developing a response, the report said.

First, they should understand the level of confidence their intelligence agencies have in attribution. If confidence in attribution is low, policymakers are limited in response choices even if the attack is very severe. A less valuable retaliatory target can be used to limit the chances of escalation.

Policymakers should also assess the effects of a cyberattack on physical infrastructure, society, the economy, and national interests.

Finally, policymakers should consider an array of diplomatic, economic, and military responses available. These range “from a quiet diplomatic rebuke to a military strike,” and do not need to be limited to cyber actions, Feakin said.

The report’s possible framework plots increasing impacts of incidents against levels of response and political risk.

At the low end, the response to a website defacement could be a public denouncement. A higher-level activity that manipulates data could require diplomatic action like a demarche or withdrawing an ambassador.

If a cyberattack begins to affect the victim’s economy, for example disrupting a stock exchange, diplomatic and economic responses can be used. This includes freezing financial transactions within the sponsoring state, levying international sanctions, and expelling diplomats, the report said.

Once a cyber incident causes physical damage, military options could be considered, Feakin said. This ranges “from military posturing to an attack, depending on the incident’s severity.”

Feakin said states can begin to develop their own frameworks by first working with the private sector, especially in critical infrastructure.

“Critical infrastructure is a priority for attackers, making it important for infrastructure operators to be involved in the development of a response framework.” The operators are in a good position to advise governments on incidents that would affect their operations, he said.

He also noted that each response by a state will bring costs, whether to diplomatic relations, reputation, or military intelligence operations. The costs should be understood and weighed before choosing a response to a cyber incident, the report said.

While conceding the proposed framework is purposefully simplified, it “provides a rudimentary model for framing the potential responses to a state-sponsored incident before one occurs,” Feakin said.