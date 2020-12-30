All this tough talk feels reassuring, especially with crickets coming from the White House. But to assume that punishing Russia now will stop Russia later would be a mistake. Cyber deterrence is likely to fail.

The only thing universal about deterrence is the misguided faith in its applicability. In reality, deterrence works in very limited circumstances: when the culprit can be identified quickly, when the behavior has crossed clear red lines defining unacceptable behavior, and when the punishment for crossing them is credible and known in advance to would-be attackers. These conditions are rare in cyberspace.

Breach attribution is often difficult and time-consuming. Defining red lines is vexing: When a North Korean cyberattack on a Hollywood movie studio is called an act of war but Russian meddling in a presidential election doesn’t trigger much of anything, it’s fair to say red lines aren’t nearly clear enough. And because America’s arsenal of cyberweapons—hacks, viruses, and other ways of targeting network vulnerabilities—can become useless if they’re revealed, credibly threatening tit-for-tat punishment to strike fear into the hearts of hackers isn’t feasible. To be sure, a country can respond to cyberattacks in other ways. But if you’re figuring out what sanctions you might impose or how many diplomats you might expel after the fact, you’re not deterring. You’re just responding. For deterrence to work, bad actors have to know what punishment is coming—and fear it—before they act.

What’s more, so far the recent hack looks like the least deterrable type of breach—cyberespionage. Although some spying in cyberspace is the opening act for more aggressive behavior, early indications are that the SolarWinds operation was an intelligence-gathering effort, not a cyberattack meant to disrupt, corrupt, or destroy. Espionage is nearly impossible to deter in cyberspace for the same reason it can’t be deterred anywhere else: Everyone does it. All nations spy. Espionage has never been prohibited by international law. For 3,300 years, ever since people in the Near East chiseled the first known intelligence reports on clay tablets, spying has been considered fair game.

The United States engages in cyberespionage on a massive scale all the time. In 2015, after China hacked the Office of Personnel Management and stole 22 million highly classified security-clearance records, James Clapper, then the director of national intelligence, declared, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.” It’s hard to set convincing red lines against espionage when every country has been crossing them forever.

Understandably, American officials face intense domestic political pressures to talk tough now and figure out the details later. But hollow threats can undermine credibility with adversaries in the future. As former Secretary of State George Shultz likes to say, he learned in the Marine Corps never to point his rifle at someone unless he intended to shoot.