You’re sitting at home on a lazy weekend afternoon with your family and suddenly your cell phone turns off. You try to fix it, but no deal. Your family tells you their’s are down too. You go to your computer. You see emails from your bank that mysteriously puts various account balances at zero. Five minutes later you lose online access. What the hell is going on?

That could be the result of a cyber attack. The Russians are very capable of delivering one as a provocation short of a shooting war. It could short circuit election results as well. Jason Blessing of AEI explains.

“Russian Cyberattack Could Capitalize on Election Doubts”
| The Pew Charitable Trusts https://t.co/nY6HEbxu6U

— Larry Sabato (@LarrySabato) April 22, 2022

Blessing: Since the Russian invasion of Ukraine, the Biden administration has escalated warnings about likely Russian cyber-attacks on American infrastructure and business. More worrying still, cyber alarmists like Senate Intelligence Committee Chairman Mark Warner, D-Va., have suggested that this is a “real risk”, and cyber-attacks from the Kremlin could be acts of war that trigger NATO’s collective defense.

This sky-is-falling delusion, particularly from leaders with access to classified intelligence, is at best counterproductive and at worst dangerous. Cyber-attacks are rarely acts of war, and treating them as if they are undermines NATO’s ability to deal with real threats short of cyber war. NATO has only invoked Article 5 – which triggers a collective response – once and that was after the 9/11 attacks.

Cyber-attacks are unlikely to destroy buildings and kill thousands in an instant. While collective defense extends to cyberspace, few operations could realistically be a cause for war.

This would include cyber-attacks resulting in death or damage like traditional military operations or coordinated assaults that take the power grid or entire economic sectors offline. These scenarios are unlikely though: such attacks require far too much time, funding, manpower, and control. Instead, most attacks temporarily overwhelm servers with traffic, deny network access, hold computers hostage, and steal or delete data.

Even if allies wanted to trigger Article 5 over cyber operations, disagreements about the definitions of threats, origins of attacks, and pain thresholds in cyberspace can derail the process. Collective retaliation requires a unanimous vote across NATO; building unity across these points is nearly impossible for most cyber activity. Unlike missile attacks or tanks in the streets, few “red lines” exist to distinguish cybercrime, cyber espionage, and cyber disruption from digital acts of war.

Beyond the bureaucratic and logistical limitations of elevating cyber to a casus belli, focusing on cyber-attacks as acts of war distracts from the more likely Russian digital assaults below the level of armed conflict. These include ransomware attacks and supply chain infiltrations that look like criminal activity or espionage.

The Kremlin is particularly adept at the latter. In the SolarWinds compromise, Russia hacked one company’s software product to access networks of Fortune 500 companies and U.S. government agencies.

Spillover from operations in Ukraine poses an additional risk. The Russians have already deployed several digital tools to destroy computer data, resulting in corrupted computers for Ukrainian companies with government support roles. The same malicious software has also affected several Latvian and Lithuanian businesses.

The danger is another situation like NotPetya in 2017, where malware self-replicated, spread past Ukrainian targets to cripple networks in over 150 countries, and created $10 billion in damages. Each of these scenarios are much more likely than a “cyber doomsday” that would justify an Article 5 response from NATO members.

To be fair, policymakers’ fears of cyber war have led to some positive developments for the alliance. For instance, over the last several years, NATO has developed its own framework for combining cyber and conventional military capabilities in warfighting. But allies remain unprepared to deal with “death by 1000 cuts” in cyberspace.

The opinions expressed by contributors and/or content partners are their own and do not necessarily reflect the views of the Objectivist. Contact us for guidelines on submitting your own commentary.