A recent Defense Department report to Congress warned that foreign nations run a “grave risk” if they threaten or launch a large-scale cyberattack on the United States, and it announced for the first time that the Pentagon possesses cyberweapons the president can deploy in the face of such an attack. The report aims to bolster U.S. deterrence against cyberthreats but, in fact, highlights weaknesses in our deterrence policy.
The Pentagon’s threat applies to “significant” cyberattacks. It does not purport to deter small-scale ones. Nor does it address “cyber exploitations” that — in contrast to cyberattacks,which damage or disrupt a computer system — copy or steal information on a computer system. Cyber exploitations of valuable government and business secrets are vastly more pervasive than cyberattacks and, at present, are a more serious national security threat. They are also significant because they often cannot be distinguished from cyberattacks, at least until an attack begins. Passivity in the face of cyber exploitations thus encourages cyberattacks.