The United States struggles to impose meaningful costs for destructive or disruptive cyber operations. This article argues that the United States' restrained responses stem from a desire to avoid risk in an inherently uncertain operational environment. The societal desire for risk avoidance is the prism through which policymakers address the cyber domain and deliberate responses to attacks. The article shows that two particular operational characteristics of cyberspace—its complex adaptiveness and the ease of proliferation—combine to increase the risk of misattribution and the risk of unintended effects, including collateral damage, inadvertent escalation and blowback. These characteristics present a particular obstacle for risk societies such as the United States in the application of meaningful punishments. In addition to establishing the roots of US restraint, the article traces the application of risk management practices, including preventive action, increasing resilience and consequence management, from the Obama administration to the Trump administration. The analysis reveals that risk management has underpinned the overall US approach to the cyber domain.
This article analyses the recent use of European Union (EU) terminology of digital sovereignty and strategic autonomy, aiming to identify tensions between policy considerations of fundamental rights, free market principles and geopolitical concerns. These tensions are rooted in the disparity between the EU's considerable economic and regulatory power in digital matters and its limited mandate and capabilities in foreign policy. The article also explores the translation of the notions of digital sovereignty and strategic autonomy into EU policy. It identifies three important trends in the geopoliticisation of the EU agenda on digital technologies: (1) the instrumental use of ‘classic’ internal market policies to exert geopolitical influence; (2) the imposition of foreign policy imperatives on national markets; and (3) new ‘hybrid’ digital policies that combine internal market concerns, fundamental rights and geopolitical concerns. Ultimately, digital sovereignty has inherent tensions with the EU's normative power in digital issues and may also result in a strategic cacophony.
The fact that States resort to automated cyber operations like NotPetya, which spread virally and have indiscriminate effects, raises the question of how the use of these might be regulated. As automated operations have thus far fallen below the threshold of the use of force, the letter of international humanitarian law (IHL) does not provide such regulation. In IHL, the principles of distinction and discrimination hold that attacks should in their targeting distinguish between the civilian population and combatants, and between civilian objects and military objectives. Attacks must not be indiscriminate, and operations that might foreseeably spread to affect civilian objects are prohibited. This paper draws inspiration from the legal principles of distinction and discrimination to suggest a non-binding norm for responsible State behaviour with regard to automated operations that fall below the threshold of the use of force: the norm proposes that States should design cyber operations so as to prevent them from indiscriminately inflicting damage. The paper finds that in the case of automated