Analysis & Opinions - Foreign Affairs
The Limits of Cyberoffense
Why America Struggles to Fight Back
The recent wave of high-profile cyberattacks by Russian organized crime groups has forced U.S. President Joe Biden’s administration to confront a difficult question: How should the United States respond to hacks not by hostile foreign governments but by criminal nonstate actors? Last October, Russian hackers targeted several U.S. hospital systems with ransomware, disrupting access to electronic medical records and leaving some providers to piece together medical protocols from memory in the midst of a global pandemic. Seven months later, in May 2021, hackers shut down one of the largest fuel pipelines in the United States, leading to shortages across the East Coast and forcing the operator to pay a ransom of $4.4 million to restore service.
These attacks and others like them are a sobering reminder that U.S. critical infrastructure is rife with vulnerabilities—and that criminals around the world are more than capable of exploiting them. The attacks have also prompted a growing chorus of calls for the Biden administration to not only shore up U.S. cyberdefenses but also to go on the cyberoffensive—to “hit Putin with a serious cyberattack,” as Senator John Kennedy, Republican of Louisiana, put it. But as the administration weighs its options in the wake of the recent attacks, it first has to confront a more basic question: Is the United States in fact capable of launching effective offensive cyberattacks against criminals who are not backed by a state?
President Biden seems to think so. During his recent summit with Russian President Vladimir Putin, he made a bold—if potentially overstated—threat by declaring that the United States has “significant cyber capability” and pledging to “respond with cyber” should Russian hackers attempt to disrupt U.S. critical infrastructure.
But the United States has tried and largely failed to execute offensive cyberattacks against nonstate actors in the past. In the battle against the Islamic State (also known as ISIS), it launched a cyber-campaign to destroy the terrorist group’s communications infrastructure, but a number of significant challenges—namely, in intelligence collection, cyberweapons development, and legal approval—hampered these operations and led to disappointing results. Since then, the United States has made little progress toward addressing these challenges, suggesting that it will have trouble taking the fight to cybercriminals. To turn the tables on organized crime groups in Russia and elsewhere, the United States must improve its ability to collect intelligence on cybercriminals, invest in the research and development needed to create effective cyberweapons, and establish a sturdy legal basis for offensive cyber-action.
Want to Read More?
The full text of this publication is available via Foreign Affairs.
For more information on this publication:
Belfer Communications Office
For Academic Citation:
Rosenbach, Eric, Juliette Kayyem and Lara Mitra.“The Limits of Cyberoffense.” Foreign Affairs, August 11, 2021.
The Authors
Eric Rosenbach
- Senior Lecturer, Harvard Kennedy School
- Director, Defense, Emerging Technology, and Strategy Program
- Member of the Board, Belfer Center
- Co-Director of Belfer Center (2017-June 2023)
- Chief of Staff to Secretary of Defense (2015-2017)
- Assistant Secretary of Defense for Global Security and Homeland Defense (2014-2015)
- Dep. Assistant Secretary of Defense for Cyber Policy (2011-2014)
Juliette Kayyem
- Member of the Board, Belfer Center
- Belfer Senior Lecturer in International Security, Harvard Kennedy School
- Faculty Director, Homeland Security Project
- Faculty Affiliate, Middle East Initiative
Lara Mitra
- Belfer Summer Research Assistant, Research Assistant to the Co-Director and Executive Director
- Recommended
- In the Spotlight
- Most Viewed
Recommended
In the Spotlight
Most Viewed
Report
- Belfer Center for Science and International Affairs, Harvard Kennedy School
National Cyber Power Index 2022
Analysis & Opinions
- New Straits Times
Gorbachev and the End of the Cold War
Analysis & Opinions
- Foreign Policy
America Fueled the Fire in the Middle East
The recent wave of high-profile cyberattacks by Russian organized crime groups has forced U.S. President Joe Biden’s administration to confront a difficult question: How should the United States respond to hacks not by hostile foreign governments but by criminal nonstate actors? Last October, Russian hackers targeted several U.S. hospital systems with ransomware, disrupting access to electronic medical records and leaving some providers to piece together medical protocols from memory in the midst of a global pandemic. Seven months later, in May 2021, hackers shut down one of the largest fuel pipelines in the United States, leading to shortages across the East Coast and forcing the operator to pay a ransom of $4.4 million to restore service.
These attacks and others like them are a sobering reminder that U.S. critical infrastructure is rife with vulnerabilities—and that criminals around the world are more than capable of exploiting them. The attacks have also prompted a growing chorus of calls for the Biden administration to not only shore up U.S. cyberdefenses but also to go on the cyberoffensive—to “hit Putin with a serious cyberattack,” as Senator John Kennedy, Republican of Louisiana, put it. But as the administration weighs its options in the wake of the recent attacks, it first has to confront a more basic question: Is the United States in fact capable of launching effective offensive cyberattacks against criminals who are not backed by a state?
President Biden seems to think so. During his recent summit with Russian President Vladimir Putin, he made a bold—if potentially overstated—threat by declaring that the United States has “significant cyber capability” and pledging to “respond with cyber” should Russian hackers attempt to disrupt U.S. critical infrastructure.
But the United States has tried and largely failed to execute offensive cyberattacks against nonstate actors in the past. In the battle against the Islamic State (also known as ISIS), it launched a cyber-campaign to destroy the terrorist group’s communications infrastructure, but a number of significant challenges—namely, in intelligence collection, cyberweapons development, and legal approval—hampered these operations and led to disappointing results. Since then, the United States has made little progress toward addressing these challenges, suggesting that it will have trouble taking the fight to cybercriminals. To turn the tables on organized crime groups in Russia and elsewhere, the United States must improve its ability to collect intelligence on cybercriminals, invest in the research and development needed to create effective cyberweapons, and establish a sturdy legal basis for offensive cyber-action.
Want to Read More?
The full text of this publication is available via Foreign Affairs.The Authors
Eric Rosenbach
- Senior Lecturer, Harvard Kennedy School
- Director, Defense, Emerging Technology, and Strategy Program
- Member of the Board, Belfer Center
- Co-Director of Belfer Center (2017-June 2023)
- Chief of Staff to Secretary of Defense (2015-2017)
- Assistant Secretary of Defense for Global Security and Homeland Defense (2014-2015)
- Dep. Assistant Secretary of Defense for Cyber Policy (2011-2014)
Juliette Kayyem
- Member of the Board, Belfer Center
- Belfer Senior Lecturer in International Security, Harvard Kennedy School
- Faculty Director, Homeland Security Project
- Faculty Affiliate, Middle East Initiative
Lara Mitra
- Belfer Summer Research Assistant, Research Assistant to the Co-Director and Executive Director
- Recommended
- In the Spotlight
- Most Viewed
Recommended
In the Spotlight
Most Viewed
Report - Belfer Center for Science and International Affairs, Harvard Kennedy School
National Cyber Power Index 2022
Analysis & Opinions - New Straits Times
Gorbachev and the End of the Cold War
Analysis & Opinions - Foreign Policy
America Fueled the Fire in the Middle East
