Analysis & Opinions - Foreign Affairs

The Limits of Cyberoffense

| Aug. 11, 2021

Why America Struggles to Fight Back

The recent wave of high-profile cyberattacks by Russian organized crime groups has forced U.S. President Joe Biden’s administration to confront a difficult question: How should the United States respond to hacks not by hostile foreign governments but by criminal nonstate actors? Last October, Russian hackers targeted several U.S. hospital systems with ransomware, disrupting access to electronic medical records and leaving some providers to piece together medical protocols from memory in the midst of a global pandemic. Seven months later, in May 2021, hackers shut down one of the largest fuel pipelines in the United States, leading to shortages across the East Coast and forcing the operator to pay a ransom of $4.4 million to restore service.  

These attacks and others like them are a sobering reminder that U.S. critical infrastructure is rife with vulnerabilities—and that criminals around the world are more than capable of exploiting them. The attacks have also prompted a growing chorus of calls for the Biden administration to not only shore up U.S. cyberdefenses but also to go on the cyberoffensive—to “hit Putin with a serious cyberattack,” as Senator John Kennedy, Republican of Louisiana, put it. But as the administration weighs its options in the wake of the recent attacks, it first has to confront a more basic question: Is the United States in fact capable of launching effective offensive cyberattacks against criminals who are not backed by a state?

President Biden seems to think so. During his recent summit with Russian President Vladimir Putin, he made a bold—if potentially overstated—threat by declaring that the United States has “significant cyber capability” and pledging to “respond with cyber” should Russian hackers attempt to disrupt U.S. critical infrastructure.

But the United States has tried and largely failed to execute offensive cyberattacks against nonstate actors in the past. In the battle against the Islamic State (also known as ISIS), it launched a cyber-campaign to destroy the terrorist group’s communications infrastructure, but a number of significant challenges—namely, in intelligence collection, cyberweapons development, and legal approval—hampered these operations and led to disappointing results. Since then, the United States has made little progress toward addressing these challenges, suggesting that it will have trouble taking the fight to cybercriminals. To turn the tables on organized crime groups in Russia and elsewhere, the United States must improve its ability to collect intelligence on cybercriminals, invest in the research and development needed to create effective cyberweapons, and establish a sturdy legal basis for offensive cyber-action.

For more information on this publication: Belfer Communications Office
For Academic Citation: Rosenbach, Eric, Juliette Kayyem and Lara Mitra.“The Limits of Cyberoffense.” Foreign Affairs, August 11, 2021.

The Authors

Eric Rosenbach

Juliette Kayyem Headshot