Max Boot

Zocalo Public Square

In an election decided by just 80,000 votes in three states, it is hard to dismiss the possibility that Russian intervention could, in fact, have tilted the outcome of the 2016 election. That would make this the most consequential computer hack in history, but was it an act of war?

Certainly not in the classic sense. The Kremlin did not, after all, transgress America’s borders or the borders of an ally the United States is pledged to protect. It did not shoot down an American aircraft or sink an American ship. Those are the classic kinds of casus belli that have traditionally sparked hostilities. But such old-fashioned definitions of aggression do not seem fully adequate to deal with the cyber age, in which computers can be a far more potent weapon of war than a machine gun or a mortar.

How should one treat incidents such as the one that occurred in 2007, when Russian hackers are suspected of having temporarily disabled Estonia’s access to the Internet with denial-of-service attacks in retaliation for the removal of a statue in Tallinn honoring World War II Soviet soldiers? Or the 2010 Stuxnet virus used by Israeli and U.S. intelligence to disable a thousand Iranian centrifuges? Or the 2012 attack, blamed on Iran, which disabled 30,000 computers belonging to the Saudi state oil company? Or the 2014 North Korean attack on Sony Pictures in retaliation for the release of a movie parodying North Korea? As the Harvard strategist Joseph Nye notes in the journal International Security, these events, and others like them, do not fall neatly into “the classic duality between war and peace,” occurring instead in a “gray zone” that defies an easy definition or response.

It is possible, to be sure, to imagine more severe cyberattacks that would more easily cross the threshold of open hostilities. “Talk of a ‘cyber Pearl Harbor’ first appeared in the 1990s,” Nye writes. “Since then, there have been warnings that hackers could contaminate the water supply, disrupt the financial system, and send airplanes on collision courses. In 2012 Secretary of Defense Leon Panetta cautioned that attackers could ‘shut down the power grid across large parts of the country.’ ” If such a massive attack were to occur — and if responsibility for it could be attributed with a high degree of certainty — one could imagine treating that as a provocation requiring a response not just with computer viruses but with actual firepower.

But attacks such as Russian President Vladimir Putin’s hacking of the 2016 election fall below that threshold, which is part of what makes them so attractive to relatively weak states like Russia or North Korea: It lets them maximize their ability to disrupt their enemies while minimizing the backlash. In fact, what consequence has Russia suffered for intervening in the U.S. election? Nothing beyond the expulsion of a few diplomats, which is hardly enough to make Putin rethink the efficacy of these tactics.

James Comey, Trump and the Russians: Our view

Cyberwar on elections is just starting: Steven Strauss

Putin's best-laid plans are failing: Max Boot

POLICING THE USA: A look at race, justice, media

Indeed, even the impact of those last-minute Obama sanctions was probably undermined by the conversations that Michael Flynn, Trump’s first national security adviser, secretly had with the Russian ambassador prior to the inauguration — talks in which he is suspected to have asked Putin to hold off on any retaliation in the expectation that once Trump became president he would ease tensions. Flynn subsequently had to resign after lying about those conversations. But even the growing Kremlingate scandal has not been enough to dissuade Putin from meddling in similar fashion in the Dutch, French, and German elections to support pro-Russian and anti-EU candidates.

While no one is suggesting that the U.S. should have started World War III over the Russian interference in our election, a more serious response was in order. It’s not hard to think of a range of appropriate responses: As I have suggested before, Obama could have asked the National Security Agency to disclose embarrassing communications between Putin and his aides or details about all of the billions they are suspected of looting. Or he could have simply asked the NSA to fry Kremlin computer networks. A range of non-cyber responses could also have been entertained, such as providing arms to Ukraine to defend itself from Russian aggression or ratcheting up sanctions on Russia by kicking it out of the SWIFT system of inter-bank transfers. Of course now that Trump is president, there is scant hope of any response at all; the only issue is whether Trump will lift existing sanctions on Russia.

Obama hesitated to do more against Putin because every action carried the risk of unintended consequences and of sparking greater hostilities. But the greatest risk of all is relative inaction. By failing to respond more strongly to Russia’s election intervention, the U.S. risks legitimizing such “gray zone” attacks. Thus we can expect more of them in the future. They may not exactly be “acts of war,” but they can cause more damage than many military attacks — and it can be much harder to know how to respond. Figuring out a doctrine of cyberwar that includes everything from such low-level strikes to “cyber Pearl Harbors” will be one of the signal challenges for military and intelligence strategists in the 21st century.

Max Boot, a senior fellow at the Council on Foreign Relations and a member of USA TODAY's Board of Contributors, is the author of Invisible Armies: An Epic History of Guerrilla Warfare from Ancient Times to the Present. This essay is part of an Inquiry, produced by the Berggruen Institute and Zócalo Public Square, on what war looks like in the cyber age. On Twitter: @MaxBoot

You can read diverse opinions from our Board of Contributors and other writers on the Opinion front page, on Twitter @USATOpinion and in our daily Opinion newsletter. To respond to a column, submit a comment to letters@usatoday.com.