Until World War I, wars were fought between military forces. Populations were largely not active participants. However, starting in World War I, direct attacks on citizens became part of warfare with the bombing of London by Germans.

This addition of civilians as a direct target underpinned war strategies in World War II and beyond. Now, the balance of terror — the possibility of a direct and enormous attack on a nation’s citizens — is the basis of war and its deterrence.

AD

AD

There have always been rules for how nations engage in war through international treaties and customary practice. As the calculus changed and force projected onto civilians became an accepted practice, a global consensus emerged for how and when this would occur.

There was an expectation of proportionality: conventional force was to be met with conventional force and nuclear weapons with nuclear weapons. National security — the process of protecting American citizens — functioned within these clearly described expectations. War was to be waged by nations through their militaries.

However, over the last 15 years, we have seen this international consensus erode significantly. For example, we struggled with the correct military response to the September 11 attack on the World Trade Center carried out not by a nation, but by a terrorist group. More recently, Americans were unsure how to react when the North Korean government cyber attacked the servers of Sony, a private company.

AD

AD

Enter cyber warfare. Each day we are more reliant on software and the Internet as the backbone of our economy, and that leaves us vulnerable. Consider the chaos that would be caused by a widespread outage of power that lasted weeks. Or, the incalculable cost of a widespread disruption of our financial markets or records. Imagine the cost to our national discourse if the information we rely on is tainted by intentional misinformation fostered by a national adversary. Each of these harms could occur through nothing more than the use of software and computing power.

We have grown up with the expectation that America’s most existential threats would come from other countries using physical force against us. We are armed and have adopted policies for how our military would retaliate if attacked. We have a plan for how to react if another country dropped a nuclear bomb on Washington, or if it sent paratroopers to capture an oil pipeline in Saudi Arabia. This is the basis of our national security — because our adversaries know in advance how we would react, they are deterred from attacking us through use of force.

But, what’s our plan if the use of force isn’t physical force at all, but the use of software and hacking skills? Do we have a plan when the attackers themselves might be acting on their own and not part of a country’s military plan against America? What is our plan if the attack is on our businesses and citizens directly?