Election season has upended cybernorms. It all started before the 2016 U.S. presidential election when U.S. officials alleged that Russia had hacked the Democratic National Committee and orchestrated cyberattacks to influence the electoral outcome. “The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations,” read a joint statement from the U.S. Department of Homeland Security and the Office of the Director of National Intelligence on October 7.

The fear that foreign-led cyberattacks might undermine democratic outcomes spread to other Western countries, too. German authorities pointed to Russia as the culprit of a massive cyberattack on the Bundestag, the lower house of parliament. Berlin also accused Moscow of being behind cyberattacks on the headquarters of the ruling Christian Democratic Union. The threat level is so acute that German Chancellor Angela Merkel is on record as saying that Russia could try to influence the 2017 German parliamentary election through cyberwarfare and disinformation.

The use of cyberattacks to influence electoral outcomes is a new and serious challenge for Western nations. Developing a proper and timely response is both necessary and difficult. The lack of a mutually accepted framework for the gradation of cyberattacks and the absence of potential countermeasures are parts of this conundrum. Most nations have long relied on a strategy of deterrence by secrecy to preempt cyberattacks. The thinking was that one side’s nondisclosure of its offensive cybercapabilities would create sufficient uncertainty to deter cyberattacks against critical targets.

But over the last year, there has been a fundamental shift in this posture. Russia’s relentless targeting of democratic institutions in Western countries heading toward elections is a clear indication that the age of deterrence by secrecy in cyberspace is drawing to a close. Earlier in 2016, the U.S. administration signaled that a more active cyberdefense posture might be needed to deter hacking by Chinese cyberwarriors. More recently, U.S. officials including Vice President Joe Biden have emphasized Washington’s newfound resolve to retaliate against Russia’s cyberhacking.

Similarly, UK Chancellor of the Exchequer Philip Hammond, who chairs the cabinet’s cross-department cybersecurity committee, set out a more aggressive cyberposture by confirming that Britain would retaliate against foreign governments that launch cyberattacks on the UK’s national critical infrastructure.

But as these developments show, the cybersecurity universe is edging toward uncharted territory, where the lack of proper norms to regulate escalation and retaliation has a potentially destabilizing impact on global security.

The transatlantic alliance stands out as the forum where norm building for cyberconflict below the threshold of military warfare can be advanced. The Tallinn Manual, an academic study launched in 2009 on how international law applies to cyberconflicts, is being updated to cover these situations.

More importantly, at its July 2016 summit in Warsaw, NATO decided to upgrade its cyberposture. The recognition of cyberspace as a new operational domain is a turning point for the alliance’s cyberstrategy and will have significant repercussions for NATO’s security doctrine and operational readiness. The alliance will need to develop a more elaborate understanding of how to make cyberdefense a collective endeavor and establish an acceptable set of principles for burden sharing among allies in the cyberdomain—just as for nuclear deterrence.

NATO’s more ambitious outlook was greatly facilitated by a shift in U.S. thinking that reduced Washington’s aversion to offering its impressive active cyberdefense capabilities as a resource for the alliance. It is unclear, however, whether the U.S. presidency of Donald Trump will be equally intent on outsourcing U.S. capabilities to respond to NATO’s cyberdefense challenges.

The events of 2016 have demonstrated that the gap between security threats triggered by the proliferation of cybercapabilities, on the one hand, and international norms to define acceptable behavior for state actors in cyberspace, on the other, has widened. This lack of international policy entrepreneurship may become a key challenge for ensuring peace and stability in today’s increasingly interconnected world.

Sinan Ülgen is the author of the Carnegie Europe report Governing Cyberspace: A Road Map for Transatlantic Leadership, which was supported by Microsoft.