limiting cyber war

Two longtime defense analysts have come up with a persuasive doctrine for the United States to adopt regarding cyber war. David Gompert and Martin Libicki argue in Survival that America should "attain and maintain offensive superiority" for cyber operations during armed conflict, but should not seek to use cyber operations for coercion.

In general, pin prick cyber war offers doubtful benefits in return for avoiding the violation of norms the United States favours. In the case of a capable adversary, moreover, low-grade cyber attacks risk not only retaliation but escalation, presumably outweighing the benefits. As a general proposition, if the United States were to wage offensive cyber war, it should do so robustly, and for major purposes and effects. Against an adversary capable of both retaliation and tightened defence, such cyber war would be most imprudent.

They convincingly refute the notion that offensive cyber operations are a valuable alternative to the use of explosive force. I agree that cyber operations can be an important part of major armed conflict, but should ot be seized upon in some naive effort to stop short of war.

Gompert and Libicki also argue that the apparent Chinese hacking of U.S. personnel records does not reach the level of cyber war.

To illustrate, the alleged Chinese hacking of US government personnel records, evidently in search of files on people who have held sensitive national-security jobs, was massive, sophisticated and possibly consequential; but it could not be, and was not, considered an act of war. This does not preclude some sort of US reprisal, perhaps a comparably bold robbery. (Presumably, the United States would not want China to know of such retaliation, lest it be foiled.) What is precluded in this case, by our way of thinking, is a US response so destructive or disruptive that it would cross the threshold from cyber espionage to cyber war – thus war. Admittedly, the line between intensely harmful theft and cyber war is woolier in reality than in theory. But the points stand that not all hacking is cyber war; that when it comes to espionage, states will be states; and that retaliation should be broadly in kind.

They don't say, but I believe, that the United States military establishment is spending disproportionately on cyber offense to the neglect of  desperately needed cyber defenses.