In 1888, German Chancellor Otto von Bismarck said, “One day the great European War will come out of some damned foolish thing in the Balkans.” His words proved prophetic. In 1914, a Serbian plot succeeded in the assassination of the heir to the Austro-Hungarian throne and precipitated World War One.
One hundred and thirty-three years later, President Joe Biden said, “I think it’s more than likely we’re going to end up if we end up in a war - a real shooting war with a major power - it’s going to be as a consequence of a cyber breach of great consequence, and it’s increasing exponentially the capabilities.”
Mr. Biden’s stumbling statement is likely to prove as prophetic as Mr. von Bismarck’s. A cyberattack that disables or destroys a significant part of our commercial or defense infrastructure is an act of aggression that would justify a kinetic response.
Mr. Biden’s statement shouldn’t be confused with saber-rattling but, he has inadvertently raised the issue of when a cyberattack should be regarded as an act of war.
Cyberattacks, often difficult to trace to their perpetrators, usually don’t take lives or cause physical destruction. Nevertheless, cyberattacks, including ransomware attacks, can cause enormous damage. The US legal definition of “act of war” only refers to declared and undeclared armed conflicts. That definition – and military planning - must be modernized to include cyberattacks that disable or destroy important parts of a nation’s defense or commercial infrastructure.
The concept is not new. Anyone who saw the 2007 “Live Free or Die Hard” movie saw how a nation could be stopped in its tracks by such cyberattacks. That same year, Russian cyberattacks stopped the Estonian government from functioning for weeks.
China has sought to develop the capabilities and strategies to make such cyberattacks for more than twenty years. The 1999 book “Unrestricted Warfare” by two Peoples’ Liberation Army colonels advertised that fact to the world. Chinese strategists call these attacks “sha shou jian,” the “assassin’s mace.” An “assassins’ mace” cyberattack could disable our power grids, make trillions of dollars disappear from the stock markets, or disable our satellite and missile defenses.
Along with China, Russia, Iran, and North Korea, each seeks to cripple our economy and defense capabilities through cyberattacks. We are doing virtually nothing to deter them.
During his June summit with Russian President Putin, Mr. Biden painted a red line for Russia by presenting Mr. Putin with a list of elements of US infrastructure, including defense, energy, communications, and commercial entities, that Mr. Biden warned were off-limits to Russian cyberattacks.
Only weeks after Mr. Biden’s warning, “REvil,” a Russian cybergang, reportedly attacked a defense contractor and stole several gigabytes of data. Russian cyber gangs – many of which are connected to Russian intelligence agencies - do not make such attacks without orders or consent from the Putin regime.
On the Friday following that attack, Mr. Biden called Mr. Putin and told him he would take any necessary action to defend US businesses and infrastructure from such attacks. But Mr. Biden did nothing to punish Russia. His actions, such as ending sanctions against the construction of the Nordstream 2 pipeline, only gave Mr. Putin more of what he desires most.
The Biden administration is taking an equally appeasing approach to China. Before Deputy Secretary of State Wendy Sherman’s meeting with Chinese Foreign Minister Wang Yi in late July, the Justice Department dropped its prosecutions of five Chinese “researchers” arrested for falsifying visa forms by not disclosing their links to China’s Peoples Liberation Army.
During the meetings, Ms. Sherman was scolded by Mr. Wang and given two lists of demands for US policy changes to repair relations with China. They included three “red lines” that the US should not cross, including subversion of the Chinese system, blocking China’s development, and infringing on China’s sovereignty.
Those vague terms could mean anything from supporting Hong Kong demonstrators being convicted under China’s imposed new laws to challenging China’s illegal claims in the South China Sea.
China obviously has no respect for Mr. Biden and will continue, if not accelerate, its hundreds of daily cyberattacks on US defense and intelligence networks.
Iran is eager to join in the cyberwar against the US. SkyNews, which obtained five reports allegedly authored by a unit of Iran’s Revolutionary Guard Corps’ cyber unit, reported that they revealed research into how to disable or destroy cargo ships and Iran’s effort to identify and target key infrastructure assets.
Despite Iran’s growing cyber threat, Mr. Biden pursues the renewal of the 2015 nuclear weapons deal former President Obama made with Iran. He should, instead, deal with that threat and other Iranian acts of aggression.
Cyberattacks on US infrastructure, such as the May Colonial Pipeline ransomware attack, are difficult but not impossible to trace to their perpetrators. Mr. Biden said that he didn’t believe Russia was responsible for the Colonial Pipeline attack. Still, evidence shows – according to my sources – that a Russian cybergang, operating under orders of the Putin regime or with its consent - was responsible.
Whenever Mr. Biden excuses a major cyberattack, our adversaries grow more confident that America will not defend itself. Each time Mr. Biden fails to punish the perpetrators of a major cyberattack, the danger of more devastating cyberattacks grows, along with the danger of the real shooting war Mr. Biden forecast.
• Jed Babbin, a deputy undersecretary of Defense in the George H.W. Bush administration, is the author of “In the Words of Our Enemies.”