This analysis was featured in Critical State, a weekly foreign policy newsletter from Inkstick Media. Subscribe here.
On March 3, I joined millions of strangers watching a video feed streamed from Ukraine’s Zaporizhzhia Nuclear Power Plant. The power plant was under assault as part of the just over a week-old Russian invasion, and the video showed flashes of light from explosions and gunfire. It was the stuff of war, transmitted over the internet, to an international audience worried about what might happen next.
The biggest risk to the reactors was disruption of maintenance and operation, followed by the explosives used in the fight. But there was also another ominous threat, carried in the same medium as the camera streaming the attack. What if the internet itself was used as a vector for an attack, disrupting or sabotaging controls and causing harm?
“Cyberattacks” is a big category, and one that doesn’t easily map onto a vocabulary of explosives and ramparts, flanks and missiles. But they’re real all the same, and can cause tangible, physical harm, like the Stuxnet worm did when it increased the spin rates of Iranian centrifuges to cause them to break.
In “Hitting Back or Holding Back in Cyberspace: Experimental Evidence Regarding Americans’ Responses to Cyberattacks,” authors Marcelo Leal and Paul Musgrave demonstrate that the American public supports a range of responses to cyberattacks. This range depends a great deal on the harm from the attack and the nature of who launched it.
While the public won’t actually be making the decisions about how to respond to a cyberattack, political leaders will be responding with that public sentiment in mind, so Leal and Musgrave set out to discover what that sentiment actually is.
“Our findings demonstrate that the effects of an attack matter for the public’s evaluation of its severity and how to respond,” Leal and Musgrave write. “This relationship, however, is not linear.”
Harsher retaliations were selected when the scale of harm increased, with deaths and lots of deaths eliciting the most drastic calls for retaliation, while surprisingly billions of dollars of economic damage was also seen as warranting the same retaliation as several deaths. Notably, the reason given for an attack and the entity targeted, like a business or a hospital or the military, mattered less for retaliation than the fact of the attack itself.
“Support for more severe retaliatory options rises in a curve as evaluations of attack severity increase.”
“Support for more severe retaliatory options rises in a curve as evaluations of attack severity increase,” the authors write. “There is no bright line between a severe and a less-severe attack; rather, both evaluations of attack severity and preferences over retribution are usefully conceived of as continua.”
This range of response matters a great deal, because the public will have some expectations of how the government should respond, but won’t have the same elaborate theorizing around it as people in the room.
“Policymakers should be aware that the public prefers cyber retaliation but supports escalation only conditionally,” write the authors. “In general, the public prefers to respond to cyberattacks with cyberattacks, but there is some pressure for harsher responses as the severity of an attack increases, especially if the aggressor is a US citizen.”
Related: Ladder theory: Part I
Critical State is your weekly fix of foreign policy analysis from the staff at Inkstick Media. Subscribe here.