[topkai22]

AFAIK, there remains no clear policy or line on what sort of cyber incident would warrant escalation to a “kinetic” (blowing things up) response. This is a serious problem, as it can lead to unintentional escalation.

For example, if Turkey and Russia got into a spat over access to the Black Sea and Russia triggered blackouts in Turkey that (perhaps unintentionally) killed people. Would that trigger Article 5? (NATO Mutual Defense Treaty?)

What if a state sponsored (but not state controlled) group managed to do a massive uncontrolled release of dam water, drowning hundreds. Would the US be justified in a kinetic retaliation against the sponsoring state?

This is one reason why people are calling for a cyber version of the Geneva convention- we need norms to help make the signaling and consequences inherent in these actions clear to all parties.

[panarky]

"Pentagon Suggests Countering Devastating Cyberattacks With Nuclear Arms"

https://www.nytimes.com/2018/01/16/us/politics/pentagon-nucl...

[nradov]

The US already has a policy to use kinetic means to retaliate against state sponsored terrorism. Whether that terrorism is carried out through "cyber" or other means is irrelevant. And the US did trigger Article 5 after the 9/11 attacks.

[topkai22]

Ok, the dam scenario is excessive (and kinetic already), but where that threshold crossed? If a string of on going attacks caused 10s of billions of damage but with no fatalities, would it crossed? What about incidental fatalities such as preventable deaths in a blackout?

Messaging and intentions aren’t clear in this domain yet, that’s the worry about unintentional escalation.

[nradov]

Intentions about military responses are intentionally unclear. Presidents want to preserve their freedom of action and keep their options open.