This dynamic changed in September 2018, when President Trump issued National Security Presidential Memorandum 13 (NSPM 13), a classified directive that reportedly enables the White House to permit the military to engage in offensive cyber operations without a lengthy review process. The measure, which then-National Security Advisor John Bolton played an important role in crafting and implementing, is designed to deter adversaries from cyber campaigns targeting critical networks or interfering in U.S. elections. Bolton asserted that the directive would create “structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear.” Cyber operations approved under NSPM 13 would have to fall short of the criteria for classification as “use of force,” however, meaning they cannot cause death, destruction, or severe economic impacts. Still, the directive gives the Trump administration a potent tool to respond to and prevent Iranian cyber aggression.
Despite the issuance of NSPM 13, U.S. policymakers have yet to make full and concerted use of the authorities contained within. Iran has therefore yet to be deterred, as evidenced by reports that it has continued to probe critical U.S. systems, signaling that an attack on industrial control systems remains on the table.
The primary deterrent to Iran undertaking the costliest and most destructive attacks would be the knowledge that such a cyber attack would lead to a kinetic response, but, troublingly, the U.S. has yet to define what constitutes an act of warfare in the cyber domain.
Lawmakers of both parties have grappled with the question in the wake of the Soleimani assassination and have called on the Pentagon to provide guidance. Since 2011, it has been U.S. policy that, “When warranted the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” Without clearly enumerated red lines, however, Iran is liable to test the waters in provocative ways, having already discovered it can carry out costly attacks on the U.S. financial system, on a casino, on universities, companies, and government agencies without significant pushback.
The most daunting task facing the U.S. is shoring up the defenses of the thousand soft targets around the country. In 2018, the U.S. elevated Cyber Command to a combatant command and made defending critical infrastructure against cyber attacks a key priority. Strategic collaboration with allied countries is an important component in ensuring that the U.S. and its allies are adopting best practices in cyber defense. In November 2019, the U.S. Cyber Command and its Israeli analog, the Israeli Defense Forces’ Cyber Defense Directorate, staged a joint exercise, dubbed “Cyber Dome,” in which the participants practiced responding to a simulated significant cyber attack. Israel has also opened its doors to other regional militaries to cooperatively share in its advanced cyber defenses. While such collaboration is useful for enhancing homeland security and protecting U.S. interests abroad, the private sector in the U.S. has been largely left to its own devices when it comes to cybersecurity. A more proactive public-private approach is required to identify vulnerable targets and bolster cybersecurity across the board in order to achieve collective defense.