The US approach to cybersecurity implicitly rests on an effects-based logic. That is, it presumes that the key question determining how the US and others will respond to attacks is what effects they have. Whether the effects come about as a result of cyber means or kinetic means is largely irrelevant. In this article, we explore this logic further, focusing on the question of when the US should deploy cyber responses and when kinetic. We find that under a simple effects-based logic, kinetic responses will often be more effective than cyber responses, although we explain that cyber attacks that ‘leave something to chance’ may be an effective deterrent under some circumstances. We next develop a richer understandings of actors’ expectations by employing the concepts of focal points and saliencies. In this framework, kinetic responses may be considered too escalatory, and therefore less attractive under many circumstances. If there are ‘focal points’ emerging, under which cyber attacks are seen as qualitatively distinct from kinetic attacks, then crossing a saliency may appear escalatory, even if the actual effects of the kinetic and cyber attackes are identifical. Finally, we examine nascent norms around cyber, suggesting that the US may wish to consider promoting a norm against large scale attacks on civilian infrastructure, and evaluating the prospects for a norm against cyber attacks on nuclear command and control systems.

Henry Farrell and Charles Glaser (2017), “The Role of Effects, Saliencies and Norms in U.S. Cyberwar Doctrine,” Journal of Cybersecurity,3,1:7-17. Republished in Herbert Lin and Amy Zegart, eds. Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations(Brookings Institution 2019).