Tripwire for real war? Cyber's fuzzy rules of engagement

BOSTON (AP) — President Joe Biden couldn’t have been more blunt about the risks of cyberattacks spinning out of control. “If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence,” he told his intelligence brain trust in July.

Now tensions are soaring over Ukraine with Western officials warning about the danger of Russia launching damaging cyberattacks against Ukraine's NATO allies. While no one is suggesting that could lead to a full-blown war between nuclear-armed rivals, the risk of escalation is serious.

The danger is in the uncertainty about what crosses a digital red line. Cyberattacks, including those that cripple critical infrastructure with ransomware, have been on the rise for years and often go unpunished. It’s unclear how grave a malicious cyber operation by a state actor would have to be to cross the threshold to an act of war.

“The rules are fuzzy,” said Max Smeets, director of the European Cyber Conflict Research Initiative. “It’s not clear what is allowed, what isn’t allowed.”

The United States and other NATO members have threatened crippling sanctions against Russia if it sends troops into Ukraine. Less clear is whether such sanctions, whose secondary effects could also hurt Europe, would be imposed if Russia were to seriously damage Ukrainian critical infrastructure — power, telecommunications, finance, railways — with cyberattacks in lieu of invading.

And if the West were to respond harshly to Russian aggression, Moscow could retaliate against NATO nations in cyberspace with an intensity and on a scale previously unseen. A major cyberattack on U.S. targets would almost certainly unleash a muscular response. But what of lesser cyberattacks? Or if Russian President...