We have updated our Privacy Policy and Terms of Use for Eurasia Group and its affiliates, including GZERO Media, to clarify the types of data we collect, how we collect it, how we use data and with whom we share data. By using our website you consent to our Terms and Conditions and Privacy Policy, including the transfer of your personal data to the United States from your country of residence, and our use of cookies described in our Cookie Policy.

There you are, minding your business as a nation state when Iranian geeks hack the networks of hundreds of your universities, rip off more than $3 billion worth of research AND leak the latest season of Game of Thrones. If you’re Washington, you respond by issuing felony charges and financial sanctions against the Iranian hackers and…
Wait, that’s it? Surely the US has the capability to inflict significant damage on state and non-state actors alike in cyberspace. But when it comes down to it, as my pal Kevin Allison explains, it’s harder for the US to pull the cyber-trigger than you’d think.
First, there’s no Geneva Convention for cyberspace at the moment. Without global agreement on the distinction between online behavior that is merely bad and what’s truly unacceptable, it’s difficult to determine proportionality in the cyber realm. Does large scale IP theft, for example, demand the same response as hacks or disruptions of critical infrastructure?
Second, unlike, say, lobbing a few cruise missiles at an airbase, cyberattacks and counter-attacks don’t have a neat geography. If those Iranians used servers in Dubai, does striking back at them entail an attack on Iran or on the UAE? Abu Dhabi will be keenly interested in your answer.
Third, cyberattacks are tough to control with precision. If your counterattack spreads beyond its intended target, it can cause collateral damage — including to friends and allies.
So while the US certainly could inflict an awful lot of pain on the Iranians, or any other cyber-attackers, hackers, or crypto-unsavories, the reality is that in most cases doing so is a lot messier and riskier than it seems.