Free societies must protect themselves and attract others to their vision without undermining the principles upon which their own domestic legitimacy rests. In a very real sense, what we need is not just a new Cold War strategy abroad, but a twenty-first-century “counter e-surgency” model at home that takes into account one’s own political legitimacy while countering adversaries in a never-ending, less-than-war state of conflict.

DEMOCRACIES HAVE significant work ahead of them, particularly in making the moral and practical case that their own citizens should primarily identify with their compatriots rather than with a foreign power with which they share historical, cultural or religious ties. Put another way, would someone coming of age today view U.S. activities in cyberspace as being different from those of other countries, either in competence or creed?

Consider the practical implications of how this might play out under urgent circumstances: a debate by NATO members, or an ad hoc coalition of the United States and its allies, on whether to go to war over a cyber-attack. Most likely, such a decision, which could include invoking NATO Article V’s collective defense provisions, would only happen if a cyber-attack resulted in large-scale loss of life or disruption to continuity of government. These could include cyber-attacks on aviation safety, critical energy infrastructure, and so forth, all done in combination with other disruptions and troop movements as a prelude to probable armed conflict. Likewise, direct attacks that cause major societal disruption, such as attacks that harm voting integrity, could be considered grounds for responding with force.

In such circumstances, it would be difficult enough to get any one nation’s citizens to agree that such an attack warrants a military response. Yet even if that hurdle were to be overcome, it will still be incumbent upon those impacted to convince other allied nations that they too must commit lives in response to a cyber-attack. Until Afghanistan, NATO had never invoked this commitment at all, even for straightforward military threats. But for many smaller European nations, the results of an armed conflict would not only be riskier, but their governments are less likely to have the cyber experts on government payroll to even evaluate attribution claims by the United States, United Kingdom, France, Germany, Netherlands, Italy or other members with more substantial domestic computer security industries. When it matters most, the necessary political will may be hard to summon not only because of natural human apprehension about war, but also due to a lack of capability to evaluate the attack claims of other alliance members: there may be no cyber equivalent to a mushroom cloud that all can see, complicating collective action and hence deterrence.

These concerns muddy the decisions of government cyberdefenders in the West, as they must confront tough decisions not only about how to respond to and defend against a growing array of attack vectors, but must also consider the long-term strategic implications of their conduct and decisions.

Christopher Porter is the chief intelligence strategist of cybersecurity company FireEye and a nonresident senior fellow at the Atlantic Council. He previously served nearly nine years in the Central Intelligence Agency, where he received the National Intelligence Analysis Award, coauthored a National Intelligence Estimate and served as cyber threat intelligence briefer to the White House National Security Council in 2015.

Image: Reuters