Cybersecurity, surveillance, and military retaliation: Why some balloons bust–and others don’t

By Kathryn Hedgecock, Lauren Sukin | February 27, 2023

A sequence of frames from video of the Chinese balloon shot down off the South Carolina coast on February 4, 2023.A sequence of frames from video of the Chinese balloon shot down off the South Carolina coast on February 4, 2023. (Thomas Gaulkin /Jonathan Snyder/LSM)

The Chinese surveillance balloon that began drifting across the United States on January 28 prompted headlines suggesting the incident was a foreboding indicator of malign United States-China competition. Some scholars, however, emphasized that these assertions were nothing but hot air. After all, the balloon is one of several that have been detected in the United States airspace since 2017, and merely a physical manifestation of an ongoing trend of Chinese espionage that is often much more clandestine.

So, what was it about this particular incident that generated such swift, bipartisan calls for a military response? Our recently-published research shows that it was more likely the unequivocal, timely public attribution of this surveillance balloon to its country of origin (China), rather than the actual effects of the surveillance or the more unusual means of its collection.

How valuable is surveillance? China is believed to have used surveillance balloons to collect intelligence for the past several years, though the origin of the balloon program has yet to be disclosed. These balloons have been observed in American airspace before–including four times during the Trump administration–as well as in airspaces throughout the world. China is not the only country to use this technology. In early February, South Korea also spotted a North Korean surveillance balloon over its territory.

Importantly, balloons are just one of many surveillance technologies designed to intercept electronic signals and communication. States routinely run cyber espionage operations. In most cases, the information gleaned by these cyber operations—though they vary in their size and effects—is much more consequential than what could be detected with a simple balloon. Several major, Chinese-sponsored cyber operations have been discovered in United States networks.

Take, for example, the 2021 Microsoft Exchange hack that was attributed to the Chinese-state sponsored, Hafnium Group. This espionage operation targeted a significant range of industries, including higher education, defense contractors, and nongovernmental organizations, to extract data. Other notable Chinese hacks include the 2014 Office of Personnel Management (OPM) breach, which obtained the security clearance investigations of 21.5 million Americans and the 2017 hack of Equifax credit service resulting in the data breach of nearly 150 million Americans. North Korea frequently conducts ransomware cyberattacks in the United States as well, including a campaign of attacks on American hospital networks last year. Russia’s infamous “election interference” in the United States and elsewhere has included myriad cyber operations. Since the start of the Russia-Ukraine war, Microsoft has detected Russian cyber intrusions on “128 organizations in 42 countries outside Ukraine.”

There is a puzzle associated with the balloon incident: The actual intelligence-gathering value of the balloon is presumably limited. The additional information China could have gained, had it not been downed, would make little difference to its strategic dynamics. And yet the public response was similar—maybe even louder—than the reaction to much more severe violations of United States sovereignty or privacy. This led, in turn, to a military response, a rarity for the type of operation generally thought to fall “below the threshold” that should justify such retaliation. (China, after all, responded to the attack on the balloon by saying it was an unreasonable and disproportionate escalation.)

The short march to China’s hydrogen bomb

In a recent research paper, we examined American public support for retaliation against these types of foreign-sponsored operations, ranging from common, minor violations, such as espionage and theft, to more serious but still historically observed operations like cyberattacks on hospital infrastructure.

The recent balloon incident in the United States airspace supports our findings that Americans view any violation of sovereignty as serious. We found significant public support for the US military to take action against foreign governments and operatives—even in response to the types of incursions that happen on a regular basis.

The difference a method makes. How surveillance and other adverse foreign operations are conducted has been thought to have critical influence on what the response to these operations will be. For example, one commonly held belief is that operations in the cyber and physical domains escalate differently. It may be easier for governments to retaliate when their adversaries send in spies, balloons, or other types of operatives and physical equipment than it is to retaliate when the same information is obtained via hacking.

But this view might be changing. In our research, we find that the public does not discriminate between cyber operations and kinetic ones that rely on physical equipment or operators. Instead, there’s support for retaliation across the board. Two-thirds of Americans say they would support a military response to a foreign-sponsored hack—the same percentage that would support a military response to a kinetic operation that caused the exact same effect.

This, in fact, is what we saw as the infamous balloon floated overhead. Public outcry for retaliation was swift, and President Biden was quick to assert that he had personally given the order to shoot the balloon down “as soon as possible.” Several other high-altitude objects have been downed since; these currently unattributed vessels may have stayed under the radar, so to speak, had the public balloon incident not occurred.

Sailors assigned to Explosive Ordnance Disposal Group 2 recover a high-altitude surveillance balloon off the coast of Myrtle Beach, South Carolina, Feb. 5, 2023.
Sailors assigned to Explosive Ordnance Disposal Group 2 recover a high-altitude surveillance balloon off the coast of Myrtle Beach, South Carolina, Feb. 5, 2023. (Photo: U.S. Navy/Tyler Thompson)

What matters most? So, what was it about this spy balloon that caused it to go viral, generate widespread public outcry for retaliation, and solicit a unanimous resolution of condemnation from the House of Representatives? Simply put, the spy balloon was swiftly and publicly attributed to China.

At least four other spy balloons have traversed American airspace in recent years, yet the Chinese balloon of early 2023 was the first to be shot down and receive public attention. There is a difference between the past balloons and the recently downed one: This balloon was quickly identified. On February 1, Billings Gazette editor Chase Doak spotted and took photographs of the balloon, sending them to government agencies and publishing the photos in the Gazette to widespread media attention. By the next day, the US Department of Defense announced that they had been aware of, and were tracking, the balloon—meaning that without Doak taking notice, the presence of the balloon may have never been publicly revealed. This public disclosure by a reporter, coupled with improved intelligence after failing to detect past balloons, led to the timely attribution of this most recent balloon to China.

To do or not to do: Pyongyang’s seventh nuclear test calculations

Such dynamics also occur in the cyber domain. The near simultaneous revelation of the Solarwinds hack and attribution of the attack to Russia generated rapid, powerful calls for retaliation. Similar Russian cyber espionage actions, which remained unattributed, or were only attributed far after they originally occurred, however, have not evoked the same public outcry. After all, accurate source identification is necessary to determine where punishment should be directed. The timing of attribution can also impact the support for retaliation. Despite the adage that “revenge is a dish best served cold,” in practice, retaliation is more often served “hot.” Our research finds support for retaliation against an incursion to be four percentage points higher for recent offensives.

What’s next? While the Chinese surveillance balloon no longer soars across the United States airspace, frequent, consequential espionage efforts are a persistent facet of American reality. Attribution remains a central prerequisite in both the cyber and physical domains in situations where plausible deniability remains high. Moving forward, the United States must continue to strengthen its attribution capabilities to deal with a competitive environment dominated by competition below the threshold of combat.

However, having the ability to identify the responsible actor and making a public attribution should be seen as distinct actions. Our research shows that the public generally supports retribution when sovereignty is encroached, and they are even more likely to demand retaliation when attribution is certain and swift. Yet retaliation is not always the best answer. In this case, the decision to burst the balloon had immediate and detrimental political effects. United States Secretary of State Antony Blinken’s visit to China earlier this month, which was expected to be a critical conversation about strategic stability between the two powers, was postponed.

Some scholars have suggested that this incident was a bold, but calculated, opportunity for China to test the limits of United States response. Others suggest it was part of a routine practice, considered by China to be a low-risk strategy. Regardless of China’s intentions, the balloon incident highlights the uncertainty present in an era of multi-domain, gray zone conflict and competition, where whether a state should respond—and to what extent—to an incursion is often murky at best.

The views expressed herein are those of the authors and do not reflect the position of the United States Military Academy, the Department of the Army, or the Department of Defense.

Together, we make the world safer.

The Bulletin elevates expert voices above the noise. But as an independent nonprofit organization, our operations depend on the support of readers like you. Help us continue to deliver quality journalism that holds leaders accountable. Your support of our work at any level is important. In return, we promise our coverage will be understandable, influential, vigilant, solution-oriented, and fair-minded. Together we can make a difference.

Get alerts about this thread
Notify of
Inline Feedbacks
View all comments


Receive Email