Strategic instability will be an inherent factor in cyber conflict for the foreseeable future, according to preliminary findings of a research effort by the Cyber Conflict Studies Association (CCSA), led by Greg Rattray and James Mulvenon.
This inherent cyber instability was the topic of a recent conference co-sponsored by the Atlantic Council, Council on Foreign Relations and CCSA. The full findings will be to be published by CCSA in December at an event cosponsored with the Atlantic Council’s Cyber Statecraft Initiative.
As noted in a panel discussion – moderated by CCSA chairman James Mulvenon with Barry Pavel (Atlantic Council) and Chris Demchak (Naval War College) – on the causes and concerns of strategic cyber instability, many of the reasons for this instability have been recognized for a decade or more: the advantage of offense over defense, low barriers to entry, strategic and asymmetric vulnerability of critical infrastructure in developed nations, possibility for cascading effects and less-than-kinetic effects, difficulty of attribution, lack of norms, and the possibility for and relative ease of crossing international borders over intercontinental ranges.
However, what has not been fully appreciated by researchers or policymakers is that these factors combine to make cyber conflict far more unstable than conflict in other domains:
- Nations are more likely to be tempted into launching pre-emptive attacks either in advance of, or to coercively attempt to forestall, more traditional kinetic conflict.
- Non-state groups have been used as proxies by nations and will be less accountable and controllable than government forces.
- As the issue is not well understood, there is a greater chance that nations will misunderstand signals being given by other nations in cyberspace, especially if in the midst of attacks by non-state actors.
- Worse, in a cyber conflict nations have established or are prepared to use few of the traditional methods for risk reduction, such as hotlines between military operations centers (think Failsafe).
Accordingly more effort needs to be made, as will be noted in the forthcoming CCSA research, on addressing this instability head on. More security will not, by itself, resolve this instability. Rather, nations
- Must be prepared to work through disruptions (as DoD has already resolved to do),
- Invest more in incident response to deal with the inevitable catastrophes,
- Agree to norms and regimes, and
- Establish mechanisms to ensure clear communications for conflict prevention and termination.
The highlight of the discussions on the conference was a lunch keynote on the relationship of Internet governance and cyber instability, by Paul Twomey, Atlantic Council board member, moderated by Stewart Baker.
Jason Healey (Atlantic Council) moderated a panel discussion on new approaches to deal with these issues, with Micah Zenko (Council on Foreign Relations) and Scott Charney (Microsoft) detailing other models. In addition, Jody Westby (Global Cyber Risk LLC) discussed establishing norms and legal regimes with Catherine Lotrionte (Georgetown University) and Martha Finnemore (George Washington University).
In partnership with CCSA, the Atlantic Council will continue to be involved in this work and bring the results to this audience.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey. This blog is the first of a periodic series on cyber conflict history. Hannah Pitts is the Executive Director of the Cyber Conflict Studies Association.