May 9, 2022
Assumptions and hypotheticals: First edition
When academics, policymakers, and practitioners discuss security and conflict within the cyber domain, they are often hampered by a series of ongoing debates and unarticulated assumptions, some more commonly agreed upon than others, which they nevertheless must cope with to better understand the domain.
We have brought together members of these communities to discuss the reasons that these debates are important to the shaping of cybersecurity and strategic plans, as well as how outcomes of these debates might impact the way that public- and private-sector actors’ actions, informed by these debates one way or another, affect the domain, their adversaries, and their own goals.
The first edition of this series considers several ongoing debates, including the escalatory potential of cyber operations, the measure of deniability created through the use of proxies, and the offense-defense balance in cyber engagements.
Assumption: Cyber operations are not escalatory, and are even de-escalatory.
Why is this discussion important?
Cyber operations (like operations in any other domain) are not inherently escalatory or de-escalatory. Escalation/de-escalation only exists in the context of an engagement with an adversary/competitor. Owing to the ability of cyber operations to create reversible damage/effects, they present a broader range of options at the lower end of the spectrum of conflict. This can provide nonescalatory or de-escalatory options, even face-saving measures, but it can also mean that the United States is always in a higher level of conflict with, say, the People’s Republic of China, than would otherwise be the case. Ambiguity about thresholds or even credibility when it comes to defining thresholds to US adversaries might also encourage escalatory behavior. The range of views on what constitutes proportionality (especially when trying to weigh cyber actions against actions in other domains or hybrid activities) makes it difficult to accurately understand other actors’ logic and to communicate Washington’s. This can lead to complicated escalatory dynamics that are not yet well understood. A nuanced understanding of these dynamics is hampered by generalizations such as this assumption.
The debate over cyber operations’ escalatory potential is important because policymakers need to understand under what conditions cyber campaigns and/or operations bolster or undermine national security. Treating the statement above as a generalizable assumption for the basis of policy across the full spectrum of strategic competition—day-to-day competition short of militarized crisis and armed conflict, militarized crisis, and armed conflict—risks unintended escalation, either accidental or inadvertent, or military failure.
For example, the empirical record suggests that this assumption is valid in day-to-day competition (operations that tend not to generate armed-attack equivalent effects). Under this condition, cyber campaigns can inhibit opponent gains while advancing US interests, set the conditions for deterrence success should a crisis emerge, and set conditions for military victory should armed conflict erupt—all without risking escalation out of competition to conflict.
On the other hand, there is no empirical evidence to suggest the assumption is valid during the qualitatively different condition of militarized crises. Moreover, there is a sound, deductive argument based on crisis-decision-making theory that the core features of crises and the character of cyber operations interact to increase the risk of unintended escalation. Thus, accepting this assumption for policy under a condition of crisis could lead to a disastrous outcome.
Although there are few cases of cyber operations being used in armed conflict, events in the Russia-Ukraine conflict challenge the validity of the assumption that cyber operations in war are being perceived by either belligerent as signaling a desire to de-escalate. Were Ukraine to relax its pressure on Russian forces as a de-escalatory gesture after being subject to Russian distributed denial-of-service or wiperware attacks, Kyiv’s move would most likely further encourage Russian aggression.
The main reason this debate is important is that it also comes with a secondary assumption that some potential cyber scenario will cross a so far imaginary redline that might lead to land warfare between great powers. Without considering the intent of the operator, the assumption can only focus on the impact of a given cyber operation . . . but we know that the only difference between many reconnaissance missions and offensive payloads is often the intent of the operator or operators and their own affiliations. The escalation conversation for cyber operations is better met with debates related to defining the rules of engagement in cyberspace and the military practice of effects-based, rather than means-based, analysis and response.
The escalatory nature of cyber operations remains a matter of debate. In fact, the prevailing assumption among practitioners and academics has been that cyber operations are dangerously escalatory, rather than the opposite. It is only recently that the consensus has begun to shift in the opposite direction, largely driven by academic research—through war games, statistical analysis, surveys, and case studies—that has found little empirical support for the contention that cyber operations cause escalation. Instead, there is emerging evidence that such operations could facilitate the de-escalation of crises because they lack the physical violence associated with kinetic military capabilities, and their ambiguity and plausible deniability can create breathing room for crises to resolve short of war. This is a critical debate because it has direct implications for the stability of cyber rivalries and the international system as a whole.
If purely cyber operations launched by Russia against Ukraine affect systems within neighboring NATO countries and those governments deem them to be proportional to an armed attack, then . . .
Does the US deem such attacks to be proportional to an armed attack (what was the effect? were those NATO countries intended targets, and does it matter? etc.)? If so, should the US encourage an Article 5 invocation—arguably, one of the worst strategic outcomes would be an Article 5 invocation that does not get unanimous support from NATO members—or instead aim for a non-NATO, bi-/multilateral response? What kind of precedent does that set? How can the US help build consensus in the rest of NATO, on both how to characterize and how to respond to the attack, and what are the starting positions of other members?
If the US does not deem the attacks to be proportional to an armed attack, what other actions could the US take to assure the affected nations and deter Russia from continuing this behavior? To the extent that it might take longer to reach consensus on key issues within NATO than it would in a non-cyber attack scenario, what do we do in that critical window between the attack and any kind of response? How can NATO members’ cyber defensive posture be improved, and what immediate defensive actions would need to take place? What if the affected nations are not satisfied by NATO/US actions, or consensus is too difficult, and they act unilaterally or in an alliance that excludes the US and NATO? In the event of an allied (either NATO or bilateral/other) response, would sensitivities about sharing offensive cyber capabilities make retaliation in other domains more attractive? If the response is disjointed or weak, does an emboldened Russia escalate its cyber attacks against eastern-flank and other NATO countries? How else might Russia exploit or capitalize on new divisions within the alliance? What does the PRC (and others) learn from this?
If those governments attribute the operations to Russia, the states have the right to invoke Article 5 and then to decide based on their particular national circumstances how to respond. Whether or not they would invoke, however, would likely be informed by conditionality (day-to-day competition, militarized crises, or armed conflict). Were the affected NATO member states not, at that time, in a militarized crisis with Russia (presuming they are not in an armed conflict), the states may be inclined to consider the operations an accident, albeit a costly one. Some have argued that NotPetya, due to its substantial economic damage, could be considered as causing armed-attack equivalent effects. The NATO response to NotPetya could, then, be instructive. Although the NATO Cooperative Cyber Defence Centre of Excellence stated that a state actor was most likely behind NotPetya, it did not attribute the operation to Russia, and, instead, called for an international investigation. On the other hand, under a condition of militarized crisis with Russia, if the operation were attributed to Russia, NATO would be more inclined to invoke Article 5.
Such attacks would probably warrant either a cyber in-kind retaliation, increased sanctions, broader law-enforcement activity and cooperation, or a justifiable military response, depending on the impact they have (especially in the physical world) and the population they impact.
NATO will face an important test. However, it’s important to note that the plausibility of NATO countries defining a spillover cyber attack as proportional to an armed attack is low—this is a pretty high bar. That said, this scenario would raise a critical issue for NATO: the applicability in practice of Article 5 (collective defense) to cyber attacks. Since the 2014 Wales Summit, NATO has stated that Article 5 applies to cyberspace. The alliance has reaffirmed this at subsequent summits, most recently in Brussels last year. However, leaders have hedged when it comes to clarifying what type of cyber attack would actually trigger Article 5. During a press conference in February of this year about the Ukraine conflict, NATO Secretary General Jens Stoltenberg stated that, “We have never gone into the position where we give a potential adversary the privilege of defining exactly when we trigger Article 5.” Therefore, this hypothetical case would be a significant test of the credibility of Article 5—in cyberspace and beyond. The immediate outcome would be deliberations within the North Atlantic Council about if and how to respond. Any NATO response would require consensus, potentially creating the conditions for allied unity to be undermined if allies fail to agree. Sustained and public disagreements could have negative implications for the credibility of NATO deterrence and collective defense more broadly.
Assumption: States can effectively rely on ‘cyber proxies’ to create deniability
Why is this discussion important?
This assumption is important because, if true, aggressor states will conclude they can pursue their interests through illegal or unacceptable acts without facing meaningful consequences. If an aggressor state successfully conceals its participation in an activity through the use of a proxy, it is unlikely that the state can be held accountable for its actions. Under international law, a victim state cannot respond with force in self-defense or by use of countermeasures against a state that is not responsible for a proxy’s actions. If a victim has intelligence or other evidence that an aggressor has direction or control over a proxy, and asserts so publicly, the aggressor may challenge the victim to produce the information on which it relies. This might force the victim state to either reveal information that could make future operations ineffective, compromise sources that produced the information, or risk leaving its accusation unsubstantiated. It appears that states might have greater success hiding their connections to proxies conducting activities in cyberspace than other domains, making this form of competition desirable.
Justin Key Canfil
It is often assumed that plausible deniability is one of the main reasons states outsource to proxies, yet the relationship between proxies and plausible deniability is anything but straightforward. Cyberspace is already secretive and deterrence is questionable. Attacks often go undiscovered for extended periods, and bringing foreign perpetrators to justice is difficult. So what is the value-add of extra deniability? Researchers have pointed out that states don’t always bother to deny their involvement in cyber operations, and that the logic of plausible deniability is questionable even in physical domains. For scholars and practitioners, questioning the motives of cyber adversaries is important because altering their behavior depends on understanding why they do what they do.
Whether or not states can effectively rely on cyber proxies can have major implications on escalation dynamics, especially in times of crises. If cyber proxies can create deniability for states, states are afforded a range of options while reducing their own exposure to any potential retaliation. States that can plausibly deny their proxy’s actions might act more aggressively through their proxies without fear of the consequences. States could use their cyber proxies to conduct attacks, as well as collect intelligence and steal money on their behalf. Without this deniability, defenders can treat all hostile acts—whether they emanate from the adversary state or its proxy—as equally state-backed.
If the ‘deniability’ provided through the use of cyber proxies is not sufficiently countered by the attribution capability of states and private companies, then . . .
Cyberspace will become a more lawless space where actors, particularly highly capable state actors, can act without fear of meaningful consequences. Power alone will determine the rules for acceptable cyberspace behavior rather than deliberation and consensus. The rule of law will apply to malicious state cyber actors in few circumstances, and states seeking to use capabilities to advance their interests will face few restraints. Without the ability to attribute discrete malicious cyberspace activities, the only meaningful limit on an individual actor will be the fear that eventually the sum total of one’s malicious acts may be discovered, connected, and attributed. This fear will most likely be remote compared to the rewards of continued malicious activity, especially if the actor is directed, protected, sponsored, or at least ignored by the state from which the actor operates. If directed by the state, it is likely that the proxy’s protection from domestic consequences will be comprehensive; the only meaningful threat an individual actor serving as a state proxy may be presented is denial of international travel and sanctions. With proxies obfuscating the role of states in their activities, states can pursue national agendas freely.
Justin Key Canfil
Reliance on cyber proxies would be widespread—and this is the conventional wisdom for why it is. Nevertheless, deniability may not really be the main reason why states outsource to proxies, at least anymore. After all, when talking about states that rely on proxies, researchers tend to point to the usual suspects. If the United States already has an idea regarding which country is behind those proxies, how deniable are they really?
In an article recently accepted by the Journal of Cybersecurity, I argue that targets are increasingly willing to go public, regardless of whether proxies or one’s own agents are used. One consequence is that state sponsors are using in-house personnel to conduct attacks more than they used to. The reasons for this should be obvious. Outsourcing to proxies that do not convey plausible deniability means sponsors get the worst of both worlds: proxies can be difficult to control, might have their own agenda, and do not offer any additional political cover vis-à-vis a target who is not fooled about who really stands to gain. Capable sponsors who find that they will take the heat either way learn that they may as well do it themselves. Of course, states do sometimes outsource to proxies, as others have described. But if using proxies is still beneficial, it is probably not because they offer much plausible deniability. Targets are ultimately the ones who get to decide what is plausible, and not only has attribution gotten better—because cyber conflict is not a courtroom—suspicion is evidence enough.
It is not difficult to imagine a scenario in which even a small degree of deniability can create real dilemmas for defenders. Take the current war in Ukraine. NATO Secretary General Jens Stoltenberg asserted that spillover from the conflict, including a serious Russian cyberattack against a NATO member state, would trigger the Alliance’s Article 5 collective-defense measures. But what if such an attack was conducted by a nonstate proxy at the behest of the Kremlin? Even with a little plausible deniability, Russia might employ proxy operations as a means of sowing divides among NATO member states on what necessitates collective defense. In addition to technical attribution, the need for accurate intelligence on the nature of proxy relationships and their chains of command is critical to countering this threat.
Assumption: The offense has the advantage over defense
Why is this discussion important?
Offensive advantage and defensive advantage are the two extreme poles that define a dynamic competitive space. The US position at any given moment in that space depends on the actors, technologies, organizational/ecosystem posture (like nature of public-private partnerships, or how stakeholders cooperate, for example) and goals, among other things. If the goal is intelligence collection (where encryption technology is one driver), the United States might be in a different place on that spectrum than if the goal is irreversible destructive effects, or influence operations, etc. The nature of the goal in question will drive what technological competitions, organizational structures, systems, etc. are most relevant in defining where the United States is in the competitive space. Conversely, the state of the technological competition, systems, etc. will shape what goals are possible.
The debate is valuable, although it is not important for cyberspace. It is valuable because the concept of offense-defense balance has informed a number of policy debates regarding the nuclear and conventional strategic contexts, including but not limited to arms races, preemptive attack, and expectations of war duration. Additionally, history has shown that pursuing policy not aligned with the strategic environment can be catastrophic. It seemed reasonable, then, to apply the concept to the cyber environment to possibly discover useful policy insights. Those who have attempted to do so, however, have found the concept wanting, with some having to dive into state-level attributes (or even deeper) in order to suggest any prescriptive value. But offense-defense theory is a structural theory of international relations in which core features of the strategic environment are argued to be determinative. For example, the nuclear strategic environment—where nuclear weapons capabilities ensure that the offense wins every time—is an offense-dominant environment. In the conventional strategic environment, offense-defense advantage is determined by the combination of technology, operations, and tactics. Neither of these frames applies to the cyber strategic environment, which comprises a set of technologies that are macro-resilient and yet micro-vulnerable, where defense is possible but always at risk. Consequently, the debate does not account for the primary mechanism for achieving advantage in cyberspace—initiative persistence—which requires a persistent, fluid operational approach for precluding or inhibiting opponents’ gains by exploiting adversary vulnerabilities and reducing the potential for exploitation of one’s own.
This is less of an assumption and more of a modus operandi. Criminals often work to outsmart or subvert rules and norms. Transnational criminals have long conducted operations in a way that implies an understanding that the scale of those operations could overwhelm response capabilities. Customs officials cannot search every single shipping container at a port without significantly delaying deliveries and impacting trade and economies. As countries continue to battle smuggling at land borders, cigarettes are well known to be among the most widely smuggled products bought and sold in the United States, in an effort to evade taxes. There are no real parameters for what is a “felony” or “violent” crime in cyber compared to petty thefts or misdemeanors. If cyber operations are viewed as a monolith, offense has the advantage. But when cyber is seen in terms of risk tolerance versus risk mitigation, the picture changes: nuclear weapons are very secure for very good reasons. Banking and finance do a great job of staying ahead of evolving tactics, techniques, and practices (TTPs) and thwarting widespread attacks and cascading impacts. And so on: the offense/defense divide depends very much on what is being defended and by whom.
The assumption that offense has the advantage over defense is deeply linked to debates about whether cyberspace is truly dangerous and escalatory. In the traditional security-studies literature, when offense has the advantage, arms races and spirals are likely, conquest is perceived to be easy, and states see an incentive to strike first. Political scientist Robert Jervis measures offensive advantage as follows: “If the state has one dollar to spend on increasing its security, should it be put into offensive or defensive forces? Second, with a given inventory of forces, is it better to attack or to defend?” Therefore, an essential element of measuring the offense-defense balance is relative cost; it is not simply whether an attacker can get through, but at what cost. In conventional warfare, defense typically has the advantage over offense, measured by factors such as force-to-force or force-to-space ratios. Extending this logic to cyberspace, many experts argue that the attacker has a significant advantage over the defender. However, others are more skeptical, noting the investments in time, skill, and resources that are required for offensive cyber operations—particularly against strategic targets—and their unpredictable and limited results.
If, when considering the offense-defense balance, defense has the strategic advantage, then . . .
Actors are incentivized to develop disruptive technologies and TTPs to shift the balance toward offense; breakthroughs in offensive technologies/TTPs/operational concepts may be particularly surprising; actors are incentivized to develop novel ways to achieve their goals, using cyber tools as part of a hybrid approach; increased difficulty of using the cyber domain for intelligence collection increases the risk of operational and strategic surprise in other domains.
Here, it would also be important to explore: what does this defensive strategic advantage look like? What is the source of the advantage? For example, if intrusions are easy to mitigate once detected, that incentivizes the development of tools and operational concepts that focus on rapid actions on target to achieve effects prior to detection. On the other hand, if penetration itself is almost impossibly difficult but once achieved mitigation is not easy, that might drive very different behavior and goals. Those examples are oversimplifications, just intended to illustrate the point.
Given the balance of incentives (ease of use versus security) and technology production trends, it is difficult to imagine a future cyber strategic environment in which the technology favors the defense. Even many who look to, for example, the promise of artificial intelligence/machine learning (AI/ML) to someday give defense the upper hand in cyberspace admit that AI/ML algorithms are as likely to make the offense more capable. Leaning on the offense-defense frame to inform future policy (including technology investments) regarding cybersecurity, therefore, constrains the cybersecurity solution space. Policy solutions supporting initiative persistence are, for the foreseeable future, the most promising route to security.
It will take the best and the brightest talent to defend the systems and information most critical to a mission, a nation, a company, etc. Defense in cyber is more than a strategy or an activity where monotonous practice and lots of spending yield results; it is a daily evolution of analyzing and responding to changing TTPs, and a tradecraft that is practiced and perfected continuously over time.
Cyberspace is not a dangerous domain: escalatory spirals are less likely and, when they occur, are less severe. States get more out of investing in capabilities that support defense and resilience than they do out of investing in offensive capabilities that are expensive and often net less-than-desirable results. What is fascinating about this debate, however, is that many of the same experts who claim that cyberspace is escalatory and offense-dominant also argue that states should invest in defense—when the reverse should be true, according to the logic of offense-defense theory. If the attacker has the advantage in cyberspace, then from a purely strategic perspective states should be leaning into offensive strategies.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.