September 22, 2022

Assumptions and hypotheticals: Second edition

By Emma Schroeder

When academics, policymakers, and practitioners discuss security and conflict within the cyber domain, they are often hampered by a series of ongoing debates and unarticulated assumptions, some more commonly agreed upon than others, which they nevertheless must cope with to better understand the domain.  

We have brought together members of these communities to discuss why these debates matter to the shaping of cybersecurity and strategic plans, and how their outcomes might change the way that public- and private-sector actors’ actions, informed by these debates one way or another, affect the domain, their adversaries, and their own goals.

In this edition we explore various topics including the cyber sovereignty debate, the question of an attribution threshold, and the utility of cyber tools in crisis escalation. 

Assumption #1

Cyber sovereignty is an unappealing alternative to the Western vision of a “free, open, and interoperable” internet.

Why is this discussion important?

Kenton Thibaut

As governments around the world grapple with how and to what degree the internet should be regulated, countries like China and Russia are advancing a regulatory concept that privileges total state control. This approach, known as “cyber sovereignty,” includes tactics like censorship of political speech online, strict data localization requirements, and the use of internet shutdowns to stifle unwanted activity. At the same time, cyber sovereignty is appealing to many countries across the world for which regulation of the internet poses significant challenges. The current lack of a coherent approach by liberal societies means ceding the debate and risks an eventual world where a more authoritarian approach to digital governance standards becomes a norm. 

Bulelani Jili

Cyber sovereignty can simply be defined as respecting an individual country’s right to choose its own internet development and management. This vision assumes and demands the recognition of individual countries’ right to craft and employ their own public policies about cyberspace. Crucially, Beijing’s efforts to shape the governance of cyberspace hinge on the promotion of this idea.

Justin Sherman

This assumption is false. When we talk about “cyber sovereignty” in the United States, we often discuss the idea of top-down, authoritarian, repressive control of the internet—which it can be, and in China and Russia’s case, it certainly is—but this can result in mirror-imaging. Sometimes, when Beijing and Moscow approach other states, there is an explicit or strong implicit suggestion that greater state control of the internet enables regimes to control dissent and information flows. But in many cases, that is not the narrative per se. Beijing and Moscow instead emphasize the “sovereignty” word in “cyber sovereignty”—telling others that cyber sovereignty is not about empowering China and Russia, but about empowering individual countries to exert their political rights and push back against United States government and Silicon Valley hegemony online.  

The appeal of “cyber sovereignty” matters because the Chinese and Russian governments are increasingly building coalitions in the United Nations (UN) and other forums to increase state control of the internet globally. Several pieces of evidence bear this out, whether my 2018 study with colleagues identifying “Digital Decider” swing states in the future of the internet or Russia’s successful UN proposal to establish a new cybercrime treaty. If the United States wants to preserve a relatively global, open, interoperable, secure, and resilient model of the internet—in concert with allies, partners, the private sector, and civil society—it must confront the effectiveness of “cyber sovereignty” messaging from those seeking to undermine the global internet. The fall election for the International Telecommunication Union (ITU) secretary-general—the leader, for the next four years, of the UN’s tech agency—may be a strong indicator of how the world falls on this question. 

Joshua Rovner

Cyberspace is neutral. States can use it to share ideas freely – or simply as a vehicle for their ideology. Because not everyone shares the same ideology, it is unsurprising that some have pushed back on the notion that the internet should be free and open. States, including Western states, are always conscious of outside influence. In this respect the debate about “cyber sovereignty” is no different from any other aspect of international politics.  

States are also aware that their rivals can use cyberspace for espionage and sabotage, so they have reason to monitor and restrict the flow of information as a kind of counterintelligence. All of this comes at a cost, of course, because they stand to lose a lot of business if they restrict too much. 

Melissa Griffith

This assumption is particularly important when coupled with a secondary assumption: that a “free, open, and interoperable” internet best serves American interests at home and abroad.  The notion that democratic states would inherently prefer, and non-democratic states would be inherently undermined by, a “free, open, and interoperable” internet removed any need to actively evaluate how to best pursue US security, economic, and foreign policy interests in a world increasingly tilting toward cyber sovereignty. This – notably in both democratic and non-democratic states alike – has not been the case. It is important to recognize, however, that the phrase “cyber sovereignty” encapsulates a wide range of activity including China’s Great Firewall and the EU’s vision of Digital Strategic Autonomy.

If smaller states increasingly see more benefit in the idea of cyber sovereignty and improved domestic security than in the open, multistakeholder view championed by the United States, then …

Kenton Thibaut

The United States and other open societies will need to come together to develop a broader consensus around what a “free and open” internet looks like. This will involve engaging international organizations, civil society actors, and platform operators to address the challenges brought about by an underregulated internet. Support for cyber sovereignty among smaller countries is not necessarily an endorsement of authoritarianism, but rather a strategy to address real issues with internet regulation in their respective political and economic contexts. Instead of thinking of this issue as a binary choice between a free, open internet and a closed authoritarian one, we need to start from a diagnosis of how smaller states believe “cyber sovereignty” can address their regulatory challenges. We can then provide actionable solutions that support the development of a more free and open internet, while steering other governments away from the more extreme forms of cyber sovereignty that countries like Russia and China espouse.

Bulelani Jili

Following this logic of cyber sovereignty, states big and small should discourage cyber hegemony; moreover, they should avoid interfering in the assumed internal affairs of other states. As a result, this vision privileges the actions and ambitions of state actors over private vendors and Civil Society Organizations (CSO). Such a vision is antithetical to the US government’s position on cyberspace and governance, which advocates for a more open, free, and multistakeholder approach that privileges private actors and CSOs. More to the point, this cyber sovereignty conception is precisely attractive because it offers legitimacy to state actors who wish to further curb and limit online activity under the name of political and social stability. The embrace of cyber sovereignty, particularly in the Global South, is not simply an outcome of Chinese promotion, but also, a corollary of the growing challenge of misinformation and disinformation that appears to be a consequence of underregulated cyberspace. Given this circumstance, a defense of US interests and values will chiefly rely on addressing disinformation, galvanizing all relevant stakeholders, and promoting the salience of privacy and online free speech.

Justin Sherman

We are going to see increased fragmentation of the internet around the world—fragmentation legally, as more governments introduce top-down internet laws within their borders that cut out industry and civil society voices; fragmentation in content and information, as countries introduce more restrictions on speech, including those enforced by companies in their borders; fragmentation architecturally, even, as some countries seek to further isolate themselves from the global internet (e.g., Russia’s “RuNet” push or Iran’s National Information Network); and so on. It is also likely that it will be harder for the United States and similarly minded countries to build international coalitions to support global and open internet proposals. 

Joshua Rovner

Internet governance will become a great deal more complex. That said, internet governance has never been a binary proposition, with states having a choice between sovereignty and the multistakeholder model. As in other forms of international organization, states balance the gains of institutional cooperation against the desire for autonomy and control. And as in other aspects of international life, there will be no permanent structure that satisfies anyone. Politics is an open-ended negotiation. 

Melissa Griffith

Is it only smaller states? The perceived benefits of cyber sovereignty and improved domestic security, in all its various incarnations, appear to be thriving in small, medium, and large states alike. For the United States, this broader shift requires a recalibration of our security and economic policies. The question is no longer how the United States can ensure the ideal of a “free, open, and interoperable internet”. But rather, how can the United States best capitalize on shared values, mitigate security concerns, and capture economic gains in areas where we are neither the main, global architect nor the first mover (e.g. privacy regulations such as GDPR). Concerningly, this is a challenge that we are only recently coming to terms with and that we are currently underequipped to meet.

Assumption #2

High confidence attribution often requires significant time and resources, which limits response options.

Why is this discussion important?

Louise Marie Hurel

The fact is that attribution should be handled with more care – especially when considering political attribution – and that indeed it is a process that takes time despite political pressures. It is not a finalistic process. Attribution is composed of multiple processes that incrementally provide more confidence. Countries and private sector entities will have varying baselines to determine when to attribute. These will be determined not only by time, but also by resources and capacities available. Even so, that does not mean that a government cannot implement crisis communication plans before achieving high confidence, for example.   

June Lee

If states are to deter cyber attacks by imposing costs (or credibly threatening to impose costs) on responsible parties, they must be able to identify the responsible actors with high confidence. If high confidence attribution requires significant time and resources, threat actors could exploit the uncertainty that comes with operating in cyberspace to get away with illicit or criminal activity. A failure to quickly respond or call out problematic cyber activity cedes the initiative and can create a norm of impunity in cyberspace. Any joint activity that states wish to take in response to cyber operations (whether collective public attribution or joint operations) will likely require high confidence attribution and sharing of underlying intelligence. While rapid improvements in private sector cyber threat intelligence capabilities have ameliorated some of the constraints imposed by the time- and resource-intensive nature of cyber attribution, governments must continue to develop channels of communication with private entities to take advantage of this trend. 

Joshua Rovner

Attribution is hard when the stakes are low, and easy when the stakes are high. Attributing minor cyberspace operations is hard because attackers can hide, because the signal is lost in the noise, and so on. But significant operations are more likely to leave a trail. And determining responsibility for such operations doesn’t just rely on cyberspace forensics; all sorts of other information might be useful in determining responsibility. 

Melissa Griffith

Attribution is not an end in and of itself, but rather an important, and sometimes critical, input into other goals – processes and outcomes – we care about. The ability to attribute can help incentivize and inform security, increase visibility, and impose costs. As such, the goals can vary, ranging from businesses that find themselves in the midst of incident response to law enforcement pursuing an indictment to national security strategies like deterrence.

Moreover, not all cyber operations take the same amount of time or resources to attribute. Operations vary, including the use of proxy actors, the degree of operational security, and the prevalence and diversity of operations undertaken by an actor over time. Attribution can be carried out by a diversity of actors (across the private sector and government) using a variety of indicators (technical, political, and clandestine). All of these factors influence the time and resources required for high confidence attribution.  Notably, as the resources and time needed to attribute a cyber operation increase, the number and diversity of states and private companies in a position to attribute shrinks. 

Importantly, attribution, timely or otherwise, is not always essential even if it is desirable. For example, the ability to impose costs on an adversary – a critical component of deterrence by punishment – requires being able to identify the responsible party. In contrast, the “who” behind an operation is not as critical to bolstering the overall resilience and security of a system. Similarly, while the speedy aspect of attribution may be desirable, it is also not always essential. For example, while rapid attribution was critical to the success of Mutually Assured Destruction (MAD), the same “limited window of opportunity to act before a response potentially becomes impossible” is not equally true when defending against cyber operations. 

If the threshold for actionable attribution is lower than that which requires a long and in-depth process, then …   

Louise Marie Hurel

One needs to examine why it is considered ‘lower’. Most of the time, the discussion around attribution being ‘lower’ than the ‘long and in-depth process’ is narrowly associated with countries that conduct political attribution and are called out for not presenting enough evidence to support it (Russia and China, for example). However, sometimes ‘actionable attribution’ from countries with fewer resources might be considered different (in their timeliness and evidence) or even ‘lower’ because of their challenges in capacities. We need more of that sensitivity to the attribution debate both in the academic and policy discourse – as it assumes the capacity, resources, and effectiveness of response at times.

June Lee

First, it’s important to note that there is no threshold of “actionable attribution” for cyber operations in international law – states are not required to provide evidence for any statement of public attribution, and primarily do so (if at all) as a matter of policy. 

At least within the United States, internal thresholds for “actionable attribution” vary depending on government agency and the type of “action” being considered. For instance, the threshold for a US official to speak anonymously to the press in a press leak or planted messaging (what David Pozen coined a “pleak”) might be lower than that needed for the Department of Justice (DOJ) to issue a criminal indictment, which is determined by domestic laws and standards of evidence. Bureaucratic processes and internal prioritization by agency leadership can also affect the speed of public attribution and/or subsequent responses. Lowering the threshold for “actionable attribution” may therefore not have a significant effect on how or when the United States and like-minded states respond to cyber incidents. However, if a lower threshold creates greater expectation for a response, and on a shorter timeline, the United States will need to clarify its thinking on proportional responses to different cyber operations. 

Joshua Rovner

The implications of this are complex. On the one hand, we might expect that states might publicly denounce their adversaries. Yet they might have reason to signal their displeasure quietly, or not at all, if they believe they gain an intelligence advantage by saying nothing. Counterintuitively, they might also downplay cyberspace intrusions in order to reinforce international norms, because alarmism might reduce everyone’s confidence in the system.   

Melissa Griffith

In many instances, this is already the case. While it is true that attribution presents a unique challenge in cyberspace, we have seen a sharp increase in public attribution by states and private companies. “Actionable” also takes on a very different meaning for a company engaged in incident response than it does for a state seeking to deter a subset of malicious hacking through the threat of punishment. Importantly, however, even if the threshold for actionable attribution was low across the board, it would still not be a costless process. For policymakers and industry alike, the question of “what purpose does attribution serve” and “what risks or consequences stem from public attribution” are just as important as “how feasible is high confidence attribution” and “by whom.” 

Assumption #3

Cyber capabilities are a useful tool for signaling de-escalation or intent to de-escalate during a militarized crisis.

Why is this discussion important?

June Lee

Scholars are often skeptical of the efficacy of cyber capabilities as a means of signaling. Cyber operations inherently involve ambiguity surrounding intent; the same capabilities can be used for espionage but also destructive effects. There is also uncertainty around states’ perception of cyber capabilities – an operation that some states view as de-escalatory may be perceived as hostile or threatening by others. And in the fog of war, ambiguity surrounding cyber operations may further limit their utility as de-escalatory signals. 

But that’s not to say that cyber capabilities will escalate an ongoing conflict. Cyber operations have temporary, sometimes covert effects and typically avoid casualties; plausible deniability provides a sort of shield for states from responding to and further escalating conflict. Moreover, states have not yet responded to a cyber operation with military force. Responses have consisted of economic or legal punishment (sanctions, indictment), public attribution, and limited cyber activity. Throughout the Russia-Ukraine conflict, European governments have not responded to several cyber incidents disrupting energy companies other than by publicly attributing intrusions to Moscow. Cyber incidents throughout the conflict have had primarily disruptive effects and do not appear to have meaningfully shaped the course of the war. Examining the record over the past few years suggests that states are hesitant to respond to cyber activity through kinetic, military means that could further escalate an ongoing conflict. A better understanding of the role cyber capabilities play in a militarized crisis will help policymakers to deploy them more effectively as part of their strategic toolkit.

Joshua Rovner

It depends on what we mean by “cyber capabilities.” If we are talking about aggressive intrusions that seem to be aligned with conventional military preparations, then cyberspace operations are probably not good for de-escalation. But in other cases, intrusions and minor acts of sabotage might serve as a useful release valve in a crisis. Covert cyberspace operations allow states to do something without simply backing down, giving some psychological comfort to leaders who worry about their reputations. And they also allow states to act in ways that show their displeasure, but without doing lasting harm. States have a long history of using covert action for this purpose.   

Melissa Griffith

This would be an incredibly risky assumption for policymakers to adopt in practice. In theory, cyber operations might hypothetically provide policymakers with de-escalatory offramps given that, unlike kinetic counterparts, they can lack physical violence; can, in some cases, be reversible; and present a greater degree of possible ambiguity. However, unlike the escalatory nature of cyber operations (which, despite a growing range of research, remains a matter of debate), their de-escalatory potential in the context of ongoing militarized conflict has been far less rigorously examined. The consequences of getting this wrong – both (a) having the opposite impact or (b) misinterpreting the intent of a cyber operation by an adversary as de-escalatory during a militarized crisis – could be severe.

If cyber capabilities are used by another state to signal de-escalation but they are seen in the United States as either a continuation, or even an escalation, of conflict then …  

June Lee

It’s unclear that such a circumstance would lead to a significant escalation in conflict. The United States would likely respond with sanctions and public attribution, while pursuing an indictment. Kinetic military action is unlikely, and any cyber response would be relatively constrained (e.g. disrupting adversary offensive cyber capabilities) and consistent with international law. The United States would be careful not to set a precedent for responding to cyber operations that could create destabilizing norms around cyber activity or give adversaries reason to escalate in response to future cyber incidents. Escalation could be possible if a cyber operation were to significantly disrupt critical infrastructure (e.g. targeting nuclear facilities) or vulnerable civilian facilities (e.g. hospitals), but states are unlikely to launch such operations with de-escalatory intent. 

Joshua Rovner

Will the United States view adversary action in a crisis as escalatory or de-escalatory? The answer is hard to predict in advance, because so much will depend on the circumstances of the case, the type of intrusion, the nature of the target, and evidence that its adversary is committed to conflict. 

Melissa Griffith

This issue rests at the heart of signaling challenges. Efforts to signal rely on managing the perception of an adversary and those efforts can easily fall victim to misperception or uncertainty. The best-case scenario represented here would be if the United States perceived a cyber operation as non-escalatory: just one facet amongst many that shaped its specific approach to crisis management in real time. If the United States saw a cyber operation as an escalation of conflict, then, depending on the state and militarized crisis in question in this scenario, the crisis could potentially spill over into war. In either instance, this failed attempt may also hamstring future offramp efforts.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.