This summer, we drew on insights from across the academic and policymaking communities for two editions of the 5×5 focused on the nature of cyber operations and their role in international relations. In June, we published an edition that featured a panel of scholars whose deliberate works have helped inspire and shape government cyber strategies in recent years. We followed that up with a second edition featuring perspectives from a range of current and former policymakers, whose day-to-day work has had to navigate government politics, processes, and other realities to confront present cyber challenges.
These two editions can be accessed here:
The contributions from members of these two communities are valuable in their own rights, but when taken together, provide a fuller picture of the intersection of the theory and practice of cyber conflict. Geopolitics, technologies, and the use of operations in and through the cyber domain are constantly evolving, creating new challenges for understanding cyber conflict. Continued collaboration between the scholarly and policy communities stands to deepen understanding for all involved.
To reflect on this conversation, we brought together four researchers whose career experiences span both the scholarly and policy worlds, to share their thoughts and advice for those interested in breaking into each community.
#1 What, in your opinion, is the biggest misconception about cyber conflict’s role in international relations theory?
Michael Fischerkeller, researcher, Information, Technology, and Systems Division, Institute for Defense Analyses:
“I consider two [misconceptions] as equally important. The first is that independent cyber operations offer de-escalatory offramps in a militarized crisis between nuclear states. There is no empirical evidence to support this view and it is at odds with what crisis bargaining theory suggests. The second is that states’ primary cyber behaviors are best understood as an intelligence contest, vice cyber strategic competition. The intelligence contest argument is too narrow to serve as a guide to policy, as it struggles to account for the wide range of strategic outcomes (gains and losses) that are a consequence of the speed, scope, and scale of cyber campaigns/operations, and needlessly ties the definition of strategic significance to coercion theory.”
Jackie Kerr, senior research fellow for defense and technology futures, Center for Strategic Research, National Defense University’s Institute for National Security Studies:
The views expressed in this interview are those of Dr. Kerr and do not reflect the official policy or position of the National Defense University, the Department of Defense, or the US government.
“For those new to the field, it might be easy to imagine cyber conflict as a very narrow subfield of security studies or the study of military strategy—focused on a specific and rather technical domain. But the biggest challenge in the field, as I see it, is actually the degree of interdisciplinary and cross-silo thinking that is needed. The digital technologies and networks that constitute cyberspace cut across many areas of society and policy, are broadly accessible, and allow for novel emerging innovations. Understanding the potential areas of conflict, competing interests, and roles of different stakeholders and governance mechanisms—not to mention how to address these in relation to various domestic and international institutions, actors, and levels of contestation—requires a broad range of expertise.”
Erica Lonergan, assistant professor, School of International and Public Affairs, Columbia University:
“An enduring and significant misconception is that cyberspace is a dangerous, escalatory domain and that conflict in cyberspace is likely to spill over into the kinetic realm. This is an assumption that exists at the highest levels of policymaking. Secretary Austin, for example, has described cyberspace as an escalatory environment, and US President Joe Biden has said that if the United States ends up in a conventional conflict, it will likely be because of a cyberattack. However, academic research has revealed little evidence of cyber escalation. The implications of such misconceptions are significant as they continue to shape US cyber strategy and policy.”
Joshua Rovner, associate professor, School of International Service, American University:
“That cyber conflict is akin to war. Cyber conflict is not anything like the bloody business of war, where states use violence to coerce their enemies and wreck their forces. It is about information superiority. States use cyberspace for espionage, deception, and propaganda. Their basic goal is the same: understanding the world better than their rivals.”
#2 What would you like to see scholars and students studying cyber conflict better understanding about policymaking?
Fischerkeller: “[I would like them to understand] that once a theory has set a foundation for strategy, policymakers benefit from what Alexander George and Richard Smoke call ‘contingent generalizations.’ These comprise policy insights that are informed by context—for example, the distinct geopolitical conditions of competition, militarized crisis, and armed conflict; the interactions between nuclear and non-nuclear states; and state versus non-state actors.”
Kerr: “I think it is important for students and scholars who are interested in policy to gain as much granular familiarity as possible with policymaking processes and institutions relevant to their work. This can provide insights into the silos, bureaucratic frictions, and institutional politics involved—some of the real dilemmas faced by policymakers—all of which can be quite helpful for delineating what kinds of policy recommendations might be most valuable and to whom.”
Lonergan: “Policymaking is often a messy, complicated, bureaucratic process. As scholars, we like to debate the intellectual merits and substance of various ideas and strategies, carefully examining documents that the government publishes. But the reality is that those documents reflect underlying bureaucratic politics and organizational processes—they are the result of bargaining, logrolling, standard operating procedures, parochial interests and biases, and so on. Therefore, it is important to take the behind-the-scenes processes into account when evaluating strategy and policy.”
Rovner: “They should start by studying something else. Instead of focusing on cyber, they should start by studying diplomacy, intelligence, and war. They should study the policy process with care, noting especially the ways in which weighty theoretical issues play out in mundane matters like budgets and authorities. Only then should they start thinking about cyber.”
#3 What is a scholarly piece of literature on cyber conflict that you recommend aspiring policymakers read closely and why?
Fischerkeller: “This would be a function of their policy portfolio. If they are interested in cyber organizational development and capacity building, I would recommend Max Smeet’s No Shortcuts: Why States Struggle to Develop a Military Cyber-Force. If they are interested in the nexus of cyber campaigns/operations and the nuclear weapons enterprise, I would recommend Herbert Lin’s Cyber Threats and Nuclear Weapons. If they are interested in national strategy, I would recommend Cyber Persistence Theory: Redefining National Security in Cyberspace. And so on.”
Kerr: “As a first recommendation for aspiring policymakers, I would actually recommend that they take a step further back and read something on the history of computing, cybernetic theory, the Internet and its governance, and the different ways these have been thought about in connection both to interdependent economic growth and democracy, and to conflict and strategic competition. Norbert Wiener’s Cybernetics would not be a bad starting point. Thomas Rid’s The Rise of the Machines and Laura DeNardis’ The Global War for Internet Governance would also be excellent. I recommend this because this is the larger perspective that will help people entering the policy arena see the connections between more narrowly circumscribed policy debates of this moment and the longer-term evolution and bigger issues at stake.”
Lonergan: “Aspiring policymakers should read Lennart Maschmeyer’s 2021 International Security article, ‘The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations.’ This piece provides an alternative perspective on cyber conflict that will likely challenge some of the conventional wisdom in policy circles, because Maschmeyer argues that cyber conflict is more like subversion than it is like conflict. The ‘subversive trilemma’ in cyberspace, in which there are tradeoffs between speed, intensity, and control of cyber operations, accounts for the gap between expectations and reality of cyber conflict.”
Rovner: “Robert Chesney and Max Smeets edited Deter, Disrupt, or Deceive: Assessing Cyber Conflict as an Intelligence Contest, in which contributors debate whether cyber conflict is best seen in terms of intelligence. This debate has important implications for policy. It speaks to several fundamental questions. Which agencies and organizations should be responsible for cyber operations? Who should oversee them? How should they measure success and failure?”
More from the Cyber Statecraft Initiative:
#4 How has understanding of cyber conflict evolved in the last five years within the cyber policy community and how do you see it evolving in the next five years?
Fischerkeller: “There has been a notable shift to the recognition that the primary strategic threat in and through cyberspace is from campaigns whose effects are short of armed-attack equivalence but whose cumulative gains are of strategic significance. Additionally, there has been a recognition that cybersecurity is national security. And, unfortunately, states cyber behaviors have demonstrated that extraordinary, explicit efforts to cultivate voluntary, non-binding cyber norms have met with limited success.”
Kerr: “The last five years have been a productive time for innovative thinking in the field. There have been serious efforts to understand complex issues, including the nature of strategic interactions, different adversary conceptions of the domain, cross-domain interaction and escalation dynamics, the relationships of cyber conflict with intelligence competition and with other cyber-enabled forms of conflict—and the list goes on. While these efforts have led to significant insights, the continuing evolution of global politics, technology, and cyberspace itself keeps pushing forward new challenges for both policy and theory. I think the intersections between thinking on cyber policy, artificial intelligence, and other emerging areas of technology competition and cooperation will be important areas to watch.”
Lonergan: “A significant inflection point in cyber policy took place five years ago. In 2018, the Defense Department published a new cyber strategy anchored in the concept of Defend Forward and US Cyber Command promulgated its first vision statement guided by the idea of ‘persistent engagement.’ Both define a broader and more assertive role for the US military in cyberspace. But we still lack real metrics that enable experts to evaluate the outcomes of these approaches. Looking ahead over the next five years, I hope the policy community focuses on assessing the implementation of these strategies, with an eye toward gauging how they integrate and are aligned with broader US strategic goals.”
Rovner: “The policy debate has become more interesting and expansive. New ideas about the logic of cyber conflict, and the nature of different cyber actors, have entered the chat. This has happened in part because scholars have deliberately sought to speak to policy, and their research has nudged the policy community to think harder about the uses and limits of cyberspace operations. It helps that many of these scholars have experience in government, the military, and the intelligence community. The quality of their research—and the clarity of their writing—has probably disabused policymakers of the idea that cyber issues are only comprehensible to technical specialists. The next five years will be interesting, mostly because we will have a huge amount of data on current conflicts to explore. Information from Russia-Ukraine war and the ongoing US-China competition will help put our theories to the test.”
#5 How can scholars and policymakers of cyber conflict better incorporate perspectives from each other’s work?
Fischerkeller: “The military uses the phrase ‘right seat ride’ to describe a process whereby an incoming commander stays at the hip of an outgoing commander to gather in-depth knowledge of the historical, present, and future challenges facing the command. A similar model is equally valuable for policymakers and scholars. Policy shops ought to leverage scholar-in-residence programs or, alternatively, the Intergovernmental Personnel Act that allows for the temporary assignment of skilled personnel between the federal government and state and local governments, colleges and universities, tribal governments, federally funded research and development centers, and other eligible organizations. These approaches are particularly relevant for cyber policy, as much of the background that informs cyber policy cannot be discovered by scholars via open-source research.”
Kerr: “There are so many areas where mutual learning is possible, and I have seen a lot of this going on that is productive. My first recommendation is to get involved in the communities that have developed to deliberately bridge this gap. People know each other, attend workshops together, read and comment on each other’s work, and really facilitate more innovative thinking for all involved. There also are opportunities for individuals to rotate between scholarly and policymaking roles—whether entering the policy arena temporarily from academia or taking a period off from government service to conduct research at a think tank or university. Going in either direction is a great way to learn.”
Lonergan: “This challenge is not unique to the field of cyber conflict. Bridging the gap between academics and policymakers is an important and enduring issue in the international relations field. What makes this even more complex in cyberspace is the multistakeholder nature of the cyber domain, which significantly expands the ecosystem of relevant parties, each of which has unique perspectives, interests, and expertise. Therefore, seeking out opportunities to engage with this diverse community—encompassing not just academics and beltway bureaucrats, but also the private sector, non-governmental organizations, big tech, civil society organizations, and so on—will enrich the understandings of all involved.”
Rovner: “[They can do so] by stepping away from their day jobs, at least for a while. Policymakers who spend a little time in academia get the chance to think about the bigger picture, and to think about how their work fits in. Mid-career master’s degrees are particularly useful here, as are programs with fewer time commitments, like MIT’s Seminar XXI. The opposite is also true. Scholars who routinely interact with policymakers are likely to get a more detailed sense of cyberspace competition. Spending time in government can be illuminating.”
#6 What is one piece of advice you have for scholars interested in making a more direct impact on cyber policymaking?
Fischerkeller: “Write concise, peer-reviewed essays that speak directly to a current or likely future cyber challenge with the intention of submitting those essays to well-established online fora for publication consideration.”
Kerr: “There are many things you can do here, some of which I have already mentioned. But one of the most important things that I will stress here is that human relationships are key. There is no substitute for getting to know people in the policy world and having regular enough interaction to understand what they are wrestling with and where scholarly research can help. Whether this happens through attending the same conferences, reading and engaging with the same policy-relevant publications, or fellowship stints in government service, academics who get to know and engage regularly with people in the policy community will benefit from learning how policymakers think about the issues, and iteratively contributing to the existing policy debates. For this, they also need to learn where and how to publish output that will be picked up and seen as relevant in the policy circles. This will not always be the same output as is relevant to within-discipline academic prestige or tenure track progression, but the two objectives can also be mutually beneficial.”
Lonergan: “First and foremost, scholars should familiarize themselves with what is going on in the policymaking realm—just as they would when tackling a new research project. It is important to take care to understand the significant policy work that has already been accomplished, prior efforts that have been less successful and why, and so on. I would also encourage scholars to actively engage in dialogues and venues that bring together scholars and practitioners, like roundtables or other events hosted at think tanks, or find ways of getting involved in track II or track 1.5 dialogues.”
Rovner: “When you are starting a new project, plan on three products: a peer-reviewed article in a scholarly journal, a policy paper summarizing your research, and an op-ed. Thinking about a project with these goals in mind helps broaden your audience, and it forces you to think about how to get your ideas across to policy professionals who are more or less familiar with cyber issues.”
#7 What is the biggest difference between writing for a scholarly audience vs. writing for a policymaking audience?
Fischerkeller: “Importantly, one difference should not be the quality and depth of research supporting one’s arguments. The format in which those claims are presented differs, however, as many, perhaps most policymakers prefer to read concise presentations rather than twenty-five-page articles with over one hundred footnotes. Additionally, policymakers are often interested in options rather than a definitive argument in support of a single viewpoint.”
Kerr: “A key element in either type of writing is to really know your audience and know where you can add value. Do not underestimate your audience in either direction. While scholars bring extensive theoretical, conceptual, and methodological rigor, policymakers often have significantly more first-hand experience and day-to-day knowledge of empirical data or precise processes relevant to the area of inquiry. For a scholarly audience, the goal is often to advance theoretical arguments within an academic discipline, often by publishing long articles or books through lengthy peer review processes. For a policy audience, some of the theory, concepts, and rigor from academia can absolutely be valuable, but they must relate to practical approaches to address fast-moving policy challenges. Writing for a policy audience also should be written in a style, format, and length that can be rapidly absorbed by busy professionals. This writing usually is much shorter and more concise than long-form academic writing, responding quickly to real-world events, and avoiding discipline-specific jargon. It also is important to write for outlets that are known and read within policy communities.”
Lonergan: “The biggest difference lies in the ‘so what’ question. For scholarly writing, researchers usually aim to formulate and answer research questions that speak to, build on, or challenge core theoretical and empirical issues in the discipline; the ‘so what’ is a function of how that research engages with a robust academic body of work. For policy writing, the ‘so what’ is entirely different—even if the main insights may stem from academic research. What matters in this area is how a research question or topic directly informs or speaks to questions of policy.”
Rovner: “[The biggest difference is] length. Good scholarship is a conversation with the past, as the saying goes. This means scholars need to spend time situating their work in a broader field, footnoting everything, criticizing one another’s work, and proposing new questions to encourage new arguments. Research articles and books are long and sometimes quite dense. Engaging scholarly work takes time. Because policymakers do not have the luxury of time, good policy pieces are shorter. They get to the point, eschewing the paraphernalia of academic writing in favor of the bottom line. Scholars who write for policy are ruthless about chopping up their research into digestible portions. Especially good scholars keep all the background in mind, just in case an interested policymaker wants to do a deeper dive.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.