In last month’s edition of the 5×5, we featured a group of leading scholars to share their views on cyber conflict in international relations. Contributors discussed the important interplay between the scholarly community and the policymaking sphere, as scholarly debate over cyber conflict’s place in international relations has driven seminal government strategies. For instance, key underpinnings of US Cyber Command’s 2018 decision to shift its strategy away from a deterrence-based approach and toward the concepts of Defend Forward and Persistent Engagement—which has improved effectiveness since—can be traced back to a series of scholarly articles embodied in a recent book by Michael Fischerkeller, Emily Goldman (featured below), and Richard Harknett (featured in last month’s 5×5).
This time around, we brought together a group of distinguished individuals with past and present cyber policy experience across a range of government organizations to share their perspective on the topic. They address cyber conflict’s fundamental place in international relations, some of their recommended readings for aspiring policymakers, disconnects between scholars and policymakers, and ideas for how both communities can more effectively engage one another.
#1 What, in your opinion, is the biggest misconception about cyber conflict’s role in international relations theory?
John Costello, principal, WestExec Advisors; former chief of staff and principal architect, Office of the National Cyber Director; former deputy executive director, Cyberspace Solarium Commission; former deputy assistant secretary of intelligence and security, Department of Commerce:
“There are many. The history of cyber as a public policy topic has been (forgivably) dominated by the application of frameworks or theory ultimately ill-suited to the domain. The use of nuclear or conventional deterrence theory and related escalation dynamics are chief among them. It is understandable that familiar concepts would be used and take so long to shake. Cyber is at its heart espionage and sabotage. Perceptions of strength and advantage are hard to define and quantify. Though it can have physical effects, as any covert action can, cyber fundamentally relies on secrecy and an unacknowledged but accepted gray space wherein states tolerate—within limits—each other’s intelligence operations. Deterrence as a strategy, escalation dynamics, prescriptive international norms, and usefulness of cyber capabilities for tactical effect and compellence are all concepts that have been borrowed from prevailing scholarship and adapted into cyber. It is a misread of the core dynamics governing cyber operations, which look and act far more like intelligence operations than anything else.”
Emily Goldman, strategist, US Cyber Command; former cyber advisor to the director of policy planning, US Department of State:
The views expressed by Dr. Goldman do not reflect the official policy or position of the Department of Defense or the US government.
“It is analytically and practically useful to talk of ‘operations and campaigns in and through cyberspace’ rather than ‘cyber conflict.’ The latter term conflates ‘means’ with geopolitical ‘condition’ (e.g., competition, militarized crisis, armed conflict). All conflict today has some cyber element. With this reframing, the biggest misconception in international relations theory is treating operations and campaigns in and through cyberspace as substitutes for conventional and nuclear forces, and therefore misapplying concepts and tools of deterrence, coercion, signaling, escalation management, and offense-defense advantage.”
Nina Kollars, associate professor, Cyber and Innovation Policy Institute, US Naval War College:
“The biggest misconception is about the role of state and military leadership as the primary drivers of effects. Because international relations theory tends to leverage states and militaries as the lead agents in its theories, it struggles to provide a useful understanding of the primary agents in cyberspace, wherein states and militaries are working on the edges.”
Heli Tiirmaa-Klaar, director, Digital Society Institute, ESMT Berlin; former ambassador at large for cyber diplomacy and director general of the cyber diplomacy department, Estonian Ministry of Foreign Affairs:
“Quite often, cyber technology is compared to nuclear technology. But information and communications technology and cyber tools are mostly dual-use technologies, civilian technologies and applications that can be weaponized. This is making analysis and conceptualization of cyber threats more complex, requiring a thorough understanding of the actual cyber tools used when analyzing the impact of the cyber operation.”
Gavin Wilde, senior fellow, Technology and International Affairs Program, Carnegie Endowment for International Peace; former director for Russia, Baltic, and Caucasus affairs, National Security Council:
“[The biggest misconception is] the notion that cyber conflict might be mapped nicely onto predominant international relations theories—particularly in the same way nuclear weapons were in previous eras. Thus far, offensive cyber operations lack the speed, precision, scope, and impact of kinetic weapons, while states hardly maintain a monopoly over cyber capabilities or the means of mitigating their effects. This makes realism and liberalism faulty lenses through which to analyze cyber conflict. Conversely, as cyber capabilities introduce more chaos into geopolitics, constructivism may yet have its moment: ‘anarchy is what we make of it.’”
#2 What would you like to see scholars and students studying cyber conflict better understanding about policymaking?
Costello: “Budget, not policy, is the most authentic indicator of a state’s priorities. The significant divide between a state’s apparent policy priorities and its budgetary outlay is a terminal condition for achieving the objectives and aspirations it has set. In the United States, though the constitution and judiciary have assigned the president a preeminent prerogative for national security, his latitude and reach are always constrained by conflicting and disparate congressional interests in the budget process. Legislative inaction has often compelled the president to adapt executive power in its place—initiatives that are essentially unfunded mandates until blessed by congressional appropriators. This has become a significant problem in cyber and technology policy. Often the most effective tools at the United States’ disposal to mitigate risk and create advantages in strategic competition lie with departments or agencies that do not sport the budgetary flexibility and heft of our traditional national security agencies. Policy is shaped by politics, no doubt, but these institutional issues and competing interests can be just as significant in shaping the practical contours of policy and strategy for cyber and technology. Policymakers and scholars would do well to understand them.”
Goldman: “The range of cyber topics occupying policymakers. Many scholars focus on the independent coercive impact of destructive cyber options. Policymakers are interested in how campaigning in and through cyberspace generates insights, opportunities, and effects—both technical and cognitive—that cumulatively produce strategic impact over time. Policymakers are also interested in how cyber plays out across the geopolitical conditions of competition, militarized crisis, and armed conflict, and particularly the transitions between them.”
Kollars: “Policymaking at the corporate level is almost never discussed in generalized theories of international relations. But corporate policies, such as ‘How many characters in a tweet?’ ‘Who has a check mark?’ and ‘Can my account be anonymous?’—have fundamental effects on how the Internet is used.”
Tiirmaa-Klaar: “I would recommend that students always to look at cyber elements in any given conflict as part of a larger political-strategic picture. It is unusual for conflict to remain in the cyber domain and for cyber tools to be used without other tools. We have seen in both hybrid and kinetic conflicts how cyber tools were used to facilitate political goals of warring parties. For example, Russia used cyber operations to create confusion among the population during its 2007 Estonian hybrid operation and as a means of facilitating its battlefield operational goals in Ukraine beginning in 2022.”
Wilde: “[I would like scholars and students to better understand] that the dominant force working against policymaking on cyber issues is often bureaucratic inertia. The status quo, however tenuous, is often more preferable to key stakeholders than an uncertain shift in funding, authorities, or public visibility. Insofar as policies on cyber issues must address the competing structural incentives of the private sector and civil society, savvy decision makers will also recognize the need to examine those same dynamics within the government itself to be successful.”
#3 What is a scholarly piece of literature on cyber conflict that you recommend aspiring policymakers read closely and why?
Costello: “The work from Richard Harnett and Joshua Rovner, US Cyber Command’s scholars-in-residence over the past few years, is worth reading in-depth. Rovner’s work on viewing cyber as an intelligence contest influenced the Cyberspace Solarium Commission’s approach; we looked to strategies and measures adopted by counterintelligence for lessons that could be applied to cyber. This understanding prompted, in part, the shift in principal focus to defense and resilience. Though not stated outright but heavily implied, the Solarium’s heavy focus on cyber defense as the missing element of deterrence was an intentional counter to the prevailing approaches that prioritized cost imposition and offense. Though important, these tools are less impactful in an intelligence contest than credible resilience.”
Goldman: “Operators on the edge, diplomats, and military leaders internationally tell me that Cyber Persistence Theory is illuminating and persuasive. It resonates with their experience in ways other academic treatises have not. Max Smeets’ volume No Shortcuts focuses on building military cyber capacity, with implications for which actors are likely to wield sophisticated cyber capabilities whether in competition, crisis or conflict. His analysis is important for tempering policymakers’ fears and expectations about exquisite military-grade cyberspace operations.”
Kollars: “Semi-State Actors in Cyber Security by Florian Egloff really broke ground here.”
Tiirmaa-Klaar: “The real textbook for cyber conflict policymakers has not been written yet and should be written soon. I recommend books, such as Thomas Rid’s Active Measures, that give broader strategic and intelligence assessments of some key players.
Wilde: “I would highly recommend a great 2012 piece by Dr. Myriam Dunn Cavelty at ETH Zurich, entitled ‘The Militarisation of Cyberspace: Why Less May Be Better.’ In light of the Biden administration’s recently released National Cyber Strategy, her piece was rather prescient for the time about the need for ‘governments and military actors [to] acknowledge that their role in cyber security can only be a limited one, even if they consider cyberattacks to be a major national security threat. Cybersecurity is and will remain a shared responsibility between public and private actors.’”
More from the Cyber Statecraft Initiative:
#4 How has understanding of cyber conflict evolved in the last five years within the cyber policy community and how do you see it evolving in the next five years?
Costello: “The past five years have seen a slow-growing fundamental rethink of many of the assumptions in the US approach to governing cyberspace, cybersecurity, and cyber conflict. Chief among these is the Department of Defense’s shift towards Defend Forward, underpinned by the Persistent Engagement theory of cyber competition. Accompanying the shift is growing skepticism of cyber operations as a decisive strategic deterrent or its usefulness alongside or in place of conventional tactical operations in conflict. The type of widespread, disruptive cyberattacks against critical infrastructure often predicted in military theory was conspicuously absent in Russia’s invasion of Ukraine in 2022. It is unclear whether Ukrainian and US cybersecurity efforts limited Russian options or tactical and strategic considerations caused Russia to withhold using these capabilities. For all cyber’s advantages, it is less attractive when missiles are on the table. Time will tell, of course, but it is another data point to consider when trying to understand the practical usefulness of cyber capabilities in conflict. The Defend Forward construct has reshaped the Defense Department’s own conception of its role in fundamental ways, most prominently in extending and expanding its supportive role to international partners, the private sector, and other agencies. It is a de facto acknowledgement that the Defense Department is not always the best tool in the gray zone-defined cyber conflict, but one with significant resources and capabilities. More broadly, the optimism of truly borderless, global internet has been completely dashed. The past five years have seen an increasingly unwieldy fracturing of global cyberspace into different internet ecosystems and markets—each with their own priorities, laws, and norms. Disentanglement with China, European regulation, and overt preference for domestic firms have each contributed to this dynamic. This disentanglement and fracturing will likely contribute to new instability—or the likelihood that cyber conflict spills over into the physical world in ways that are disruptive. I do not see this trend reversing.”
Goldman: “The biggest shift in the last five years is away from deterrence as the dominant strategic approach and from expectations that cyberspace operations in competition will escalate to militarized crisis and armed conflict. The next five years will be shaped by insights from the Russia-Ukraine conflict (hopefully not overly so) and by the integration of cyberspace campaigns with information operations—in turn shaped by adoption of disruptive technologies like AI.”
Kollars: “The Russia-Ukraine war will provide fertile ground for scholars and policy makers alike. The sheer volume of the cyber dynamics, associated sensors, and corporate involvement will reshape what we think effective policy is when it comes to cyber conflict and information use.”
Tiirmaa-Klaar: “First of all, many more people are in the cyber policy community today than there were five years ago. We also have understood the complexities of cyber conflict and learned from actual scenarios. The war in Ukraine has provided a good lesson in understanding how adversaries are planning to use cyber elements during conventional conflict. The other lesson is to develop cyber capabilities among NATO and other democratic states to create more robust cyber defense among likeminded states. In the next five years, I see serious deficiencies when it comes to cyber preparedness for most states to face serious cyber threats. In future conflicts, many states might experience cyber hostilities but will not be able to respond in a timely manner due to lack of capabilities and coordination. International cyber capacity assistance is still very limited and there are too few programs to advance cyber resilience of countries beyond technologically advanced states. Among Western states, I predict steady growth of cyber capabilities and expertise that helps them become more resilient and prepared for future conflicts.”
Wilde: “The conversation has slowly expanded beyond state-centric, highly sophisticated threat actors and broken conceptual frameworks centered on prevention and deterrence. The democratization of sophisticated cyber capabilities and the acknowledgement that disruptions—intentional or otherwise—are likely unavoidable has made resilience the organizing principle for policy. In this regard, the next five years will hopefully see market and regulatory pressures on industry to take a more ‘secure-by-design’ approach, more funding for non-military cyber capacity at the state and local levels, and more privacy protections for consumers.”
#5 How can scholars and policymakers of cyber conflict better incorporate perspectives from each other’s work?
Costello: “The scholars and public policy hands who are most effective in communicating their message often tailor it in form and substance to meet the needs of their audience—policymakers and their staff. Succinct, incisive, engaging, and accessible are watchwords. Secondly, they answer the ‘what’s next’ element of policymaking in ways that are useful—namely, accounting for and tailoring their policy recommendations to political needs, institutional or budgetary limitations, identifying supporting or opposing constituencies, and giving weight and consideration to feasibility and practical means of achieving progress. In other words, they develop ‘battle ready’ recommendations. It is easier for lawmakers and staff to translate them into action if they answer pressing policy problems, while having already thought through basic questions and vexing particulars.”
Goldman: “Working side-by-side is an incredibly powerful way to bridge the scholar-policy gap, accelerate mutual learning, and generate convergent insights that drive innovation in policy and scholarship. US Cyber Command’s Scholar in Residence program and its Academic Engagement Network are paying huge dividends and are models for other organizations to adopt.”
Kollars: “I think we are seeing a gradual maturation of the cyber conflict literature in academia as moving from the hyper-theoretical toward the practical and heavily empirical. In this sense, scholars are moving ever closer to investigating cyber conflict by examining variables over which policymakers can have effects. To accelerate that pace, academics can start thinking about what are causal variables that are useful to policymakers. Policymakers can help by signaling their span of control, and what is outside of their control given cyberspace. A theory of multipolarity and cyber conflict is important, but harder for policymakers to find levers to pull.”
Tiirmaa-Klaar: “One field that needs specific scholarly and policy attention is determining how to enforce a framework for responsible state behavior. We have a UN framework, but its implementation has been suboptimal and, therefore, many states doubt the viability for international law to apply in cyberspace and for norms to be helpful. I think this is a dangerous path, because we need to strengthen the normative elements in cyberspace and make sure more states adhere to the norms. Otherwise, we will face a future that is characterized by growing threats and cyber anarchy—this is what we must avoid. If scholars can come up with good recommendations on how to improve this situation, policymakers would gladly welcome these novel ideas.”
Wilde: “[Scholars and policymakers can better incorporate perspectives from each other’s work] by acknowledging each other’s limitations. As an academic field, cyber conflict remains in relative infancy, highly theoretical with many unknown (and unknowable) aspects. Meanwhile, much of what is known about the practice of cyber conflict by militaries and intelligence services will likely remain classified. Scholars should therefore not profess cyber conflict to be a settled science, nor should policymakers presume to be operating on one.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.