Global cyber conflicts will be hard to control
Strategic stability in cyberspace will be difficult to maintain. Because technological innovation there is faster than in the nuclear realm.
Whether or not a conflict spirals out of control depends on the ability to understand and communicate about the scale of hostility. Unfortunately, when it comes to cyber conflict, there is no agreement on scale or how it relates to traditional military measures. What some regard as an agreed game or battle may not look the same to the other side.
A decade ago, the United States used cyber sabotage instead of bombs to destroy Iranian nuclear enrichment facilities. Iran responded with cyber attacks that disrupted American banks. This summer, following the imposition of crippling sanctions by US President Donald Trump's administration, Iran shot down an unmanned American surveillance drone. There were no casualties. Trump initially planned a missile strike in response, but canceled it at the last moment in favor of a cyber attack that destroyed a key database used by the Iranian military to target oil tankers.
Again, there were costs but not casualties. Iran then carried out, directly or indirectly, a sophisticated drone and cruise missile strike against two major Saudi oil facilities. While it appears there were no or only light casualties, the attack represented a significant increase in costs and risks.
The problem of perceptions and controlling escalation is not new. In August 1914, the major European powers expected a short and sharp "Third Balkan War." The troops were expected to be home by Christmas. After the assassination of the Austrian archduke in June, Austria-Hungary wanted to give Serbia a bloody nose, and Germany gave its Austrian ally a blank check rather than see it humiliated. But when the Kaiser returned from vacation at the end of July and discovered how Austria had filled in the check, his efforts to de-escalate were too late. Nonetheless, he expected to prevail and almost did.
Cyber technology, of course, lacks the clear devastating effects of nuclear weapons, and that poses a different set of problems, because there is no crystal ball. During the Cold War, the great powers avoided direct engagement, but that is not true of cyber conflict.
And yet the threat of cyber Pearl Harbors has been exaggerated. Most cyber conflicts occur below the threshold established by the rules of armed conflict. They are economic and political, rather than lethal. It is not credible to threaten a nuclear response to cyber theft of intellectual property by China or cyber meddling in elections by Russia.
After all, we cannot assume that we have enough experience to understand what is an agreed competition in cyberspace or that we can be certain of how actions taken in other countries' networks will be interpreted. For example, Russian cyber meddling in US elections was not an agreed competition. With a domain as new as cyber, open rather than mere tacit communication can enlarge our limited understanding of the boundaries.
Negotiating cyber arms-control treaties is problematic, but this does not make diplomacy impossible. In the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or the same program can be used for legitimate or malicious purposes, depending on the user's intent. But if that makes traditional arms-control treaties impossible to verify, it may still be possible to set limits on certain types of civilian targets (rather than weapons) and negotiate rough rules of the road that limit conflict.
In any event, strategic stability in cyberspace will be difficult to maintain. Because technological innovation there is faster than in the nuclear realm, cyberwarfare is characterized by a heightened reciprocal fear of surprise.
Over time, however, better attribution forensics may enhance the role of punishment; and better defenses through encryption or machine learning may increase the role of prevention and denial.
At this point, however, the key to deterrence, conflict management, and de-escalation in the cyber realm is to acknowledge that we all still have a lot to learn and expand the process of communication among adversaries.
- Project Syndicate