The Washington Post: Democracy Dies in Darkness

The 10 things you need to know about cyberconflict

Last spring, China apparently hacked into U.S. systems. Should you be afraid? (Jonathan Ernst/Reuters)

The cyber domain may offer a new direction in how nations threaten and act against one another. This threat’s immediacy became clear when China hacked the U.S. Office of Personnel Management’s systems last June, leaking more than 4 million sensitive records.

The U.S. government’s only viable response was economic sanctions against companies and individuals. It refrained from escalating the conflict so close to President Xi Jinping’s official state visit. In other words, although some hope that cyberconflict will revolutionize military and diplomatic interactions, governments are confronting this new threat through traditional methods.

[The hack on the U.S. government was not a ‘cyber Pearl Harbor’ (but it was a very big deal)]

But what evidence is there about the reality of the cyber-threat? The first step to understanding cyberconflict is to define the domain. Here are 10 things to know about the cybersecurity debate, as taken from our recently released book from Oxford University Press, Cyber War versus Cyber Realities.

1. Terminology is important

Many cyber-scholars have been sloppy in their usage of terms, leading to this rather voluminous definitions document by New America. Since almost anything is now termed a cyberattack, the term itself is meaningless. Predicting the amount, level and context of cyberconflict is dependent on how the term is defined, framed and engaged. For us, the prefix “cyber” simply means computer or digital interactions. “Cyberspace” is the networked system of microprocessors, mainframes and basic computers that interact at the digital level but have foundations at the physical level. What happens on the physical layer of cyberspace is where political questions operate.

We define “cyberconflict” as the use of computational means, via microprocessors and other associated technologies, in cyberspace for malevolent and/or destructive purposes in order to affect, change or modify diplomatic and military interactions between entities.

2. We need data and theories about cyberconflict

We need to develop theories of cyberaction in the cybersecurity field. Without theory, key aspects of cyber-dynamics can be left unexplained, unexplored or ignored in favor of broad projections.

Our counterintuitive theory suggests that rivals will tolerate cybercombat operations if they do not cross a line that leads directly to the loss of life. Put simply, cyber-actors show a remarkable degree of restraint. To support this theory, we need data.

The goal of creating an exhaustive database of all cyber-incidents and disputes between countries is daunting yet achievable. Our data feature interactions between rival antagonists from 2001 to 2011 and include dates, strategies, goals, severity and methods. Future updates will extend the data to all countries and expand the years covered.

3. Cybertactics are not used often

In the table below, we list who uses cybertactics against whom, the number of cyber-incidents and cyber-disputes a state has been involved in, the highest severity type of a dispute, the highest method used by the state, the highest target type the state has used and the highest objective of the initiating state.

Only 16 percent of all rivals have engaged in cyberconflict. In total, we recorded 111 cyber-incidents and 45 disputes over the period of relations among the 20 rivals. The most frequent users appear to be China as an attacker and the U.S. as the attacked. Other frequent offenders include states such as India, Japan, North Korea and Russia, all with ongoing international conflicts, suggesting the context of disputes matters a great deal.

4. Cyber-actions to date have not been very severe

The severity levels of the incidents and disputes we observe are, on average, at a very low level. The average severity level for cyber-incidents is 1.65 and for disputes is 1.71. This means that most cyberconflicts – 73 percent – between rival states have been mere nuisances or disruptions. This is surprising, considering how widely the media and military are aware of these possible conflicts. It is also perplexing considering these states are active rivals who seemingly are willing to utilize any tactic to harm their enemy.

Given all this, we may actually be in an era of cyberpeace.

5. Most cyber-incidents are regional

Regional contexts clearly play a role in cyberconflict, a confounding idea given that these technologies defy the physical bounds of time and place.

Below we map cyber-incidents in East Asia. Blast radii mark the location and level of the attack, while the arrows show their source. The vast majority of cyber-incidents occur in regional rivalries. China’s cyberconflicts continue their push for regional dominance with the United States as the only outside regional actor. Most other regions display similar tendencies.

6. Cyber-operations haven’t gotten much reaction

Do cyber-actions have much impact? That question has generally been ignored in the field. We tackle it in Chapter 5 of our book and in this article. Using a random effects model with event data that measure the level of conflict and cooperation between states at the weekly level, we find little impact of cyber-operations.

[What’s new in the U.S. cyberstrategy]

Overall, cyber-incidents, their methods and the nature of their targets do not have statistically significant effects on foreign policy interactions if examined according to interaction types. Further, different cyber-methods do not have statistically significant effects on foreign policy interactions, except for distributed denial of service (DDoS) methods, which have negative effects on conflict cooperation dynamics between states.

This is surprising due to the low level of severity as well as the usual short durations of DDoS attacks. Looking at the intention of the attack, the effects are insignificant except for when the initiator’s intent is to change the behavior of the target state. Attempting to force a state to do something it otherwise would not do in a coercive manner will usually evoke a negative response.

7. Many cyber-incidents would be classified as espionage

An espionage attack is one in which the initiator’s objective is to steal sensitive information from the target government or private sector essential to national security. Twenty-seven of the 111 cyber-incidents recorded here (24 percent) are cyberespionage incidents. Thirteen of the 45 cyber-disputes (29 percent) in our data are cyberespionage campaigns. China is the most active cyberespionage state in our list of rival states engaged in cyberconflict, yet states are unable to find a way to respond since it is unclear if espionage itself is a violation of the norms of interaction.

8. Cyberterrorism is an inflated threat

In Chapter 7, we demonstrate there is very little evidence that cyberterrorism is utilized by state-supported or -sponsored groups. In total, we find six incidents, all very low in severity and impact. Within cyberterrorism, we find that each side makes moves to try to influence the other side, force one to back down and provoke fear in the civilian population. Yet we find that every single cyberterrorist event has been trivial and insignificant, evidence for why the tactic might not be utilized often.

9. Cyber-hygiene is important

Unfortunately in the cyber realm, the target often invites violations by allowing vulnerabilities in their systems. The June attack on the White House and State Department supports this conclusion. A state can only steal what others have allowed to be stolen in the cyberworld. The target is therefore partly responsible for cyberconflict.

States need to be concerned with cyber-hygiene and proper online usage. There needs to be cooperation between states at the international level, but also cooperation between government and private industry at the sub-state level.

10. A taboo is developing against cybertactics

Taboos have developed against the use of certain weapons. Deploying nuclear weapons and chemical weapons is said to be unthinkable.

[Why it’s so hard to create norms in cyberspace]

We argue that cyberweapons are moving in this direction. The goal would then be to institutionalize the perspective that cyberweapons are prohibited as taboo. As with any taboo, a system of cyber-justice where the use of the tactic is limited and restrained must be founded upon the notion that the tactic would bring on a stigma not to be risked.

In short, we need cyberrules of action. This needs to be a global debate, not just one hosted by the United States and China.

The cyber-future

Many questions remain. Much more work needs to be done in the field of cybersecurity. The goal should be to move beyond conjecture and prognostication in favor of considered examinations of cybersecurity processes.

Our research program in some ways clashes deeply with futurist proposals of those who would like to suggest war and conflict will be different with the rise of new weapons. We have seen little variation in the methods of warfare and diplomacy used through the history of human civilization. These processes have remained remarkably stable. We do not see that the use of cyber-technologies as a tactic will reshape the future.

Of course, cyberconflict will happen, and with greater frequency. But what we see is that the actions’ severity will be minimal, and that clear norms are developing that will institutionalize the idea that there are only limited acceptable options for states in cyberspace if they wish to go on the offense.

Brandon Valeriano is senior lecturer in global security in the School of Social and Political Sciences at the University of Glasgow, Scotland. Ryan C. Maness is visiting fellow in security and resilience studies in Northeastern University’s department of political science. Their book Cyber War versus Cyber Realities: Cyber Conflict in the International System was published in the spring by Oxford University Press.