“Frankly, the United States is under attack.”
This February 2018 warning to the Senate from Director of National Intelligence Dan Coats included a message that “there should be no doubt” that Russia, emboldened by its 2016 cyberattacks and informational warfare campaign, will target the U.S. midterm elections this year.
We agree. However, our research suggests that, although states like Russia will continue to engage in cyberattacks against the foundations of democracy (a serious threat indeed), states are less likely to engage in destructive “doomsday” attacks against each other in cyberspace. Using a series of war games and survey experiments, we found that cyber operations may in fact produce a moderating influence on international crises.
Would you like to play a game?
To understand how actors use cyber operations to achieve a position of relative advantage, we designed a series of analytical war games. This methodology lets us assess how multiple factors could combine in a competitive environment, and helps identify recurrent strategic preferences associated with cyber operations. We ran military officers and university students through these war games. Next, we turned the war games into survey experiments via Amazon Mechanical Turk (MTurk) — so randomized respondents answered questions about how to respond to an international crisis.
War games offer a time-tested means of assessing the changing character of crisis and competition. Following scripted scenarios, players are assigned to different “teams” and armed with resources to meet their objectives. They earn points based on their choices, with referees guiding the play and military/security analysts interpreting the results.
As players seek to win the game, they may choose previously unconsidered options or draw on or combine resources in unexpected ways. By observing these games, recording their results, repeating the plays and redesigning the scenarios, analysts can understand the nature of the complex and highly contingent problems the scenarios represent.
And political scientists use war games to create survey experiments to test hypotheses about strategic preferences. Our study of over 100 military officers and students, for instance, gave players a crisis scenario and a range of response options, all of which included the ability to escalate in cyberspace — as well as more traditional diplomatic, economic and military instruments. Players could also choose to de-escalate.
What would a great power cyber crisis in East Asia look like?
In our first round, “Island Intercept,” we sought to identify whether states escalated using cyber capabilities. Players took on the role of China or the United States in an escalating dispute in the South China Sea.
Over the course of multiple war games, we found our mix of military officers and university students often sought to de-escalate the crisis and rarely used offensive cyber operations. Players assigned to the Chinese side often combined cyber espionage and more traditional intelligence activities to identify the U.S. players’ intentions and capabilities. Players replicating strategic decision-making in Beijing seemed to prefer a “wait and see” approach involving increased intelligence and diplomatic lobbying, rather than escalatory offensive cyber operations.
The broader survey experiment replicated these findings. The 800 MTurk respondents revealed a bias toward not escalating into the cyber domain. Specifically, about 52 percent chose to de-escalate while 30 percent opted for minor escalation in the diplomatic or economic arena. Only 18 percent of respondents preferred escalatory offensive cyber operations. These findings support other studies demonstrating that states do not prefer escalatory responses to cyber intrusions.
How will states employ cyber capabilities against their domestic populations?
In a second round, we shifted to examine intrastate conflicts. In our “Netwar” game, players took on the role of either the government, a paramilitary organization, a multinational company or a transnational group of hackers and activists, all attempting to achieve their interests in a weak and corrupt state. This scenario sought to replicate the complex, often proxy, multiparty competition in cyberspace.
In these games, the results were more mixed. Players replicating the state tended to use offensive cyber operations as a means of targeting domestic opposition groups — while opposition groups used cyber to blackmail the state by leaking sensitive information.
In an MTurk survey experiment involving 800 respondents, we found that states still preferred not to jump into the cyber domain, opting about 43 percent of the time to limit escalation. Yet these results appeared to be a function of regime type. When we controlled for regime type in a second round of surveys involving 800 respondents, we found that democracies had a higher than expected count of de-escalatory measures (53 percent). But authoritarian regimes escalated to cyber measures 35 percent of the time, vs. 18 percent for democracies.
Where is the escalation?
Our findings suggest that cyber weapons may be far less destabilizing than many assume. First, we found that actors in crisis situations were restrained in their use of cyber weapons. Indeed, actors were more likely to use military, economic or diplomatic alternatives before escalating into the cyber domain.
How might this work in the real world? We might interpret the Russian shift to cyber operations to be one of desperation, rather than evidence of a calculated strategy. Our findings suggest that actors are uncomfortable in the cyber domain and only operate there when they lack relative influence in other areas — or seek to limit the risk of escalation, likely due to attribution issues associated with cyber operations.
Second, fears of large-scale cyber operations are likely overblown due to cyber’s unique “use it and lose it” character. Individual cyberattacks could potentially wreak considerable damage, but any such exploits could — once deployed — be quickly reverse-engineered and the vulnerability in target networks patched.
Here’s the catch: Once you convert network access and cyber espionage into an attack payload, you signal your capabilities and lose the ability to conduct similar attacks. There is a unique shadow of the future in cyber statecraft. States have to assess whether they want to jeopardize an exploit in the short term — and lose long-term coercive options against rivals.
Benjamin Jensen holds a dual appointment as a scholar-in-residence at American University, School of International Service and as an associate professor at the Marine Corps University. He is the co-author of “Cyber Strategy: The Evolving Character of Power and Coercion.” The opinions expressed are his own and not represent the U.S. government.
David Banks is a professorial lecturer at the American University, School of International Service.