
The Fallacy of Cyber-Escalation

What the Ukraine War Teaches Us About State-Sponsored Hacking

Senator Angus King, an independent from Maine, questioned General Paul Nakasone, the head of US Cyber Command and director of the National Security Agency, during a Senate Intelligence Committee hearing in March about the absence of significant cyber-operations in Russia's war in Ukraine. After all, Russia has a long record of cyberattacks on Western countries, Ukraine included. "I expected to see the grid go down, communications too, and that hasn't happened," King said, echoing the surprise of many Western observers. Although President Joe Biden and members of his cabinet have warned of possible Russian cyberattacks on the US, there were surprisingly few indications of such activity in the first six weeks of the war.

That isn't to say there has been no activity online. Both sides have mobilized proxy cyber-groups and hackers, ranging from Ukraine's 400,000-strong "IT Army" to Russia's Conti ransomware organization, and Sandworm, a group linked to Russian military intelligence, has a long history of cyberattacks against Ukraine.

Since the war began, however, such activity has largely consisted of low-cost, disruptive incidents rather than large-scale attacks on critical civilian and military infrastructure. Two exceptions only underscore how limited the role of cyber-operations has been. There is evidence that Russian-linked actors launched a cyberattack against Viasat, a US-based company that provides satellite Internet to the Ukrainian military and to customers across Europe, at the outset of the conflict. Yet the effect was short-lived and had no discernible impact on the Ukrainian military's ability to communicate. Ukrainian officials also recently reported that Sandworm attempted, and failed, to carry out a cyberattack on Ukraine's power grid in early April. Although the hackers appear to have gained access to a company that supplies electricity to two million Ukrainians, effective defenses stopped them before they could cause any damage or disruption.

In fact, it should come as no surprise that cyberattacks have played such a minor role in the war in Ukraine. Through war games, statistical analyses, and other studies, scholars have found no evidence that cyber-operations are an effective means of coercion or that they trigger escalation to actual armed combat. Cyberpower can disrupt industries, hospitals, and utility grids in peacetime, but it is far harder to use against strategic targets or to achieve decisive outcomes, whether on the battlefield or in crises short of war. By failing to grasp this, US officials and policymakers treat cyber-operations as just another weapon of war rather than as a nonlethal tool of statecraft, and in doing so risk causing more harm than good.

The Cyber-Escalation Myth

Much of Washington's current understanding of the role of cyber-operations in conflict rests on long-held but mistaken assumptions about cyberspace. Many scholars believe that cyber-operations could quickly lead to military escalation, possibly even to the use of nuclear weapons. Jason Healey and Robert Jervis, for example, have written that an incident in cyberspace "could transcend the threshold into armed conflict either through a perception of impunity or by miscalculation or misunderstanding," echoing a widely held view. Policymakers have long believed that cyberspace is fraught with danger. Secretary of Defense Leon Panetta warned in 2012 of an impending "cyber-Pearl Harbor," in which adversaries might use cyberattacks to bring down critical US infrastructure. Nearly a decade later, FBI Director Christopher Wray compared the threat of ransomware, which encrypts data and demands a ransom payment in exchange for its decryption, to the 9/11 attacks. Secretary of Defense Lloyd Austin said in December 2021 that "norms of behavior aren't well-established in cyberspace, and the chances of escalation and miscalculation are significant."

A long history of hostile state cyber-operations appears to support these claims. In recent years, governments from Russia and China to Iran and North Korea have used cyberspace to conduct large-scale espionage, inflict major economic damage, and undermine democratic institutions. Attackers linked to the Chinese government, for example, compromised on-premises Microsoft Exchange email servers in January 2021, gaining access to communications and other private data belonging to companies and governments and potentially opening the door for other malicious actors to conduct ransomware attacks. That incident came on the heels of a Russian cyber-espionage operation that compromised the software firm SolarWinds, giving the hackers access to vast quantities of sensitive government and corporate data, an espionage gold mine. Cyberattacks have also caused major financial losses: the NotPetya attack wreaked havoc on critical infrastructure around the world, from transportation and energy to finance and government, at a cost of upwards of $10 billion.

It is wrong, however, to assume that cyber-operations play a significant role in either starting or expanding conflicts. Hundreds of cyber-incidents have occurred between adversaries with long histories of hostility or conflict, and none has ever escalated to war. North Korea, for example, has launched major cyberattacks against South Korea on at least four occasions, including the "Ten Days of Rain" denial-of-service attack in 2011 against South Korean government websites, financial institutions, and critical infrastructure, and the "Dark Seoul" attack in 2013, which disrupted service at banks and broadcasters across the country.

It would be logical to assume that such operations would heighten tensions on the Korean Peninsula, especially since North Korea's war plans against South Korea are reported to include cyber-operations. That, however, has not been the case. Instead, South Korea's response in each instance was minimal, consisting either of clear, official attribution of the attacks to North Korea by government officials or of more muted public suggestions that Pyongyang was likely responsible.

Similarly, although the US reserves the right to respond to cyberattacks by any means it sees fit, including military force, it has so far relied on economic sanctions, indictments, diplomatic measures, and a few reported instances of tit-for-tat cyber-responses. After Russia's interference in the 2016 US presidential election, the Obama administration expelled 35 Russian diplomats and closed two facilities believed to be used for Russian espionage, and the Treasury Department imposed economic sanctions on Russian officials. According to media reports, however, the administration ultimately decided against retaliatory cyber-operations against Russia. And although the US did use cyber-operations of its own to counter Russian activity during the 2018 midterm elections, those were limited to temporarily taking the Internet Research Agency, a Russian troll farm, offline.

This pattern of restraint is the norm. Despite decades of hostile behavior in cyberspace, and regardless of the damage done, cyberattacks have consistently been kept below the threshold of military conflict. Indeed, researchers have found that the major rival powers have routinely observed a "firebreak" between cyberattacks and conventional military operations: a mutually understood line, comparable to the nuclear-use threshold, that separates strategic interaction above it from interaction below it.

But it is not simply that cyber-operations do not lead to war. They can also be an effective means of projecting power in situations where armed conflict is deliberately avoided. This is why cyberattacks on the US, such as the denial-of-service attacks Iran carried out against US financial institutions in 2012-13, are attractive to Iran. Because Iran would likely prefer to avoid a direct military confrontation with the US, cyberattacks give it a way to respond to perceived grievances, such as US economic sanctions over Iran's nuclear program, without triggering the kind of escalation that could lead to war.

The Benefits of Ambiguity

Beyond the ways in which they are deployed, cyber-operations have two general characteristics that distinguish them from conventional military operations. First, their effects are limited and transient, especially in comparison with those of conventional military force. "If you're already at a stage in a conflict where you're willing to drop bombs, you're going to drop bombs," Hoover Institution fellow Jacquelyn Schneider recently told The New Yorker. Unlike conventional weapons, cyberweapons are virtual: even at their most destructive, they rarely have physical consequences. When they do, as with the Stuxnet attack, which caused the centrifuges used to enrich uranium at Natanz, Iran, to speed up or slow down, the results fall far short of the devastation that even a small precision missile strike can cause. When states have carried out cyberattacks on civilian infrastructure, such as Russia's attack on Ukraine's power grid in 2015, the consequences have been limited. No cyberattack has ever directly caused bodily injury; the only recorded death indirectly linked to one occurred in 2020, when a German patient with a life-threatening condition died after a ransomware attack on a hospital's systems disrupted treatment.

In practice, governments have recognized the difference in impact between cyberattacks and conventional military attacks. Consider the standoff between Iran and the US in the summer of 2019: according to reports in the American press, after Iran attacked oil tankers in the region and shot down a US drone, the Trump administration chose to respond in cyberspace, reportedly by hacking Iranian computer systems to degrade Iran's ability to carry out further attacks on tankers. What makes this case notable is that a real military option was on the table and then withdrawn: President Donald Trump called off planned military strikes against Iranian targets, tweeting at the time that he had changed his mind after learning of the likely civilian casualties. By implication, a cyber-operation may have been judged less dangerous precisely because it was unlikely to cause death or major destruction.

A satellite image of Mariupol, Ukraine, April 9, 2022 (Maxar Technologies / Reuters)

Second, unlike most military strikes, cyber-operations are usually conducted in secret and with plausible deniability. Analysts argue that this ambiguity about responsibility makes interaction in cyberspace dangerous and undermines deterrence: malicious actors, the reasoning goes, can cloak themselves in anonymity and instigate conflict while remaining hidden. False-flag cyberattacks are indeed common. For example, when a Chinese government-linked group carried out cyberattacks against Israel in 2019 and 2020, it posed as Iranian, apparently to confound Israeli attribution efforts. Secrecy, however, need not be a bad thing. It can allow states to act in a crisis without the constraints that more conventional uses of hard power would bring, such as domestic political pressure to escalate. It can also be used to gauge how willing the other side is to negotiate or settle the crisis: ambiguity creates breathing room.

When the US withdrew from the Iran nuclear deal in 2018, for example, experts feared that Iran would respond by attacking US personnel or interests in the Middle East. Instead, Iran appears to have replied with an ambiguous, non-escalatory increase in cyber-activity. Although Iranian cyber-operations were detected within a day of the US announcement, they did not look like the major attack many commentators had predicted; rather, they resembled reconnaissance and probing for vulnerabilities. If Iran intended this activity to be detected, it would have served mostly symbolic purposes, such as signaling to the US that Iran was watching and could respond.

Simply put, cyber-operations are by their nature designed to avoid conflict. Because they are ambiguous, rarely break things, and do not kill people, they can be a cheaper alternative to fighting. If policymakers continue to portray cyberspace as an escalatory domain of warfare, they risk overstating the role of cyber-operations in armed conflict and overlooking their real significance.

Tools, Not Weapons

The realization that cyber-operations are unlikely to lead to military escalation, and that in actual armed conflicts they are more likely to play a supporting role than a decisive one, has immediate implications for US policy and strategy. For one thing, it means the US may have more latitude to use cyberspace to pursue its goals without provoking new crises or intensifying existing ones. Since 2018, for example, the US Defense Department has treated cyberspace as an arena in which the military should engage persistently and proactively rather than simply reacting to adversary activity. In the Pentagon's words, Washington must "defend forward" to disrupt malicious cyber activity at its source. This approach includes maneuvering on networks controlled by US adversaries or third parties, as well as conducting offensive cyber-operations.

Many analysts raised concerns when the 2018 strategy was announced, fearing it might lead to military escalation. Adding to those worries, Congress, in the 2019 National Defense Authorization Act, authorized the secretary of defense to conduct cyber-operations as a traditional military activity, meaning they would no longer be treated as a form of covert action requiring presidential approval. Yet in the four years since defend forward was introduced, the escalation that many expected has not materialized. That should reassure policymakers that the US can continue to conduct offensive cyber-operations without risking escalation into a wider conflict.

In 2021, for example, US Cyber Command carried out a cyber-operation with a partner nation to hinder the Russian-linked criminal group REvil's ability to conduct ransomware attacks. Several months later, US officials acknowledged that the military had "imposed costs" on ransomware gangs. There are also indications that efforts to counter Russian cyber-activity during the current Ukraine crisis may have blunted a more effective Russian cyber-offensive, with Nakasone citing Ukrainian and other efforts to thwart Moscow's plans.

But the fact that the Pentagon's strategy has not produced escalation does not make it a tool the US can use to solve all of its cyber problems. For the same reasons that offensive cyber-operations have not led to escalation, their limits should raise doubts about the US's ability to use them to compel adversaries to change their behavior or to punish them with severe costs.

Second, because states use cyber-operations in many different ways, policymakers need a more nuanced approach to responding to cyberthreats. Because cyber-operations are constantly framed as an existential danger to the US, Washington has tended to respond to cyber-incidents of widely varying scope and scale with the same policy tools. Senior US officials, for example, have described both Russia's 2016 election meddling and the SolarWinds operation as acts of war. Yet the first was a cyber-enabled information operation and the second a large-scale cyber-espionage campaign; neither resembled open combat in any conventional sense. Moreover, the policy responses in both cases (as in many others) were much the same: public attribution, indictments, and sanctions. Rather than reaching for incendiary rhetoric and conventional forms of reprisal, officials should consider how to use cyber and non-cyber tools in ways tailored to the specific incident, taking into account the scope and intensity of the operation. Responses can be proportionate without being symmetrical. Instead of retaliating in kind, the US should adopt a wider range of more creative responses that account for differences in adversaries' centers of gravity. What matters to Beijing, and thus what might influence its behavior, differs from what matters to Moscow, Tehran, and other capitals.

In the Ukraine conflict, a one-size-fits-all approach to adversary cyber-operations could create serious problems. Anticipating possible Russian attacks on NATO members, NATO leaders affirmed that Article 5, the treaty's collective defense clause, applies to cyberspace, but they have not specified what actions would trigger it. This lack of clarity about thresholds and responses could undermine both the credibility of that pledge and the effectiveness of NATO's broader cyberstrategy.

A third lesson of the past decade of cyber-operations is that US officials should approach them with a more flexible mindset. Rather than focusing on retaliation, the US should invest more in resilience: the ability to absorb disruptive events and recover from them quickly. This approach means accepting that cyberattacks will happen and, more importantly, that the vast majority of them will not have catastrophic consequences. The US has improved its resilience in recent years by strengthening the entities responsible for working with critical infrastructure operators, such as the Cybersecurity and Infrastructure Security Agency, and by establishing the Office of the National Cyber Director to coordinate federal cybersecurity efforts and engage with the private sector. But these bodies are still young, and efforts to enact effective private-sector regulation that encourages resilience have a long way to go.

Is There a Cyber-Escape Valve?

Just because cyber-operations have not yet led to escalation does not guarantee that they never will. The risk of cyber-escalation could rise if conflicts like the one in Ukraine produce greater instability in the international order and intensifying great-power competition. Yet given their lack of physical violence and their relatively limited effects, cyber-operations could also provide an important outlet for recurring tensions in a more unstable world. As international politics grows more dangerous, cyberspace can give states a way to respond to perceived aggression without causing physical harm or loss of life, and that is itself a source of stability.

Ultimately, escalation is a matter of perception: it depends as much on how the target interprets an event as on the perpetrator's intent or the actual strategic context. A top priority for US officials should therefore be to better understand how adversaries interpret Washington's cyber-activity and to use that knowledge to conduct cyber-operations in ways that reduce the risk of escalation. During a crisis, for example, the US may want to avoid conducting cyber-operations in a manner that an adversary could read as the prelude to a military strike, even if that is not the intent. If such operations are a compelling strategic or military necessity, they should be paired with efforts to communicate their purpose so as to avoid misunderstanding.

For too long, policymakers have drawn the wrong conclusions from cyber-operations. The absence of escalation in cyberspace over decades of strategic interaction, a record only reinforced by the crisis in Ukraine, should prompt policymakers to rethink long-held assumptions about the domain. They may then come to see cyber-operations as one of a range of strategic tools that, properly understood, can either reduce or heighten the risk of conflict. The possibility of cyberattacks temporarily paralyzing large information networks or even entire economic sectors should not, of course, be dismissed. But in a world where armed conflict continues to devastate whole cities and exact horrific human tolls, civilian and military alike, cyber-operations should be seen as a way for states to pursue strategic goals by other means, not as another form of hard power.
