Whether or not the spiral of conflict spirals out of control depends on the ability to understand the extent of the hostility as well as the existence of good communication. Unfortunately, when it comes to cyber conflict, there is no agreement on the scope or how it relates to traditional military measures. What some consider to be a concerted, agreed-upon game or fight may look different to another party.
Ten years ago, the US used saber sabotage instead of bombs to destroy Iran's nuclear enrichment facilities. Iran responded with cyber attacks that destroyed 30.000 Saudi Aramco computers and disrupted American banks. That summer, after US President Donald Trump's administration imposed sanctions on it, Iran shot down an American drone. There were no victims. Trump initially planned to respond with a missile strike, but changed his mind at the last minute and opted for a cyber attack that destroyed a key Iranian military database used to target oil tankers. And again there were losses, but no casualties. Then Iran directly or indirectly struck two major Saudi oil facilities using more sophisticated drones and cruise missiles. Regardless of the fact that, by all accounts, there were no victims, or they were small, the attack represents a significant increase in costs and risks.
The problem of perception and control of escalation is not new. In August 1914, the major European powers were in the mood for a quick and decisive "Third Balkan War". The army was supposed to be home by Christmas. After the assassination of the Austrian heir to the throne in June, Austria-Hungary wanted to defeat Serbia, and Germany gave its Austrian ally freedom of action so as not to see him humiliated. But when the Kaiser returned from vacation at the end of July and learned that Austria had taken advantage, it was already too late for his efforts to stop the escalation. However, he counted on winning and he almost succeeded.
If in August 1914 the kaiser, the emperor and the emperor knew that in a little more than four years they would all lose their thrones and watch their states disintegrate, they would not have entered that war. Since 1945, nuclear weapons have been a crystal ball in which leaders can see the catastrophe that a major war would cause. After the Cuban Missile Crisis of 1962, leaders realized the importance of de-escalation, arms control communication, and rules of conduct in conflict resolution.
In cyber technology, of course, there are no obvious destructive effects of nuclear weapons, so this creates a problem of another kind - there is no crystal ball. During the Cold War, major powers avoided direct involvement, but this does not apply to cyber conflicts. And yet, the cyber threat of Pearl Harbor was exaggerated. Most cyber conflicts occur below the threshold established by the rules of armed conflict. They are economic and political rather than lethal. It is simply impossible to imagine that one could threaten a nuclear strike in response to Chinese cyber-theft of intellectual property or Russian cyber-meddling in elections.
According to US doctrine, deterrence is not limited to a cyber response (although it is possible). The US will respond to cyber attacks on domains or sectors with any weapon of its choice, proportionate to the damage caused. This can range from name-calling and shaming to economic sanctions and kinetic weapons. At the beginning of this year, the new "permanent presence" doctrine was described not only as a crushing attack but also as an aid to enhanced deterrence. But the technical overlap of intruding into networks to gather intelligence or disrupt attacks and execute compromise operations often makes it difficult to distinguish between escalation and de-escalation. Rather than relying on tacit negotiations, as advocates of a "permanent presence" emphasize, clear communication may be needed to limit escalation.
After all, we cannot rely on having enough experience to understand what consensual competition in cyberspace is, or we cannot be sure how actions taken by other countries in other networks will be interpreted. For example, Russian cyber interference in the US election was not consensual competition. With a domain like cyberspace, open rather than tacit communication can expand our limited understanding of boundaries.
Negotiating cyber arms control treaties is problematic, but that doesn't mean diplomacy is impossible. In cyberspace, the difference between a weapon and a non-weapon can come down to a single line of code, and one and the same program can be used for both legal and illegal purposes, depending on the user's intentions. But if this makes it impossible to verify traditional arms control agreements, it is still possible to establish limits on certain types of civilian targets (rather than weapons) and agree on firm rules of conduct that limit conflict.
Either way, it will be difficult to maintain strategic stability in cyberspace. Because technological innovation is faster than that in the nuclear sphere, a characteristic of cyber warfare is heightened mutual fear of the unpredictable.
Nevertheless, over time, a more efficient attribution of judicial expertise may strengthen the role of punishment; and the best protection through coding or machine learning can reinforce the role of prevention and deterrence. In addition, as states and organizations begin to better understand the limitations and uncertainties of cyberattacks, and the growing importance of Internet connectivity to their economic well-being, the cost-effectiveness calculations for the use of cyberwarfare may change.
Overall, at this stage, the key to containment, conflict management, and de-escalation in cyberspace is to recognize that we all have much to learn and expand the communication process among adversaries.
The author is a professor at Harvard University Copyright: Project Syndicate, 2019.
Bonus video:
