Book Review: ‘Cyber Strategy: The Evolving Character of Power and Coercion’
Cyber security is one of those rare fields that concerns almost everybody, from emailers to governments. We’re all trying to reap the economic, social, and political benefits of cyber space without the negative risks.
Thus, books on cyber security are in demand, which perversely encourages a rash of poor offerings, ranging from hysteria to complacency. The latest offering is rare in posturing itself explicitly as an academic counter to hysteria about the risks at the highest level.
“The coercive effects of these cyber strategies are limited. First, neither disruptions nor espionage compel in the traditional sense. States use them to shape future interactions and limit escalation more than they do to seek concessions in the present…Cyber operations complement rather than replace traditional statecraft. We find that cyber means serve as an additive foreign policy tool in modern strategic competition.”
The authors admit that cyber strategies are low in expense and exposure compared to other malicious international behaviours, but otherwise characterize most as no different to their alternatives. “Just like spy-craft of old, cyber espionage allows rivals to steal information and alter the balance of information to enhance their bargaining position while gaining access for future actions.”
The book reduces the debate to two sides. Either cyber threats are revolutionary or evolutionary. They change international relations either fundamentally or incrementally. The book’s position is evolutionary.
“We treat cyber operations as a modern form of covert signaling and coercion with limited effects. Rival states develop cyber strategies, using these operations to amplify rather than replace other instruments and power in long-term competition. Furthermore, only higher-cost and complex cyber degradation attacks, designed to undermine adversary networks, tend to produce coercive concessions.”
On cyber sabotage, the book reduces the debate to a contest between hysteria about potentials and serenity about norms.
“Our understanding of cyber strategy and its coercive potential is much more complicated than the discourse evident in scholarship. Moving away from dramatic cyber effects brings us to the more realistic position that the effects of cyber operations might be marginal based on cost and effort as well [as] more oriented toward tacit bargaining between rival states engaged in long-term competition.”
The book challenges warnings of the potential for cyber sabotage to rival nuclear war, such as a recently published warning that nuclear weapons could be hacked to detonate or launch without the owner’s control.
For years, US government officials have warned of the capacity for states to use cyber-attacks to cause physical damage that they could not achieve any other way short of kinetic war. In April of this year, Britain and the US accused Russia of cyber-attacks on their networks in retaliation for their airstrikes against Syrian chemical weapons. In July this year, the US Director of National Intelligence said that Russia, China, Iran, and North Korea (in order) are launching daily cyber-attacks on America, with a growing chance of a “crippling cyber attack on our critical infrastructure.”
The book under review is attempting to refute the official consensus.
“What we witness in cyberspace is not war and mainly falls in the domain of limited coercive operations and actions designed to alter the balance of information as well as manage escalation risks in long-term competitive interactions.”
For credibility, the book promises “empirically-based evidence,” which is a welcome differentiation from most cyber security books, which tend to be personal and anecdotal. The empirical claim is founded on a longitudinal dataset created by the book’s authors in the last few years (Dyadic Cyber Incidents and Dispute). The book is welcome also in its clear structure and articulation of its hypotheses.
The trouble begins with the interpretation of the data. The book’s “major finding” is “that cyber operations produce only limited concessions. Examining 192 episodes of cyber exchanges between rivals, we find that only 5.7% achieve compelling success and lead to an observable concession.”
I find this statement misleading, and I doubt the authors weren’t aware of its potential. They explicitly theorize that most of the time states aren’t seeking to compel – they’re stealing secrets or spreading misinformation to aggrandize themselves or degrade their targets, but not change the targets’ behavior. (Indeed, the attackers have self-interests in doing these things without being discovered, so that the targets don’t correct their exposures and vulnerabilities, and don’t retaliate.) The authors don’t clarify this theoretical caveat in the context of the empirical statement. Instead, they contextualize it with a lot of problematic concepts, such as “power” and the “escalation ladder.” They seem to be maximizing the drama of this empirical finding for an audience drowning in a sea of hysteria without data.
The authors are in danger of falling into the same reassuring counter-hysteria into which commentators on terrorism can fall. To find that most of the time cyber-attacks don’t compel states to change behaviour is as unprofound as to find that most of the time terrorism doesn’t compel states to change behaviour. Most of the time these attackers don’t expect to change their targets’ behaviours.
The finding is open to misinterpretation as evidence that attacks are pointless, that “terrorism does not work” because it attains its political objectives only 7% of the time (as Max Abrahms “proved” empirically), but most terrorist political objectives are extreme, such as secession or religious revolution. Most terrorist attacks are not so ambitious – most of them are little more than hate crimes.
Another example of complacent counter-hysteria is to point out that terrorist and cyber-attacks don’t kill as many people as are lost to traffic accidents or diseases, but this dimension ignores the greater economic and social costs per event.
Hysteria about these risks is an unhelpful digression from empirical reality, but so is counter-hysteria. I’d rather aim at the empirical reality.
The book further undermines its empirical promise by falling into the convention of reviewing tedious and impractical definitions of “strategy” and “power” – almost invariably from self-invented “strategists” of no relevance to cyber. Thus, the book’s rigorous presentation of its hypotheses appears on the same page as a section entitled “What is cyber strategy?” This section is a short and barely justified list of unhelpful and contradictory definitions, such as Lawrence Freedman’s “art of creating power.” A book that studies international cyber strategies should be reviewing official definitions of cyber strategy, but the section contains none.
Like the stereotypical book that will get you tenure in a political science department, this book is more interested in outside theory than inside practice, in a question of relativity rather than utility, in remote judgmental correlations rather than proximate objective observations.
Chapter 2 reviews abstract theories of nuclear strategy, strategic bombing, and terrorism in its focus on “coercion,” and reviews studies of coercion rates in those other contexts (including Abrahms’ 7%), without admitting the controversies of these studies.
Cyber theorists are unambitiously following the precedent of Cold War nuclear strategists – deducing logically from abstract assumptions, such as rationality, rather than inducing from the practices and technologies.
Chapter 2 continues into questionable coding of known attempts at cyber coercion. For instance, in 2014 confidential information from Sony Pictures was hacked and leaked; the attackers also damaged the company’s network. The hackers demanded that Sony should not release its movie about a comic plot to assassinate North Korean leader Kim Jong-Un (The Interview). Distributors capitulated, followed by Sony itself, although eventually it went straight to downloadable distribution. Other producers upgraded the risks of content that could upset governments. Yet the book codes the attack as failed coercion: “While the behaviour of the target changed, the outcome was not what North Korea intended.”
The book is most useful in its case studies of Russian, Chinese, and US cyber behaviours (chapters 5, 6, and 8 respectively), where you’ll learn more about history than theory, real than abstract behaviours, and how the Dyadic Cyber Incidents and Dispute can be used to produce frequencies and rates, rather than correlates.