George Perkovich, Ariel Levite, eds. Understanding Cyber Conflict: Fourteen Analogies. Washington, DC: Georgetown University Press, 2017. 304 pp. $34.95 (paper), ISBN 978-1-62616-498-7; $104.95 (cloth), ISBN 978-1-62616-497-0.
Reviewed by Erica Borghard (Army Cyber Institute, United States Military Academy at West Point)
Published on H-Diplo (March, 2018)
Commissioned by Seth Offenbach (Bronx Community College, The City University of New York)
Understanding Cyber Conflict, edited by George Perkovich and Ariel E. Levite, is the second iteration of a cyber analogies anthology. The first, Cyber Analogies, edited by Emily O. Goldman and John Arquilla, was published in 2014. The original impetus behind using analogies to understand key topics and problems in the study of cyber strategy and conflict is that analogies can serve as useful foils for illuminating key attributes and dynamics of a new technology or domain of warfare. Analogies can be especially useful for deriving insights about technologies that can be opaque, highly technical, and difficult for nonexperts to grasp. The second volume seeks to build on the contributions of the first by extending cyber analogies beyond the United States to provide a more global perspective on cyberspace. Understanding Cyber Conflict contains four revised essays from the 2014 volume (chapters 8, 9, 11, and 12), so this review focuses on the entirely new scholarship. Perkovich and Levite note that the contributors to the volume are American, British, Israeli, and Swiss. The book is organized into three conceptual categories: “What Are Cyber Weapons Like?,” “What Might Cyber Wars Be Like?,” and “What Are Preventing and Managing Cyber Conflict Like?”
The editors of the volume should be commended for extending the analysis of cyber strategy and conflict beyond the US perspective, and this volume represents an important first step in this direction. However, the collection would have been even stronger if this had been tackled more explicitly. In particular, many of the contributors to the volume implicitly rely on the contributions of the strategic culture literature to inform their analysis. Yet nowhere in the book is strategic culture directly addressed as a body of literature that could inform the contributors’ lines of inquiry. For instance, several of the chapters implicitly contend that a state or an organization’s approach to a new technology or innovation is a function of its culture or history but do not tackle strategic culture explicitly. Furthermore, while it is laudatory to try to move beyond a US-centric perspective, especially for a domain in which the United States faces peer competitors, most of the chapters remain focused on the US. Expanding the scope of the analysis to include more non-US perspectives would have improved the volume. Finally, the book raises a fundamental question regarding whether using analogies to understand cyberspace continues to provide returns for policymakers and the academic community. The time may be ripe for experts to move beyond analogies to derive unique theories and doctrines for the cyber domain.
Michael Warner compares cyber weapons to espionage. This is an important comparison, because, unlike technologies and capabilities in other domains of warfare, there is a fundamental intelligence component to offensive cyber operations, the most sophisticated of which require significant intelligence preparation to deliver an effect against a specific target. More important, the value of cyber capabilities was initially seen as entirely for the purposes of espionage; the offensive, warfighting component developed later. There is, therefore, an inherent tension between cyber as an intelligence capability and cyber as a warfighting one—although this could have been explored more explicitly in the chapter. Warner focuses on the comparison between cyber weapons and traditional human espionage (HUMINT). He concludes that “what is new is old,” and that the primary difference associated with cyber weapons is the scale of the capability (p. 20). The choice of HUMINT as the analogy is not one that I would have made. Given the inherently technical nature of cyber weapons, particularly as applied for the purposes of intelligence collection, it seems that a more natural analogy would be to signals intelligence (SIGINT). Indeed, at least in the United States, cyber capabilities emerged out of SIGINT capabilities within the intelligence community. There are several compelling research topics that emerge from this chapter that warrant further consideration. For example, how did the organizational culture in which cyber capabilities emerged (for instance, in the United States, the SIGINT community) shape how states think about its uses, especially the tension between cyber as an intelligence capability versus as a warfighting one, and does this vary cross-nationally or across different organizations within a state’s military/intelligence apparatus? Another fascinating aspect of intelligence in the context of the cyber domain that could have been explored in this chapter is the role of private actors (for example, FireEye, Symantec, CrowdStrike, and others) in conducting intelligence assessments and, in many instances, acting as a “first mover” in public attribution for cyber attacks. Intelligence capabilities are traditionally viewed as an inherently governmental function and one in which the government has an advantage in collection capabilities, but this may not be the case in cyberspace.
Lieutenant General Robert E. Schmidle Jr., Michael Sulmeyer, and Ben Buchanan compare cyber and nonlethal weapons. They note that, because “no one has ever been killed by a cyber capability,” the default comparison between cyber weapons and “powerful, strategic capabilities with the potential to cause significant death and destruction” seems inappropriate or misplaced (p. 31). They, therefore, evaluate cyber and nonlethal weapons across four categories: incapacitation, reduction of collateral damage, reversibility of effects, and deterrence. They find notable overlap between cyber and nonlethal weapons across these categories but note that using nonlethal weapons as an analogy may impose limits on their use, similar to the constraints on approvals for employing nonlethal weapons. The authors’ decision to use nonlethal weapons as the benchmark for assessing the implications of cyber capabilities makes an important contribution by drawing attention to the limits of more commonly used analogies, such as those between cyber and nuclear weapons, and provides a useful and novel lens for assessing cyber weapons. The discussion of deterrence, however, would benefit from some conceptual clarification. For instance, the authors state that the first questions of deterrence are: “whom do we wish to deter from doing what, and what would we like them to do instead?” (p. 38). In fact, the classic deterrence literature has already posited an answer to this question: the desired outcome of deterrence, by definition, is the maintenance of the status quo. The negative object of deterrence is precisely what makes the causes of successful deterrence so difficult to evaluate. As the authors note, the analogy between cyber and nonlethal weapons is perhaps least applicable to the sphere of deterrence, but more explicitly relying on the extensive academic literature on deterrence, as well as signaling and compellence/coercion, would help refine the implications of the authors’ analysis and highlight some important differences between cyber and traditional deterrence. For instance, Schmidle, Sulmeyer, and Buchanan contend that cyber capabilities can “send a signal threatening greater non-cyber cost imposition ... [by] reveal[ing] a cyber operation to another state” (p. 39). However, while revealing capabilities in other domains may buttress a deterrent threat, states run significant risks in revealing cyber capabilities because doing so enables a target to remediate the vulnerabilities the capability exploits, rendering it and the deterrent threat moot, and risks losing valuable intelligence assets.
In a fascinating comparison between cyber weapons and precision-guided munitions (PGMs), James M. Acton explores how three challenges associated with PGMs—intelligence, surveillance, and reconnaissance; battle damage assessment (BDA); and utility in achieving political objectives—may apply to cyber weapons. In particular, Acton’s discussion of the importance of BDA in evaluating the success of a strike is interesting and not often prioritized in the literature. As he notes, there is negligible treatment of this issue in the cyber literature, which raises important empirical questions regarding how we evaluate and measure the outcome of a cyber operation. Acton also makes the novel and underappreciated point that “efforts to defeat BDA perhaps could become a significant feature of cyber warfare” (p. 53). The author’s treatment of the strategic implications of cyber weapons would have benefited from more explicit leveraging of the academic literature on coercion.
David Sanger ponders the comparison between the use of drones and offensive cyber capabilities that developed covertly during the George W. Bush and Barack Obama administrations, raising the puzzling question of why there has been less reticence to using the more lethal capability (drones) in comparison to the less lethal one (cyber). He concludes that this can be better understood through exploring how these programs developed, particularly the role the American public came to play in shaping the debates about the costs and utility of drones versus the highly secretive nature of cyber capabilities. Sanger traces a detailed history of how two successive administrations viewed the utility of these capabilities and the nature of their employment. He does not offer a clear explanation for why decision makers in the United States are allegedly less willing to use cyber capabilities. In fact, as Sanger notes, the secret nature of cyber operations means that we do not have a good way of knowing “how many cyber strikes take place” (p. 71). This raises some questions about the premise of the initial question. Perhaps the question should be reframed to focus on how and why secret programs are revealed and what the the implications for their use are in a democracy. Furthermore, there could be other explanations for limits on the employment of cyber capabilities, such as the difficulty or complexity of an operation. In this vein, the analysis could take into account the range of offensive cyber operations, from relatively simple, non-access dependent ones, such as Distributed Denial of Service (DDoS) operations, to highly tailored and specific operations targeting critical infrastructure, such as Stuxnet.
The volume then turns to a collection of chapters on the nature of cyber warfare. Going beyond analogies between cyber and information warfare, Stephen Blank demonstrates how “Russia has integrated cyber and information warfare organically into its planning and capabilities to project power” (p. 81). This chapter, therefore, is the first time the reader gets to experience an explicitly non-US perspective on cyber strategy and conflict. Blank notes that there is no meaningful distinction between cyber warfare and information operations from the Russian perspective. He shows how Russian cyber operations against Estonia in 2007 and Georgia in 2008 emerged from Soviet strategies and tactics. Blank makes an important contribution by laying out the historical roots of Russia’s cyber strategy, but he could have drawn more extensively on the strategic culture literature as a conceptual framework for his discussion. The chapter also prompts several interesting research questions that are largely untouched by the chapter and warrant considerable future exploration. Is the Russian conception of cyber as an inherent component of information operations unique? What are the causes of cross-national variation in how states integrate cyber strategies with preexisting ones? There is also an important strategic interaction component that has implications for policymaking: how does the Russian use of cyber information operations terms stack up against other approaches? The integrity of democratic elections in the United States and western Europe may depend on the answer to this question.
John Arquilla assesses the analogy of the preventive use of force to highlight cyber capabilities for counter-proliferation purposes, as was reportedly the case with Stuxnet. While Arquilla notes that the concept of preventive war has a long and complicated history (for example, preventive war logic justified the 2003 invasion of Iraq), cyber preventive action may be appealing to policymakers due to its covert nature and the fact that it does not require extensive military operations. Arquilla’s discussion of preventive war is notable in that it draws on early nineteenth-century history, beginning with strategic competition between the British and the Danes in 1801 and 1807 and tracing the path of the use of preventive force through the twentieth century. This is a refreshing approach. In assessing the implications for the contemporary era, Arquilla shows how the preventive use of cyber force can “enable and empower protracted campaigns as opposed to limited, short-duration strikes against particular targets” (p. 107). This is an important point that could be unpacked more. The typical unit of analysis in the literature on cyber conflict, at least in the United States, is the cyber operation (although whether this varies cross-nationally is a separate and interesting question). Evaluating cyber campaigns—their structure, strategic utility, and feasibility—is an important and underexplored topic in the literature. There are some obvious limits and complexities associated with the protracted use of cyber capabilities. For instance, states may be incentivized to use their best capabilities first (a “use it or lose it” incentive) out of the fear that the adversary may realize the vulnerabilities being exploited and take measures to defend themselves. This, coupled with the fact that tools and access to strategic targets are difficult and have long development timelines, may mean that we are likely to observe states shifting to softer and easier targets in a protracted cyber conflict.
Francis J. Gavin leverages the analogy of the July 1914 crisis that sparked the First World War and the role of technological developments, specifically railroads, that contributed to it. He evaluates the extent to which we can derive insights or how cyber capabilities may affect great power crises and the stability of the international system. In doing so, he notes the important distinction between what actually occurred in 1914 and how 1914 has come to be perceived by social scientists. Gavin explores the similarities and differences between railroads in the lead up to 1914 and cyber in the current era. One similarity, in particular, has implications that could be probed in greater depth. Gavin argues that “rail and cyber are dual-use technologies with both civilian and military applications that are sometimes hard to distinguish.” He goes on to point out that “the military applications of these tools were poorly understood” (p. 116). We are, unfortunately, far too aware of the devastating effects that misunderstanding technology had on the nature of warfare in the beginning of the twentieth century—the sixty thousand casualties suffered by the British alone on the first day of the Battle of the Somme are testament to that. However, the dynamics of this for cyberspace remain under-scrutinized, and the chapter would have benefited from an equal empirical treatment of this issue for cyberspace as for the First World War. What is the extent to which military and political leaders have misunderstood the effect of cyber innovations on the nature of warfare, and what are the costs? How does this compare to the time it took them to assimilate other new technologies into strategy and doctrine? Are some militaries or states better at this than others, and why? Another interesting nugget in the chapter is the difference between the public way in which states mobilize for war via railroads versus the secretive nature of cyber mobilization. There is an important implication here for threat assessment and intelligence collection that Gavin may want to explore further, namely, whether it is possible to develop observable indicators and warning of adversary behavior in cyberspace.
Turning to preventing and managing cyber conflict, Steven E. Miller assesses adaptation of dual-use technologies, with a focus on the trajectory of nuclear technology as a lens for understanding cyber. Miller finds that there are more differences than similarities between the nuclear and cyber stories, and charts these in a broad overview of the emergence of nuclear weapons, the civilian applications of nuclear technology, and state attempts to achieve security in a nuclear world. Miller presents a summary of deterrence theory that would benefit from greater nuance, such as the distinction between deterrence by denial versus punishment, the stability-instability paradox, the relationship between deterrence and escalation dynamics, and, of particular relevance to this volume, differing perceptions on nuclear strategy between the United States and the Soviet Union. Miller outlines some of the challenges in applying deterrence to cyberspace, but this is a well-trodden path and there are few new insights in this discussion. He astutely notes the difficulties of arms control regimes for cyberspace and posits that confidence-building measures (CBMs) may be more tenable, but this discussion would be enhanced by a more comprehensive treatment of existing efforts to develop CBMs and the potential causes of recent failures, such as the failure to come to an agreement at the latest United Nations Group of Governmental Experts round in 2017.
Peter Feaver and Kenneth Geers consider the concept of pre-delegation in nuclear and cyber scenarios to vest lower-level commanders with the authority to launch weapons under certain conditions. In games of chicken, pre-delegation can enhance the credibility of one side’s threat to retaliate if the execution of it is taken out of decision makers’ hands. The merits and risks of pre-delegation for cyber are particularly salient given the recent trend in the cyber strategy literature exploring the escalatory nature of the domain. Feaver and Geers note that the same issues that drove policymaking to pre-delegation for nuclear weapons—the speed, novelty, and technical nature of the capability—also exist for cyber weapons. However, cyber is different in two important ways that make pre-delegation risky: the attribution problem and the fact that cyber weapons are far less destructive than nuclear ones. Given these risks, the authors posit that pre-delegation for defensive cyber operations “may be all that is needed and may even be more than is necessary to confront many cyber threats.” Feaver and Geers acknowledge the blurred lines between offense and defense, in that “cyber defenders ... [may need] to go ‘outside the wire’” to target adversary command and control nodes. They assert that these operations fall outside of the scope of pre-delegation because they are “unlikely to occur in real time” (p. 223). However, it is entirely plausible that a state’s military cyber organization maintains persistent access to known adversary command and control (C2) nodes and could launch an attack on them on command (for example, in real time) in response to or during the course of an attack. Further exploring the relationship between offense and defense (at different levels of analysis or different stages in an operation) would be useful for assessing the implications of pre-delegation for defensive operations.
The volume’s final chapter, by Florian Egloff, makes a comparison between cyber conflict and thirteenth- through nineteenth-century profiteering, in which the government employed private vessels in times of war to operate against enemies on the sea. The cyber realm shares attributes of the maritime world in the age of privateering, particularly the role of non-state actors and the nexus of economic and security affairs. Egloff’s discussion of the relationship between the government and private actors in cyberspace ranges from the issue of whether companies should “hack back” in response to cyber attacks, to the different types of non-state actors who may operate with implicit or explicit backing from a government (such as cyber militias, patriotic hackers, or criminal networks). The analysis would have benefited from taking this a step further by developing a framework for evaluating the different types of public-private relationships and their implications for policymaking. And, taking a cue from the overarching theme of the edited volume, Egloff may want to explore variations across different countries in terms of how public-private relationships in cyberspace are structure and develop plausible hypotheses that account for that variation. For instance, is Russia more likely to work with such criminal groups as the Russian Business Network, while China relies on patriotic hackers? Do authoritarian governments create different authority and command and control relationships with non-state cyber groups than democratic ones? How do market forces and the structure of a state’s economy interact with these factors?
This edited volume adds to the range of the analogies experts can leverage to gain insights into the dynamics of cyber strategy and conflict. More explicitly capitalizing on the extensive strategic culture literature would enhance the contributions of this volume, as well as more dedicated efforts to move beyond the US case.
. See, for instance, Robert J. Art’s 1980 article that offers a concise description of deterrence or Thomas Schelling’s extensive discussion of deterrence . Robert J. Art, “To What Ends Military Power?” International Security 4, no. 4 (Spring 1980): 3-35; and Thomas Schelling, Arms and Influence (New Haven, CT: Yale University Press, 1966).
. For instance, Jack L. Snyder’s seminal article on Soviet strategic culture and limited nuclear options, “The Soviet Strategic Culture: Implications for Limited Nuclear Options,” The RAND Corporation (September 1977); or Peter J. Katzenstein’s excellent edited volume on this topic, The Culture of National Security: Norms and Identity in World Politics (New York: Columbia University Press, 1996).
The views expressed here are personal and do not reflect the policy or position of the US government.
If there is additional discussion of this review, you may access it through the network, at: https://networks.h-net.org/h-diplo.
Erica Borghard. Review of Perkovich, George; Levite, Ariel, eds., Understanding Cyber Conflict: Fourteen Analogies.
H-Diplo, H-Net Reviews.
|This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.|