Revolutions in technology shape economies, state politics, and international relations (IR), often resulting in inter-state competition for advantage. Sometimes, technological advances result in new weapons that upend the strategic paradigms of the day.
Writing in Geopolitical Futures, Jacek Bartosiak describes these kinds of advances as Revolutions in Military Affairs (RMA), a tectonic shift in capabilities that ushers in a new phase in the way wars are conducted. Other times, a revolutionary discovery in the natural world opens an entirely unexplored theatre for competition and conflict. Yet, it is worth questioning; what would happen if such a revolutionary discovery and a game-changing RMA occurred simultaneously?
We are living through such a time. The advent of the digital age ushered in what has come to be known as the Fourth Revolution; a fundamental change in the way societies function as a result of information and communications technologies (ICT). This creation of paradigm-shifting cyber weapons, as well as ongoing competition for the so-called fifth domain of conflict – cyberspace – makes this question practical, not theoretical.
The Cold War: A Recent Lesson
There is a range of classical IR theories that attempt to explain competition for resources within the domains of military competition that existed at the time. How instructive are they for navigating competition and conflict in the cyber domain? Does the West need an updated, modern ‘grand strategy’ for our digital world?
The Cold War provides an interesting case study for the evaluation of these questions. It extended a new domain of conflict brought about by technological innovations, namely the advent of nuclear power and the first generation of atomic weapons. At the same time, advances in manned space flight opened an entirely novel domain of conflict in previously uncontested space. This novel domain of conflict challenged an age-old understanding dating back to the Peace of Westphalia. Since 1648, scholars had confined their theorizing to conflict in the terrestrial world, and applied over it a framework built on an understanding of inviolability of borders and non-interference by third-party nations in the domestic affairs of a state. With the opening of space for competition and conflict, these assumptions no longer held. There existed a borderless theatre for conflict with no clear, shared understanding of where states defined their critical national interest. Combined with the RMA in atomic weapons and ballistic missiles, states had no mutually understood doctrine for the use of these new weapons, should conflict arise, whether within the Westphalian world or outside it.
Described by the New York Times as ‘the Dean of the Cold War,’ John Lewis Gaddis’ writings on this subject are an appropriate lens through which
to reflect on the history of the Cold War and the lessons it teaches for modern deterrence of cybercrime. In his seminal work on the Cold War, Strategies of Containment, Gaddis describes the approach taken by the two rival blocs as one of ‘strategic deterrence.’ Yet, for your state’s weapons to have a deterrent effect, the other side’s population—and especially its leaders—need to fear the power you possess. This logic led to the creation and public testing of weapons of such immense power that they constituted a show of force overwhelming enough to deter any rational actor. In sum, it is estimated that more than 2,000 nuclear tests were conducted in the second half of the 20th century. The largest of these was conducted in 1961 over Mityushikha Bay, which resulted in an explosion with the destructive effect of more than 50 megatons, or 50 million metric tons, of TNT.
Predictably, the escalation in the size of the weapons and the public nature of the tests led to an arms race between rival factions, with both sides needing to possess power sufficiently capable of deterring the action of the other. However, given the strength of the weapons possessed by each side, and the risk of misunderstanding, both sides engaged in a practice of publicly documenting their rules for use of these weapons, in a framework that came to be known as an ‘escalation ladder.’ The use of strategic weapons under this doctrine was largely confined to the protection of vital national interests.
Conventional, not nuclear, forces were used to defend the periphery. Furthermore, asymmetrical tactics such as assassination, propaganda, and so-called low intensity conflict helped defend peripheral interests while also sowing doubt in the legitimacy and efficacy of the opposing power block.
Applying These Lessons to the Fifth Domain
There are lessons to learn from the Cold War’s clear parallels with modern cyber challenges. First, the emergence of a new type of weapon which precedes the formation of any established doctrine for its use, combined with the modern ambiguity about the sources of a cyberattack, nearly mirrors the Cold War example above. Like nuclear weapons, cyber weapons are able to strike a state’s industry, critical infrastructure, and commerce without warning. Cyber defence is difficult, so deterrence theory is certainly relevant. The lack of a doctrine for the use of these new cyber weapons results in a similar ‘strategic ambiguity,’ where leaders can misunderstand the risk posed to them by a potential adversary.
The second parallel is the need for a weapon’s capability to be understood by an adversary for it to have any deterrent effect. In the Cold War, weapons were tested in public. Today, cyber weapons are tested by proxy. Thus, we regularly see the use of deniable, low-intensity cyber conflict and propaganda by state-affiliated actors. Each act probes an adversary’s digital borders, un-covering weaknesses, while simultaneously revealing more about where a state defines its national interest in digital space. Finally, states appear to be self-organizing into digital spheres of interest, mirroring the Cold War pattern of aligning into power blocs for the purpose of mutual security and advantage.
Yet there are some limitations to this framing as well. Even in a well-understood global environment with long-established norms for state behaviour, the strategic actions of a state are seldom predictable or mechanistic. There are a range of actors within the system, other than a country’s leaders, who exert significant influence on the actions of a state. These include field commanders, political functionaries, leaders of industry, and the state’s population itself. This was certainly true during the Cold War and is even more true in cyberspace. Many IR theorists have tried to account for these other, more nuanced factors in their theorizing. Counterposed to the ‘grand strategy’ theory of statecraft is a tradition of more detailed micro-analysis, understanding internal state factors as the main drivers of its behaviours. This approach not only adds a level of state introspection, but it also offers some important insights when applied to the question of the state’s role in cyber conflict.
Sociologist Jack Goldstone’s work explained the role of social movements and how demography shapes states’ security strategies. In Goldstone’s Political Demography, human behaviour, and more importantly, material human need, drives actions that are largely independent of national identity and state interest. Demography and resource scarcity create pressure in a social system that compels civil society toward innovation and consumption while simultaneously driving the state towards expansion. The actions
of states are subordinate to the factors influencing their domestic population and the resource constraints within their geography. In the digital age, for the first time, economies are able to create assets and resources that exist outside of the physical world. As argued by Andrew McAffee in his book More from Less; software, digital currency, and data operate in a new special paradigm. This has changed (or at least offers the possibility of changing) the volume of the ‘pressurized container’ of the state.
Applied to the cyber domain of conflict, no longer is a state’s stability tied to the relationship between population and consumable, physical resources. Grand strategy can now consider conflict – over and through digital resources – without altering Westphalian borders. For example, a report in Privacy Affairs shows clearly that criminal gangs originating from Russia and China, which account for large amounts of disruptive cybercrime, target entities exclusively outside of those states. Cyberspace extends borderless digital theft, as well as protest through cybercrime and ‘hacktivism,’ unmoored from the constraints of proximity in the physical world. Repression too takes more than just physical forms and now includes digital propaganda, privacy infringement, and censorship.
States Need a New Approach to Defence that Accounts for Both Cyber Weapons and Cyber Space
So what are we to make of these parallels between the Cold War and cyber warfare? They paint a full, though imperfect, picture of the problem posed by cyber weapons, and explain the differing state approaches to incorporating cyber capabilities in their wider arsenal . They also reveal the blurring lines between the foreign and domestic, as well as the external and internal. Cyber conflict could happen in isolation or be inextricably linked with a broader national aim, resulting in far more complicated challenges. It often incurs collateral damage in unintended areas, leading to the transnationalization of cyberspace and implicating spheres ranging from criminal justice, economics, security, and defence. This reality requires states to possess a clearly defined conception of their national interests in cyberspace.
Aristotle is credited with saying, ‘nature abhors a vacuum.’ There needs to be a treaty-based collective establishment and enforcement of norms (as was the case with
the Nuclear Non-Proliferation Treaty), as well as a stated doctrine for the state use of cyber weapons, to avoid potentially unsuitable ad hoc approaches to these cases. A clear understanding of red lines and escalation ladders would reduce ambiguity and the likelihood of miscalculation.
Moreover, where the parallels paint an imperfect picture, we should improve it. The framing of cyber both as zero-sum and an existential struggle for survival between two hegemons seems misplaced. The current world is multipolar, with the European Union operating outside of this bipolar hegemonic system to exert significant pressure around digital sovereignty and data subject rights. Also, corporations have a significant—maybe dominant—role in the development of cyber norms, the nature of defence, and the limitations of state power in cyberspace. The recognition of individual actors and their impact on the state is also key to framing the cyber picture. Individuals often act in their own interests in the commission of cybercrime, targeting both domestic and foreign enterprises without much regard for territorial boundaries. This makes redress of cyber conflict difficult without cooperation. Inter-state investments that provide disincentives for cybercrime, as well as the treaty-based adjudication of claims against entities in other nations that violate these norms, would also be necessary. This level of cooperation is presently lacking from global governance of cyberspace as the relics of geopolitical rivalries among actors still primarily define the landscape of international relations, inherited from the Cold War context.
Finally, it seems that any model must go further and address the role played by corporations. In the current day, corporations develop most cyber infrastructure as well as the cyber defences that protect it. The cyber weapons created by even the most sophisticated states both rely upon and often attack the technology and architecture created by these corporations. Workable models of cyber strategy should recognize the incentive structures within which corporate actors operate and should also propose solutions in the state geographies where they are regulated. It is clear that a state’s critical national interest is no longer limited to territory and physical resources. A state’s strategy must also determine how it will protect digital resources and the companies that create them.
Joshua Jaffe is a part-time DPhil Candidate at the Oxford Internet Institute and a Cybersecurity lead at Dell Technologies.