Last week the New America Foundation hosted its launch for an interdisciplinary cybersecurity initiative. I was fortunate enough to be asked to attend and speak, but the real benefit was that I was afforded an opportunity to listen to some really remarkable people in the cyber community discuss cybersecurity, law, and war. I listened to a few very interesting comments. For instance, Assistant Attorney General, John Carlin, claimed that "we" (i.e. the United States) have "solved the attribution problem, and the National Security Agency Director & Cyber Command (CYBERCOM) Commander, Admiral Mike Rogers, say that he will never act outside of the bounds of law in his two roles. These statements got me to thinking about war, cyberspace and international relations (IR).
In particular, IR scholars have tended to argue over the definitions of "cyberwar," and whether and to what extent we ought to view this new technology as a "game-changer" (Clarke and Knake 2010; Rid 2011; Stone 2011; Gartzke 2013; Kello 2013; Valeriano and Maness 2015). Liff (2012), for instance, argues that cyber power is not a "new absolute weapon," and it is instead beholden to the same rationale of the bargaining model of war. Of course, the problem for Liff is that the "absolute weapon" he utilizes as a foil for cyber weapons/war is not equivalent in any sense, as the "absolute weapon," according to Brodie, is the nuclear weapon and so has a different and unique bargaining logic unto itself (Schelling 1977). Conventional weapons follow a different logic (George and Smoke 1974).
One might object here and claim that the nature of the weapon does not matter, as it is the game and its frame that are important. But this is exactly where the game breaks down for cyber and for IR theorists. The classic bargaining model assumes two rational actors (usually states), where the sending state issues a public demand to the target state, usually due to some disagreement where negotiation and diplomacy are insufficient to resolve the dispute. Thus the first step of the bargaining model of war presupposes that there are two actors already publicly discussing some issue or good. Yet in cyber this is not the case. There is no discussion. If there is some good or issue in "dispute" it is more than likely some overarching foreign policy goal or objective and has little to do with a specific ultimatum. In fact, there is no ultimatum and we do not (contrary to Mr. Carlin) know who our interlocutors are. We are off to a poor start then.
The first step in the game tree for a bargaining model is for the sending state to issue the public ultimatum. The target can either accept or reject. If the target rejects, then it goes to a second round and escalates. Here is the rub though, if the causes of the kerfuffle are nowhere to be seen (Junio 2013), and the target is not aware of any problem or issued an ultimatum in the first round, then any subsequent step in the model is a moot (and frankly impossible) step. There is no bargain.
Empirically, moreover, cyber attacks have not yet risen to the level of a use of force tantamount to an armed attack. In other words, the few cases we have of cyber attacks either cause physical damage (Stuxnet 2010; Saudi Aramco 2012) or widespread functionality issues (Georgia 2008, Estonia 2007; Sony 2014?), and they have not come on the heels of some sort of classic bargaining model. Georgia in 2008 is the only attack to have been perpetrated during an armed conflict, though Russia denies any involvement. What we have, then, is not a bargaining model of war, where war is the most costly tool in the stateperson's toolbox. Rather, we have a strategic interaction, where one side calculates what its payoff will be if it attacks below the threshold for war. The key about a strategic interaction is not what the target actually does in response, but what the attacker calculates the target is likely to do.
For cyber "war" then, what we see is a continual barrage of below the threshold attacks (what I refer to as "sub limina attacks") undertaken on the assumption that the target will calculate that it is not worth responding in an escalatory manner. Due to this calculation, escalation does not occur. What does appear to happen, however, is some sort of public response that is nonescalatory and weakly punitive in nature. There may be tit-for-tatting covertly, but the publicly acknowledged responses are either to ignore or to respond in a nonmilitary way. A case in point is President Obama's use of the term "cyber vandalism" to refer to the Sony hack, and his "proportionate" response as imposing more economic sanctions on the Kim regime.
The public posturing of the Obama administration is thus very telling as to how it views, and would like to view, cyber weapons and cyber "war." First, cyber weapons are not akin to nuclear weapons. Cyber weapons have the potential to discriminate between (non)combatants. Moreover, they do not (presently) risk destroying the world in which we live. In fact, treating them as anything more muddies our conceptual frameworks. Second, the norms emerging for the use of cyber weapons and the response to cyber attacks are proving to be nonescalatory and risk averse. Indeed, the very labeling of an attack as a crime and not a use of force signals to the target and to the rest of the international community that there is cyber restraint (Valeriano and Maness, 2014), and I would add that this restraint is intentional because states are trying to forge norms to govern the use of coercive cyber force.
Where does this leave us? Well, if Assistant Attorney General Carlin is right, and "we have solved the attribution problem," then leaders can bargain in private or name and shame in public. If, however, this statement is merely a ploy at deterring would-be-cyber-attackers from hacking the US, then we are still in need of IR scholars to do some novel and creative work on how states can pursue foreign policy objectives in a coercive relationship where there are no public demands. If NSA/CYBERCOM Director Admiral Mike Rogers is correct, and he will not act outside of the bounds of law, then it is also imperative for the US and the international community to start making laws governing activities in cyberspace. The present strategy of slow norm development has not and will not stop militarization of the Internet and the proliferation of new and much more frightening cyber weapons. The bargaining model will not help us in either situation.
*Note: This blog first appeared on The Duck of Minerva