During the cold war the risks of nuclear war stemmed not as much from covertly or planned attacks, as it did from miscalculations. In the age of cyber warfare risks have multiplied tenfold, but without policy makers or politicians being sufficiently aware.
Finally after months of surreal suspense, but without a Hitchcock twist at the end, the FBI indicted on 13 July twelve Russian military intelligence officers on the grounds of meddling with the US 2016 Presidential election through cyber-attacks. According to the indictment, the intelligence officers were working for Russia’s GRU intelligence agency, when they stole emails from the DNC, targeted election infrastructure and stole user names and password of volunteers in Hillary Clinton’s campaign. In other words, Russia in no ambiguous terms, made a deliberate attack on the United States, which legally could call for grounds on engaging in a state of war.
Indeed the gravity of the accusations has given way for pundits and politicians to call for stronger measures than sanctions and expulsions of Russian diplomats. Most notably, some have called for retaliation through the use of cyber-attacks. After the Salisbury poisoning attack in Britain, Prime Minister Theresa May also openly considered retaliating with cyber-attacks against Kremlin’s interests. But before international or clearly stated national doctrines have emerged in this field, this should be avoided by all costs. As the Head of Russian International Affairs Council Andrei Kortunov stressed in the aftermath of the Salisbury attack; a cyber-attack retaliation would have been “very dangerous” due to the risk of escalation.
These open considerations of cyber-attack as retaliation measures speak to a general international trend, namely the inability of policy makers to place cyber warfare in the hierarchy of their weaponry. This is to a large extent due to the complexity of calculating potential consequences and impacts of engaging in even small acts of cyber warfare, which in turn is due to the lack of international doctrines, its disruptive novice nature and the changing circumstances of international relations. When examining these, it should however be crystal clear that floating cyber threats around, not to mention deploying attacks, should be dealt with in the most careful matter.
The Reassurance of MAD
It will be no news for scholars of International Relations that miscalculation of others intentions is one of the most dangerous and fatale risks. When Kenneth Waltz, the father of neorealism, described why the bipolar world of the Cold War was in fact a stable system, the keyword was deterrence. Deterrence was during the Cold War often equal to Mutual Assured Destruction (MAD), something that was as scary as it was reassuring.
The doctrines that lived on policy-papers, at universities and in the publics’ minds, created a pattern of recognisable consequences. It created a navigating structure for policy makers in an otherwise foggy world – making it clear that if you do X I will do Y. Of course risks did not disappear nor did the real possibility of a fatale miscalculation, as genuine considerations of pre-emptive strikes between the US and Russia are evidence of. However, it did provide a baseline of certainty of consequences, which decision makers could judge their decision on with the information they had available.
The Need for Doctrines
In today’s world, this is not the case. Not only are decision makers under a new cloud of a multi polar world, uncertainty inducing fake news and an American President that deliberately makes his actions unpredictable until the last moment, they do not have the necessary doctrines of responses in place in terms of cyber warfare to make just a baseline of clarity in today’s international relations. It is not a new phenomenon that states will test the borderline scenarios, where it is uncertain whether certain doctrines or pledges will apply, as Russia’s “small green men” are schoolbook examples of.
Thus as there is no clear way of determining the reactionary patterns, i.e. how a state will react in case of a cyber-attack, it will pose unprecedented risks of miscalculations as foreign policy makers cannot calculate risk tolerance nor potential retaliation. When risks are not clearly understood, all actions become risky. States are fortunately beginning to catch up, with NATO aiming at an agreement by early 2019 on cyber warfare principles to define what justifies the deploying of cyber-attacks as reactions, while Estonia, the apparent frontrunner in anything cyber, is creating a cyber command with offensive cyber weapons in cases of attack.
However while this development is indeed called for, it effectively brings the world into an increasingly serious form of cyber arms race, trapping us once again in the familiar security dilemma. While the bipolar world would have diminished risks of such an arms race developing into a fatale accidental confrontation, the explosive emergence of an increasing number of “Great Cyber Powers” and the still novice nature of these offensive capabilities leaves little trust in the motto of international stability; “with great power comes great responsibility”.
We Cannot Comprehend What We Have Not Experienced
So while when well-understood doctrines eventually have emerged we will have gotten a minimum of clarity, features of the international sphere have fundamentally changed, making deterrence as a core concept hollow and increasing chances of miscalculations. Because deterrence against what and whom? One of the scariest features about cyber warfare is not what we have experienced, it is that we have not experienced the effect of anything close to our current capabilities.
We have yet to experience a cyber-attack that upsets key infrastructure or financial services, which could trigger chaos, panic or a financial meltdown to an extend that would resemble consequences of material acts of war. This could be through a planned state-initiated cyberattack meant to devastate critical infrastructure, but it could more likely be the unintended consequence of a smaller cyberattack or from rouge agents otherwise aligned with a state.
A cyberattack meant only to disrupt or create mistrust, could unintentionally escalate and create a chaos, forcing politicians to show decisiveness and opening the road for escalations. As long as there is a certain tolerance for small cyberattacks, due not least to the lack of doctrines and so-far lack of any genuine international norms framework, this risks of unintended consequences and overreactions are constantly and more than necessary present.
Then there is also the risks of so-called “rouge agents” – associated, former or current state officials that take matters into their own hands. The classical Cold War example is of course the nuclear submarine general, who due to a false information, ideological fanatsism or mental instabilities, launch a self-initiated attack on a third-state. Besides the devastating impact of the attack, the high risk of it being perceived as a blatant first-strike would be considerable.
In the age of cyber warfare, the arsenal needed to launch such attacks by rouge agents is considerable different. You do not need to be a general, be in a rank of authority or to have the resources of the mighty state available. All you need is a computer and coding skills. In the 2014 alleged FSB-sponsored cyber-attacks on Yahoo, it was done by four for-hire hackers, including a 22 years old Canadian, which resulted in a massive data breach of at least half billion user accounts.
It did not take a sophisticated apparatus, all it took was intentions and skills. While it seems evident that the FSB was behind these attacks, other cases might not be as clear cut-out. Eventually, it will be up to the attacked state to determine the extent to which these groups are ordered, aligned or only using the territory of the state they are associated with. The fog of information and mistrust could easily lead to concluding the worst and respond accordingly, or reaching a wrong conclusion and thereby giving green light for such operations to continue.
Lastly, there is also the very real temptation for decision makers across these many Great Cyber Powers to simply use these new offensive capabilities without comprehending the devastating effect their new ironmongery can cause. The psychological barrier for us human to comprehend past our own or others experiences is infamously against our intuition. We needed to test nuclear weapons before we understood that they could never be used.
While this remains a real option, such an exchange would seem unlikely between Great Powers, but rather coming from a smaller rouge state. Here it is worth dwelling over the new cyber multi-polar world we live in, with at least a dozen of Great Cyber Power. The risks of miscalculations increase when interactions between capable powers of diverging interest increase.
To return to the Salisbury incident and the aforementioned lack of a clear-cut place for cyber-attacks, one could easily imagine a scenario where a cyber-attack was used in the context of a harsh diplomatic response amongst Great Cyber Powers that do not happen to be Great Powers. The risks of a spill over effect to more conventional attacks between these would thus be considerable greater due to its lack of Great Power attributes.
No Simple Solution
While there is no simply solution to address these risks, a keyword is once again deterrence. The US imposed sanctions on Russia following the electoral meddling, naming and shaming tactics and international norms setting are important features in this brave new world. However, the question remains, whether the many new coinciding factors have sealed the fate of some kind of miscalculation happening and whether countries react, overreact or .. ? I think it just might.
The information used to determine the intentions of other actors was of course still conceived and interpreted under the fog of anarchy, which created room for miscalculations, but it nevertheless had the comforting feature of being within a bipolar and in this regard more structured world.