Cyber Conflict: The State of the Field

Carnegie Corporation Visiting Media Fellow Scott Malcomson examines the many meanings of cyber security.

Carnegie Corporation Visiting Media Fellow Scott Malcomson examines the many meanings of cyber security.

Cyber is an adjective that wants to be a noun. International relations, political science, and international law are all being transformed by "cyber"; but cyber is still its own world. Its practitioners, its year-round citizens, have their own new or sometimes repurposed language (vulnerabilities, botnets, exploits, advanced persistent threats) and their own markers of history’s pivots (PD20, Stuxnet, GameOver ZeuS). Most importantly and distinctively, they have their own understanding of the paradoxes and ambiguities that keep cyberworld turning on its axis, without resolution: the root reality of dual use (marketing is targeting), and the uncomfortable realization that cyber defense and cyber offense are not easily distinguishable. The familiar term that cyber never, ever modifies is “victory."

The strange autonomy of cyberworld—the independence that leads "cyber" to modify war and espionage without being dominated by them—was on full display at the recent two-day State of the Field for Cyber Conflict Conference in New York held by the Cyber Conflict Studies Association (CCSA). Sponsored by The William and Flora Hewlett Foundation and Carnegie Corporation of New York, the conference was hosted by Columbia University’s School of International and Public Affairs (SIPA).

Cyber conflict is a new field of study; like the term “cyber” itself, the study of cyber conflict crosses multiple disciplines and is dominated by none. The CCSA-Columbia conference was an initial attempt to map a rapidly changing field.

In a Lawfare blog post afterward, Paul Rosenzweig, former deputy assistant secretary for policy in the U.S. Department of Homeland Security, wrote, “This was the first time—that I am aware of—that a significant portion of the professional historians who are studying the history of cyber conflict got together.” Session topics were: international relations; tactical and operational level dynamics of cyber conflict; intelligence and adversaries; strategic dynamics of cyber conflict; cyber conflict history; and legal issues. Discussion was not for attribution, but the organizers expect to publish a summary of the arguments this fall.

Mapping the Field

Cyber-conflict studies is such a new field that there is not even a canon of basic works. Each conference session included an animated discussion of . . . yes, bibliography. Participants would call out an article or name a scholar, all duly noted by a rapporteur. The idea was to create a minimum base on which to build research agendas, offering some signposts for graduate students interested in pursuing cyber themes in international relations, political science, and international law.

It’s odd to think one might have been present at the birth of an academic subdiscipline. Some participants attempted to place cyber within classic categories of international relations like realism or constructivism, recognizing that almost all of the professional incentives for a scholar point toward fitting into an existing academic field. They had little success. The international relations panel, in particular, generated far more questions than it did answers. (What is a cyber weapon? How do you measure cyber power?) As a participant in another panel noted, “Cyber attack is such an easy term to use, but nobody really knows what it means.”

The indeterminacy of the field is not surprising. Information in the classified and unclassified realms differs significantly, and conclusions drawn on the basis of unclassified information might well be misleading. The field’s conceptual language is also very much a work in progress. Two factors—the apparently apocalyptic potential of cyber weaponry and the non-use (so far) of large-scale attack capabilities—often lead to strategic nuclear concepts being imported into cyber discussions. Participants mainly agreed that such borrowed language creates more problems than it solves, but a more functional terminology remains elusive. The line between espionage and warfare in cyber is also vanishingly thin: code inserted into a network in order to gather intelligence might also be a hook for cyber OPE—operational preparation of the environment—and therefore part of warfare. In these cases and others, cyber conflict resists the language and concepts of existing academic disciplines while not yet being able to offer strong alternatives of its own.

At the conference, international law provided the most stable disciplinary platform, in that the Tallinn Manual on the International Law Applicable to Cyber Warfare—which represents both an actual manual, written by a collective and published in 2013, and an ongoing process of revision and application by an international group of experts—has gained wide acceptance. But even here, some governments, notably that of China, have questioned the basic premise that international law developed for other spheres can also apply in cyberspace.

Naming the Actors

As the legal instance shows, one can recognize a norm in cyber space—such as the applicability of established laws of armed conflict—but if a major player doesn’t agree, what does the norm really mean? In cyber conflict, this is not simply a question of being able to include all states in the analysis. Nonstate actors are a large and ever-changing presence, from hacker groups (which might, or might not, be state proxies to terrorist groups) to multilateral bodies, criminal organizations, and technology companies. As cybersecurity is itself a sizable industry, much of the nonclassified information on cyber conflict comes from the commercial sector. So do many of the offensive and defensive capabilities, as private companies are themselves the targets of much cyber aggression. The distinction between acting for profit and acting for political reasons breaks down continually. This is not made any easier to analyze by the reality that spyware, influence operations, malware, OPE, and other capabilities are being deployed around the clock by multiple actors, some of whom firmly believe, according to one participant, that “restraint is for suckers.” The operational tempo means cyber conflict changes so rapidly that strategic and theoretical concepts are themselves subject to change.

Given the extreme disparity among nations in innovative capacity and technological sophistication—and the perceived costs to sovereignty of remaining technologically inferior—conference participants recognized the need to bring in many different perspectives, including those of small and medium-sized countries as well as those of the leading cyber powers.

In such a contested environment, the basic idea of an open and free Internet has been weakened. Several participants noted that the U.S. has led both in advocating an open Internet and in developing the tools to weaponize it—which inevitably draws the Internet into the competition among sovereign states. As James Mulvenon, chairman of the Cyber Conflict Studies Association board, put it: “Beijing’s description of Internet sovereignty is an accurate description of global reality. There is no cyber commons; the architecture falls pretty neatly into Westphalian categories of nation states. The U.S. State Department is largely alone in advocating the opposite; the rest of the U.S. government believes in a sovereigntist Web and works to defend it. Even the Europeans aren’t with us, because of their hate-speech and other norms. It’s a question whether widespread cyber conflict would change this equilibrium of balkanization and state power. For now, each nation wants its own cyber version of itself.” 

Michael Warner, official historian of the U.S. Cyber Command, replied in a measured tone: “Saying we want an open, peaceful Internet while also having offensive cyber capabilities is not necessarily contrasting. We advocate freedom of the seas, but we still have a Navy.”

The quotations from James Mulvenon and Michael Warner are published here by permission. The conference also marked the publication of CCSA's second book, "Cyber Conflict After Stuxnet: Essays from the Other Bank of the Rubicon," by the Council on Foreign Relations' Adam Segal, et al.