https://orcid.org/0000-0002-8337-7190
ABSTRACT
Cyberspace experiences worrying trends that could have a negative impact on the international strategic landscape. The lack or erosion of norms and risky practices and behaviors could lead to greater uncertainty and thus greater instability. Set against a context of renewed competition between great powers, these developments are also tied to the strategic structure of cyberspace. This forum is devoted to discussing factors leading to stability or and instability.
The impact of the digital domain on the international strategic landscape appears to be experiencing worrying trends. The theft and dissemination of the U.S. National Security Agency’s computer tools (as seen in the case of the EternalBlue exploit used for Wannacry and NotPetya), the global rapid and uncontrolled propagation of malwares exemplifying the systemic risk for cyberstability, the ever-increasing creativity of Russian security bodies in trying to influence perceptions, the tendency to let private actors go on the offensive, and the failure of the round of deliberations of the United Nations (UN) Group of Governmental Experts (GGE) on Information Security in June 2017 are just several examples of current instabilities when it comes to cyber (Douzet, Citation2018).
On the other hand, even rival states seem to refrain from using digital weapons to cause major physical damages to critical infrastructures, thereby eschewing to cross the threshold of war (Valeriano & Maness, Citation2015). The revival of the multilateral discussions on cyber conflict and cybersecurity under the aegis of the UN at the end of 2018 is a case in point. While it testifies to the willingness of governments to continue the dialogue and to reach sets of standards, it also exemplifies their continued mistrust because of two parallel initiatives respectively launched by Russia and the United States (Grisby, Citation2018). Based on the General Assembly Resolution 73/27, the first calls for the creation of an open-ended working group to further develop the norms of the 2015 report of the GGE and to envision regular institutional dialogue under the UN. According to the General Assembly Resolution 73/266, the U.S. initiative calls for the establishment of another GGE to further study norms and confidence-building measures.
These competing perspectives try to make sense of these developments. On the one hand, these developments could be seen as evidence that states are engaged in a learning process and hence that they are adjusting their behaviors and managing their expectations regarding the use of cyberspace in international relations (Kello, Citation2017, pp. 131–132; Valeriano, Jensen, & Maness, Citation2018). On the other hand, they could be a first step toward the disintegration of norms and the worsening of security dilemmas (Segal, Citation2016). Unregulated actions could cause inadvertent escalation, uncontrollable spread of damaging malwares, or the loss of escalation control in case of crisis. What is clear is that these trends potentially result in greater uncertainty about the intentions and behavior of governments, which in turn could lead to greater instability in the international system and in cyberspace itself. This instability is reflected in three dimensions. First, the difficulties of states to regulate cyberspace at the internal and international levels. Second, the strategic uncertainty inherent in the use of the digital domain for political purposes. Finally, the growing and disruptive role of non-state actors in cyberspace-related political dynamics.
Three processes help us to interpret the current developments regarding the future of collective security related to cyberspace. They are firstly tied to the structure of the digital domain. This depends on the vast number and on the diversity of the actors involved (ranging from the government through individuals to corporations and non-state actors). It is thus a strategic space limited by what the actors made of it. Second, these developments are part of the increasing blurring of norms and practices relating to the conventional distinction between war and peace. Finally, they must be understood in the broader context of the challenges to collective security mechanisms and norms that emerged in late- and post-Cold War periods. A broad set of questions arise from this perspective:
What are the dynamics at play in this instability-uncertainty cycle? Since this is as much a matter of technological development as it is of strategic and political practices, a research agenda must be premised on a multi-disciplinary approach and must rely on the articulation of multiple levels of analysis. By improving and refining the study of the processes and logics at work in these dynamics, it becomes possible to construct explanatory and interpretative models.
More specifically, how do emerging practices impact collective security? The first step toward regulating and limiting these practices is to understand the incentives and the political logics underlying the recourse to state-sponsored actors, the development and temptation to hack-back and active defense, the representations embodied in organizations and doctrines, the proliferations of malwares and cyber weapons, and the benefits and limitations of Vulnerabilities Equities Processes.
Since collective security is mainly the realm of governments, with the addition of a growing number of stakeholders in the private sector and in the public sphere, what could be the paths to better and enhance the cooperation between the numerous actors who have a stake in maintaining stability or improving a stable development for the digital domain in a foreseeing future?
Contribution of this forum
This forum includes two articles which focus on the strategic characteristics of cyberspace and try to outline the conceptual and analytical means to better understand the impact of cyberspace on collective security. The article by Leuprecht, Szeman, and Skillicorn (Citation2019) addresses the specificity of offensive cyber operations (OCO) by postulating their qualitative differences with conventional kinetic operations. The ensuing opportunities and constraints produce new strategic frameworks that carry emerging risks for both national security and collective security. As a result, policy makers should take note of these specificities in order to balance between strategic expectations and unintended consequences. The article by Taillat (Citation2019) focuses on cyber conflict as both an analytical and a practical concept. Current debates in the academic and political spheres are further compounded by the divergences at the international level on what constitutes the parameters of cyber conflict, with profound consequences on the ability of states to regulate this dimension of international politics. By thinking about cyber conflict as an evolving process, it becomes possible to understand how and why it poses a challenge to collective security.
Considering the findings of these two articles, future research should focus on three related agendas. First, since private and non-state actors play more than an ancillary role in the cyber conflict, there should be more inquiries to understand and explain their impact on both stability and instability. Initiatives such as Microsoft’s so-called “Digital Geneva Convention” (Smith, Citation2017) and “Cybersecurity Tech Accord” (Smith, Citation2018) or as Siemens’ “Charter of Trust” (Breuer & Webel, Citation2019) remain both a theoretical and a political puzzle to be solved to better assess their prospects for positive impact. While there exists a nascent literature on non-state actors with regards to offensive operations (Kello, Citation2019; Lachow & Grossman, Citation2019; Maurer, Citation2017), researchers should explore their role in promoting stability.
Second, the link between cyber strategies and collective security is just beginning to be explored (Lin & Smeets, Citation2018). The publication of the U.S. National and Department of Defense (DoD) Cyber Strategies in September 2018 has generated debates on their implications for strategic stability, with some concerned about their negative impact on escalation processes, especially with regards to “defend forward” (Borghard, Citation2019; Buchanan, Citation2018; Lyu, Citation2018; Sanger, Citation2018). Discussions should benefit from comparative analyses both of different national strategies and of the links between the declaratory and operational aspects in each of these cases (Healey, Citation2019). Further inquiries should help assess the effects of such practices as public attribution or offensive doctrines and capabilities (Hare, Citation2019).
Third, in addition to non-state actors and governmental strategies and agencies, future research should focus on legal, bureaucratic, and political processes at the international level, especially regarding governance and norms. The literature on Internet governance as a political issue (DeNardis, Citation2014; Mueller, Citation2010, Citation2017) and works on norms entrepreneurship and contestation (Lantis & Bloomberg, Citation2018; Stevens, Citation2012) provide a starting point. Future scholarship could benefit from it to further map the processes and actors in such fora as the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security or as the Global Commission on the stability of cyberspace.
Disclosure statement
No potential conflict of interest was reported by the authors.
Additional information
Notes on contributors
Stéphane Taillat
Stéphane Taillat is Associate Professor of War and Strategic Studies in the Department of International Relations, St Cyr French Army Academy, and a researcher at the Geopolitics of Datasphere (GEODE) Center.
Frédérick Douzet
Frédérick Douzet is Professor of Geopolitics at the French Institute of Geopolitics, University Paris 8 and director of the Geopolitics of the Datasphere (GEODE) Center.
References
- Borghard, E. (2019, March 22). What a U.S. operation against Russian trolls predicts about escalation in cyberspace. War on the Rocks. Retrieved from https://warontherocks.com/2019/03/what-a-u-s-operation-against-russian-trolls-predicts-about-escalation-in-cyberspace/
- Breuer, H., & Webel, S. (2019, February 15). Time for action: Building a consensus for cybersecurity. Pictures of the Future. Retrieved from https://www.siemens.com/innovation/en/home/pictures-of-the-future/digitalization-and-software/cybersecurity-charter-of-trust.html
- Buchanan, B. (2018, September 25). The implications of defending forward in the new Pentagon cyber strategy. Council on Foreign Relations blog. Retrieved from https://www.cfr.org/blog/implications-defending-forward-new-pentagon-cyber-strategy.
- DeNardis, L. (2014). The global war for Internet governance. New Haven, CT: Yale University Press.
- Douzet, F. (2018). Cybersecurity challenges. In H. Meijer & M. Wyss (Eds.), The handbook of Europeans armed forces (pp. 523–542). Oxford: Oxford University Press.
- Grisby, A. (2018, November 15). The United Nations doubled its workload on cyber norms and not everyone is pleased. Council on Foreign Relations blog. Retrieved from: https://www.cfr.org/blog/united-nations-doubles-its-workload-cyber-norms-and-not-everyone-pleased.
- Hare, F. (2019). Precision cyber weapon systems: An important component of a responsible national security strategy? Contemporary Security Policy, 40, 193–213. doi: 10.1080/13523260.2018.1529369
- Healey, J. (2019). The cartwright conjecture: The deterrent value and escalatory risk of fearsome cyber capabilities. In H. Lin & A. Zegart (Eds.), Bytes, bombs and spies. The strategic dimensions of offensive cyber operations (pp. 173–194). Washington, DC: Brookings Institution Press.
- Kello, L. (2017). The virtual weapon and international order. New Haven, CT: Yale University Press.
- Kello, L. (2019). Private sector cyber weapons: An adequate response to the sovereignty gap? In H. Lin & A. Zegart (Eds.), Bytes, bombs and spies. The strategic dimensions of offensive cyber operations (pp. 357–378). Washington, DC: Brookings Institution Press.
- Lachow, I., & Grossman, T. (2019). Cyberwar Inc.: Examining the role of companies in offensive cyber operations. In H. Lin & A. Zegart (Eds.), Bytes, bombs and spies. The strategic dimensions of offensive cyber operations (pp. 379–400). Washington, DC: Brookings Institution Press.
- Lantis, J. S., & Bloomberg, D. J. (2018). Changing the code: Norm contestation and US antipreneurism in cyberspace. International Relations, 32, 149–172. doi: 10.1177/0047117818763006
- Leuprecht, Ch., Szeman, J., & Skillicorn D. B. (2019). The damoclean sword of offensive cyber: Policy uncertainty and collective insecurity in hybrid operations. Contemporary Security Policy, 40, 382–407. doi: 10.1080/13523260.2019.1590960
- Lin, H., & Smeets, M. (2018, November 28). An outcome-based analysis of U.S. cyber strategy of persistence & defend forward. Lawfare. Retrieved from https://www.lawfareblog.com/outcome-based-analysis-us-cyber-strategy-persistence-defend-forward.
- Lyu, J. (2018, October 19). A Chinese perspective on the Pentagon’s cyber strategy: From “active cyber defense” to “defend forward”. Lawfare. Retrieved from https://www.lawfareblog.com/chinese-perspective-pentagons-cyber-strategy-active-cyber-defense-defending-forward.
- Maurer, T. (2017). Cyber mercenaries. The state, hackers and power. Cambridge: Cambridge University Press.
- Mueller, M. (2010). Networks and states: The global politics of Internet governance. Cambridge, MA: The MIT Press.
- Mueller, M. (2017). Will the Internet fragment? Sovereignty, globalization and cyberspace. Cambridge: Polity Press.
- Sanger, D. (2018, June 17). Pentagon puts cyberwarriors on the offensive, increasing the risk of conflict. The New-York Times. Retrieved from https://www.nytimes.com/2018/06/17/us/politics/cyber-command-trump.html.
- Segal, A. (2016). The hacked world order. How nations fight, trade, maneuver and manipulate in the digital age. New York, NY: PublicAffairs.
- Smith, B. (2017, February 14). The need for a digital geneva convention. Microsoft on the issues. Retrieved from https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/.
- Smith, B. (2018, April 17). 34 companies stand up for cybersecurity with a tech accord. Microsoft on the issues. Retrieved from https://blogs.microsoft.com/on-the-issues/2018/04/17/34-companies-stand-up-for-cybersecurity-with-a-tech-accord/.
- Stevens, T. (2012). A cyberwar of ideas? Deterrence and norms in cyberspace. Contemporary Security Policy, 33, 148–170. doi: 10.1080/13523260.2012.659597
- Taillat, S. (2019). Disrupt and restraint: The evolution of cyber conflict and the implications for collective security. Contemporary Security Policy, 40, 368–381. doi: 10.1080/13523260.2019.1581458
- Valeriano, B., Jensen, B., & Maness, R. (2018). Cyber strategy. The evolving character of power and coercion. Oxford: Oxford University Press.
- Valeriano, B., & Maness, R. (2015). Cyber war versus cyber realities. Cyber conflict in the international system. Oxford: Oxford University Press.