After two years of intensive study and research, the Cyber Conflict Studies Association is preparing to release their book-length monograph on “Addressing Cyber Instability.” Last month, the CCSA released an executive summary previewing the work, which is available for download.
The impetus for “Addressing Cyber Instability” is that, though cyberspace has become indispensable and irreplaceable for people, companies, and nations, it remains insecure due to technical and policy challenges. On the technical side, the Internet was not designed with security in mind, and as for policy, the new technology evolves faster than the legal, doctrinal, organizational, and conceptual framework around it. As a result, the CCSA concludes that cyberspace in its current form is inherently insecure and needs to be handled accordingly.
The monograph begins by defining its key terms. Though there are many technical definitions of cyberspace, the most accessible is that “cyberspace is all interconnected information technologies.” The CCSA deals primarily with cyber conflict, which it defines as “the conduct of large scale, politically motivated conflict based on the use of offensive and defensive capabilities to disrupt digital systems, networks, and infrastructure, including the use of cyber-based weapons or tools by non-state/transnational actors in conjunction with other forces for political ends.” This is broader than “cyber war” as it includes the likes of nonstate actors, covert action, and espionage, but excludes cyber crime committed strictly for commercial gain with the exception of economic warfare. The executive summary also lays out the focus of the monograph, which will be strategic rather than tactical or technical, and the five research vectors that the CCSA has been pursuing.
The first vector is strategic level issues. Despite predictions to the contrary, there has not yet been any massive cyber attack, suggesting some level of deterrence may be at play in cyberspace. Yet, according to the CCSA, the offense-defense balance in cyberspace makes deterrence by denial difficult as offense has the clear upper hand. Deterrence by punishment is more feasible but suffers from difficulty in attribution and credibility. It is often difficult to pinpoint an attacker to punish and to establish a credible threat of effective punishment. As a result, the CCSA concludes that deterrence is weak in cyberspace, causing instability.
The second research vector is military and operational. The monograph will explore how military and intelligence doctrine, strategy, and organization has evolved in the United States to deal with cybersecurity challenges. The monograph will also suggest the future direction of this evolution, noting that practitioners and bureaucracies must be agile to adapt to fast-paced threats and that military cyber defense must grow more collaborative and needs sufficient knowledge capture to build on existing lessons and experience.
The third vector will examine nonstate actors in cyberspace. The monograph will explore the role of nonstate actors in cyber conflict and the greater role nonstate actors such as Computer Emergency Readiness Teams and researchers must play in managing future conflicts. The CCSA concludes that there is a pressing need to develop mechanisms which foster defensive collaboration between a wide range of nonstate actors.
The fourth research vector that the monograph addresses is domestic and international law. The CCSA will first explain the current domestic and international frameworks for cyber operations and the growing consensus on legal issues. Implementing these frameworks is hindered, however, by an immaturity in applying legal constructs to malicious activity in cyberspace and more time is needed for norms and customs for behavior to develop.
The last research vector will deal with approaches for mitigating cyber conflict. The CCSA suggests three models for dealing with cyber instability. The first is based on public health and emphasizes useful norms such as hygiene, with practices such as patching vulnerabilities the equivalent of hand washing. The next model is environmental, focusing on cleaning up the cyber environment through legal regimes like those in place to battle pollution. Lastly, irregular warfare can serve as a model for cyber conflict, thought the CCSA is careful to note that this does not mean we are engaged in irregular warfare in cyberspace, merely that we face assymetric forces and irregular tactics.
The executive summary concludes with an overview of the CCSA’s future research agenda and a call to action. Current studies raise many more questions that the Cyber Conflict Studies Association hopes to explore such as balancing intelligence gain and intelligence loss in cyberspace and how norms surrounding cyber conflict can be developed. Having found cyberspace to be inherently unstable, the CCSA urges focusing on resilience in the face of threats and cleaning up the cyber environment to reduce them.