1 Introduction
The cyber war long promised by pundits has yet to arrive, failing to match the dramatic predictions of destruction many have been awaiting. Despite fears that digital death is on the horizon (Clarke & Knake, Reference Clarke and Knake2014), the international community has seen little evidence. While cyber operations have been used in concert with conventional military strikes from Ukraine (Kostyuk & Zhukov, Reference Kostyuk and Zhukov2019) to operations against the Islamic State (Martelle, Reference Martelle2018), they have focused more on intelligence collection than shaping direct interdiction. Worst-case scenario nuclear-grade cyberattacks (Straub, Reference Straub2019) are unlikely and counterintuitive to the logic of cyber action in the international system (Borghard & Lonergan, Reference Borghard and Lonergan2017) where most operations to date tend to reflect political warfare optimized for digital technology, and deniable operations below the threshold of armed conflict (Jensen, Reference Jensen2017; Valeriano et al., Reference Valeriano, Jensen and Maness2018).
Decades of research in the field of cybersecurity have laid bare two findings so far: (1) We have failed to witness the death and destruction (Rid, Reference Rid2020; Valeriano & Maness, Reference Valeriano and Maness2015) that early prognosticators predicted and (2) digital conflict is typically not a path toward escalation in the international system (Valeriano et al., Reference Valeriano, Jensen and Maness2018). Based on survey experiments, when respondents were put in a situation where they had to respond to a militarized crisis using a wide range of flexible response options, more often than not cyber response options were chosen to de-escalate conflicts (Jensen & Valeriano, Reference Jensen and Valeriano2019a, Reference Jensen and Valeriano2019b).
Beyond their raw potential, emergent capabilities like cyber operations are just one among many factors that shape the course of strategic bargaining (Schneider, Reference Schneider2019). New technologies often lead more to questions of resolve and human psychology than objective power calculations about uncertain weapons. The uncertainty introduced by new strategic options, often called exquisite capabilities and offsets, can push states toward restraint rather than war. While these capabilities can certainly lead to dangerous arms races and future risks (Craig & Valeriano, Reference Craig and Valeriano2016), they tend to play less of an escalatory role in more immediate crisis bargaining. This finding follows work on nuclear coercion in which even nuclear weapons often fail to alter calculations during crises, or have little effect on the overall probability of a crisis (Beardsley & Asal, Reference Beardsley and Asal2009a, Reference Beardsley and Asal2009b; Sechser & Fuhrmann, Reference Sechser and Fuhrmann2017).
How do cyber security scholars explain the evident restraint observed in the cyber domain since its inception (Valeriano & Maness, Reference Valeriano and Maness2015)? Why have the most powerful states, even when confronted with conventional war, avoided cyber operations with physical consequences? Is it fear or uncertainty that drives the strategic calculus away from escalation during cyber conflicts?
In this chapter, we unpack the strategic logic of interactions during a crisis involving cyber capable actors. We outline the limits of coercion with cyber options for nation-states. After proposing a theory of cyber crisis bargaining, we explore evidence for associated propositions from survey experiments linked to crisis simulations, and a case study of the US-Iranian militarized dispute in the summer of 2019.
2 Toward Cyber Peace and Stability
We are now a field in search of a theory, a theory of cyber peace that explains why cyber capabilities and digital technology offer stabilizing paths in the midst of crisis interactions (Valeriano & Maness, Reference Valeriano and Maness2015). When we refer to cyber peace, we do not mean the absence of all conflict or positive peace (Roff, Reference Roff2016), what we have in mind is rather a more measured statement that, while cyber conflicts continue to proliferate, their severity and impact will remain relatively minor (Valeriano & Maness, Reference Valeriano and Maness2015; Valeriano et al., Reference Valeriano, Jensen and Maness2018). This vision of negative peace assumes that violence will continue in the system, but we offer the perspective that during strategic bargaining, cyber options may provide a path toward de-escalation. Cyber operations have the potential to stabilize crisis interactions between rival states. This finding is especially important given that most state-based cyber antagonists are also nuclear armed states (Pytlak & Mitchell, Reference Pytlak, Mitchell, Fris and Ringsmose2016).
On the road to war a state faces many choices regarding the utilization of force and coercion (Schelling, Reference Schelling1960, Reference Schelling1966). Seeking to compel an adversary to back down, a state attempts to display credibility, capability, and resolve (Huth, Reference Huth1999). To avoid outright conflict, a state can dampen the crisis by making moves that avoid conflict spirals. Much akin to the logic of tit-for-tat struggles of reciprocity (Axelrod & Hamilton, Reference Axelrod and Hamilton1981), evidence suggests that actors may choose digital operations to proportionally respond to aggression.
Here we explore the role of cyber operations in producing crisis off-ramps that can stabilize interactions between rival states. That is, during a crisis a state actor is faced with response options to either escalate the conflict, deter further violence, de-escalate the situation, or do nothing. This choice is especially acute during interactions with rivals where tensions are higher. A cyber off-ramp is a strategic choice to either respond in kind, or to de-escalate during a crisis by launching a cyber operation that helps a state set favorable bargaining conditions without losing a significant strategic advantage. By demonstrating weak signals and commitment to the issue at stake, crisis actors can seek to leverage information effects to forestall further escalation.
Cyber operations are not clear paths to peace, but in the context of more dramatic options digital technologies can lead us down a road away from war. During crisis situations, digital technologies can push states away from the brink of escalation by mitigating risks and revealing information to adversaries that helps to manage escalation risks.
3 When Do Crises Escalate?
There is well-established literature on international crises and escalation dynamics, that grew out of the Cold War, which analyzes great power competition as a bargaining process (Schelling, Reference Schelling1958, Reference Schelling2020; Fearon, Reference Fearon1995; Powell, Reference Powell2002). Conflict as a process is the result of a strategic interactions in which participants attempt to gain an advantage short of the costly gamble of war (Fearon, Reference Fearon1995). During a crisis, each side attempts to signal its capabilities and resolve to the other through deploying military forces, conducting a show of force, making credible threats, and leveraging nonmilitary instruments of power like sanctions and diplomatic demarches.
In this delicate dance, most leaders look to preserve their flexibility to manage escalation risks against the probability of achieving their political objectives. Work on international crises and militarized disputes illustrates this posture through a demonstrated preference for reciprocation strategies in which states adopt a proportional response to threats as a means of maximizing their position short of escalation (Axelrod & Hamilton, Reference Axelrod and Hamilton1981; Braithwaite & Lemke, Reference Braithwaite and Lemke2011).
Yet, the uncertainty and pressure of a crisis, along with preexisting factors shaping strategic preferences, can pull statesmen away from prudence to the brink of war. States that are rivals are prone to arms races and place a high premium on gaining an advantage in a crisis increasing the probability of escalation (Vasquez, Reference Vasquez1993; Sample, Reference Sample1997; Valeriano, Reference Valeriano2013). Territorial disputes tend to be particularly intractable and prone to escalation, especially when there is a recurring history of disputes (Vasquez & Henehan, Reference Vasquez and Henehan2010; Toft, Reference Toft2014; Hensel & Mitchell, Reference Hensel and Mitchell2017).
Misperception looms large, causing signals to be misinterpreted (Jervis, Reference Jervis2017). Shifts in military capabilities can trigger different risk appetites as the offense–defense balance shifts (Jervis, Reference Jervis1978). There is an open debate about the extent to which espionage and subterfuge in cyberspace alters the security dilemma (Buchanan, Reference Buchanan2016). Some work argues that cyber is the perfect weapon and will redefine warfare (Kello, Reference Kello2017), while other assessments contend it creates a new stability–instability paradox (Lindsay & Gartzke, Reference Lindsay, Gartzke, Greenhill and Krause2018). Rather than increasing the risk of escalation, cyber operations could act as a crisis management mechanism allowing decision makers to make sharp distinctions between the physical and digital worlds and build active defenses on networks (Libicki, Reference Libicki2012; Jensen & Valeriano, Reference Jensen and Valeriano2019a; Valeriano & Jensen, Reference Valeriano and Jensen2019).
4 The Logic of Cyber Off-Ramps
This chapter helps develop a midrange theory hypothesizing that cyber operations are a possible mechanism for helping states manage crises in a connected world.
First, in crisis settings between rival states cyber operations are best thought of as a coercive capability (Borghard & Lonergan, Reference Borghard and Lonergan2017). In addition to their value in intelligence operations (Rovner, Reference Rovner2019), they allow states to disrupt and degrade rival networks.
As instruments of coercion, cyber operations tend to produce fleeting and limited effects, best characterized as ambiguous signals (Valeriano et al., Reference Valeriano, Jensen and Maness2018). Ambiguous signals are “covert attempts to demonstrate resolve that rely on sinking costs and raising risks to shape rival behavior” (Valeriano et al., Reference Valeriano, Jensen and Maness2018, p. 13). States engage in covert communication, probing each other during a crisis (Carson, Reference Carson2020). The benefit of cyber operations is that they are a weak signal that can be denied, preserving bargaining space while still demonstrating a willingness to act. This makes cyber operations a low cost, low payoff means of responding early in a crisis.
Second, experimental studies show that the public tends to treat cyber operations different than they do other domains. There are also key threshold dynamics associated with cyber operations. In a recent study, Kreps and Schneider (Reference Kreps and Schneider2019) found that “Americans are less likely to support retaliation with force when the scenario involves a cyberattack even when they perceive the magnitude of attacks across domains to be comparable.” For this reason, cyber operations offer a means of responding to a crisis less likely to incur domestic audience costs that could push leaders to escalate beyond their risk threshold.
Avoiding escalation is especially appealing since there are indications that most twenty-first century great powers maintain a public aversion to casualties. Even authoritarian regimes limit reporting and use a mix of private–military companies and proxies to hide the true cost of war from their citizens (Reynolds, Reference Reynolds2019). Given this emerging dynamic, cyber operations offer states a means of responding to a crisis without triggering direct, immediate human costs that can often lead to an emotional, as opposed to a rational, conflict spiral. Cyber operations help states manage thresholds in crisis interactions.
Third, and less explored by the cyber security literature to date, cyber operations are defined by unique substitutability dynamics. To say cyber operations are subject to substitution effects implies that states evaluate the trade-offs inherent in using cyber instruments when signaling another state.
In economics, there is a long history of using marginal analysis (Marshall, Reference Marshall1890; Krugman et al., Reference Krugman, Robin and Olney2008) to evaluate trade-offs in production and consumption. In microeconomics, the marginal rate of substitution is the extent to which a consumer will give up one good or service in exchange for another (Krugman & Wells, Reference Krugman and Wells2008). The two goods or services, even courses of action, can be perfect substitutes, in which case they are interchangeable, or imperfect substitutes – in which case the indifference curve shifts. Furthermore, there is a distinction between within-group and crosscategory substitution in economics and psychological studies of consumer choice (Huh et al., Reference Huh, Vosgerau and Morewedge2016). There is also a long history of work on foreign policy substitutability in international relations (Most & Starr, Reference Most and Starr1983; Starr, Reference Starr2000; Most & Starr, Reference Most and Starr2015). This research maps out when similar acts, as substitutes, trigger different (Palmer & Bhandari, Reference Palmer and Bhandari2000) or similar foreign policy outcomes (Milner & Tingley, Reference Milner and Tingley2011).
Applied to contemporary escalation and foreign policy, contemporary leaders evaluate whether to substitute a cyber effect for a more conventional instrument of power. We propose that there are unique substitutability dynamics involved with selecting cyber operations during strategic bargaining episodes. If cyber operations are not efficient substitutes, then they require an increased number or complements. To the extent that cyber operations are an imperfect substitute, a state would have to use more cyber effects to compel an adversary than, for example, traditional diplomatic demarches or threats of military action. The central question for decision makers thus concerns the ideal typical crosselasticity of demand for cyber operations.
We theorize that cyber operations are subject to certain characteristics that make them weak substitutes, and better thought of as complements. In microeconomics, a complement implies the use of one good or service that requires the use of another complementary good or service. If you use a printer, you are going to need a constant supply of toner and paper. With respect to cyber operations, it means that, as shaping mechanisms, they will tend to be paired with at least one more instrument of power to compensate for their weak substitutability as an ambiguous signal subject to threshold effects. This logic follows earlier findings that states will tend to use cyber operations in conjunction with other instruments of power that include both positive and negative inducements (Valeriano et al., Reference Valeriano, Jensen and Maness2018).
Two additional dynamics alter the elasticity of demand for cyber effects in crisis bargaining. First, the elasticity of demand is skewed by the dual-use dynamic of cyber operations. Cyber operations tend to be a use and lose capability limiting when states will risk employing high-end capabilities (Jensen & Work, Reference Jensen and Work2018). Leaders who have cyber probes spying on adversary systems worry about sacrificing their digital scouts for fleeting attack opportunities, a calculation known in US Joint doctrine as intelligence gain/loss.Footnote 1 They also worry about burning capabilities by exposing their operations. Many cyber capabilities can be both intelligence and tools of subterfuge simultaneously. A tool kit used to access a rival states computer networks and extract information can also be used to deliver malicious code.
Back to the concept of substitution, this dynamic means that states must pay information costs to burn access and deliver their payload. Once you attempt to achieve an effect beyond espionage, one increases the risk that the rival state knows you are accessing their networks. Information costs and the opportunity cost of future intelligence lost to achieve a cyber effect skew elasticity and lowers escalation risks. When a state does employ cyber capabilities to respond to a crisis scenario, they will prefer lower end capabilities to reduce information costs. There are unlikely to employ more exquisite tools to achieve a cyber fait accompli that produces an escalation spiral. More importantly, they will look for specific conditions to use cyber substitutes, such as when a rival state has less cyber capability and thus reduces information costs associated with burning a digital spy.
Second, the elasticity of demand is further skewed by a second category of information cost, the shadow of the future (Axelrod, Reference Axelrod1984; Axelrod & Keohane, Reference Axelrod and Keohane1985). States like the United States have more than one rival, and even when a state has a single rival they expect to interact with them in the future. Therefore, burning a tool or tool kit in the present risks losing that capability relative to either another rival in the present or a target state in the future. This compounds the information costs that skew the indifference curve. As a result, cyber operations will tend to be used as complements, combined with other instruments of power to increase the expected marginal effect. They can be used as substitutes, but only under conditions where states assess a lower likelihood of paying additional information costs associated with the dual-use dimension and shadow of the future. On its own, the extent to which a cyber operation is substitutable could trigger a security dilemma (Herz, Reference Herz1950; Glaser, Reference Glaser1997; Booth & Wheeler, Reference Booth and Wheeler2007).Footnote 2 Yet, the substitution of cyber capabilities occurs in a larger context defined by ambiguous signals and threshold effects that dampen escalation risks. These properties help states escape the security dilemma and view cyberattacks as less escalatory than conventional military operations. In the end, cyber capabilities are weak substitutes and will be used more as complements to manage escalation outside of narrow conditions.
Taken together, the above logic of weak coercive potential, thresholds, and substitution effects produces the following three hypotheses.
H1. Cyber operations are not escalation prone.
Observations from cases and survey experiments should demonstrate that when cyber capabilities are present they are not associated with increased escalation. The null hypothesis is that cyber operations are associated with escalation spirals. The hypothesis is better evaluated through large-N methods associated with either past, observed cyber incidents or survey experiments examining escalation preferences when compared actively to the use of other instruments of power. Case studies would show more the process and sequence associated with using cyber operations. One would expect to see cyber instruments used to check escalation as a weak, proportional alternative before crossing into higher thresholds.
H2. Cyber operations are more likely to be used as complements when states consider escalating a crisis.
Due of their weak substitutability, cyber operations will tend to complement other instruments of power. There are inherent cross-domain effects associated with modern crisis management (Gartzke & Lindsay, Reference Gartzke and Lindsay2019). When examining survey experiments on crisis decision making involving selecting between cyber and noncyber response options, there should more instances of combining cyber effects with other instruments of power. The null hypothesis would be that there is no relationship between cyber escalation and using multiple instruments of power.
H3. Cyber operations are more likely to be used as substitutes for other measures of power when there are no indications of rival cyber activity.
Since cyber operations tend to be weak substitutes, due to information costs and the elasticity of demand, there should be narrow scope conditions that shape when and how they are used in place for more traditional instruments of power. The state will want to minimize the shadow of the future and avoid losing the inherent value of cyber capabilities that are unknown to the adversary. This dynamic implies that in survey experiments one would expect to see a higher percentage use of cyber tools in treatments where there are no indications the adversary is using cyber operations. This initial indication helps respondents gauge the substitutability costs and inherent trade-offs of using cyber capabilities.
5 Hope amongst Fear: Initial Evidence
5.1 Research Design
Demonstrating that cyber operations can serve as crisis off-ramps and represent a common strategic choice to respond proportionally during crisis interactions can be a difficult proposition. The goal is to find evidence, under a controlled setting, when a state will have to make a choice between an option that might cause significant damage, an option that will cause little or no harm, the option of doing nothing, and the ability to wage a cyber operation against the opposition.
We propose two methods to investigate our propositions, a theory-guided case study investigation and a survey experiment using crisis simulations and wargames. Once the plausibility of our propositions is determined, we can follow-up our examinations with further support and evidence through follow on experiments. This is not a simple process and we only begin our undertaking here.
The case study presented here represents a theory-guided investigation according to Levy’s (Reference Levy2008) typology. These case studies are “structured by a well-developed conceptual framework that focuses attention on some theoretically specified aspects of reality and neglects others” (Levy, Reference Levy2008, p. 4). In these cases, we cannot rule out other theoretical propositions for the cause of de-escalation, but can demonstrate the process of how cyber activities provide for off-ramps on the road to conflict.
Such case studies can also serve as plausibility probes. According to Eckstein (Reference Eckstein, Greenstein and Polsby1975, p. 108), plausibility probes “involve attempts to determine whether potential validity may reasonably be considered great enough to warrant the pains and costs of testing.” We can only pinpoint the impact of a cyber operation as a choice and examine the outcome – de-escalation during a case study investigation.
Case studies are useful, but do not provide controlled situations where there are clear options and trade-offs for leadership. It might be that a cyber option was decided before the crisis was triggered, or that a cyber option in retaliation was never presented to the leader. Here, we will use a short case study to tell the story of how a cyber operation was chosen and why it represented a limited strike meant to de-escalate a conflict, but will pair this analysis with an escalation simulation.
Deeper investigations through proper controlled settings can be done through experimental studies. In this case, experimental wargames where a group of actors playing a role must make choices when presented with various options. Our other option is survey experiments to demonstrate the wider generalizability of our findings, but such undertakings are costly and time intensive.
Experiments are increasingly used in political science to evaluate decision making in terms of attitudes and preferences (Hyde, Reference Hyde2015; Sniderman, Reference Sniderman2018). While there are challenges associated with external validity and ensuring that the participants reflect the elites under investigation, experiments offer a rigorous means of evaluating foreign policy decision making (Renshon, Reference Renshon2015; Dunning, Reference Dunning2016). For the experiment below, we employ a basic 2 × 2 factoral design.
5.2 Wargames as Experiments
To date, research on cyber operations have focused either on crucial case studies (Lindsay, Reference Lindsay2013; Slayton, Reference Slayton2017), historical overviews (Healey & Grindal, Reference Healey and Grindal2013; Kaplan, Reference Kaplan2016), and quantitative analysis (Valeriano & Maness, Reference Valeriano and Maness2014; Kostyuk & Zhukov, Reference Kostyuk and Zhukov2019; Kreps & Schneider, Reference Kreps and Schneider2019). Recently, researchers have expanded these techniques to include wargames and simulations analyzed as experiments.
There is a burgeoning literature on the utility of wargames and simulations for academic research. Core perspectives generally define the purpose and utility of wargames, failing to include the wider social science implications of new methodologies defaulting toward the perspective that war-gaming is an art (Perla, Reference Perla1990; Van Creveld, Reference Van Creveld2013). More recently, there has been an increasing amount of research offering a social science perspective on war-gaming as a research methodology (Schneider, Reference Schneider2017; Pauly, Reference Pauly2018; Jensen and Valeriano, Reference Jensen and Valeriano2019a, Reference Jensen and Valeriano2019b). The perspective that wargames can add to our knowledge about crisis bargaining under novel technological settings is one we follow herein (Reddie et al., Reference Reddie, Goldblum, Lakkaraju, Reinhardt, Nacht and Epifanovskaya2018; Lin-Greenberg et al., Reference Lin-Greenberg, Pauly and Schneider2020).
To evaluate the utility of cyber operations in a crisis, the researchers used a conjoint experiment linked to a tabletop exercise recreating national security decision making. Small teams were given packets that resembled briefing materials from US National Security Council (NSC) level deliberations based on guidance from NSC staffers from multiple prior administrations. The packets outlined an emerging crisis between two nucleararmed states: Green and Purple. The graphics and descriptions tried to obscure the crisis from current states, such as China and the United States. The respondents were asked to nominate a response to the crisis, selecting from a range of choices capturing different response options using diplomatic, information, military, and economic instruments of power. Each instrument of power had a scalable threshold of options, from de-escalatory to escalatory. This range acted as a forced Likert scale. Figure 4.1 shows a sample page from the respondent packets outlining the road to crisis and balance of military capabilities.
Figure 4.1 Diagram from Wargame Simulation.
The packets were distributed to a diverse, international sample of 400 respondents in live session interactions. In the terms of the types of respondents who participated, 213 were students in advanced IR/political science classes, indicative of individuals likely to pursue a career in foreign policy, 100 were members of the military with the most common rank being major (midcareer), 40 were members of a government involved with foreign policy decision-making positions, 19 were involved with major international businesses, and 13 opted not to disclose their occupation, while 15 left it blank. Of these respondents there were 267 male respondents, 110 female respondents, and 4 who preferred not to say, while 19 opted to leave it blank.Footnote 3 With respect to citizenship, 295 respondents were US citizens, 87 were non-US citizens, and 4 preferred not to say, while 14 left their response blank.Footnote 4
These participants were randomly assigned to one of four treatment groups:
Scenario 1. A state with cyber response options (cyber resp) that thinks the crisis involves rival state cyber effects (cyber trig);
Scenario 2. A state with no cyber response options (no cyber resp) that thinks the crisis involves rival state cyber effects (cyber trig);
Scenario 3. A state with cyber response options (cyber resp) that thinks the crisis does not involve rival state cyber effects (no cyber trig); and
Scenario 4. A state with no cyber response options (no cyber resp) that thinks the crisis does not involve rival state cyber effects.
These treatments allowed the researchers to isolate cyber response options and assumptions about the role of rival state cyber effects in the crisis. These treatment groups are listed in Table 4.1.
Table 4.1 Treatment groups
Treatment | Number | ||
|---|---|---|---|
1. | Cyber Response Options (Yes) | Assumed Rival Cyber Activity (Yes) | 100 |
2. | Cyber Response Options (No) | Assumed Rival Cyber Activity (Yes) | 100 |
3. | Cyber Response Options (Yes) | Assumed Rival Cyber Activity (No) | 100 |
4. | Cyber Response Options (No) | Assumed Rival Cyber Activity (No) | 100 |
N = 400.
To measure escalation effects associated with cyber capabilities (H1), the survey experiment examined participant response preferences using the respondent initial preference (RESP) variable. This variable asked the survey respondents to indicate their initial reaction and preferred response to the crisis as de-escalate (1), adopt a proportional response (2), escalate (3), or unknown at this time (4). Coding along these lines allowed the researchers to factor in uncertainty and capture if there were any differences between what the survey respondents wanted to do initially, and what they selected to do after reviewing approved response options across multiple instruments of power. Furthermore, as a 2 × 2 experiment focused on attitudes and preferences, the RESP variable helped the team determine if the four different treatments altered the decision to escalate as a cognitive process, and how each participate viewed their options given limited information in a rivalry context. The results are shown in the contingency table (Table 4.2 and Figure 4.2).
Table 4.2 Contingency results by treatment
Treatments | Total | ||||||
|---|---|---|---|---|---|---|---|
Cyber Trig Cyber Resp | Cyber Trig No Cyber Resp | No Cyber Trig Cyber Resp | No Cyber Trig No Cyber Resp | ||||
RESP | De-escalate | Count | 41 | 44 | 57 | 28 | 170 |
Expected Count | 42.5 | 42.5 | 42.5 | 42.5 | 170.0 | ||
% within RESP | 24.1 | 25.9 | 33.5 | 16.5 | 100.0 | ||
% within SCENARIO | 41.0 | 44.0 | 57.0 | 28.0 | 42.5 | ||
% of Total | 10.3 | 11.0 | 14.2 | 7.0 | 42.5 | ||
Standardized Residual | −.2 | .2 | **2.2 | **−2.2 | |||
Proportional | Count | 51 | 46 | 35 | 67 | 199 | |
Expected Count | 49.8 | 49.8 | 49.8 | 49.8 | 199.0 | ||
% within RESP | 25.6 | 23.1 | 17.6 | 33.7 | 100.0 | ||
% within SCENARIO | 51.0 | 46.0 | 35.0 | 67.0 | 49.8 | ||
% of Total | 12.8 | 11.5 | 8.8 | 16.8 | 49.8 | ||
Standardized Residual | .2 | −.5 | **−2.1 | **2.4 | |||
Escalate | Count | 5 | 3 | 7 | 5 | 20 | |
Expected Count | 5.0 | 5.0 | 5.0 | 5.0 | 20.0 | ||
% within RESP | 25.0 | 15.0 | 35.0 | 25.0 | 100.0 | ||
% within SCENARIO | 5.0 | 3.0 | 7.0 | 5.0 | 5.0 | ||
% of Total | 1.3 | 0.8 | 1.8 | 1.3 | 5.0 | ||
Standardized Residual | .0 | −.9 | .9 | .0 | |||
Count | 3 | 7 | 1 | 0 | 11 | ||
Expected Count | 2.8 | 2.8 | 2.8 | 2.8 | 11.0 | ||
% within RESP | 27.3 | 63.6 | 9.1 | 0.0 | 100.0 | ||
% within SCENARIO | 3.0 | 7.0 | 1.0 | 0.0 | 2.8 | ||
% of Total | 0.8 | 1.8 | 0.3 | 0.0 | 2.8 | ||
Standardized Residual | .2 | **2.6 | –1.1 | –1.7 | |||
Total | Count | 100 | 100 | 100 | 100 | 400 | |
Expected Count | 100.0 | 100.0 | 100.0 | 100.0 | 400.0 | ||
% within RESP | 25.0 | 25.0 | 25.0 | 25.0 | 100.0 | ||
% within SCENARIO | 100.0 | 100.0 | 100.0 | 100.0 | 100.0 | ||
% of Total | 25.0 | 25.0 | 25.0 | 25.0 | 100.0 | ||
X2 = 32.723, p < .000 (two-sided), ** = standardized residual is ±1.966.
Figure 4.2 Response preferences from wargame simulation.
Escalation was generally low with only twenty respondents preferring escalation. When they did opt to escalate, neither the presence of cyber response options nor the adversary use of cyber seemed to affect their response preference. Alternatively, when states had cyber response options and there were no signs of rival state cyber effects, participants opted to de-escalate (57) more than expected (47.5). The results were inverse when states were in a crisis that lacked cyber options and adversary cyber effects (treatment 4). Here there were less observed preferences to de-escalate (28) than expected (42.5) and more instances of proportional responses (67) than expected (49.8). The results also lend themselves to categorical variable tests for association using the phi coefficient (Sheskin, Reference Sheskin2020). The phi coefficient is 0 when there is no association and 1 when there is perfect association. The value is .286 indicating a weak but significant relationship between the treatment group and escalation preferences consistent with the hypothesis. Cyber options were not associated with escalation and were, in fact, linked to preferences for de-escalation.
A second measure of escalation allows the team to differentiate between the RESP and the overall degree of potential escalation based on the instruments of power selected. This measure is less effective since it does not capture the attitude and preference as a cognitive process in line with best practices in experiments, but does allow the researchers to further triangulate their findings. The researchers created a variable odds of escalation (OES) and average odds of escalation (OESAAVG). OES is a summation and adds the escalation scores from across the actual response options selected. OESAAVG is a binary variable coded 1 if the OES score is over the average and 0 if it is under the average (Table 4.3). OESAAVG allows the researchers to look across the treatments and see if there are differences when cyber response options are present and absent.
Table 4.3 Expected count of escalation events
SCENARIO | Total | ||||||
|---|---|---|---|---|---|---|---|
1 | 2 | 3 | 4 | ||||
OESAAVG | 0 | Count | 71 | 52 | 70 | 59 | 252 |
Expected Count | 63.0 | 63.0 | 63.0 | 63.0 | 252.0 | ||
Standardized Residual | 1.0 | −1.4 | .9 | −.5 | |||
1 | Count | 29 | 48 | 30 | 41 | 148 | |
Expected Count | 37.0 | 37.0 | 37.0 | 37.0 | 148.0 | ||
Standardized Residual | −1.3 | 1.8 | −1.2 | .7 | |||
Total | Count | 100 | 100 | 100 | 100 | 400 | |
Expected Count | 100.0 | 100.0 | 100.0 | 100.0 | 400.0 | ||
X2 = 10.725, p < .013 (two-sided), ** = standardized residual is ±1.96.
The results cast further doubt on cyber operations as being escalatory. Both treatments 1 and 3 had less combined instruments of power above the average coercive potential (29, 30) than expected (37, 37). Of particular interest, when states had cyber response options and escalated, the magnitude tended to be less with treatment 1 seeing 29 instances of above average coercive potential versus 37 expected (−1.3 standardized residual) and treatment 3 seeing 30 instances versus 37 expected (−1.2 standardized residuals). These contrast with treatment 2 where there is a cyber trigger and no cyber response options available. Here there were 48 instances of above average coercive potential versus 37 expected (1.8 standardized residual). Cyber appears to have a moderating influence on how participants responded to the crisis.
Turning to the second hypothesis, to measure complementary effects associated with the survey experiment, the researchers examined how participants combined instruments of power. Participants were allowed to recommend three response options to the crisis. These response options were organized by instruments of power on the aforementioned Likert scale. Each instrument had six options. In treatments where participants had cyber response options, six additional options were added each with an equivalent level of escalation. This gave participants a total of twelve responses in cyber treatments. Since the packets involved four instruments of power (diplomatic, information, military, economic), participants had a total of 24 response options in noncyber treatments (treatments 2, 4) and 48 in cyber response treatments (1, 3). Participants could choose three response options all in one instrument of power, or spread them across multiple instruments of power. Table 4.4 shows the number of response options selected for each instrument of power across the treatments below. There were no statistically significant differences across the treatments with respect to the distribution of the responses.
Table 4.4 Treatment groups and instrument of power response preferences
Treatment | Diplomatic | Information | Military | Economic |
|---|---|---|---|---|
1 | 80 | 88 | 57 | 53 |
2 | 81 | 84 | 54 | 67 |
3 | 70 | 85 | 77 | 50 |
4 | 71 | 86 | 60 | 62 |
X2 = 12, p < .213 (two-sided).
In each survey experiment, the researchers used this information to create a variable called COMB (combined) that measured the number of instruments of power a respondent used. This number ranged from one to three. Since the survey experiments asked participants to select three options, they could either select three options from any one instrument of power or employ up to three combined instruments of power. To confirm the second hypothesis, one would need to see a higher than expected instances of combining instruments of power comparing conventional versus cyber escalation preferences.
To evaluate hypothesis two along these lines, the researcher separated treatments 2 and 4 and 1 and 3 to compare escalation preferences and combined instruments of power. In Table 4.5, the conventional escalation column shows how many times respondents used 1, 2, or 3 instruments of power, differentiating between treatments that saw escalation and no escalation.Footnote 5
Table 4.5 Conventional versus cyber escalation
Conventional Escalation | Cyber Escalation | |||
|---|---|---|---|---|
Inst Power | No Escalation | Escalation | No Escalation | Cyber Escalation |
1 | +0(.5) | +1(.5) | 6(6.4) | +1(.6) |
2 | 18(16.8) | 15(16.2) | 19(23.8) | **7(2.2) |
3 | 84(84.7) | 82(81.7) | 158(152.8) | 9(14.2) |
X2 = 1.217, p < .544 (two-sided) N = 200 (Treatments 2, 4) | X2 = 13.726, p < .005 (two-sided) N = 200 (Treatments 1, 3) | |||
** = standardized residual > 1.96.
+ = count is less than 5 (cannot evaluate).
Third, to evaluate substitution, the researchers compare percentages. There should be a higher rate of substitution, measured as using a cyber option, in treatment 3 than in treatment 1. In treatment 3, participants have no evidence the rival state is using cyber capabilities thus making them more likely to substitute cyber effects due to the lower, implied information costs. A respondent would look at the situation and see more utility in using cyber because no adversary cyber effects are present. Alternatively, when adversary cyber effects are present, participants will assess higher information costs. They will be more concerned about adversaries being able to mitigate the expected benefit of any cyber response (Table 4.6).
Table 4.6 Coercive potential
Treatment | Escalation | Escalation Involved Cyber |
|---|---|---|
1 | 35 | 6 (17.14%) |
2 | 50 | NA |
3 | 21 | 11 (52.38%) |
4 | 48 | NA |
N = 400.
As predicted, there was more observed substitution in treatment 3, as opposed to treatment 1. In treatment 3, 52.38% of the response options selected (i.e., coercive potential) involved cyber equivalents compared with 17.14% for treatment 1. Because there were no indications of adversary cyber capabilities in this treatment, participants likely perceived a cross-domain advantage, hence less information costs. This alters the hypothetical elasticity of demand making cyber a more perfect substitute. Table 4.7 breaks out the substitution further.
Table 4.7 Coercive potential and cyber substitution
Treatment | Diplomatic | Information | Military | Economic |
|---|---|---|---|---|
1 | 20(3) | 10(4) | 12(1) | 7(1) |
3 | 10(5) | 7(5) | 14(7) | 4(2) |
N = 2,000.
In treatment 1, cyber responses were substituted at a higher rate for information effects (40%) than other instruments of power. Three of the four substitutions involved the option to “burn older exploits in adversary systems disrupting their network operations in order to signal escalation risks.”
In treatment 3, cyber responses were heavily used to substitute for conventional responses over 50% of the time. The most common military substitution (4/7) involved opting to “compromise data of individual members of the military to include identify theft, fraud, or direct social media messaging.” This option substituted for the conventional response: “Conduct a public show of force with air and naval assets challenging known defense zones and testing adversary response.” Participates opted for information warfare, or more conventional displays of military force. The most common information substitution remained burning “older exploits in adversary systems disrupting their network operations in order to signal escalation risks.” The most common diplomatic substitution in the packet was “use spear phishing, waterholing, and other methods to expose sensitive political information.” Again, information warfare was a substitute for more conventional forms of coercion when the adversary posture suggests a low probability of response to information operations.
Another factor stands out when looking at the descriptive statistics associated with differentiating conventional and cyber escalation, measured as coercive potential. As seen in Table 4.6, there is a higher observed rate of coercive potential in noncyber response treatments. The available of cyber response options appears to reduce the coercive potential by substituting information warfare for more traditional approaches to coercion.
Overall, we have evidenced that cyber response options can moderate a conflict between rival powers. Respondents generally used cyber options to either respond proportionally or seek to de-escalate the situation until more information can be gathered. What we cannot explain is whether or not the results were influenced by the presence of nuclear weapons on both sides, different regime types, and other possible confounding variables because our sample was not large enough to enable additional treatments.
6 Case Study Probe: The United States and Iran
To further examine the concept of cyber off ramps and contemporary escalation dynamics, we turn to a theory-guided case study examination (Levy, Reference Levy2008). Since survey experiments are prone to external validity challenges (Renshon, Reference Renshon2015), a case analysis helps triangulate the findings from the three hypotheses. To this end, interactions between the United States and Iran in the summer of 2019 offer a viable case for examination (Valeriano & Jensen, Reference Valeriano and Jensen2019). Referring to the prior hypotheses, we argue that cyber operations are not escalation prone (H1). We also note that cyber operations are more likely to be used as complements when states do consider escalating (H2), and that cyber operations are more likely to be used as substitutes when there are no indications of rival cyber activity (H3). We now examine our developing theory’s plausibility in the context of this case.
6.1 Origins
The full picture of what happened between Iran and the United States in the summer of 2019 will continue to develop as classified information is released, but what we do know suggests there was a significant confrontation with cyber operations playing a role as a coercive instrument alongside diplomatic, economic, and military inducements in the dispute. Given that Iran and the United States maintain an enduring rivalry and have a history of using force, even if through proxies, this case was particularly escalation prone. Yet, instead of going to war, Tehran and Washington pulled back from the brink. The key question is why?
As long-term rivals, the United States and Iran have been at loggerheads over the control of the Middle East and resource access for decades (Thompson & Dreyer, Reference Thompson and Dreyer2011). The origins of the contemporary rivalry between Iran and the United States started, from an Iranian perspective, in 1953 when the CIA helped their UK counterparts stage a coup (Kinzer, Reference Kinzer2008). From the US perspective, the rivalry dates to the Iranian Revolution and the overthrow of the Shah in 1979, installed in the 1953 coup (Nasri, Reference Nasri1983). The new regime, led by Ayatollah Ruhollah Khomeini, launched a revisionist series of direct and proxy challenges against US interests in the region (Ramazani, Reference Ramazani1989) that culminated in a protracted conflict with Iraq. During the Iran–Iraq War, the United States backed Iran’s rivals, including Iraq and the larger Gulf Cooperation Council. Iran in turn backed Shiite groups across the Middle East implicated in attacking US forces in the Lebanon.
In the aftermath of the Iranian Revolution and during the subsequent Iran–Iraq War, the United States engaged in limited but direct military engagements with Iran, including the failed Desert One raid to rescue American hostages (1980), and during Operation Earnest Will (1987–1988) in which the US Navy escorted Gulf State oil tankers in a convoy to protect them from Iranian military forces (Wise, Reference Wise2013). This period included multiple naval skirmishes such as Operational Praying Mantis (1988) and Operational Nimble Archer (1988) in which US forces attacked Iranian oil rigs and military forces in retaliation for Iranian mining in the Strait of Hormuz and repeated attacks. Contemporary US perspectives on Iranian motives and likely foreign policy preferences emerged during this period, with the Washington foreign policy establishment seeing Iran as a revisionist, revolutionary state.Footnote 6 Similarly, Iranian attitudes toward the United States hardened even further as Washington labeled the country part of an Axis of Evil (Shay, Reference Shay2017) and invaded its neighbor, Iraq. Iran opted to counter by funding proxy Shiite groups in Iraq and undermining the transitional Iraqi government.Footnote 7
Parallel to its proxy struggle with the United States in Iraq, Tehran sponsored terror groups that attacked US interests across the region and accelerated its nuclear weapons program.Footnote 8 Starting in 2003, the International Atomic Energy Agency started pressuring Iran to declare its enrichment activities, which led to multilateral diplomatic efforts starting in 2004. These efforts culminated in UN Security Council resolutions expanding sanctions on Iran over the subsequent years, and the US joining the multilateral effort (P5+1) in April 2008 following a formal Iranian policy review. Backed by the larger range of diplomatic and economic sanctions that had been in place since the Iranian Revolution, the pressure resulted in the 2015 Joint Comprehensive Plan of Action (JCPOA). This agreement limited Iran’s ability to develop nuclear weapons and included European allies as treaty members distributing the burden of enforcement internationally (Mousavian & Toossi, Reference Mousavian and Toossi2017).
In 2018, the Trump administration withdrew from the agreement, arguing that Iran was still building nuclear weapons and directing proxy warfare against US allies (Fitzpatrick, Reference Fitzpatrick2017). The Trump administration wanted to move past the JCPOA agreement, which had reduced tensions in the region. Instead, the Trump administration ramped up sanctions and designated the Islamic Revolutionary Guard Corps, with the Quds force (Tabatabai, Reference Tabatabai2020), a terrorist organization in 2019 (Wong & Schmitt, Reference Wong and Schmitt2019). The leader of the organization, QasemSoleimani, became a prime target (Lerner, Reference Lerner2020).
6.2 Cyber and Covert Operations
Given Iran’s use of proxies, covert operations generally color the relationship between Iran and United States. These activities included the use of cyber capabilities. The United States and Iran were deep in a cyber rivalry, with twenty cyber conflicts between 2000 and 2016 (Valeriano et al., Reference Valeriano, Jensen and Maness2018). Data on cyber interactions only begin in 2000, making it difficult to catalog the full range of covert and clandestine activity between 1979 and 2000.
With respect to cyber operations, the United States likely initiated seven cyber operations while Iran launched thirteen (Maness et al., Reference Maness, Valeriano and Jensen2019). The most significant event was when the United States and Israel launched the Stuxnet attack, which disabled centrifuges in the Natanz nuclear power plant (Lindsay, Reference Lindsay2013). The overall impact of the attack on the Natanz plant is intensely debated, but assessment at the time suggested a limited overall impact on Iran’s ability to produce nuclear materials (Barzashka, Reference Barzashka2013). It is still unknown what effect the Stuxnet attack had on Iranian internal calculations and assessment of US capabilities.
The pattern between the United States and Iran has often been for the United States to rely on cyber espionage and degrade operations to harm Iranian interests and activities, while Iran generally seeks to avoid direct confrontation in cyberspace (Valeriano & Maness, Reference Valeriano and Maness2015). Saudi Arabia is a frequent proxy cyber target of Iran, given that the United States is seen as its protector and ally. Iran’s actions against the United States mostly entail basic espionage, economic warfare, and the typical probes and feints in cyberspace (Eisenstadt, Reference Eisenstadt2016).
Another key aspect of the covert competition, and the prime threat that Iran offered to the United States, was the use and control of proxy forces in the region. The Iranian Quds force controlled proxy actors in the region (Eisenstadt, Reference Eisenstadt2017), with Houthi forces seeking to attack forces in the region with Scud missiles (Johnston et al., Reference Johnston, Lane, Casey, Williams, Rhoades, Sladden, Vest, Reimer and Haberman2020). The awareness that Hezbollah was taking clear direction from Iran altered the dynamics of the dispute between Israel and its regional rivals (Al-Aloosy, Reference Al-Aloosy2020). Entering the summer of 2019, Iran’s use of proxy forces dominated the concerns of the Trump administration (Simon, Reference Simon2018; Trump, Reference Trump2018).
6.3 The Summer 2019 Crisis
As the summer began in 2019, tensions accelerated due to concerns about Iranian proxy warfare, the use of cyber actions in the region, and the pursuit of nuclear weapons after the end of the JCPOA (see Figure 4.3 for the timeline of events). In addition to increased hacking activities, Iran attacked tankers in the Persian Gulf, with two incidents occurring in May of 2019. At one point, Iranian operatives were seen placing unidentified objects on the hull of a tanker before it was disabled. Iran “called the accusations part of a campaign of American disinformation and ‘warmongering’” (Kirkpatrick et al., Reference Kirkpatrick, Perez-Pena and Reed2019).
Figure 4.3 Iran–United States Case Timeline.
Following intelligence reports that Iran was plotting an attack on US interests in the Middle East on May 5, 2019, National Security Adviser, John Bolton, announced (Bolton, Reference Bolton2019) the deployment of a carrier strike group and bomber task force to the Middle East to “send a clear and unmistakable message to the Iranian regime that any attack on the United States interests or those of our allies will be met with unrelenting force.” In response, on May 12 the crisis escalated with four commercial vessels, including two Saudi Aramco ships, targeted by sabotage attacks attributed to Iran in the Gulf of Aden (Yee, Reference Yee2019). By May 13, the Pentagon announced plans to deploy as many as 120,000 troops in the region in additional fighter squadrons and naval task forces already headed to the region (Schmitt & Barnes, Reference Schmitt and Barnes2019). In response, on May 14 Iranian proxies in Yemen launched a massive attack against Saudi oil infrastructure using a mix of drones and cruise missiles (Hubbard et al., Reference Hubbard, Karasz and Reed2019). By the end of May, the United States implicated Iran proxies in firing rockets at US interests in Iraq and responded with additional troop deployments and weapon sales to Saudi Arabia. These measures added to the range of economic sanctions the Trump administration initiated following its departure from the JCPOA (News, Reference News2018).
The increasingly militarized crisis continued into June. On June 6, 2019, Iranian-backed rebels in Yemen shot down a MQ-9 Reaper, leading the US Central Command (CENTCOM) Commander to warn that US forces faced an imminent threat throughout the region (Kube, Reference Kube2019). On June 13, magnetic mines, likely delivered by Iranian unmanned subsurface vehicles, damaged two additional commercial vessels, leading the United States to announce additional troop deployments.
The downing of a US RQ-4A Global Hawk UAV on June 20, 2019, served notice that conflict was likely to escalate. The United States deemed it an unprovoked attack of an aircraft in international waters. President Trump ordered a military strike on June 20, but halted the operation over fears of mass casualties on the Iranian side, or fears of the impact of a war with Iran on reelection. He stated on Twitter, “We were cocked & loaded to retaliate last night on 3 different sights when I asked, how many will die. 150 people, sir, was the answer from a General. 10 minutes before the strike I stopped it, not proportionate to shooting down an unmanned drone.” (Olorunnipa et al., Reference Olorunnipa, Dawsey, Demirjian and Lamothe2019).
Instead of escalating the conflict, on June 22 the United States leveraged a series of cyber operations to respond proportionally to Iranian provocations. There seems to have been a few distinct operations; it is unclear how many separate teams or tasks were directed against Iran. One operation disabled Iran’s ability to monitor and track ships in the region by attacking their shipping databases (Barnes, Reference Barnes2019b). Another operation by US Cyber Command was said to have disabled Iranian missile sites, making them vulnerable to air attacks (Nakashima, Reference Nakashima2019). In addition, the United States was also likely dumping Iranian code on the site VirusTotal (Vavra, Reference Vavra2019), potentially impairing Iranian’s ability to retaliate by spilling their tools so other defenders were prepared.
The cyber operations served to signal risk to the Iranians and preserve further options to manage the crisis if it was to continue. The proportional response to Iran’s activities possibly allowed for the conflict to stabilize and helped push the two states away from the brink of war. On the road to war, cyber options provide a critical path away from confrontation while still managing to service domestic audience concern
On June 24, cyber security scholar, Bobby Chesney, observed, “Indeed, reading the tea leaves from the past weekend, it appears the cyber option helped ensure there was an off-ramp from a kinetic response that might have led to further escalation.” (Pomerleau & Eversden, Reference Pomerleau and Eversden2019). On June 25, Valeriano and Jensen (Reference Valeriano and Jensen2019) wrote a column in The Washington Post that stated, “contrary to conventional wisdom, cyber options preserve flexibility and provide leaders an off-ramp to war.”
Following a tense summer, the conflict moved into a new phase in late 2019 and 2020 with the killing of an American contractor after a rocket attack on the US base in Iraq on December 27, 2019 (Barnes, Reference Barnes2019a). The United States retaliated with strikes against Iranian proxies, the Hezbollah, in Iraq and Syria. Hezbollah then attacked the American embassy in Iraq, leading to the US president authorizing the assassination of IRGC Commander, Qasem Solemani, on January 3, 2020 (Zraick, Reference Zraick2020). The United States moved to deploy 4,000 addition troops in the region and Iran retaliated by launching missile strikes on US bases in Iraq, wounding over a hundred soldiers (Zaveri, Reference Zaveri2020). The conflict was finally de-escalated, with the United States choosing to not respond to the Iranian attack by claiming that no one had been killed. Since there was six months between the summer and winter 2019/2020 incidents, they are treated as two distinct, albeit linked, crisis cases.
6.4 Assessing the Case
Assessment of the events suggests that the crisis with Iran could have escalated in June 2019 after the downing of the Global Hawk UAV, seen as a significant piece of military hardware costing around $220 million (Newman, Reference Newman2019). Demands for retaliation and escalation were rife in the foreign policy community and within the Trump Administration (Trevithick, Reference Trevithick2019).
Instead of escalation, the United States took a different path, consistent with Hypothesis 1. By responding through cyber actions, the United States did two things. First, it demonstrated commitment and credibility to counter Iranian operations by signaling intent for future operations that could have dramatic consequences on Iranian power in the region. Second, these cyber operations also served as Phase 0 operations meant to shape the environment and set the conditions should the United States want to use additional military options in the future. With Iranian defensive systems compromised, Iran was vulnerable to an American attack that never came, and simultaneously subject to a cyber substitute consistent with Hypothesis 3. Cyber operations served to de-escalate the conflict by vividly illustrating the shadow of the future for continued Iranian harassment in the region.
President Trump also increased targeted sanctions directed at Iran’s leadership and threated further strikes, stating that he did not need Congressional approval due to the existing authorization for military forces in the region to respond to terrorist threats (Crowley, Reference Crowley2020).Footnote 9 These moves are consistent with Hypothesis 2, which suggests that cyber operations are used to complement other forms of power if there is a consideration for escalation.
When challenged by a strike on an American asset in the region, the United States had two options, respond in kind or escalate the conflict. Doing nothing would incur significant audience costs among President Trump’s base of support because it would demonstrate weakness. Escalation would likely provoke retaliation by proxy forces all over the Middle East leading to significant US casualties. War would also harm the President’s reelection chances after promising a reduction in tensions and an end to the wars in the region (Tesler, Reference Tesler2020).
Choosing the option of cyber operations and increased sanctions fits clearly with an off-ramp perspective on crisis bargaining. As Hypothesis 3 argued, cyber operations are likely to be used as substitutes when there are no indications of adversary cyber activity. Here cyber options substituted military options because Iran did not escalate in the cyber domain in response to US cyber moves, and Washington likely judged it had a domain advantage.
Cyber options offered a path out of the conflict through responding in ways that target Iran’s command and control functions directly, demonstrating decreased capacity for Iran to control their battlespace. Of particular interest, some of the cyber operations specifically limited Iran’s ability to retaliate in cyberspace by leaking the malicious code Tehran was likely to use. No other military response options were utilized, although they were considered, after cyber operations were leveraged. Cyber options can serve as off-ramps from the path to war.
7 Conclusion: The Promise and Limit of Cyber Off-Ramps
Based on the observations from experiments and a case study of a US-Iranian crisis in the summer of 2019, we conclude that cyber response options limit the danger of escalation. If used correctly to signal to the opposition to moderate behavior, or as demonstrations of resolve, cyber operations allow states to check the behavior of the opposition with minimal danger of escalation. Cyber options allow a state to express discontent and reshape the balance of information between two opposing parties.
To date, states appear to use cyber options to decrease tensions. This is a counterintuitive finding when many in the discipline suggest that either cyber is inherently escalatory or the nature of conflict has changed. It might be true that conflict has changed, but information operations and cyber operations are generally less escalatory and therefore less dangerous than confronting the opposition with conventional weapons. In other words, the logic of substitution and complements appears to apply to the digital domain. The nature of research suggests that there is less danger in using cyber operations as off-ramps to initial confrontations. We must be clear that we are not suggesting cyber operations as a first strike option. To the contrary, cyber operations likely risk sparking a security dilemma when the target is less capable. Yet, as reactions to initial hostility, cyber options provide a path away from war.
Despite a demonstrated case, as well empirical and experimental evidence suggesting cyber operations are not associated with crisis escalation, there are still limits to these findings. Inequality and the inability of a state to respond to a cyber action with cyber response options increases the dangers of escalation. The behavior and strategic posture of the target can be a critical part of the equation. A history of disputes that create overall tension in a dyad can lead to escalation if the issue is salient enough, even if there are cyber response options (Vasquez, Reference Vasquez1993). Our simulation was constricted to one interaction, meaning that we did not test the conditions for escalation across a series of disputes.
The policy advice that emerges from this research is to integrate cyber options into a “whole of government” response tailored to each contingency. In an extended bargaining situation, cyber responses to initial moves can reveal information and decrease tensions, countering much of the hype and hysteria about digital technology exacerbating conflict. That said, cyber operations must be evaluated in terms of the extent to which they act as a complement or substitute, as well as how they might lead to misperception or undermine global connectivity, given the fact that the networks cyber operations target and rely on are largely owned by the private sector. Misperception is still a risk in the digital domain.
The policy goal should be to adopt moderate cyber operations that seek to shape the environment to avoid escalation risks, even if those risks are generally low. By revealing and gathering information in a bargaining situation, cyber options can help decrease tensions by giving states the space they need to maneuver and seek to end a conflict. Using cyber operations, especially cyber operations meant to critically wound command and control facilities or cause death in an offensive manner early during the precrisis period, would likely lead to escalation.
Open access