The Cyberwar That Never Was: Reassessing Choices During Cyber Conflicts – Analysis
The long road towards the Russian invasion of Ukraine gave rise to speculation about the strategic value of cyber operations to complement or replace conventional means. Nevertheless, the expected cyber ‘bang’ has so far been more of a ‘whimper’.
Summary
The action and rhetoric leading to the invasion of Ukraine early this year led to speculation about the effective use of Russian cyber capabilities to complement or replace conventional means at the outbreak of the conflict. Noting the observed and declared Russian prowess in cyberspace, some observers held that the deteriorating situation provided the opportunity to demonstrate the strategic value of cyber operations. Nevertheless, despite the seemingly favourable conditions, the exercise of Russian cyber power at the onset of hostilities –and throughout them– is limited at best.[1] Although disruptive tactics such as defacement and wiper malware were documented, the expected cyber ‘bang’ was more of a ‘whimper’, remaining much the same throughout the past three months.
Analysis
Responding to the limited strategic role of cyber operations thus far, both cybersecurity scholars and policy analysts weighed in on possible explanations. While the possibility exists of increasingly destructive action with notable strategic effects, most acknowledge its supportive or complementary value once a dispute is militarised.[2] Proponents of this view recognise: (1) the difficulty of planning and initiating cyber operations; (2) their limited effects; and (3) and the potential for escalation, which may temper decisions surrounding their use.
However, the question of whether such constraints are unique to this case or speak more broadly of the role of cyber operations during instances of armed conflict must be addressed. Due to the rarity of interstate war, there is limited empirical evidence available. Nevertheless, such questions need to be asked as our understanding of interaction between states in cyberspace has, thus far, been limited to periods of relative peace. Consequently, to be able to delve into the extent to which the exercise of cyber power delivers strategic gains in war has been the focus of analysis of the conflict’s cyber dimension thus far. Analysis, however, should not be limited solely to the expected utility of actions in and through cyberspace but should also account for the rationale behind these choices. Specifically, do decision-makers carefully consider the strategic environment and the capabilities of cyber operations when deciding how best to employ these instruments to obtain their strategic objectives?
This paper expands on the explanations advanced thus far by shifting the focus from structural and technological attributes to socio-cognitive constructs that shape preference formation. Doing so serves two purposes. First, it acknowledges the bounded nature of human rationality given the complexities of cyberspace and the action within it. Decision-makers revert to established socio-organisational practices and cognitive constructs to alleviate the ambiguity surrounding the international system and cyberspace. Secondly, it highlights the possibility that the limited use of offensive cyber operations may be case-specific, rooted in the process used to interpret the strategic environment. This should not be understood as an indictment of the possible irrationality of decision-makers. Instead, the lens with which Russian and other decision-makers interpret the environment shapes their preferences on how best to express power through cyberspace.
Consequently, future instances of conflict featuring a distinct cyber dimension may not unfold in the same manner as the Russia-Ukraine War. Nevertheless, the article recognises that Russian decision-making artifacts are unavailable. Consequently, arguments contained in the following sections rely on recently published case and wargaming data.
The remainder of this paper is organised into three further sections. Immediately following this introduction, it summarises the current rationale, grounded in structural and technological constraints, explaining the limited use of cyber operations in the ongoing Russia-Ukraine War. Bearing in mind that the conflict provides favourable conditions for the offensive use of cyber operations, their absence leads one to question whether this is indeed the true character of cyber conflict. The discussion then pivots by arguing that Russian cyber operations may be less a function of the material constraints they face but are, instead, a reflection of how the latter are interpreted using specific socio-cognitive devices. Finally, the paper concludes by explaining the possible consequences of the existing policy and security discourse surrounding cyber conflicts and draws attention to the need to understand the decision-making processes that generate specific policy choices rather than just evaluating the efficacy of operations.
Material limitations
Proponents of the revolutionary potential of cyber operations often centre their arguments on the underlying vulnerability of cyberspace and its implications for national power. Owing to its complexity, it is impossible –and in some cases undesirable– to completely secure this environment.[3] Moreover, this complexity limits our ability to predict where compromises can occur and what their consequences are.[4] This state of insecurity encourages exploitation by states as a means of shaping the environment in their favour, a cyber fait accompli.[5] While accurately depicting the vulnerability of this human-made environment, the paradigm does not account for the complexity and effects of these operations.
While it has become easier to acquire the skills required to inflict damage through cyber means, tactical and strategic effects remain a function of the resources invested.[6] Several scholars readily acknowledge that consequential operations are limited to a handful of states with the necessary technological, organisational and economic resources.[7] This is not to say that smaller powers are to be dismissed; instead, less complicated disruptive operations (eg, web defacement) are unlikely to result in strategic gains. Paradoxically, if this is the case, does Russia not have the capability to conduct more advanced operations than those seen thus far? While possible, the complexity of cyber operations, their consequences and their escalatory potential must be considered.
Operational success is not simply a function of technical prowess. As illustrated by Stuxnet, complex operations require careful coordination across different entities.[8] While there is as yet no evidence of operational planning in Russian cyber operations, it could be posited that intelligence failures and a lack of coordination may indicate organisational or cultural practices that inhibit the coordination necessary for effective cyber operations. Alternatively, it could also be asserted that the Russian leadership recognised these challenges and opted for conventional means (eg, it is simpler to bomb a power station than to hack it) that are far easier to deploy in a shorter timeframe.
Relatedly, cyberspace is a resilient domain. Inflicting damage to cyber infrastructure is often resolved in hours –as in the case of the Russian operation targeting the Ukrainian power grid in 2015–.[9] Unsurprisingly, the acknowledged vulnerability of cyberspace encourages coordination and preparation involving both the private and public sectors, blunting the effects of offensive operations. In the current conflict, Russian behaviour since 2014 and support from state and non-state actors outside Ukraine continue to hinder malicious Russian activity.[10]
Finally, even if the above constraints are addressed, there remains the question of escalation. The lack of a documented case of escalation serves to assuage the concerns of some. Fischerkeller & Harknett noted that constant interaction in this space results in a tacitly agreed-upon range of acceptable action.[11] Maness & Valeriano posit that long-standing rivalries define the status-quo and its corresponding behaviour, deviations from which could signal possible escalation.[12] However, operations levelled against Ukraine thus far do not differ significantly from those prior to militarisation.
Arguments that Russia may simply be incapable of more complex operations are easily dismissed given its past actions.[13] Alternatively, restraint may be an effort to prevent adversaries from misconstruing this as an intent to escalate. While this may seem counterintuitive, since hostilities have already broken out in the conventional space, evidence from wargames suggests that elites continue to perceive cyber operations as escalatory even in the context of increasing physical violence.[14] In another wargame, participants do not perceive cyber operations as substitutes for conventional capabilities but as supporting other means or as a complementary option to generate other effects. Given the continued prominence of information operations, the latter may explain the nature of operations thus far.
Considering the points above, contemporary commentary attributes limited Russian cyber operations to: (1) the ease with which conventional operations may be used to achieve the desired effect; (2) the transient nature of damage inflicted through cyber means; and (3) the desire to avoid potential escalation and instead employing cyber capabilities to achieve other, complementary effects. Suppose these factors drive Russian decision-making regarding the use of their cyber capabilities. In that case, scepticism regarding the strategic value of these tools may be warranted even under conditions of interstate war.[15] However, this is contingent on the ability of Russian decision-makers to objectively recognise the limitations of cyber operations and the possible reaction from Ukraine and its benefactors should Russia decide to engage in more aggressive operations. This assumes the objective interpretation of the strategic and technological environment.
Beyond material and structural factors
The seemingly limited ability of Russian decision-makers to correctly evaluate the strategic environment is an observation that most commentators have agreed upon over the past few months. While the poor performance of Russian forces during the opening days and weeks of the conflict may be attributed to intelligence failure, the slow pace with which they adapted and the continuation of certain practices hints at a profoundly ingrained pathology.[16] In his book Painful Choices, David Welch asserts that decision-makers stubbornly hold on to established beliefs so long as the consequences of doing so do not generate enough cognitive dissonance or emotional stress to encourage a re-assessment.[17] While political and cognitive psychology over the past three decades provides enough evidence to support this argument, the nature of these beliefs and how they shape preferences are less clear. Furthermore, the extent to which they influence the exercise of cyber capabilities determines whether decision-makers recognise structural and technological limitations or interpret them in the context of established beliefs.
Scholars of international relations, particularly those that identify as neoclassical realists, recognise that decision-makers contextualise the strategic environment using ideas and beliefs which may not adequately capture the reality they face.[18] To paraphrase Rose,[19] policymakers see the world ‘through a glass, darkly’. In the case of the Russia-Ukraine War, statements made by Putin prior to the invasion appear to reflect the underlying worldview that drives his strategic preferences.[20] This is unsurprising and readily observed in other states as well. However, the extent to which these beliefs shape preferences in cyberspace, a technological environment whose rules define what is possible, is less understood
The earliest mention of how prior beliefs govern strategic preferences in cyberspace can be traced to the work of Valeriano, Jensen & Maness.[21] They suggest the existence of ‘national ways’ in cyberspace. The authors argue that states such as China, Russia and the US employ cyber operations that reflect beliefs pre-dating cyberspace without explicitly stating what these beliefs are. Building on this work, Kari & Pynnöniemi associate Russian threat perception and preferences with Russia’s strategic culture. The authors note that the persistent sense of vulnerability and the narrative of a besieged fortress is cited in documentary sources as driving preferences.[22]
While numerous definitions abound, this paper treats strategic culture as a ‘set of beliefs held by elites concerning strategic objectives and the most effective method of achieving them’.[23] Suppose cyberspace is perceived as a novel means for attaining strategic objectives. It could be argued that prior beliefs that shape the means towards these objectives contribute to preference formation. For instance, if a state views information operations as enabling a favourable strategic environment, then dependence on such a belief would see decision-makers gravitating towards means with which this preference may be realised. Unsurprisingly then, this logic raises questions about whether decision-makers are bound to adhere to these beliefs or whether agency exists to assess its suitability considering circumstances that enable and constrain state behaviour.
Most political psychologists would agree that rationality exists in a gradient. Depending on the environment in which they operate, decision-makers may exert greater or lesser cognitive effort when formulating strategic preferences reflected in observed behaviour. In the case of cyberspace, uncertainty relating to the effects of operations and the pervasive lack of expertise is shown to increase reliance on cognitive structures such as beliefs. The situation is further compounded by latent uncertainty within the international system that decision-makers would have to contend with. Experiments and simulations over the past decade confirm this phenomenon.[24]
Results from an ongoing cross-national wargame show up the conditions in which decision-makers are likely to undertake a greater effort of cognition to develop an appropriate policy response during a crisis.[25] The wargames conducted in Taiwan, the Philippines, the US, Singapore and Switzerland involving cybersecurity, policy and military experts highlight the tendency to move by default to nationally-distinct practices associated with underlying strategic cultures. Singapore, for instance, opted for policies that demonstrated its resolve while simultaneously pursuing a diplomatic option, reflecting its preferences given its historical experience and unique geographic features. Similarly, Swiss participants gravitated towards policies that avoided further aggravating the situation and granted them flexible diplomatic options. As one participant notes, their choices were governed by their Swiss identity and the expectations that flowed from it.
However, this tendency to rely on beliefs and prior preferences was moderated by the need to avoid policy failure. Participants who assumed that incorrect policy choices would result in severe consequences were motivated to assess the situation carefully and were open to deliberative strategies that challenged prior beliefs. In effect, the wargames demonstrated the tendency of individuals to slip ‘between policy-guiding mental representations of reality and reality itself’.[26]
Consequently, both the wargames and preceding research call for caution when advancing claims regarding the choices made by states vis-à-vis cyberspace. While there is less doubt that strategic effects from the independent use of cyber operations are limited, it cannot be concluded that decisions surrounding the exercise of power in and through cyberspace are the sole function of the objective interpretation of the strategic environment. The preference of Russian decision-makers to engage in low-level disruption and influence operations may have as much to do with their realisation of the limits of this new environment as it does with their established beliefs as to how best to meet their strategic objectives.
Conclusions
Reassessing choices and the future of cyber conflict
While the Russia-Ukraine War tells us much about the limits of cyber operations, it is less informative as to why states act the way they do. On a positive note, this situation sheds light on the need to investigate further the mechanisms that govern the decision to use cyber capabilities. Specifically, it calls for greater attention towards immaterial factors such as beliefs that may serve as the lens through which decision-makers interpret the strategic environment resulting in behaviour-shaping preferences.
That being said, our attempts to understand the future of cyber conflict must extend beyond debates surrounding the efficacy of cyber operations. While this does not imply surrendering to calls of technological exceptionalism, it requires a greater effort on the part of scholars and policy experts alike to consider the underlying decision-making processes. Consequently, this not only requires accounting for the consequences of operations, but also considers how policymakers and public opinion alike perceive these activities. Although cyberspace is unquestionably enabled by technology, actions within and through it are shaped by individuals who remain far more unpredictable than the technologies they use.
*About the author: Miguel Alberto Gomez
Source: This article was published by Elcano Royal Institute
[1] Erica D. Lonergan, Shawn W. Lonergan, Brandon Valeriano & Benjamin Jensen (2022), ‘Putin’s invasion of Ukraine didn’t rely on cyberwarfare. Here’s why’, The Washington Post, 7/III/2022.
[2] Jacquelin Schneider, Benjamin Schechter & Rachael Shaffer (2022), ‘A lot of cyber fizzle but not a lot of bang: evidence about the use of cyber operations from wargames’, Journal of Global Security Studies, vol. 7, nr 2, June, ogac005.
[3] Myriam Dunn Cavelty (2013), ‘From cyber-bombs to political fallout: threat representations with an impact in the cyber-security discourse’, International Studies Review, vol. 15, nr 1, March, p. 105-122; Jon R. Lindsay (2017), ‘Restrained by design: the political economy of cybersecurity’, Digital Policy, Regulation and Governance, 11/IX/2017.
[4] Charles Perrow (1999), Normal Accidents: Living with High-risk Technologies, Princeton University Press, Princeton NJ.
[5] Michael P. Fischerkeller & Richard Harknett (2020), ‘Cyber persistence, intelligence contests, and strategic competition’, Texas National Security Review, 17/IX/2020.
[6] Adam P. Liff (2021), ‘Cyberwar: a new “absolute weapon”? The proliferation of cyberwarfare capabilities and interstate war’, Journal of Strategic Studies, vol. 35, nr 3, May, p. 401-428.
[7] Erica D. Borghard & Shawn W. Lonergan (2017), ‘The logic of coercion in cyberspace’, Security Studies, vol. 26, nr 3, May, p. 452-481; Allison Pytlak & George E. Mitchell, “Power, rivalry, and cyber conflict: an empirical analysis”, in Karsten Friis and Jens Ringsmose (Eds.) (2016), Conflict in Cyber Space: Theoretical, Strategic and Legal Perspectives, Routledge, London, p. 65-82; Rebecca Slayton (2017), ‘What is the cyber offense-defense balance? Conceptions, causes, and assessment’, International Security, vol. 41, nr 3, January, p. 72-109.
[8] Jon R. Lindsay (2013), ‘Stuxnet and the limits of cyber warfare’, Security Studies, vol. 22, nr 3, August, p. 365-404.
[9] Kim Zetter (2016), ‘Inside the cunning, unprecedented hack of Ukraine’s power grid’, Wired Magazine, 3/III/2016.
[10] Erica Lonergan & Keren Yarhi-Milo (2022), ‘Cyber signalling and nuclear deterrence: implications for the Ukraine crisis’, War on the Rocks, 21/IV/2022.
[11] Michael P. Fischerkeller & Richard J. Harknett (2017), ‘Persistent engagement, agreed competition, cyberspace interaction dynamics and escalation’, Orbis, vol. 61, nr 3, Summer, p. 381-393.
[12] Ryan C. Maness & Brandon Valeriano (2015), ‘The impact of cyber conflict on international interactions’, Armed Forces & Society, vol. 42, nr 2, March, p. 301-323.
[13] Brandon Valeriano, Benjamin Jensen & Ryan C. Maness (2018), Cyber Strategy: The Evolving Character of Power and Coercion, Oxford University Press, New York.
[14] Jacquelin Schneider (2017), Cyber and Crisis Escalation: Insights from Wargaming, US Naval War College.
[15] Schneider et al. (2022), op. cit.; Nadiuya Kostyuk & Yuri M. Zhukov (2017), ‘Invisible digital front: can cyber attacks shape battlefield events?’, Journal of Conflict Resolution, vol. 63, nr 2, November, p. 317-347.
[16] Boris Kormych (2022), ‘Putin’s miscalculations’, Wilson Center, Kennan Institute, 9/III/2022.
[17] David A. Welch (2011), Painful Choices: A Theory of Foreign Policy Change, Princeton University Press, Princeton NJ.
[18] Brian Rathbun (2008), ‘A rose by any other name: neoclassical realism as the logical and necessary extension of structural realism’, Security Studies, vol 17, nr 2, June, p. 294-321.
[19] Gideon Rose (1998), ‘Neoclassical realism and theories of foreign policy’, World Politics, vol. 51, nr 1, October, p. 144-172.
[20] Bloomberg News, Transcript: ‘Vladimir Putin’s televised address on Ukraine, February 24, 2022’.
[21] Brandon Valeriano, Benjamin Jensen & Ryan Maness (2018), Cyber Strategy: The Evolving Character of Power and Coercion, Oxford University Press, New York.
[22] Marti J. Kari & Katri Pynnöniemi (2019), ‘Theory of strategic culture: an analytical framework for Russian cyber threat perception’, Journal of Strategic Studies, September, p. 1-29.
[23] Yitzhak Klein (2007), ‘A theory of strategic culture’, Comparative Strategy, vol. 10, nr 1, September, p. 3-23.
[24] Schneider (2017), op. cit.; Miguel Alberto Gomez (2019), ‘Past behavior and future judgements: seizing and freezing in response to cyber operations’, Journal of Cybersecurity, vol. 5, nr 1, September, tyz012; Miguel Alberto N. Gomez (2019), ‘Sound the alarm! Updating beliefs and degradative cyber operations’, European Journal of International Security, vol. 4, nr 2, March 2019, p. 190-208.
[25] M.A. Gomez & Christopher Whyte (2022), ‘Unpacking strategic behavior in cyberspace: a schema-driven approach’, Journal of Cybersecurity, vol. 8, nr 1, April, tyac005.
[26] J.M. Goldgeier & P.E. Tetlock (2001), ‘Psychology and international relations theory’, Annual Review of Political Science, nr 4, June, p. 79.
Elcano Royal Institute
The Elcano Royal Institute (Real Instituto Elcano) is a private entity, independent of both the Public Administration and the companies that provide most of its funding. It was established, under the honorary presidency of HRH the Prince of Asturias, on 2 December 2001 as a forum for analysis and debate on international affairs and particularly on Spain’s international relations. Its output aims to be of use to Spain’s decision-makers, both public and private, active on the international scene. Its work should similarly promote the knowledge of Spain in the strategic scenarios in which the country’s interests are at stake.
