Can cyberwarfare be regulated?
Joseph S. Nye

Editor's note: Joseph S. Nye, Jr. is a professor at Harvard and author of the forthcoming "Do Morals Matter? Presidents and Foreign Policy from FDR to Trump." The article reflects the author's opinion, and not necessarily the views of CGTN.

Whether or not a conflict spirals out of control depends on the ability to understand and communicate about the scale of hostility. Unfortunately, when it comes to cyber conflict, there is no agreement on scale or how it relates to traditional military measures. What some regard as an agreed game or battle may not look the same to the other side.

A decade ago, the United States used cyber sabotage instead of bombs to destroy Iranian nuclear enrichment facilities. Iran responded with cyber attacks that destroyed 30,000 Saudi Aramco computers and disrupted American banks. This summer, following the imposition of crippling sanctions by U.S. President Donald Trump's administration, Iran shot down an unmanned American surveillance drone. There were no casualties. Trump initially planned a missile strike in response, but canceled it at the last moment in favor of a cyber attack that destroyed a key database used by the Iranian military to target oil tankers. Again, there were costs but not casualties. Iran then carried out, directly or indirectly, a sophisticated drone and cruise missile strike against two major Saudi oil facilities. While it appears there were no or only light casualties, the attack represented a significant increase in costs and risks.

The problem of perceptions and controlling escalation is not new. In August 1914, the major European powers expected a short and sharp "Third Balkan War." The troops were expected to be home by Christmas. After the assassination of the Austrian archduke in June, Austria-Hungary wanted to give Serbia a bloody nose, and Germany gave its Austrian ally a blank check rather than see it humiliated. But when the Kaiser returned from vacation at the end of July and discovered how Austria had filled in the check, his efforts to de-escalate were too late. Nonetheless, he expected to prevail and almost did.

Had the Kaiser, the Czar, and the Emperor known in August 1914 that a little over four years later, all would lose their thrones and see their realms dismembered, they would not have gone to war. Since 1945, nuclear weapons have served as a crystal ball in which leaders can glimpse the catastrophe implied by a major war. After the Cuban Missile Crisis in 1962, leaders learned the importance of de-escalation, arms-control communication, and rules of the road to manage conflict.

A member of the Iranian Revolutionary Guards presented what he said was a downed U.S. drone reportedly recovered within Iran's territorial waters at Tehran's Islamic Revolution and Holy Defence museum during the unveiling of an exhibition of what Iran claims are U.S. and other drones captured in its territory, September 21, 2019. /VCG Photo

A member of the Iranian Revolutionary Guards presented what he said was a downed U.S. drone reportedly recovered within Iran's territorial waters at Tehran's Islamic Revolution and Holy Defence museum during the unveiling of an exhibition of what Iran claims are U.S. and other drones captured in its territory, September 21, 2019. /VCG Photo

Cyber technology, of course, lacks the clear devastating effects of nuclear weapons, and that poses a different set of problems, because there is no crystal ball. During the Cold War, the great powers avoided direct engagement, but that is not true of cyber conflict. And yet the threat of cyber Pearl Harbors has been exaggerated. Most cyber conflicts occur below the threshold established by the rules of armed conflict. They are economic and political, rather than lethal. It is not credible to threaten a nuclear response to cyber theft of intellectual property by China or cyber meddling in elections by Russia.

According to American doctrine, deterrence is not limited to a cyber response (though that is possible). The U.S. will respond to cyberattacks across domains or sectors, with any weapons of its choice, proportional to the damage that has been done. That can range from naming and shaming to economic sanctions to kinetic weapons. Earlier this year, a new doctrine of "persistent engagement" was described as not only disrupting attacks, but also helping to reinforce deterrence. But the technical overlap between intrusion into networks to gather intelligence or disrupt attacks and to carry out offensive operations often makes it difficult to distinguish between escalation and de-escalation. Rather than relying on tacit bargaining, as proponents of "persistent engagement" sometimes emphasize, explicit communication may be necessary to limit escalation.

After all, we cannot assume that we have enough experience to understand what is an agreed competition in cyberspace or that we can be certain of how actions taken in other countries' networks will be interpreted. For example, Russian cyber meddling in U.S. elections was not an agreed competition. With a domain as new as cyber, open rather than mere tacit communication can enlarge our limited understanding of the boundaries.

Negotiating cyber arms-control treaties is problematic, but this does not make diplomacy impossible. In the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or the same program can be used for legitimate or malicious purposes, depending on the user's intent. But if that makes traditional arms-control treaties impossible to verify, it may still be possible to set limits on certain types of civilian targets (rather than weapons) and negotiate rough rules of the road that limit conflict.

U.S. officials announced that seven Russian GRU intelligence officers had been indicted for their alleged roles in hacking and related influence and disinformation operations targeting international anti-doping agencies, sporting federations and anti-doping officials in Washington, October 4, 2018. /VCG Photo

U.S. officials announced that seven Russian GRU intelligence officers had been indicted for their alleged roles in hacking and related influence and disinformation operations targeting international anti-doping agencies, sporting federations and anti-doping officials in Washington, October 4, 2018. /VCG Photo

In any event, strategic stability in cyberspace will be difficult to maintain. Because technological innovation there is faster than in the nuclear realm, cyberwarfare is characterized by a heightened reciprocal fear of surprise.

Over time, however, better attribution forensics may enhance the role of punishment; and better defenses through encryption or machine learning may increase the role of prevention and denial. Moreover, as states and organizations come to understand better the limitations and uncertainties of cyberattacks and the growing importance of internet entanglement to their economic well-being, cost-benefit calculations of the utility of cyberwarfare may change.

At this point, however, the key to deterrence, conflict management, and de-escalation in the cyber realm is to acknowledge that we all still have a lot to learn and expand the process of communication among adversaries.

Copyright: Project Syndicate, 2019.

(If you want to contribute and have specific expertise, please contact us at opinions@cgtn.com.)