A Tale of Three Cyber Security Articles

15 May 2014, 1259 EDT

Cyber security has been on the general security agenda for some time now, but it is only recently that Political Scientists have really engaged the topic in a serious manner befitting of the theoretical and empirical advances in the field.  In general, we have ceded this ground to those who either have a vested interest in the question (the cyber security industry) or to those who seek to inflate the threat based on imagined fears.  This blog will review some recent work in the field and evaluate the state of knowledge plus future directions.arguing duck

Many pundits comment and pontificate on cyber security issues without much evidence or knowledge about the course of International Relations as it applies to cyber security.  Articles such as this are typical, they start out with a frightening scenario and then devolve into a motif that repeats the mantra that we should all be scared by example.   Take for instance this quote from the linked article above

“We think this could just be a smokescreen,” one said, finally. And it was. Before the end of next day, the attack had spread from banks to transport and utilities, culminating in an attack on a nuclear power station. The mounting horror of the analysts, the outrage and lack of understanding from the execs was all disturbingly authentic, but fortunately, none of it was real. The scene formed part of a wargame, albeit one designed by the UK’s GCHQ surveillance agency among others to attract new recruits into the field of cybersecurity.”

It appears that these flaws of avoidance are being rectified with new scholars entering the cyber security field.  Recently two of the major journals, International Security and the Journal of Peace Research published three new pieces in the cyber security field and it would be illustrative to take a look at them in depth.

First, we start with the Kello piece, “The Meaning of the Cyber Revolution”, which is amazing in its reckless use of ‘evidence’ and theory to give credence to the idea that we are entering a dangerous cyber era.  There are two main points in the article, one that the political science field has failed to engage the cyber security problem and that a cyber attack is easier than defense, therefore we are in danger of cyber war.  I will engage each point in turn.

The first task would be to engage the title of the article, the idea what we are in a cyber revolution.  Many have suggested this theme but few have really engaged the idea.  Jon Lindsay did a wonderful job of dissecting the argument in his Security Studies article, “Stuxnet and the Limits of Cyber Warfare.”

Lindsay’s main point is that Stuxnet was largely a failure.  Iran actually increased uranium enrichment during the height of the Stuxnet attack, nullifying suggestions that the attack set them back anywhere from three months to a few years.  In fact, Stuxnet, an attack launched by a major power that cost millions of dollars, involved many states, relied on luck and innovation, and developed over years -failed.  Lindsay asks an important question, if it fails in this instance (large rich power taking on a small to middle power), what chance is there that the cyber revolution hypothesis holds for small states engaging major powers?  Conjecture could lead one to argue that a small power could be likely to achieve greater success, but such frames are purely speculative.  Just because something could happen, does not mean is likely.  Given the evidence to date, the idea of a cyber revolution in military affairs is unlikely and remote.

Kello moves forward with this idea regardless, noting “if decision makers are right – and their views are not equivocal – the contemporary world confronts an enormous cyber threat.” This sort of notion perpetuates the notion that vulnerabilities, real and imagined, directly translate into strategic weakness.

The most infuriating claim in the Kello article is that few in political science has been working on cyber security questions, that we are ignoring the issue, and unless the issue is subjected to rigorous scholarship – the gap between policy and academia will grow.  While it is true that not many have published on the issue (as I admitted from the start here), the fact is many have been working on the issue recently and it is widely available in cyberspace, one would only need to search the recent ISA program for evidence.  Instead, as Kello puts it, “establishes guidelines for the scholar study of cyber conflict” himself, with little engagement or awareness of the volumes of interesting and new work going on the field.

No one would doubt we need more scholars working in the cyber security field; the issue is how we go about this research and on what terms.  For many, the introduction to the field has been to assume weakness and vulnerability, but these perspectives have yet to be documented in observed reality.  Stuxnet was largely a failure.  The Estonian Bronze Solider attack on 2007 did little actual damage and the widespread internet outages in Estonia were more of a precautionary measure by the Estonians.  Other major cyber incidents, such as the Russia attack on Georgia in 2008 were little more than nuisances in the wider picture of the conventional military campaign with which they coincided.

A key statement that Kello makes is that while cyber weapons are not overtly violent, their use expands the range of possible harm in the system.  This is remarkable contradiction within one sentence.  This follows the typical path of cyber security scholars in that they recognize the limits of cyber violence (i.e. the translation from digital to physical violence), but at the same time suggests that this also allows for an expansion of possible methods of harm.  Violence is violence, pure and simple.  For Kello the problem with cyber weapons is the expansion of possible avenues of harm to non-combatants.  I see this as a positive development, because harming civilians is clearly a bridge too far in modern international interaction and will thus restrain cyber actions (a major point of my book).  The dialogue between Obama and the military over the use of Stuxnet in Sanger’s Confront and Conceal is enlightening of this discourse.  Expanding possibilities of harm is not a threat in and of itself, it is a threat if the norms in the system allow civilian harm by external powers, but they do not or are at least in decline.  That Obama was deeply concerned with civilian harm and limiting damage to non-combatants is heartening.

The article ends on a treatise of the merits of the attack versus defense.  Cyber defense is hard, a statement that does not require much dissection.  The problem is that in this version of the cyber security field, there are only two options, offense and defense.  This leaves out resiliency, redundancy, deterrence, and restraint.

Kello’s article is disastrous for its conjecture, its illogical and misapplied statements, and selective reading of the cyber security scholarship.  It serves as an example of what not to do for future scholars.  Don’t speculate based on limited information.  Don’t write an article based on conjecture.  Don’t publish something critical of the entire field for not doing what they paradoxically are already working on.

There are many odd things in the Kello article, like the suggestion political scientists avoid cyber security because of the high bar of technical knowledge (a problem that certainly has not stopped generations of scholars from writing about war without experiencing it).   He advances a strawman argument that some people argue that the cyber threat does not warrant investigation (a point there is little evidence for).  His version of theoretical development relies on “reducing complex empirical facts to a manageable degree of simplicity” without either making things simple or even evaluating empirical facts.

I should be supportive of the Kello article because I agree that cyber scholars should engage the cyber issue more and that it is possible to collect cyber data, a point he makes.  Our differences relate more to the use of theory, the selective engagement of a very wide and developing branch of IR scholarship, and the reliance on perceptions of threat and change that have little evidence in reality or theoretical plausibility.  This is why the Garztke article in the same issue of International Security is so important.

Gartzke brings us a bit back down to earth, in the “Myth of Cyber War”, Gartzke is able to effectively counter many of Kello’s grandiose statements with careful and rational thought.  It is amazing how the article reads like a dialogue to counter the other even though they were developed with little awareness of each other.

Gartzke’s main point is that “predictions about the nature or significance of cyberwar generally commit a common fallacy in arguing from opportunity to outcome, rather than considering whether something that could happen is likely at all.” Put simply, we cannot let what could happen distract us from making predictions about what will happen.  There is a great divergence between what is possible and what is probable.  All kinds of situations are possible, zombies, aliens, rampaging teddy bears and their duck armies (sorry, bad dream), but none of these things are probable.

The point for Gartzke is that there is little benefit from taking severe cyber actions because the payoff is so tenuous.  We must consider the exchange between consequences and benefits in our constructions of how the world works.  As Gartzke argues, cyber coercion is limited because the threats are not credible, demonstrating power actually becomes a military weakness, the inability of cyber actions to impose total pain on the target, and the need for cyber actions to be supported by conventional military operations to make the payoff rational.  It is important to read the Gartzke article to understand how he is able to make such sweeping claims.   He thus argues that “it is far from clear that the internet is transformational in military terms, let alone revolutionary” and cyber defense is more available than the offense, points directly countering the suggestions of Kello.

Gartzke ends his article by arguing the real fear is in cyber espionage.  This is the true domain of the cyber problem.  “The internet makes it possible for the spy to telecommute.” This suggests that this rush to place cyber technologies in an offensive and defensive framework really misses the real danger of cyber actions.  We have seen a dramatic expansion of the ability of states to spy on other states and their own citizens, yet we rush to put this development in the context of war.  The development of cyber espionage is not a transformation of the system, but more of the same with new methods.

Finally there is my own contribution (if you want to cite, and of course you do, its Valeriano, Brandon and Ryan Maness. “The Dynamics of Cyber Conflict between Rival Antagonists, 2001-2011” Journal of Peace Research  51(3): 347-360), which does exactly many of the things Kello asks for and was published in short form in Foreign Affairs back in the end of 2012.  Kello notes one of the concerns of the cyber skeptics is the lack of data and cases of cyber actions to analyze.  (Which begs the question how can we suggest a new cyber conflict future is emerging if there are no cases to support such a contention?)  I felt this was an empirical question, and with my coauthor and partner in crime Ryan Maness, we set out to collect data on all publicly known cyber incidents and disputes.[1]

Collecting cyber data is tough proposition.  Many were skeptical it could even be done given the supposed classified nature of cyber actions.  We did not let these concerns deter us from trying and set out to collect our data using traditional Correlates of War methods, gather as much evidence and sources as possible to connect the dots.  Sometimes datasets do not work out as intended, as I learned when I tried to collect a global immigration dataset, but if you have some experience, good help, and are through; collecting data does not have to be an impossible proposition.

Depending on how you frame the data, we found very little evidence of cyber actions in the international system during what might be called the early era of cyber activities.  Using interstate rivals as a data investigation strategy, but not confining ourselves to rivals alone, we find 20 dyads engaged in cyber conflict with 111 incidents and 45 disputes (this is a bit of an updated count as reflected in our book manuscript).

We argue that cyber powers have showed a remarkable amount of restraint when engaging in cyber conflict.  The average severity, out of 5, is 1.65.  In addition, most cyber actions appear to be regional actions connected to traditional foreign policy issues and territorial disputes.  The idea that cyber represents a completely new domain and diverges from traditional international relations questions is not a contention one can make with our data.

In looking at this recent set of articles about cyber security, what do we know?  For one, there is much debate as to the nature of cyber conflict and cyber warfare.  The empiricists and rationalists are skeptical given the theoretical and functional limitations on cyber actions.  Avoiding the hype and the rush to justify a new domain, it is tough to argue that cyber conflict represents a new way of warfare, will proliferate in any meaningful way, or diverges from international relations concepts as currently constructed.  In fact, those that promote the cyber threat and a future way of warfare mesh pretty well with some forms of traditional realist thought, just making the point that we are seeing not a new way of warfare, but traditional international relations field dividing lines coming to fore in recent scholarship in the cyber realm.

My own perspective is the cyber security future is an open question.  We should avoid conjecture without evidence because it is dangerous.  Making policy based on worst case scenarios is problematic.  We must first guard against the mundane, the typical in cyber security.  This means that concepts such as redundancy, resiliency, and pragmatism should dominate, but this also leaves room for other interpretations.  Looking at the data we collected, one could also argue we have seen the birth of a new future of conflict studies.  Your perspective is determined by where you sit and what you got you there.  If you are a realist, fear and threat motifs dominate.  If you are an empiricist that argues that war is either in the error term or is in decline, you might view the current cyber era positively because restraint might dominate.  The future is really up in the air here, the goal should be to leverage our understandings, techniques, and abilities in a responsible manner.

Cyber security  is an interesting avenue for new scholars to pursue since there is so much untended ground in the cyber security field.  We have started to really engage the cyber conflict question, what about cyber repression, cyber activism as it relates to civil conflict, cyber human rights violations, and the future of war in light of cyber weapons.  There is much ground to till.  As teachers and educators, our job is to give students and analysts the tools to examine the evidence as it is.  That is the best we can hope for.


*There are two issues here, one, the data is what is publicly known.  We obviously cannot code what we do not know about.  Is this a real limitation to the data?  I suggest not because of the need to justify the cyber domain, the loose lips in government and industry, the interest of the media, and the need for cyber security professionals to tout their capabilities.  For these reasons, I am skeptical about the issue of missing cyber data.  But that is an open empirical question and all datasets are a work in progress.  New cases need to be added to through time.  Our data is a snapshot of the current era of cyber conflict.