The United States will likely find itself in the middle of a cyberspace crisis, or cyber crisis, because the reported number of cyber incidents is increasing while the risks arising from cyberspace are perceived as growing more consequential, according to a recent report released by the RAND Corp.
In his 2012 report prepared for the Air Force, “Crisis and Escalation in Cyberspace,” RAND senior management scientist Martin Libicki described a cyber crisis as the escalation of tensions associated with a major cyber attack, suspicions that one has taken place or fears that an attack may take place soon. Libicki defines crisis as an event, or events, that forces a state to take relatively quick action or risk the consequences of inaction.
Libicki said the United States can manage a cyber crisis by taking steps to reduce incentives for other states to step into such a crisis, controlling the narrative and managing escalation if conflicts arise from crises. Libicki said the United States can reduce incentives for other states to get involved in a cyber crisis by creating norms, or accepted standards of behavior. While norms may be unenforceable or amount to lip service, Libicki said norms like obligations to assist investigations of cyber attacks can help build mutual confidence and put nations on record against certain behaviors.
Libicki also said the secretive, often incomprehensible and frequently ambiguous nature of cyber operations allow states to drive perception using narrative. Libicki said the lack of physical violence in cyber warfare also allows narrative to frame events. Libicki said since the level of cyber knowledge, much less expertise, in government is quite low, this gives both state and non-state actors an opportunity to shape perceptions as they want until people become more savvy.
“Until then, states, non-state actors and partisans on all sides have a great opportunity to make something of nothing or vice versa,” Libicki said. “If cyber war becomes more consequential, look for states to avail themselves of such opportunities more often.”
Libicki said there is no substitute for careful and nuanced understanding of other states because anticipating how the other side will react to one’s cyber actions is a core focus of escalation management. Libicki said local commanders are more likely than remote ones to have such an understanding. Libicki also suggested “tit-for-tat” strategies can also be a way of managing the other side’s escalation, though he said strategic cyber war is inherently escalatory.
Libicki said there were numerous ways the Air Force could contribute to assisting cyber crisis management. The Air Force should, for starters, find ways of conveying to others that it can successfully carry out missions in the face of a full-fledged cyber attack, lest adversaries come to believe that a large-scale, no-warning cyber attack can provide a limited, but sufficient, window of vulnerability to permit non-cyber operations. Libicki said the Air Force should also “carefully watch” the messages it sends out about operations, both explicit and implicit. Libicki said since cyber is an “indoor, and not outdoor” arena, it may be hard to predict what others will infer about offensive Air Force operations in cyber.
The Air Force should also consider how cyberspace plays in its own master narrative as a source of potentially innovative alternatives to military and national security objectives, Libicki said. Libicki added it is self-evident that Air Force operations support, rather than contradict, such a narrative.
Libicki said the Air Force should develop itself as an independent source of expertise on cyber warfare because it needs a precise understanding of how potential adversaries would perceive the escalatory aspect of potential cyber operations. More work on this end, with particular attention to specific foes, is warranted, Libicki said.
Read the report here: http://bit.ly/TNefGj