From Arms and Influence to Data and Manipulation: What Can Thomas Schelling Tell Us About Cyber Coercion?

On July 22, 2016 hackers suspected of links to the Kremlin passed thousands of emails stolen from the Democratic National Committee (DNC) to Wikileaks. According to the U.S. Intelligence Community, the hack—along with a wave of propaganda circulated online—was part of an information warfare campaign designed to weaken faith in U.S. political institutions and potentially swing the election in favor of Donald Trump.

Information warfare campaigns of this kind—combining data stolen from cyber-attacks with propaganda modified for a world scornful of facts—are here to stay. We are standing at the precipice of a new era of strategic competition. Unfortunately, the strategist best suited to guide us in this new world died on December 16, 2016. Nobel laureate Thomas Schelling’s seminal work on strategy and bargaining theory provide a language to understand modern information warfare. In Schelling’s writings, we find a logic of coercion that can help us understand the changing character of cyber conflict.

Schelling on Coercion: Influence and Risk

In his seminal work, Strategy of Conflict, Schelling argues that strategy in the nuclear age was less about the application of force and more about the “exploitation of potential force.” Competitors sought to coerce each other through threats. The power to make threats was not reducible to capabilities or clear commitments alone. Rather, one could also gain leverage through deception and bluffing. That is, you could manipulate the other party and gain a concession. The art of strategy involved constraining an adversary’s attacks by manipulating their expectations of costs and risks.

In Arms and Influence, Schelling further elaborates on a vision as shifting from an “application of brute force” to a “diplomacy of violence” through coercive threats and competitive risk-taking. According to Schelling: “It is a tradition in military planning to attend to an enemy’s capabilities, not his intentions. But deterrence is about intentions—not just estimating enemy intentions but influencing them.” In short, one can make up for a lack of strength with demonstrated resolve and a persuasion.

For Schelling, “it is the essence of a crisis that the participants are not fully in control of events; they take steps and make decisions that raise or lower the danger, but in a realm of risk and uncertainty.” As each side threatens one another and seeks a position of advantage, leaders ask themselves if they are willing to risk pushing a crisis closer to war for a small concession. This uncertainty elevates the role of risk in strategy. “The fact of uncertainty,” Schelling goes on, “not only blurs things, it changes their character. It adds an entire dimension to military relations: the manipulation of risk.”

As applied to Russia, for example, we find the state routinely signals its willingness to assume more risk through snap exercises, resumed long-range air patrols, and escalating threats by its political elite. By using intermediaries and the connectivity of the West—from the Internet and social media to 24-hour “news”—to disrupt the elections indirectly, Moscow further increases the risks Washington confronts in countering their actions.

Towards a Theory of Cyber Coercion

The DNC Hack is a crucial case for understanding how coercive tools are used in cyberspace. The crisis reflects typical behavior between rival adversaries. In probing the adversary for weaknesses, Russia sought to exploit information to gain a position of advantage. Based on early Soviet ideas about psychological warfare and reflexive control, Kremlin operatives likely assessed that they could influence events in the election by dismissing, distorting, distracting, and dismaying the public through circulating the leaked emails coupled with “fake news.” Undermining American resolve has the potential to lift sanctions and undermine NATO––key Russian policy objectives consistent with their geopolitical vision of a Yalta-like world divided up into spheres of influence. The information warfare campaign also had a secondary benefit: it showed the Russian populace just how messy democracy can be and why a Moscow Maidan is not a great idea. This Russian information warfare campaign seems to highlight a modern twist to political warfare.

In our developing work on cyber coercion, we consider a typology of three influence types: disruptions, espionage (manipulation), and degradation campaigns. These event types are divided up by the intent of the attack, the typical targets, and severity of impact. We advocate looking at cyber-attacks not as isolated attacks, which would number in the thousands, but as the accumulation of various attack methods into incidents. Taking this perspective suggests the DNC hack was an espionage attack that the Russians exploited through a broader information warfare campaign to achieve influence. The hack was a modern form of coercion.

The DNC case also highlights that cyber power, like other instruments of power, works best in combination with other forms of coercion. These coercive combinations together change the relative threat of force and increase the probability of generating a concession. Cyber actions often occur with the support and collaboration of other attack methods. Russia constantly signals its resolve to confront the United States and NATO militarily if necessary. Kremlin associates and insiders have repeatedly escalated their aggressive rhetoric in response to changes in frontline state posture—such as if Finland joins NATO or US Marines increase activity in Norway—and political events, such as the threat of war if President Trump lost the election. Against the backdrop of these threats, the cyber-attacks offered a supporting coercive instrument by flooding the media cycle with hacked emails and Russian-backed propaganda campaigns. Cyber was one component of a larger coercive campaign—more than espionage, but less than war.

While it is difficult to determine the extent to which the attack altered the political outcome in the United States, Russia’s information warfare campaign achieved a broader coercive objective. The campaign altered the balance of risk in future crises with the United States without incurring a significant repercussion.

There was little assurance that Russia thought it would succeed in its campaign. President Trump’s own team did not think he would win on the day of the election. In fact, there were many reports that Russia stopped the hacking activities after being warned privately by President Obama last September. No poll thus far conducted has shown that WikiLeaks had a significant impact on the ballots cast by American voters (though a recent Morning Consult/POLITICO poll showed that, among Republicans, support for the recent Vault 7 CIA leaks rose when the organization was mentioned as the source behind the leaks). Yet, every major media outlet reported the news from WikiLeaks with little consideration of where the information came from, WikiLeaks was a top trending topic on Facebook, and the information dumps paradoxically became an important (imagined) source of information for actual fake news.

If the attack didn’t tip the election in a direct sense, what did it achieve? In all likelihood, the attack was about more than the low-probability, high-payoff near-term objective of installing a pro-Kremlin leader in the White House. The attack objective concerned, to use Schelling’s terms, “exploiting potential force in future crises and manipulating risk.”

Cyber power can be a form of bargaining power, used to compel an adversary with the threat of punishment now or in the future; but it is difficult, costly, and takes time to achieve results. In fact, truly compelling action with near-term measurable effects is rare in cyber operations. In our updated data of cyber coercion campaigns, we coded only 12 concessions out of 165 cyber-incidents from 2000 to 2014.

Furthermore, the story of these 12 events is much more complicated than an observable change in behavior due to cyber coercion in isolation. For example, take the Stuxnet and Flame attacks against Iran and its nuclear infrastructure. What changed Iranian behavior—in this case pushing them to negotiate—was the combined effect of lifting sanctions, restoring frozen assets, and a diplomatic opening, alongside targeted assassinations against nuclear scientists and the threat of an air campaign.

Cyber Coercion and the Changing Character of Strategic Competition

The DNC hack is a harbinger of a new period of strategic competition. Cyber coercion will increasingly be a tool of statecraft. Just as nuclear states used political warfare—from propaganda to economic coercion—to coerce one another without risking nuclear escalation, states will use cyber coercion to probe one another and change the projected risks and costs of escalation. This form of confrontation will rarely be decisive. Just as there was no victory in the nuclear age, decisive outcomes in cyberspace will be rare.

Exerting direct influence through cyber power is difficult, but collecting information, sniping at the enemy, and eroding confidence in institutions will be easy as along as the population has little trust in their government and little ability (or willingness) to sort fact from fiction. Even if cyber coercion fails to topple governments, it will erode confidence and manipulate risk by dividing domestic populations and reducing their will to resist. Therein lies the real danger.