Published by The Lawfare Institute
in Cooperation With
Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.
Those observing the cyber domain have strong beliefs regarding the potential for escalation in cyberspace. But, though understanding escalation is critical for managing risk as new cyber strategies are implemented, the community knows very little about escalation patterns in this domain. Without a firm grasp on the potential for escalation, the United States will be unable to contain the fallout when assertive operations are conducted.
Comprehending when action is risky and when factors might promote an increased risk of escalation is essential in the cyber domain. Under the strategy of layered cyber deterrence, the United States seeks to minimize the risk of escalation by maintaining forward defense, imposing costs to avoid action, seeking to create resilient defensive networks, and communicating shared standards and norms in the international system. The Cyberspace Solarium Commission considered escalation in designing its strategy, which seeks, in part, to minimize escalation risks in cyberspace.
What Is Cyber Escalation?
The modern study of crisis escalation emerged during the Cold War through the examination of strategic competition as a bargaining process. Bargaining involves both implicit and explicit threats of violence that seek to achieve the maximum benefit relative to the perceived costs and risks inherent in escalation. In a bargaining situation, escalation results when one side tries to demonstrate resolve and “win” by increasing directed efforts or violence in the diplomatic, military, information or economic domains.
In the view of Herman Kahn, the key theorist on escalation in conflict situations, escalation can result in situations that represent a competition in risk-taking. Kahn maintains there are three ways to escalate: by increasing intensity (that is, more violence), by widening the arena (known as horizontal escalation), or by compounding escalation (meaning attacking allies and compatriots).
Accordingly, perceptions matter a great deal for escalation dynamics. Actions taken to ensure your security can actually decrease security if the opposition perceives a decrease in its power, which then moves the opposition to increase and assert dominance in a relationship. Moves taken to assert escalation dominance can backfire if the attacking state is not clear about its demands and the limits of its aggression.
If escalation is defined as an increase in the nature or intensity of a conflict, then extending escalation theory to cyberspace would include situations in which “the target responds with more intense and costly cyber means (cyber escalation within the domain) or through breaching the cyber-kinetic threshold (cross-domain escalation).” Martin C. Libicki simplifies cyber escalation into two factors—intensity (striking deeper, lasting longer) or more extensive (striking new targets)—and adds the consideration that “attacks can jump from cyberspace to physical space.”
Endemic competition is critical to creating the conditions for conflict and escalation. Without the competitive and interactive context, there is no dilemma, only action without reaction. Therefore, understanding the dynamics of international conflict and diplomacy outside of the cyber domain is critical to estimating the probability of escalation within cyberspace.
Cyber Escalation Patterns
Understanding escalation processes requires, in turn, a better understanding of the empirical patterns that provide clear descriptions of how cyber conflict works in the domain. Failing to recognize patterns limits understanding of what is out of the ordinary, because there is little comprehension of what is “normal.”
Without a clear grasp on how escalation and response patterns work in cyberspace, policymakers and analysts are operating blind when constructing strategies that seek to control escalation and maintain stability. It is akin to making rules for operating a motor vehicle without having driven a car before. Greater efforts to understand the patterns of escalation in cyberspace can only lead to better strategies for how to operate in this domain without triggering international conflict.
Erica Borghard and Shawn Lonergan suggest that cyber operations are “poor tools of escalation” offering four considerations: the potential absence of offensive options during a time of need, uncertain effects, trade-offs such as the one-shot nature of the weapons and tool spillover, and the limited costs that cyber operations offer. Cyber operations, they suggest, often fail to operate as tools of strategic dominance in international confrontations. Benjamin Jensen, Ryan C. Maness and I went further: After conducting analysis on known cyber actions between rivals from 2001 to 2014, we suggested that “cyber strategies can be viewed as ambiguous signals that limit escalation. Escalation in cyberspace is likely a function of norms, past behavior, and resolve rather than capability leveling.”
A few patterns of escalation have been explored thus far. First, the cyber domain is not escalation dominant. Most cyber operations exhibit no responses, let alone escalatory responses, that prevent future action. Second, there are vastly different escalation patterns based on nationality or state. There is no uniform view of how escalation should work in cyberspace. We polled the public-at-large in Russia, the United States and Israel, and found that Americans prefer proportional responses, while Russians prefer escalatory or deescalatory response patterns. Assuming uniformity in responses across nationalities is folly. Third, there is a danger of escalation in cyberspace when a power with technological superiority attacks a state lacking technological capabilities. A feeling of inadequacy likely provokes an escalatory response to keep control of a situation.
When escalatory options are used, they tend to appear in ongoing conflict situations, such as Israel’s kinetic attack on Hamas cyber operators in 2019. Placed in the proper context, these cross-domain operations are not escalatory but, rather, are deescalatory when compared to other kinetic operations being run or considered at the same time—such as a massive retaliatory bombing campaign or a ground operation to root out terrorist operators.
Strategies to Minimize the Risk of Escalation
U.S. policy on cyber escalation is speculative under persistent engagement. According to Michael Fischerkeller and Richard Harknett, there are only two observable escalatory operations, Stuxnet in 2010 and the German steel mill attack in 2014. The Stuxnet case is escalatory when viewed within domain context, moving from the probing exercises of Stuxnet 0.5 to 1.0 where the centrifuges were attacked is clearly escalation within domain, but it is not interactive escalation. Iran’s responses were to attack American financial networks with minimal effect and a proportional attack on the Saudi gas giant Aramco. Within an interactive framework between rivals, Stuxnet was deescalatory, since at the same time Israel was demanding a conventional strike on the Natanz plant. Stuxnet was an off-ramp to war.
Fischerkeller and Harknett note that “if/when the United States adopts a strategic approach of persistent engagement, an entirely new strategic space that has heretofore been unexplored for interaction and escalation dynamics is laid bare.” This suggests that persistent engagement as a strategy is an untested concept put into operation—which is troubling from a strategic perspective, where viability and feasibility should be paramount before implementation.
The underlying logic of persistent engagement is that through competitive interactions, states will establish a ceiling of operations and avoid escalation. The precision of cyber operations will limit the intensity of cyber actions, thus limiting escalation. Overall, the field has found the effect of cyber capabilities limited, making it difficult to find if a demonstration strategy forestalls escalation. In fact, the uncertainty around the impact of cyber actions, not precision, forestalls escalation rather than enables it.
Defend forward, as a strategy, is not necessarily escalatory in and of itself. Rather, escalation depends on the conditions of the crisis and who is involved. Defending forward against adversaries who do not possess cyber response options could be triggering. It may be likely that attacking a state over and over again with cyber options will provoke dramatic escalation after a certain point, much as the international relations scholarship has found previously. Punch me once, shame on you; punch me twice, shame on me; punch me three times and it is cyber war.
The continuing policy dilemma for the U.S. is how to ensure that escalation is not the dominant response to cyber operations. The low risk of cyber escalation does not remove the possibility that escalation can happen. It might even become more common because of the dangers of misperception of intentions that offensive doctrines can engender.
Clearly signaling intentions is critical to make theories of defending forward a positive force in escalation management rather than escalatory. This is exactly the concern that Fischerkeller and Harknett note: They write that, “in certain scenarios, covert cyber operations designed to generate well-directed effects that only leadership are able to detect would send a message of resolve but may also create an environment more conducive to de-intensification and non-escalation.” Tailored messages preceding or running concurrently with persistent engagement are critical to managing escalation risks. Yet how signaling works in cyberspace is not well specified.
Escalation could result in an accumulation of crises in a short time period between two adversaries. What matters is the buildup of grievances over time. It would be unwise, therefore, to suggest that defend forward operations are without escalation risks. As Schneider notes, technology decreases the need for first-strike actions but increases uncertainty because of the dependency that states now have on information. This can exacerbate conflict. So the fact remains that substantial risks are involved in forward action.
We are in unexplored territory here. There is a high risk of inadvertent escalation if defend forward operations are not signaled accurately. Defending forward is not an escalatory strategy, yet operations at the contact layer can be considered as such by the opposition if not carried out in parallel with efforts to communicate intent. For the strategy of defend forward to work as a method of fostering stability in the domain, it must be expressed as such through strategic communications indicating that operations are meant to manage risk rather than operating as risk-taking strategies.