Armed Conflict Cybersecurity & Tech

What Are The Important Cyber Conflict Questions (and Answers)?

Paul Rosenzweig
Saturday, June 18, 2016, 5:04 PM

As I mentioned earlier, this past week I was privileged to attend a conference on the State of the Field in the study of Cyber Conflict sponsored by the Columbia School of International and Public Affairs and the Cyber-Conflict Studies Association.

Published by The Lawfare Institute
in Cooperation With

As I mentioned earlier, this past week I was privileged to attend a conference on the State of the Field in the study of Cyber Conflict sponsored by the Columbia School of International and Public Affairs and the Cyber-Conflict Studies Association. The idea behind the conference was to bring together more than 30 experts to assess the state of the field from an academic perspective and a practical one. The signal-to-noise ratio of the discussion was quite high -- unusually so for academic conferences. As a result it was truly an unique conference -- for example this was the first time that I am aware of that a significant portion of the professional historians who are studying the history of cyber conflict got together. The discussion, which was conducted under Chatham House rules, ranged from the history of the telegraph to this past weeks hack of the DNC, and covered everything in between.

Our goal was to identify the key questions in the field and then assess what progress has been made (or not made) in answering these questions since we first identified them.

Some conclusions were relatively easy -- we acknowledged, for example that the publication of the Tallinn manual was a significant, perhaps even transformative, step in applying the laws of armed conflict to cyber. Most at the conference were, likewise, convinced based on the evidence of the past year or so that the question of the viability of norms in cyberspace had been settled. There is much to say about their efficacy and their content, but given how many of them have been adopted in the past year (one participant called 2015 the "year of the cyber norm") the idea that they cannot even be contemplated in the cyber domain has been fairly well answered.

But, candidly, from my personal perspective that's about it. Almost all of the other questions we identified had yet to be answered. Many had not even be considered in any rigorous way. Given that there were 35+ experts; 6 panels; 3 plenary discussions and plenty of side discussions over coffee and wine, it will have to await the conference proceedings (due out in the Fall) for a comprehensive listing. Herewith a few of the questions and issues that caught my attention and interest (in no particular order):

  • How do we define cyber power? In other words, how do we measure who is stronger (or weaker) in the exercise of cyber force? In this domain we lack any equivalent to counting tanks or airplanes. What are the alternative measures?
  • How does the mechanism of deterrence function with respect to non-state cyber actors? Do those groups possess sufficient characteristics of rationality and heirarchy that deterrence, escalation and compellance practices can work?
  • What is a cyber weapon? Without a working definition, is cyber arms control possible?
  • What do we know of the sociology and psychology of non-state groups? How are the organized (if they are organized at all) and how do they function?
  • What are the long term strategic prospects for maintaining the unified, ubiquitous nature of the network? If that changes (see Great Chinese Firewall; data localization; etc.) how does that effect America's strategic posture in the domain?
  • What do we know about the cyber doctrine and military structure of our adversaries and allies? While we may have some sense of Russian and Chinese actors, do we have any understanding of other actors (Syria, Iran, Israel, Germany, etc.)?
  • Now that we have a normative statement about the application of the laws of armed conflict to cyber space (in the Tallinn manual) how do those principles apply in practice? Are they effective or not?
  • What law governs information conflict of the sort evolving from, e.g. ISIS's use of social media for propaganda and recruitment? As a tactical matter how successful (or unsuccessful) have efforts to conteract that use of social media been?
  • How can or should cyber capabilities be used in peace operations? What laws, principles and norms would control?

And that's just a small sample. As you can see, the area of conflict studies is rich and relatively unmined. Many excellent theoretical questions (often ones with great practical import) have yet to be considered in any rigorous way. I look forward to returning to the conference next year and seeing what progress has been made.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare