What War Games Tell Us About The Use Of Cyber Weapons

Uploaded on 2018-07-02 in INTELLIGENCE--USA, GOVERNMENT-National, GOVERNMENT-Defence, FREE TO VIEW, NEWS-Cybersecurity News

Recently, Jason Healey a senior research scholar at Columbia University’s School of International and Public Affairs and past  member of the USDefense Science Board’s task force on cyber deterrence has argued that “there is now a well-documented instance of cyber deterrence,” pointing to a report of conversations within the Obama administration. 

Some White House officials argued against a cyberattack, citing asymmetric vulnerabilities in tit for tat engagements within the cyber domain. Healey highlights a powerful example of cyber restraint within the Obama administration, but is it deterrence? 

The United States has also exercised restraint in the nuclear domain, but it is unclear even now whether that restraint is a result of adversary deterrence efforts or a normative nuclear taboo. So what is driving the cyber restraint Healey identified?

In order to understand the motivations behind cyber behaviors, a longitudinal analysis of strategic war games was conducted at the US Naval War College from 2011-2016. These free-play games, which feature 150-200 U.S. government experts and senior leader players, situate players within crisis scenarios and then allow them to play all instruments of national power to resolve the crisis. 

Over the years, these war games varied the adversary, the intensity of the crisis, and the players. Like the evolution of cyber operations in real life, the way cyber capabilities were designed in the games evolved in complexity, representing the institutions and capabilities that developed from 2011 to 2016. Bottom line: a lot of things changed between the games. 
However, what remained remarkably consistent across the games was how players utilised cyber operations. In five of the six games, players launched offensive cyber operations only after conventional weapons conducted destructive attacks. 

Additionally, players were more willing to place systems on nuclear alert than to launch cyberattacks or even cyber-enabled information operations. Over and over players cited concerns about escalation in their cyber restraint, articulating fears that cyberattacks could “lead to nuclear war.” 

Further, in all of the six games, despite large scale adversary cyberattacks (up to nuclear effects in allied countries), none of the “blue” teams chose to respond to cyber-attacks. In one game, a player explained, “this is cyber, it’s different psychologically.” 

In all of these games, players were told who had attacked them in cyberspace, essentially priming them for retaliation. The lack of support for retaliation in these games is, therefore, especially compelling.

This research suggests two types of restraint: restraint in using cyber operations and an overall restraint in responding to cyber operations. 

What causes this restraint? Is it deterrence or is it a cyber taboo?  These games couldn’t definitively answer this puzzle, but they do suggest a series of potential hypotheses about cyber restraint. 

First, restraint in utilizing cyber operations could be a uniquely US phenomenon tied to a perception of asymmetric cyber vulnerabilities combined with overwhelming conventional superiority (what Healey’s article alludes to). 
In other words, why open the Pandora box of cyber operations when the United States has the option to respond to any significant problems with economic punishment or military might? 

A secondary hypothesis suggests that cyber restraint derives from a false cyber-nuclear equivalency in which the institutional legacy of Strategic Command and the narrative of “strategic” cyber weapons has led to an extension of the nuclear taboo to the cyber domain. 

These hypotheses are largely agnostic to the adversary, mainly because the games analysed, featured different adversaries with different cyber, conventional, and nuclear capabilities. Restraint was consistent despite these threat differences, suggesting that cyber restraint was not a product of adversary-tailored deterrence but instead internally derived incentives.

Perhaps more puzzling is why these games also show restraint when responding to cyber operations, a phenomenon not found in the nuclear domain. 

Once again, this could be a strictly US form of restraint, in which the United States, as the largest economic and military power, can withstand significant cyberattacks without retaliation because it relies on a greater conventional and nuclear superiority. However, there could be a more generalisable explanation which links cyber restraint to emotions and argues that the virtual and novel threat of cyber operations fail to generate the kind of fight or flight gut reaction created by more evolutionarily-primed threats. 

If this final hypothesis is true, then the restraint in cyber response may permeate beyond US borders and suggest that cyber operations are highly unlikely to lead to escalation in other domains.

Finally, the one war game which did not display cyber use restraint has important implications for foreshadowing the long-term strength of the cyber taboo. 

In that game, the player leading the blue team executed an extraordinarily risk-acceptant “escalate to dominate” strategy that featured early first use of cyber-attacks against a series of domestic and military targets followed by a large-scale conventional offensive. 

This game highlighted how important the risk proclivity and personality of leaders are to when and how cyber operations are used. 

Previous research highlighted the large role that risk aversion played in the Obama administration and restraint across a series of domains. The Trump administration is much more risk acceptant, which may lead to less incentives for self-restraint in cyber-space.

CouncilOnForeignRelations:      Journal of Conflict Resolution

You Might Also Read: 

AI In Conflict: Cyberwar & Robot Soldiers:

AI Increases The Risks of Nuclear War:

 

« Cyber Attackers Tunnel Into Financial Services Firms
Get Started with Predictive Analytics »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Arista Networks

Arista Networks

Arista Networks is an industry leader in data-driven, client to cloud networking for large data center, campus and routing environments.

CyberSecurity Malaysia

CyberSecurity Malaysia

CyberSecurity Malaysia is the national cyber security specialist agency under the Ministry of Science, Technology and Innovation (MOSTI).

CANVAS Consortium

CANVAS Consortium

The CANVAS Consortium aims to unify technology developers with legal and ethical scholar and social scientists to approach the challenges of cybersecurity.

SafeCharge

SafeCharge

SafeCharge is a global provider of technology-based multi-channel payments services and risk management solutions for demanding businesses.

Secure Decisions

Secure Decisions

Secure Decisions focus on research and product development related to national security including information assurance, computer network defense, cyber security education, and application security.

NetDiligence

NetDiligence

NetDiligence is a privately-held cyber risk assessment and data breach services company.

Australian Cyber Collaboration Centre (Aus3C)

Australian Cyber Collaboration Centre (Aus3C)

The Australian Cyber Collaboration Centre (Aus3C) is committed to building cyber capacity and securing Australia's digital landscape.

SuperCom

SuperCom

SuperCom are a global secure solutions integrator and technology provider for governments and other consumers facing organizations around the world.

DAtAnchor

DAtAnchor

Anchor is simply a better way to protect and control sensitive data. Zero-trust, data-centric security. Simplified.

OSI Security

OSI Security

OSI Security's primary services include penetration testing, security auditing, web application security testing and risk management.

Etisalat and (e&)

Etisalat and (e&)

Etisalat Group is one of the world’s leading telecom groups in emerging markets.

Aeries Technology

Aeries Technology

Aeries is a technology services organization offering capabilities in Technology Services, Digital Transformation, and Business Process Management.

Netsurit

Netsurit

Managed IT, Cloud, and Security Services. Netsurit is Your IT Innovation and Digital Transformation Accelerator.

CyberEPQ

CyberEPQ

CyberEPQ (Cyber Extended Project Qualification) is the UK’s first and only Extended Project Qualification in Cyber Security.

True Corporation

True Corporation

True Corporation is Thailand’s leading Telecom-Tech company, empowering people and businesses with connected solutions that advance society sustainably.

SiyanoAV

SiyanoAV

SiyanoAV's range of antivirus products delivers strong protection against various cyber threats, including malware, ransomware, phishing schemes, and beyond.