H-Diplo | Robert Jervis International Security Studies Forum
Roundtable Review 16-17
Erica D. Lonergan and Shawn W. Lonergan, Escalation Dynamics in Cyberspace. Oxford: Oxford University Press, 2023. ISBN: 9780197550885 (hardcover, $99.00).
6 December 2024 | PDF: https://issforum.org/to/jrt16-17 | Website: rjissf.org | Twitter: @HDiplo
Editor: Diane Labrosse
Commissioning Editor: Jennifer Erickson
Production Editor: Christopher Ball
Pre-Production Copy Editor: Katie A. Ryan
Contents
Introduction by Robert Mandel, Lewis & Clark College
Review by Gil Baram, University of California Berkeley
Review by Lennart Maschmeyer, ETH Zürich, Center for Security Studies
Review by Jacquelyn Schneider, Stanford University
Introduction by Robert Mandel, Lewis & Clark College
Although for over a quarter century an increasing number of states have acquired and used cyber capabilities, and cyberspace has become an increasingly important arena for international security interaction, far too many national intelligence and defense scholars, practitioners, and policymakers have sidestepped its vital role, either claiming that the technical barriers to entry are too great for them to directly assess its value or clinging to dismissive assessments that cyber operations will never constitute the central communication and influence channel in international relations. In today’s world, it is frankly way too dangerous and too irresponsible to consider cyberspace operations as anything other than a core component of global power politics. In that context, Erica Lonergan and Shawn Lonergan have crafted a landmark study exploring cyber operations’ security impact on interstate conflict and crisis escalation. Despite this topic’s under-exploration, the questions these authors raise seem crucial both to deep-context understanding by academic scholars and to wise actions and responses by government decisionmakers.
As with closely related, rapidly-changing digital technology areas, such as “big data” and artificial intelligence, most studies of cyberspace’s national security implications have tended to be broad, sweeping, and overly general in assessing future prospects. So, it is indeed refreshing to see the Lonergan and Lonergan study tackling the narrower issue of cyber operations and escalation, facilitating their ability through detailed case-study analysis to make much more carefully qualified judgments about causes, consequences, functioning modes, and security impacts. It is particularly praiseworthy to see that in examining cyber operations’ potential to trigger dangerous escalatory spirals threatening to transform into bloody real-world kinetic warfare, Lonergan and Lonergan sharply deviate from the common tendency to emphasize the most negative alarming fear-inducing scenarios or to construct ominous rigid cyber-escalation ladders[1] designed to be universally applied. Instead, taking into account broader insights about escalation from relevant literature, Lonergan and Lonergan appropriately identify the specific conditions under which cyber operations may have differing kinds of security consequences.
This book is decidedly iconoclastic. Most centrally, Lonergan and Lonergan highlight how, rather than serving to escalate hostility or war, cyber operations can counterintuitively serve a set of conflict-minimizing cooperation-maximizing purposes which up to this point have been exceedingly difficult to pursue successfully in today’s volatile multipolar global security setting. Jacquelyn Schneider underscores that Lonergan and Lonergan’s book’s primary thrust about cyber operations actually signaling willingness to avoid escalation could not be more opposite to early dominant fear-promoting widely accepted assertions preceding it. Schneider also nicely underscores how Lonergan and Lonergan effectively rebut the widely held notion that because cyber operations are characterized by secrecy and plausible deniability, the consequence is automatically escalation. Moreover, Gil Baram and Schneider comment that Lonergan and Lonergan strongly challenge the widely-held view that within cyberspace offense has the advantage over defense, reflected by the common complaint about how disconcerting it is to realize “how steeply new technology has tipped the balance in favor of those—from free-lance hackers to Russian mobsters to terrorists to states like China and Iran—who want to learn the secrets we keep, whether for national, corporate, or personal security.”[2] Furthermore, despite the wide consensus mentioned by Lonergan and Lonergan that cyber operations are poor cross-national signaling tools,[3] the authors constructively reveal when cyber operations are in reality most useful for this state-to-state signaling, including to deescalate crises, and indeed Lonergan and Lonergan’s emphasis on cyber operations’ capacity to serve as accommodative signals of restraint constitutes a major contribution to international bargaining theory.
This research undertaking is courageous in ways that go beyond its willingness to challenge widely accepted security assumptions. Lennart Maschmeyer underscores the key tradeoffs faced by Lonergan and Lonergan when undertaking rigorous social scientific research in a rapidly evolving technical field like cyberspace escalation. Although significant policy changes and groundbreaking technological advances have the potential to quickly render outmoded the conclusions that are reached, that should never constitute an excuse for burying one’s head in the sand and being unwilling to tackle such vital topics while waiting for stable behavior patterns to emerge and for voluminous previously confidential data to become available. So Lonergan and Lonergan are to be commended for their choice to enter the fray—especially with a counterintuitive central message—despite the inherent risks.
The perceptual nature of cyberspace escalation, acknowledged by Lonergan and Lonergan and noted by Baram, highlights that the interpretation of cyber operations can differ markedly in the eye of the beholder. One might well assume that because one state could misinterpret another state’s cyberspace actions, an unintended but nonetheless highly ominous action-reaction cycle could ensue. Yet Lonergan and Lonergan argue that such dangerous escalatory spirals are actually quite unlikely. In a related manner, Maschmeyer notes that the unpredictability embedded in cyber operations could over time cause risky state behavior to generate destabilizing collateral damage, with the inherent impact ambiguity preventing those who initiate offensive cyber operations from guarding against the full range of possible target responses.[4] Thus Maschmeyer legitimately calls for more consideration of the role of uncertainty on escalation in cyberspace.
The particular manner in which Lonergan and Lonergan delineate their research questions and gather their evidence is not without controversy, as voiced by the book’s reviewers. It is no surprise that Lonergan and Lonergan’s definition of offensive cyber operations involves tradeoffs: given the controversy surrounding sharply distinguishing offensive from defensive military behavior and weapons systems more generally, this distinction remains contentious in cyberspace, with Baram noting the authors’ arbitrary exclusion of computer network exploitation. Baram also points out the selection bias in Lonergan and Lonergan’s dataset, which is based largely on publicly reported cyber operations, and productively suggests that experimental war games could help remedy this deficiency. Last, Baram’s plea is well taken for the Lonergans to expand their research focus to incorporate more the intentions surrounding state initiation of cyber operations, for finding patterns here could unravel key uncertainties surrounding the timing and frequency of states’ foreign cyber operations.
The American cyberspace policy inconsistencies, which are noted in Lonergan and Lonergan’s response to Maschmeyer’s comments, are symptomatic of broader hypocrisy. The political leaders of many countries, including the United States, bemoan others’ offensive cyber operations while themselves undertaking similar kinds of offensive foreign cyber operations, usually covertly. Most states possessing relevant capabilities have not been reluctant—with purely defensive publicly-stated rationales—to engage in various forms of foreign cyber-intrusion, leading to intensified international cross-penetration: for example, even back in 2010 former American Assistant Secretary of Defense William Lynn suggested that over 100 foreign government intelligence organizations had been illegitimately trying to break into American defense networks.[5] Following security dilemma logic, a given state’s cyber-defense strategy, even if relatively restrained, can be seen by others as sovereignty-violating. Today’s tightly networked information systems can serve equally as weapons for penetrating foreign databases and as targets needing protection.[6] These patterns support Maschmeyer’s call for more consideration of the relevant parallels between cyber operations and foreign intelligence operations.
While Lonergan and Lonergan make clear that they stress systemic explanations for why cyber operations do not lead to escalation, and as Maschmeyer notes they do consider some alternative explanations, Schneider makes an important amendment to the authors’ conclusions by asserting that bureaucratic issues also contribute to cyber operations’ non-escalation, as for example cyber operations for intelligence purposes may limit the desirability of undertaking offensive escalatory cyberspace actions. This point is critical because systemic elements are not necessarily always more important or always require prior explanation relative to other contributors to cyber operations’ non-escalation.
This volume nicely sets the stage for follow-up research. First, in pursuing the premise that cyber operations can be used as a means of deescalating cross-state tensions, the hope is that subsequent studies will flesh out exactly when and how this could occur effectively and legitimately in state policies, with an underlying question surfacing about under what conditions government security decisionmakers would choose to use cyber operations as a primary means to pursue this stabilizing objective. Second, rather than emphasizing exclusively nation-state rivals, follow-up studies could productively examine cyber operations’ impact on escalation when one of the parties is a subversive subnational or transnational group[7] (especially a terrorist group or a criminal organization) or a cooperation-promoting intergovernmental organization[8] (especially the United Nations). Third, follow-up research could extend this book’s policy recommendations for the US Cyber Command to encompass advice to American allies with differing strategic objective hierarchies. Finally, integrating cyberspace operations’ impact on conflict escalation more fully into broader national security doctrine seems valuable in subsequent research efforts, for cyber-threat does not exist and cannot be evaluated in a vacuum.
There is so far a key gap in systematically formulated and executed research about the most security-relevant dimensions of cyberspace behavior. Due to careful choices made in pursuing its central thrust, Escalation Dynamics in Cyberspace provides a model useful as a future guide about how to do so—even with inevitable data limitations—in a scholarly reputable and convincing and a policy-relevant way.
Contributors:
Erica D. Lonergan is an Assistant Professor in the School of International and Public Affairs at Columbia University. Erica also currently serves as a member of the Board of Visitors of the US Army War College. Previously, Erica held several positions at the United States Military Academy at West Point. These include serving as an Assistant Professor in the Departments of Social Science and Electrical Engineering and Computer Science; a fellow at the Army Cyber Institute; and the Executive Director of the Rupert H. Johnson Grand Strategy Program. Erica served as a Senior Director on the US Cyberspace Solarium Commission and continues to serve as a Senior Advisor to the Cyberspace Solarium Commission 2.0. She also held an appointment as a Council on Foreign Relations International Affairs Fellow, with placement at JPMorgan Chase and US Cyber Command at the Cyber National Mission Force. Erica received her PhD in Political Science from Columbia University.
Shawn W. Lonergan is a Lieutenant Colonel in the US Army Reserve 75th Innovation Command. Prior to joining the Reserves, Shawn was an active-duty cyber officer and played key roles in the National Security Agency (NSA) in the office of Tailored Access Operations; the United States Cyber Command in the Cyber National Mission Force; and the United States Military Academy at West Point, where he taught courses on cyber operations. Shawn is also the former head of the Department of Defense pilot program to protect critical infrastructure from systemic cyber attacks. Shawn is a graduate of the United States Military Academy at West Point and holds two Masters’ degrees and a PhD in Political Science from Columbia University. Shawn most recently served as a Senior Advisor to the US Cyberspace Solarium Commission and also served as an Advisor to the Biden-Harris Presidential Transition.
Robert Mandel is Marc Messina Chair and Professor of International Affairs at Lewis & Clark College. He is the author of seventeen books and numerous articles and book chapters on global security matters, incorporating a recent skew toward integrating cybersecurity, data science, and artificial intelligence concerns. He has worked for multiple American intelligence agencies and testified before the United States Congress.
Gil Baram is a Research Scholar at the Center for Long-Term Cybersecurity and the Berkeley Risk and Security Lab, University of California Berkeley. Her work interests include states’ decisionmaking during offensive cyber operations, intelligence and covert actions, and empirical cyber research. Her work has appeared in journals such as the Journal of Global Security Studies, Contemporary Security Policy, Journal of Cyber Policy, and Israel Studies Review.
Lennart Maschmeyer is a Senior Researcher in Cybersecurity at the Center for Security Studies at ETH Zurich. He holds a PhD from the University of Toronto and an MPhil from the University of Oxford. Lennart is also a co-chair of the FIRST Threat Intel Coalition (https://threatintelcoalition.com/) and the ECCRI Virtual Research Workshop series (https://eccri.eu/virtual-research-workshops/).
Jacquelyn Schneider is a Hoover Fellow at Stanford University and a faculty affiliate at the Center for International Security and Cooperation, also at Stanford University.
Review by Gil Baram, University of California Berkeley
Why has the international system not experienced meaningful cyber escalation? This is the main question Erica D. Lonergan and Shawn W. Lonergan examine in their new book, Escalation Dynamics in Cyberspace. Their answer is both detailed and comprehensive. In their view, the conventional wisdom about cyber escalation—that expects a “cyber Pearl Harbor” and a “cyber war”[9]—is wrong, mainly because it does not reflect empirical reality.[10] They argue that escalation, whether intentional or accidental, is fundamentally a political action made by individuals within organizations—it is not driven solely by technology. Importantly, what is considered an act of escalation, regardless of the tools used, is always subject to the perception of the observer.
Lonergan and Lonergan propose an important distinction between escalation in crises and potential escalation patterns during outright conflict. They show that the vast majority of cyber activities take place in scenarios of strategic rivalry among nations that do not reach the threshold of military conflict. In such circumstances, they find minimal proof that cyber activities prompt escalation. Rather, they offer a very interesting argument—which they test empirically—that the characteristics that render cyber activities ineffective for escalation might also allow countries to employ these operations to de-escalate tensions. Their goal is to “reframe the conversation away from binary debates about whether or not escalation is likely, and we identify the conditions under which escalation—or de-escalation—may be more or less likely as a result of cyber operations” (9). The robust investigation they conduct, which includes detailed case studies and scholarship discussions, certainly achieves this aim.
Throughout Escalation Dynamics in Cyberspace, Lonergan and Lonergan follow a clear and straightforward analytical path: after discussing the main definitions of offensive cyber operations, they discuss and examine their main argument that cyber operations do not escalate. Lonergan and Lonergan then go a step further and argue that cyber operations can de-escalate crises because they are visible but not clearly linked to a government and do not have costly effects that would compel the other side to retaliate painfully and thus escalate the crisis. As a final part of their analysis, they discuss plausible although hypothetical escalation scenarios, which, while they have yet to occur, greatly enrich their argument.
Escalation Dynamics in Cyberspace makes an important contribution to the scholarship in both International Relations and Cybersecurity, as well as the combination of the two areas, which for a while were studied almost separately. In the book, secrecy and plausible deniability are discussed extensively in the context of cyber operations. The authors demonstrate that cyber operations extend beyond technical feats to become instruments of national strategy and policy by revealing the intricate political and strategic layers governing these actions. Furthermore, Lonergan and Lonergan examine cyber capabilities’ dual-use potential. They offer a nuanced analysis of how cyber technologies are used both for military purposes and for intelligence gathering, thus demonstrating the blurred lines between different forms of statecraft. To counter the concept that cyberspace technology favors offensive strategies, Lonergan and Lonergan demonstrate the extensive time, skill, and resources that are required for a successful cyber offensive.
Moreover, the authors offer a number of insights regarding cyber operations as a crisis management tool. By doing so, Escalation Dynamics in Cyberspace contributes to the literature on cyberwarfare and signaling,[11] suggesting that cyber operations can de-escalate crises because of their limited effects. According to Lonergan and Lonergan, cyber engagements can be used to de-escalate conflicts due to their limited physical effects and their perception among adversaries. Since cyber operations are often covert and ambiguous in their origins and intentions, they are often seen as ineffective signals of resolve. They argue that in certain contexts cyber operations can, however, be advantageous due to their unique characteristics. As the discreet and controlled nature of these operations permits nuanced communication and strategic flexibility in tense international scenarios, they can be particularly useful for accommodative signaling and crisis de-escalation. Adding this dimension to our collective understanding of cyber warfare allows it to function not only as an instrument of aggression but also as a potential conflict resolution and signaling mechanism.
Another important contribution of Escalation Dynamics in Cyberspace involves the ongoing debates on intelligence and cyber operations, and the question of whether offensive cyber operations should be seen as intelligence operations.[12] Lonergan and Lonergan acknowledge the importance of cyber operations in intelligence gathering, with intelligence serving as a key element aimed at strategic, secure targets that require specialized access and exploits. There are trade-offs involved in accessing an adversary’s network for both military and intelligence purposes. Intelligence gained by infiltrating an adversary’s network is often more valuable than the results of an offensive operation. In that sense, the excellent timing of the book is worth mentioning, as it contributes to the evolving scholarly “competition” between perceptions of cyber operations as intelligence operations versus cyber operations as an ongoing conflict and a kind of “agreed competition.”[13]
Moving from the book’s scholarship to its empirical research, the robust methodology and an awareness of the limitations of data stand out. According to Lonergan and Lonergan, their theory is derived from the technical foundations of offensive cyber operations, and not from a theory of resources or political will. They are thus able to examine the states in the case studies clearly and independently (78).
It is important to highlight Lonergan and Lonergan’s transparent acknowledgment of the inherent bias in their data. Their approach to data selection is particularly commendable; they consciously chose cases that present a more strenuous test of their theory, rather than opting for those that would easily corroborate their hypotheses. The authors’ dataset, covering a range of cyber incidents from 2005 to 2020, is primarily composed of publicly reported and observable cyber operations. The dataset suffers from an inherent selection bias, as it is predominantly based on cyber operations that have been observed and publicly reported. By focusing on incidents that have gained public attention, the dataset may inadvertently emphasize the more “visible” aspects of cyber operations, potentially overlooking the subtler, less observable tactics.[14] This selection criterion, while necessary, introduces a selection bias that the authors openly recognize.
Interestingly, Lonergan and Lonergan argue that this bias may actually work against their thesis. The observable nature of these cyber operations implies that they are the “noisiest” cases, those with some level of public knowledge. This visibility could potentially heighten the risks of escalation, as publicly known cyber operations might elicit more pronounced responses from states, seeking to defend their public image or retaliate for perceived aggressions. As noted, in their approach to case selection and analysis, Lonergan and Lonergan intentionally challenge their own theory with difficult cases. This, combined with their recognition of data limitations, enhances the discussion on cyber operations and makes a substantial contribution to the field of international politics. Although this limitation exists, the authors attempt to cover the full range of state responses to cyberattacks. It is particularly valuable, since it allows us to see how states respond to various types of cyber aggressions.
Lonergan and Lonergan have also demonstrated a commendable ability to distill complex technical cybersecurity concepts into simpler terms, which significantly enhances the accessibility of the topic of cyber operations for non-specialists. Their effective demystification of technical jargon allows the subject matter to resonate with a broader audience. This approach is not merely a pedagogical triumph but also plays a vital role in expanding the conversation surrounding cyber warfare to encompass a more diverse range of participants. Escalation Dynamics in Cyberspace stands out for its inclusion of technical terminology, which Lonergan and Lonergan skillfully elucidate in an exceptionally clear manner. This clarity is instrumental in making the content of the book understandable and engaging for a wider audience.
Furthermore, Escalation Dynamics in Cyberspace’s relevance to policy cannot be overstated. Lonergan and Lonergan dedicate the last chapter to policy-relevant recommendations for the United States. As a part of the “Bridging the Gap” book series, this chapter comes as an important practical contribution. Here, Lonergan and Lonergan focus on the US Cyber Command strategy and emphasize the importance of defining the scope of the “defend forward” strategy, which currently lacks clear boundaries (226). The recommendation is to narrow its focus to specific offensive cyber operations, which aim to disrupt and degrade adversaries’ cyber capabilities. This approach would force adversaries to divert resources into less effective areas. Additionally, the authors highlight a critical need for clarity in defining the threshold for the use of force in offensive cyber operations (237-239). They note that while to date no cyberattack against the US has crossed this threshold, adversaries of the US are exploiting this vagueness for smaller-scale cyber campaigns. Lonergan and Lonergan argue for a more explicit delineation of different thresholds for various cyber actions. Such clarity, they suggest, would aid in conveying US intentions, managing escalation risks, and facilitating coherent communication about the US cyber strategy. This, in turn, supports shared objectives and mutual understanding.
In their analysis of escalation dynamics, Lonergan and Lonergan acknowledge that there are disagreements in the literature about how to define offensive cyber operations, especially regarding the distinction between computer network exploitation, which involves gaining access to a targeted network, and computer network attack. They draw a clear distinction between exploitation and offensive cyber operations:
we categorize exploitation itself as distinct from an offensive cyber operation, which we define as a cyber operation that causes some type of effect against a network or system […] we exclude exploitation operations that lack a follow-on attack from our definition of offensive cyber operations, which enables us to explore the implications of the links between espionage and military action in cyberspace (15-16).
For the authors’ purposes, and to allow them to offer such a detailed analysis, it is reasonable to use a definition that does not include exploitation. However, the primary challenge in this approach lies in the operationalization of what constitutes an offensive cyber operation. Depending on the types of exploitation excluded, the analysis might focus on less impactful attacks such as Distributed Denial of Service (DDoS) and website defacement. As a result, it might leave behind other types of cyberattacks—such as hack-and-leak—that may not have a follow-up attack, but may cause chaos and panic in the public, for which government action is needed. The ongoing cyberattacks between Iran and Israel during the years 2020-2022, and specifically the ones targeting civilians, are an example of such dynamics.[15]
Lonergan and Lonergan also delve into the significance of dyadic relationships and historical rivalries in the context of cyber capabilities. They rightly focus “on the technical aspects of cyber operations and the constraints and opportunities they provide to leaders, because these are a necessary foundation to exploring the political aspects of decision-making around their employment” (9). The analysis could have been strengthened by delving into the intentions of the leaders who are behind these cyber operations. Intentions play a crucial role in shaping a state’s cyber strategy and are as influential as technical capabilities. For instance, Lonergan and Lonergan could have drawn a comparative analysis between North Korea and China in their strategic use of cyber operations. North Korea’s approach, which is primarily focused on using cyber capabilities as a source of revenue,[16] contrasts sharply with China’s inclination towards information gathering and intelligence and even harming the US critical infrastructures.[17] This distinction is not merely technical but is deeply rooted in the strategic objectives and political intentions of the leadership in these countries. Although it is beyond the scope of the book, understanding these intentions is vital, as they can provide a lens through which the impact and potential escalations of cyber operations can be assessed.
In conclusion, Escalation Dynamics in Cyberspace is a pivotal contribution to the scholarship on cybersecurity and international relations. Its comprehensive exploration of state behavior in cyberspace–with the focus on the United States–is underpinned by a rigorous methodology and rich data, providing a well-founded analysis of the potential for escalation in offensive cyber operations. Overall, I find their argument to be persuasive, despite some initial decisions regarding data selection and bias. It not only offers a broad examination of various escalation and de-escalation patterns but also acknowledges the complexities and limitations inherent in such an analysis, adding a layer of depth and realism to its findings. Lonergan and Lonergan’s book successfully bridges the technical and political aspects of cyber escalation, making Escalation Dynamics in Cyberspace a valuable resource for both practitioners and scholars in the field.
Review by Lennart Maschmeyer, ETH Zürich, Center for Security Studies
For decades, scholars and defense planners have warned of dire escalation risks of cyber conflict. Yet in practice, there has been no escalation. Russia’s full-scale invasion of Ukraine in February 2022 provides the most recent example. Ever-more dramatic warnings of impending cyberwar and escalation preceded it. A Politico piece summed up assessments by senior military leaders and cybersecurity experts in January 2022 as follows: “in a full-scale cyber assault, Russia could take down the power grid, turn the heat off in the middle of winter and shut down Ukraine’s military command centers and cellular communications systems.”[18] Mark Warner, meanwhile, stressed wider escalation risks such as a scenario where “a Russian cyber-attack causes deliberate or inadvertent harm to civilians in Europe, prompting NATO to retaliate.”[19] Former NSA Director Keith Alexander went even further, highlighting that escalating cyberwar in Ukraine “poses a threat to the global system.”[20]
These fears reflect longstanding assumptions about the escalatory nature of cyber conflict among scholars, which are perhaps best summed up by Robert Jervis and Jason Healey’s diagnosis of cyber conflict being “quintuply dangerous” and thus in a league of its own ahead even of nuclear conflict.[21] Yet such escalation has not happened, either in Ukraine or in other scenarios. This mismatch between expectations and observed practice poses a puzzle for a large chunk of cybersecurity scholarship. While it is not the first to tackle this question, Erica and Shawn Lonergan’s new book provides the most authoritative answer yet to this puzzle. It is persuasive, tightly argued, and rich in empirical analysis—in short, it is one of the best books on cyber conflict yet.
Building on their excellent work over the past years, Lonergan and Lonergan make a persuasive case that the inherent limitations of cyber operations have prevented not only intentional, but also inadvertent, escalation. While cyber conflict continues to evolve, they argue, cyber operations have four stable attributes that severely limit their escalatory potential: the importance of secrecy, the challenges involved in planning and conducting them, the modest costs they can impose, and the trade-offs resulting from their importance for espionage. Building on this analysis, Lonergan and Lonergan proceed to challenge assumptions about offensive advantages in cyber conflict as a military endeavor, instead pointing out the underappreciated intelligence value of cyber operations. This analysis shows both deep technical expertise and a firm grasp of IR theory, linking technical characteristics with strategic consequences to build a bulletproof case. In a nutshell, the core argument is that escalation has not occurred because “offensive cyber operations are challenging, unreliable, and limited in their decisiveness, making a decision to escalate a crisis through employing them unlikely to net the desired returns” (78). This conclusion accurately reflects observable reality in cyber conflict, as Lonergan and Lonergan later underline with an impressive array of empirical investigations. It is also congruent with conclusions other more skeptical scholars—including myself—have reached over the past years.[22]
The final point above highlights a significant trade-off when conducting thorough work in a fast-moving field: timeliness. Developing excellent social scientific research takes years, especially when empirics are involved. Meanwhile, both the practice and theory of cyber conflict continue to evolve rapidly, meaning that long-held assumptions may be disrupted. The fear of cyber escalation is one such assumption, which was almost universally held only a few years ago, and is still very much alive, as the quoted material that opens this review attests. Among academics, however, this assumption has increasingly been subsumed by a more nuanced expectation of cyber conflict as a new form of low intensity conflict.[23] Similarly, contrary to the authors’ assertion on page 3, deterrence no longer universally serves as the underpinning framework for United States cyber strategy. That was certainly true in 2018, when the strategy statement that Lonergan and Lonergan cite in support of their claim was issued.
Much has changed since, however, with deterrence now having disappeared entirely from the 2023 National Cybersecurity Strategy.[24] Similarly, the Department of Defense’s 2023 Cyber Strategy highlights that “The Department’s experiences have shown that cyber capabilities held in reserve or employed in isolation render little deterrent effect on their own.”[25] Increasingly, deterrence is being superseded by the alternative strategies of persistent engagement and “defend forward.”[26] In these regards, Lonergan and Lonergan are at risk of overstating their case regarding the established wisdom they challenge both in scholarship and in policy when setting up their argument. These issues are, however, relatively minor. To be clear, the field benefits much more from a thoroughly researched and tightly argued book that trails somewhat behind latest developments than a book that sacrifices maturity for half-baked speculation in order to be at the cutting edge.
Moreover, to their credit, Lonergan and Lonergan do address these more recent developments and the implications later in the book. The concluding chapter with policy recommendations addresses the new strategy of persistent engagement head-on, noting its underlying optimistic assumptions about the non-escalatory nature of cyber operations and criticizing the absence of any consideration of escalation dynamics. There is a clear tension here though: is the main problem with US strategy that it continues to rely on deterrence, as the authors argue at the start of the book, and that it thus overstates escalation risks? Or is it the opposite, namely that US strategy downplays or outright ignores possible escalation risks?
This tension reflects a wider consequence of the book’s focus on escalation: its core argument and theory explain what cyber operations are not, namely offense dominant military capabilities. Given the recalcitrance of cyberwar narratives and associated threat scenarios like Cyber Pearl Harbor or Cyber 9/11, that is both important and useful. Yet in making such a convincing case for what cyber operations are not, the book naturally poses the key question what, then, cyber operations are instead.
Fortunately, Lonergan and Lonergan tackle this question in chapter 4, and their second major contribution to the field emerges from this analysis. Contrary to fears of a cybersecurity dilemma and associated escalation risks, the chapter makes the fascinating case that cyber operations constitute signals of a willingness to avoid escalation. After dispensing with established notions of cyber operations as acting as signals of resolve, akin to conventional military options, the chapter develops a theory of cyber operations as accommodative signals. Because of the inherent limitations in these signals, Lonergan and Lonergan argue, an actor’s very choice in favor of cyber operations over other, more cost-imposing options, can be interpreted as a signal of restraint. Their secrecy and the resulting plausible deniability further facilitate such accommodation, enabling actors to maneuver outside the public sphere and associated escalation pressures. This argument, which partially builds on recent work that understands covert operations as fulfilling a similarly de-escalatory role,[27] is a crucial intervention in a debate mired in military analogies and associated threats. Their conclusion is particularly pertinent for the discourse on cyber norms, a core strain of which is based on the underlying assumption that cyber weapons are so destructive and destabilizing they should be banned, given that they are analogous to chemical or biological weapons.[28]
Because this is a key insight turning much of the established strategic thinking on cyber conflict on its head, it opens multiple questions that are worth further exploration. Most importantly, there is the question of whether cyber operations continue an existing strategic dynamic around de-escalation, whether they change it, or whether they perhaps herald a new one? Given the authors’ emphasis on the secret nature of cyber operations and their effectiveness for espionage, it is surprising they did not dive more deeply into the parallels between cyber operations and intelligence operations, as well as potential differences. To be sure, that question goes beyond the core focus on explaining the absence of escalation. Yet since the authors’ theory of cyber operations as accommodative signals offers a powerful explanation for the absence of escalation, this argument and its implications would have been worth further developing—not least in order to build a foundation for the critique of persistent engagement in the concluding chapter. The theory underlying persistent engagement assumes that cyber operations herald a new strategic dynamic in conflict short of war.[29] Lonergan and Lonergan’s theory indicates the opposite, however, namely a continuation of existing strategic dynamics around accommodative signaling. Making a stronger case for these historical continuities would thus also help strengthen the critique of persistent engagement and the refinements around signaling and bargaining that the authors suggest in the concluding chapter.
On the topic of explanatory power, another strength of this manuscript is the systematic evaluation of alternative explanations, which is still too rare in many publications. The authors consider three alternate explanations for the absence of escalation: deterrence, escalation dominance or hegemony, and subcrisis maneuvering (81-83), and then proceed to show why the latter best aligns with the empirical evidence. The analysis and supporting evidence in the empirical chapters is convincing. Yet, I missed an important potential alternative explanation for the observed outcomes: perception. A growing body of research examines the distinct and significant threat perception associated with cyber operations among the public and policy-makers.[30] Meanwhile, recent wargaming experiments have not only shown that cyber conflict is not as escalatory as expected, but also that participants refrained from using cyber operations because they perceived them as uniquely escalatory.[31]
If that is the case, there is a potential paradox here: what if cyber conflict has been non-escalatory precisely because key actors have perceived it to be escalatory? If this perception changes, say because decision-makers read this book and accept its conclusions, what if they then change their approach and take more risks? Could the expectation that cyber conflict is non-escalatory, which also underlies the persistent engagement strategy that has now been adopted by the US and an increasing number of its allies, paradoxically lead to escalation? The book’s theory suggests that the inherent limitations of cyber operations would preclude escalation in this scenario as well—and I would tend to agree given my own research into these limitations. Yet as Lonergan and Lonergan highlight, one of the key limitations of cyber operations is their unpredictability. Unpredictability produces uncertainty, and the more risks actors take, the more likely it becomes that eventually cyber operations produce (unintended) collateral damage that becomes destabilizing. I was surprised not to see a dedicated analysis of the implications of the uncertainty that results from the unpredictability of cyber effects in the otherwise excellent discussion of plausible escalatory scenarios in chapter seven.
To conclude, this book excels in its core task of explaining the absence of escalation. Perhaps because it does this job so well, the questions about the strategic implications raised above assume such perceived importance, and the relative brevity of the associated analysis leaves the reader wanting. In short, this is an excellent manuscript that will make a lasting contribution to the field thanks to its theoretical clarity, its systematic and rigorous empirical strategy, and its innovative strategic conclusions.
Review by Jacquelyn Schneider, Stanford University
In order to understand the importance of Erica D. Lonergan and Shawn W. Lonergan’s book, Escalation Dynamics in Cyberspace, you have to know what came before. In 2012, Secretary of Defense Leon Panetta warned of a “cyber Pearl Harbor.”[32] The warning reflected a widespread concern about cyber attacks and escalation that defined the first decade of US cyber strategy.[33] These concerns weren’t simply a policy-maker’s predilection. The first books and articles on cyber and international relations, the ones that became foundational to knowledge on this topic, overwhelmingly warned of the escalatory effects of cyber operations to international stability.[34] In 2011, John Arquilla wrote that, “now, cyberattacks have the potential to serve as preemptive weapons that could cripple a massing force preparing to attack.”[35] In 2018, journalist David Sanger warned in his book, The Perfect Weapon, of a potential violent escalation if the United States used offensive cyber operations.[36] Works on cyber, nuclear escalation, and modern warfare warned of the dangers of cyber vulnerabilities to both conventional and nuclear warfare—citing the “emergence of a cyber-nuclear security dilemma that must be factored into future crisis management and strategic stability.”[37] A decade after Arquilla first warned of cyber escalation, his 2021 book Bitskrieg: The New Challenge of Cyberwarfare continued to ring the bell of alarm about the dangers of cyber vulnerabilities to both conventional and nuclear warfare.[38] Meanwhile, US cyber strategy for much of its first decade focused on escalation management and the risks of cyber operations, leaning heavily on the assumption that cyber operations would likely lead to violence and conflict.[39]
These cyber escalation warnings draw heavily from theories of uncertainty and escalation that dominate realist international relations and much of American Cold War nuclear policy.[40] Cyber escalation scholars often look at the characteristics of cyber: it is difficult to differentiate between offense and defense, there is an offensive advantage, operations are covert and difficult to attribute—and conclude that these are all characteristics that can lead to windows of opportunity for early and escalatory strikes. The natural conclusion from this line of reasoning is that cyber operations create the kind of uncertainty that leads to both inadvertent and deliberate escalation.[41] Most of these works leaned heavily on hypothesis generation and theory development, relying on hypotheticals to provide evidence (often from analogies with nuclear weapons, airplanes, or other technologies) for their arguments.[42] In this way, these early cyber works were clear descendants—both in logic and form—of the type of nuclear escalation literature written by Herman Kahn, Bernard Brodie, and other Cold War scholars and practitioners that formed US nuclear canon.[43]
The problem for these foundational cyber works is that, unlike in nuclear politics, there are a lot of cyber operations occurring and while these cyber operations have increased in complexity and volume, escalation to violence has not. Empirical evaluations of cyber operations and escalation—whether large n-datasets,[44] experiments,[45] wargames,[46] or case studies—found no relationship between cyber operations and escalation. In fact, the enduring puzzle that emerged from the empirical work on cyber and escalation was not the ways in which cyber operations created escalation but instead whether cyber operations could in fact work in the opposite direction and actually de-escalate otherwise contentious crises and conflicts.[47]
Despite this empirical literature on cyber escalation, skeptics of the new wave of cyber literature continued to argue that these data explorations were flawed, and were either missing data, containing substantive bias, or too narrowly scoped to comprehend the danger of cyber escalation.[48] Leading into the Russian invasion in Ukraine these critics continued to argue that cyber de-escalation research had not fully anticipated the potentially escalatory effect of cyber operations in a large-scale war or crisis. As warning alarms of a Russian invasion into Ukraine grew increasingly loud, they predicted that Russian cyber operations would play a pivotal role in the onset and conduct of a Russian invasion. As Jason Healey wrote in March of 2022, “With the world worried about the risk of nuclear escalation between Russia and the West, now might also be a good time to worry about the risk of cyber conflict escalating to war as well.”[49]
But this was not what occurred. Russian cyber operations largely fizzled in the early days of the war and subsequent cyber activity by both Ukraine and Russia fell below the violence of missile and artillery barrages, drone attacks, and tank warfare. Cyber may have increased the uncertainty and fog of that war, but there has been no evidence that cyber operations on their own or in concert with other means of conventional warfare changed the onset, duration, or violence of the war in Ukraine. This stunning repudiation of cyber alarmism left academia with a different set of questions than it began with. Whereas the cyber literature began with a puzzle about how to de-escalate necessarily escalatory cyber means, instead the puzzle after Ukraine and, indeed the puzzle suggested by the empirical work before Ukraine, is why cyber operations had so little impact on the violence or propensity of war. Were they too technically difficult? Did the Russians or Ukrainians hold back for fear of reprisals? Were they holding on to good cyber weapons and accesses for later in the conflict? Were the effects of cyber operations too uncertain, too limited when compared to other conventional means of warfare? Were cyber signals poor tools to convince the other side to back down?
Answering these questions is where Lonergan and Lonergan’s volume makes its significant contribution to the understanding of cyber and escalation. In Escalation Dynamics in Cyberspace, Lonergan and Lonergan explain why cyber operations do not escalate conflicts and present a supplementary explanation of how cyber operations could actually de-escalate conflict. Lonergan and Lonergan argue that previous scholars mischaracterized the impact of the technical attributes of cyber operations. While they agree with many previous works that cyber operations are secret and deniable, they disagree that these characteristics create incentives for escalation. Instead, they explain that “attribution requirements place a pause on response times, they inject a break into a potential escalatory cycle. Crises are defined by temporal pressure . . . the extension of time, therefore, creates breathing room for parties to ratchet down potential escalatory tensions” (76).
But while they may agree with others about the inherent secrecy of cyber operations, they disagree about other key assumptions of cyber escalation arguments. In particular, they disagree that there is an offensive advantage in cyberspace. Instead, they explain that in order for states to create and use offensive cyber operations with strategic effects they must overcome significant challenges, including “endeavoring to gain access to these types of networks, maintain that access over time, achieve the intended effect against a specific target set, and at the desired time of employment” (38). Lonergan and Lonergan further push back against previous work, which claimed that cyberspace operations could be accomplished via keystroke and that it therefore increased the speed of conflict and escalation. Instead, they demonstrate that cyber operations take extensive planning and time and yet are vulnerable to adversary network changes and defensive measures—all of which induce caution, restraint, and sustained cyber tit-for-tat campaigns instead of preemptive strike and offensive onslaughts.
Finally, Lonergan and Lonergan argue that cyber operations’ tight relationship with intelligence creates incentives for restraint that were too often overlooked in previous work. They note that extensive intelligence is required for gaining cyber accesses and quite often the use of cyber operations for military operations “burns” those accesses with their associated intelligence value. Further, while offensive cyber operations struggle to create costly effects, they often provide significant intelligence that can be used to target adversaries with conventional weapons, provide situational awareness in crises and military campaigns, and reveal adversary intentions and will. This incentivizes states to use cyber accesses for intelligence instead of attack.
Lonergan and Lonergan do a fantastic job of explaining not only how cyber works and the technical logic behind their argument, but also demonstrating how these technical characteristics and logics play out in real-world cases. Part of why this is so successful is because they start the project by presenting important definitions. In particular, they define escalation as “a meaningful increase in the nature or intensity of a conflict or crisis situation,” including a breach of a perceived threshold, a qualitative change in an effect or a means, or a quantitative expansion of conflict (10). By looking at US-China or US-North Korea cyber exchanges they are able to explain why it can be true that cyber exploitation (spying), cyber intellectual property theft, and cybercrime are all increasing and yet that this increase in cyber activity does not translate to the escalation they define at the beginning of the book.
Lonergan and Lonergan’s work is explicitly structural, logically sitting next to other realist explanations for technology and conflict. However, there are also compelling bureaucratic reasons to explain why cyber operations may not escalate. For example, in states like the US with powerful intelligence organizations, the utility of cyber operations for intelligence may lead these powerful intelligence organizations to exert influence to limit the offensive use of cyber accesses. Further, Lonergan and Lonergan’s explanation for cyber (de)escalation may underemphasize the role of American presidential administrations’ risk proclivities; the Obama administration, for example, was famously risk averse[50] and created extensive bureaucratic processes to decrease the risk of escalation from US cyber operations.
Healey’s March 2022 essay concluded, “With luck, escalation will not happen, and I will be written off as a ‘cyber catastrophist.’ ‘Cyber doesn’t work like that,’ we will tell ourselves.”[51] What Lonergan and Lonergan have done in this book is explain how cyber works, giving cyber catastrophists a clear and compelling explanation of the mechanisms behind how cyber operations affect escalation. This is a significant maturation of our understanding of when and why cyber operations impact international stability. This volume, therefore, represents the first of a new era in work on cyber and international security, and will be the new foundation of future explorations about cyber and other emerging technologies and international stability.
Response by Erica D. Lonergan, Columbia University and Shawn W. Lonergan, 75th Innovation Command[52]
We are immensely grateful for the thoughtful and constructive reviews of our book, Escalation Dynamics in Cyberspace, by Gil Baram, Lennart Maschmeyer, and Jacquelyn Schneider, as well as the introduction by Bob Mandel. We are especially humbled by the contribution each of the reviewers sees our book making, both to the cyber literature as well as international politics more broadly. In the interests of further enriching and advancing the scholarly debate about the relationship between cyberspace and escalation, below we provide our feedback and responses to the reviewers’ suggestions, queries, and areas of disagreement.
Baram’s review identifies three areas in our analysis that she posits merit further clarification and exploration. One is the issue of the inherent bias in our data, a challenge that is endemic to observational studies of cyberspace. Indeed, Baram and other scholars have pioneered excellent work on the challenge of “missingness” in cyber data and how it may skew researchers’ understandings about the nature of cyber conflict.[53] As Baram notes, our work is up front about recognizing the bias in our data; specifically, our case studies are biased toward more “visible” types of cyber operations.[54] Moreover, as Baram points out, we assert that this form of bias is perhaps less problematic than other forms of bias because it actually works against our argument, making it a more difficult test of the theory. It stands to reason that “noisier” cyber operations are more likely than stealthier ones to increase the risks of escalation. Therefore, if we do not observe escalation even in the wake of such cyber operations, our argument is further strengthened. That said, we concur with Baram’s analysis of the difficulties associated with systemic bias in cyber data and believe that complementing our methodological approach with experimental approaches, such as experimental war games, would help compensate for the limitations of the former.[55]
Baram also questions the scope conditions we impose on our analysis, specifically our exclusion of cyber exploitation operations—those that entail gaining access to a target’s networks or systems but that do not cause effects—from our definition of offensive cyber operations. In the book, we acknowledge that this definition is contested, and that other experts take a more expansive view of what constitutes an offensive cyber operation.[56] Baram notes that some types of cyber exploitation, such as “hack and leak” operations, may not cause effects against targeted networks but could “cause chaos and panic in the public, for which government action is needed.” She refers to the reciprocal cyber operations between Israel and Iran between 2020 and 2022 as one such example; another plausible example is Russia’s 2016 hack and leak operation, which was carried out by the Main Intelligence Directorate (GRU), to publish stolen Democratic party emails in venues such as WikiLeaks.[57] Our aim in applying a narrower definition of offensive cyber operations was, in part, to draw a clear distinction between purely cyber operations and those that spill over into cyber-enabled information operations. While we do not believe that applying a more tightly scoped definition is detrimental to the overall analysis, we concur with Baram that extensions of our work could more deeply explore the escalation implications at the intersection of cyberspace and the information environment.
Finally, Baram reflects that our analysis could be strengthened by a deeper dive into the role of intentions in shaping how different states employ cyber capabilities. We agree, though this would take the analysis beyond attempting to account for variation in escalation/de-escalation to include variation in how states develop cyber strategy and doctrine and employ cyber capabilities.
Maschmeyer similarly identifies several areas for further refinement and presents a few caveats to our analysis. In terms of the latter, Maschmeyer notes the tradeoff between scholarly research projects, which typically take years to complete, and the evolving nature of the cyber landscape, especially when it comes to policy-relevant research. As a result, Maschmeyer argues that one limitation of our analysis is that it may not be as applicable to current-day US cyber strategy. He notes that, for instance, “deterrence no longer universally serves as the underpinning framework for United States cyber strategy.” Therefore, he concludes that we are “at risk of overstating their case regarding the established wisdom they challenge.”
On this point, we respectfully disagree. Maschmeyer is correct that US cyber strategy has certainly evolved considerably over the years, and that strategies of deterrence now exist alongside other operational concepts introduced in 2018, including “defend forward” and “persistent engagement.”[58] However, the evidence does not support the proposition that deterrence has been “superseded” by those concepts, especially from a practitioner perspective. As Maschmeyer notes, the 2023 Department of Defense (DoD) Cyber Strategy recognizes the limitations of cyber operations as tools of deterrence when they are employed in isolation.[59] However, an important contribution of that strategy was reaffirming the role of deterrence in cyber strategy, relative to persistent engagement and defend forward. The 2023 DoD Cyber Strategy operationalized the 2022 National Defense Strategy, which articulated a clear role for cyberspace in deterrence: “The Department will employ an integrated deterrence approach that draws on tailored combinations of conventional, cyber, space, and information capabilities, together with the unique deterrent effects of nuclear weapons.”[60] Far from ushering in a seismic shift in cyber strategy (perhaps to the chagrin of the ardent advocates of persistent engagement),[61] the 2023 strategy buckets persistent engagement under the umbrella of “campaigning,” which represents only one of several strategic concepts in the document.[62] Indeed, in his April 2024 posture statement to Congress, General Timothy Haugh, Commander of US Cyber Command, underscored how the command is implementing the concept of integrated deterrence.
It is “laser focused” on deterring conflict in the Indo-Pacific; on deterring China from using cyber exploitation of US critical infrastructure to attack America; on “deterring and countering aggression” in the Indo-Pacific and around the world; on deterring Iran, especially in the context of the ongoing Israel-Hamas war; on deterring conflict on the Korean peninsula; and on “setting the conditions for the Joint Force to deter and prevail in crisis and armed conflict.”[63] Suffice to say, deterrence in a cyber context is alive and well.
That said, Maschmeyer deftly identifies a key tension that our analysis gives rise to, particularly regarding policy implications: that US strategy both over- and under-emphasizes the escalation risks associated with cyberspace. Despite adopting more offensive approaches to cyberspace (which suggests reduced concerns about escalation), senior leaders continue to publicly express apprehension about the cyber domain’s escalatory potential. For instance, Secretary of Defense Lloyd Austin has described cyberspace as an environment in which “norms of behavior aren’t well established and the risks of escalation and miscalculation are high.”[64] The 2023 DoD Cyber Strategy similarly notes that the Department will “remain closely attuned to adversary perceptions and will manage the risk of unintended escalation.”[65] From our perspective, it is not surprising that there are unresolved tensions in US cyber strategy. Many strategies (and certainly grand strategies) contain elements of internal inconsistency or incoherence.[66] A core goal of this project is to move beyond the prevailing binary debate (i.e., cyber is or is not escalatory) to articulate a more nuanced perspective about the different types of risks (and the conditions under which they may arise) cyberspace poses, as well as the opportunities. It is here that our argument about the de-escalatory potential of cyber operations, through accommodative signaling mechanisms, is especially relevant. Maschmeyer’s insight that our findings about accommodative signaling are more suggestive of the continuity of cyber operations with other strategic dynamics, rather than the revolutionary potential of cyberspace, and his suggestion to further elaborate on how cyber fits into broader patterns of behavior, are especially helpful to guide our future work.
Finally, Maschmeyer notes that our analysis could do more to engage arguments about how perception and uncertainty shape the prospects of escalation. He poses an interesting hypothetical, namely, that the absence of escalation might be due to leaders’ (misplaced) fears about escalation. In turn, as leaders become increasingly inclined to employ cyber power, eventually the unpredictability of cyber operations may have destabilizing effects on rival interactions. As Maschmeyer’s own excellent work has similarly demonstrated, we expect that the escalatory potential of the unpredictability of cyber operations would likely be constrained by other factors, such as the lack of physical violence associated with cyber attacks and their non-universal lethality.[67] The latter point is particularly important and often overlooked in discussions about the unintended consequences of offensive cyber operations. Some cyber operations can and do cause effects beyond their intended targets (such as the 2017 NotPetya attack, which was ostensibly aimed at targets in Ukraine but spread around the world and caused significant economic damage).[68] However, others may spread with limited consequences, given their tailored nature (such as the 2010 spread of the Stuxnet virus beyond the Natanz nuclear enrichment plant in Iran).[69] Relatedly, contrary to the perception that cyber operations are unpredictable, actors can design them in ways that limit their unintended effects.[70]
Schneider quite helpfully situates our book in historical context and shows how the influence of early cyber doomsayers, such as those who sounded the alarm bells about an impending cyber Pearl Harbor, has not waned. Instead, they continue to shape how academics and practitioners understand and theorize about cyber conflict.[71] As Schneider notes, a paradigmatic example is the breathless debate surrounding the role cyber operations were expected to play in the lead-up to Russia’s 2022 invasion of Ukraine. Ultimately, as Schneider puts it, “Russian cyber operations largely fizzled in the early days of the war.” This suggests extensions for future research. The debate about cyber escalation has largely focused on the potential role of cyber operations in triggering or exacerbating crises and the risks of escalation from crisis to conflict. But there has been comparably less research on how cyber operations may transform interactions during conflict itself.[72] Our book provides some plausible scenarios of wartime cyber escalation, but the 2022 Russo-Ukrainian war illustrates the opportunity for future research to empirically study this issue.
Schneider’s primary critique of our book centers on its structuralist approach. Along the lines of traditional neorealist approaches to international politics, our argument aims to explain the systemic factors that account for why cyber operations, in general, are not associated with escalation.[73] We agree with Schneider that this means that our framework can only go so far, and that other unit- and individual-level variables (such as domestic politics, strategic and organizational culture, bureaucratic politics, civil-military relations, leader attributes, political psychology, and so on) are needed for a more complete explanation of the determinants of state behavior in cyberspace. That said, we posit that understanding the systemic characteristics of cyberspace and cyber operations is a necessary condition to evaluating their strategic implications.
In sum, we are grateful to all three reviewers for sharing their reflections on our work. Most importantly, we are heartened that a core impetus behind authoring this book—to bridge the gap between the academic study of cyberspace and the crafting and implementing of cyber strategy and policy in practice—was clearly apparent across all of the reviews. Looking ahead, we look forward to continuing to advance the conversation in academic and policy circles about the ways in which cyberspace is shaping (and being shaped by) international politics.
[1] For an example of such cyber-escalation ladders, see Defense Science Board, Resilient Military Systems and the Advanced Cyber Threat (U. S. Government Printing Office, January 2013), 40-43; and Vincent Manzo, Deterrence and Escalation in Cross-Domain Operations (National Defense University Institute for National Strategic Studies Strategic Forum, December 2011), 1-4.
[2] Joel Brenner, Glass Houses: Privacy, Secrecy, and Cyber Insecurity in a Transparent World (Penguin Books, 2013), 2.
[3] See, for example, Sarah Weiner, “Searching for Cyber-Deterrence,” (Center for Strategic and International Studies, November 26, 2012) http://csis.org/blog/searching-cyber-deterrence
[4] Robert Mandel, Optimizing Cyberdeterrence: A Comprehensive Strategy for Preventing Foreign Cyberattacks (Georgetown University Press, 2017), 196.
[5] William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs, 89 (September/October 2010), 98-99.
[6] Gregory J. Rattray, Strategic Warfare in Cyberspace (MIT Press, 2001), 99-100.
[7] For early exploration of the importance of nonstate groups in cyberspace escalation, see Carl Hunt and Nancy Chesser, eds., Deterrence 2.0: Deterring Violent Non-State Actors in Cyberspace (Strategic Multi-Layer Analysis Team for the US Strategic Command Global Innovation and Strategy Center, January 9-10, 2008), 50.
[8] For early exploration of the potential role of intergovernmental organizations in cyberspace escalation, see Patrick M. Morgan, “Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm,” in National Research Council, Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy (National Academies Press, 2010), 74.
[9] See for example John Arquilla and David Ronfeldt, “Cyberwar Is Coming!,” Comparative Strategy 12, no. 2 (April 1, 1993): 141–65, https://doi.org/10.1080/01495939308402915; Leon E Panetta, “Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security,” October 2012, https://archive.defense.gov/transcripts/transcript.aspx?transcriptid=5136.
[10] Brandon Valeriano and Ryan C Maness, Cyber War versus Cyber Realities (Oxford University Press, 2015); Valeriano, Benjamin M. Jensen, and Maness, Cyber Strategy: The Evolving Character of Power and Coercion (Oxford University Press, 2018); Valeriano, “The Need for Cybersecurity Data and Metrics: Empirically Assessing Cyberthreat,” Journal of Cyber Policy 7, no. 2 (May 4, 2022): 140–54, https://doi.org/10.1080/23738871.2022.2111997.
[11] Brandon Valeriano, Benjamin M. Jensen, and Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion (Oxford University Press, 2018); Erica D. Lonergan and Shawn W. Lonergan, “Cyber Operations, Accommodative Signaling, and the De-Escalation of International Crises,” Security Studies 31, no. 1 (2022): 32-64.
[12] Joshua Rovner, “What Is an Intelligence Contest?,” Texas National Security Review, 2021, https://tnsr.org/roundtable/policy-roundtable-cyber-conflict-as-an-intelligence-contest/#essay1; Robert Chesney and Max Smeets, “Introduction: Is Cyber Conflict an Intelligence Contest?,” Texas National Security Review, September 17, 2020, https://tnsr.org/roundtable/policy-roundtable-cyber-conflict-as-an-intelligence-contest; Rovner, “The Elements of an Intelligence Contest,” in Chesney and Smeets, eds., Deter, Disrupt, or Deceive: Assessing Cyber Conflict as an Intelligence Contest (Georgetown University Press, 2023), 17-42.
[13] Michael P. Fischerkeller, Emily O. Goldman, and Richard J. Harknett, Cyber Persistence Theory: Redefining National Security in Cyberspace (Oxford University Press, 2022); Michael Fischerkeller and Harknett, “Cyber Persistence, Intelligence Contests, and Strategic Competition,” in Chesney and Smeets, eds., Deter, Disrupt, or Deceive, 109-133.
[14] Gil Baram, Jelena Vićić, and Erik Gartzke, “What’s Below the Tip of the Iceberg? Accounting for the ‘Missingness’ Problem in Cyber Events Data,” American Political Science Association Annual Conference, Los Angeles, August 2023.
[15] Baram and Kevjn Lim, “Israel and Iran Just Showed Us the Future of Cyberwar With Their Unusual Attacks,” Foreign Policy (June 2020), https://foreignpolicy.com/2020/06/05/israel-and-iran-just-showed-us-the-future-of-cyberwar-with-their-unusual-attacks/; Baram, “A Sliding Scale of Secrecy: Toward a Better Understanding of the Role of Publicity in Offensive Cyber Operations,” Journal of Cyber Policy 7, no. 3 (2023): 275-293.
[16] See for example “Cyber-Attacks by North Korea Raked in $3bn to Build Nuclear Weapons, UN Monitors Suspect,” The Guardian, 7 February, 2024. https://www.theguardian.com/world/2024/feb/08/cyber-attacks-by-north-korea-raked-in-3bn-to-build-nuclear-weapons-un-monitors-suspect.
[17] Joint Cybersecurity Advisory, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), 7 February, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a.
[18] Maggie Miller, “Russian Invasion of Ukraine Could Redefine Cyber Warfare,” POLITICO, January 28, 2022, https://www.politico.com/news/2022/01/28/russia-cyber-army-ukraine-00003051.
[19] Mark Warner, “Will War in Ukraine Lead to a Wider Cyber-Conflict?,” The Economist, February 23, 2022, https://www.economist.com/europe/2022/02/23/will-war-in-ukraine-lead-to-a-wider-cyber-conflict.
[20] Keith Alexander, “Cyber Warfare in Ukraine Poses a Threat to the Global System,” Financial Times, February 15, 2022, https://www.ft.com/content/8e1e8176-2279-4596-9c0f-98629b4db5a6.
[21] Jason Healey and Robert Jervis, “The Escalation Inversion and Other Oddities of Situational Cyber Stability (Fall 2020),” Texas National Security Review 3, no. 4 (2020): 30-53, https://doi.org/10.26153/tsw/10962.
[22] Jon R. Lindsay, “Restrained by Design: The Political Economy of Cybersecurity,” Digital Policy, Regulation and Governance 19, no. 6 (July 26, 2017): 493-514, https://doi.org/10.1108/DPRG-05-2017-0023; Lennart Maschmeyer, “The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations,” International Security 46, no. 2 (October 25, 2021): 51-90, https://doi.org/10.1162/isec_a_00418; Max Smeets, NO SHORTCUTS: Why States Struggle to Develop a Military Cyber-Force (Hurst & Company, 2022).
[23] Thomas Rid, Cyber War Will Not Take Place (Oxford University Press, 2013); Erik Gartzke and Jon R. Lindsay, “Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace,” Security Studies 24, no. 2 (April 3, 2015): 316-48, https://doi.org/10.1080/09636412.2015.1038188; Aaron Franklin Brantly, The Decision to Attack: Military and Intelligence Cyber Decision-Making (University of Georgia Press, 2016), http://muse.jhu.edu/book/45365; Lucas Kello, The Virtual Weapon and International Order (Yale University Press, 2017); Michael Warner, “A Matter of Trust: Covert Action Reconsidered,” Studies in Intelligence 63, no. 4 (2019), https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol-63-no-4/pdfs/Covert-Action-Reconsidered.pdf; Michael P. Fischerkeller, Emily O. Goldman, and Richard J. Harknett, Cyber Persistence Theory: Redefining National Security in Cyberspace, 1st ed., Bridging the Gap (Oxford University Press, 2022).
[24] https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
[26] Jason Healey, “The Implications of Persistent (and Permanent) Engagement in Cyberspace,” Journal of Cybersecurity 5, no. 1 (January 1, 2019): tyz008, https://doi.org/10.1093/cybsec/tyz008; Nina Kollars and Jacquelyn Schneider, “Defending Forward: The 2018 Cyber Strategy Is Here,” War on the Rocks (blog), September 20, 2018, https://warontherocks.com/2018/09/defending-forward-the-2018-cyber-strategy-is-here/; Paul M. Nakasone, “A Cyber Force for Persistent Operations,” Joint Force Quarterly, 2019; Fischerkeller, Goldman, and Harknett, Cyber Persistence Theory.
[27] Austin Carson, Secret Wars: Covert Conflict in International Politics, Princeton Studies in International History and Politics (Princeton University Press, 2018); Lindsey A. O’Rourke, Covert Regime Change: America’s Secret Cold War, Cornell Studies in Security Affairs (Cornell University Press, 2018).
[28] Brian M Mazanec, “Towards a Cyber War Taboo?” (ISA Annual Convention, San Francisco, CA, 2013), http://files.isanet.org/ConferenceArchive/e2b7eefd536e462fa4ed980dfe93bf17.pdf; Cameron S. Brown and David Friedman, “A Cyber Warfare Convention?: Lessons from the Conventions on Chemical and Biological Weapons,” Arms Control and National Security: (Institute for National Security Studies, 2014), https://www.jstor.org/stable/resrep08938.6.
[29] Fischerkeller, Goldman, and Harknett, Cyber Persistence Theory.
[30] Miguel Alberto Gomez and Eula Bianca Villar, “Fear, Uncertainty, and Dread: Cognitive Heuristics and Cyber Threats,” Politics and Governance 6, no. 2 (June 11, 2018): 61-72, https://doi.org/10.17645/pag.v6i2.1279; Keren LG Snider et al., “Cyberattacks, Cyber Threats, and Attitudes toward Cybersecurity Policies,” Journal of Cybersecurity 7, no. 1 (2021): tyab019; Ryan Shandler, Michael L. Gross, and Daphna Canetti, “Cyberattacks, Psychological Distress, and Military Escalation: An Internal Meta-Analysis,” Journal of Global Security Studies 8, no. 1 (2023): 1-19.
[31] Jacquelyn Schneider, “Cyber and Crisis Escalation: Insights from Wargaming” (U.S. Naval War College, 12 2017), https://pacs.einaudi.cornell.edu/sites/pacs/files/Schneider.Cyber%20and%20Crisis%20Escalation%20Insights%20from%20Wargaming%20Schneider%20for%20Cornell.10-12-17.pdf.
[32] Elisabeth Bumiller and Thom Shanker, “Dire Threat of Cyberattack on U.S.,” New York Times, 11 October, 2012.
[33] Erica Lonergan and Jacquelyn Schneider, “The Power of Beliefs in US Cyber Strategy: The Evolving Role of Deterrence, Norms, and Escalation,” Journal of Cybersecurity 9:1 (2023): https://doi.org/10.1093/cybsec/tyad006.
[34] Martin Libicki, Crisis and Escalation in Cyberspace (Rand Corporation, 2012); Lawrence Cavaiola, David C. Gompert, and Martin Libicki. “Cyber House Rules: On War, Retaliation and Escalation,” Survival 57:1 (2015): 81-104; Jason Healey and Karl Grindal, A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 (Cyber Conflict Studies Association, 2013).
[35] John Arquilla, “The Computer Mouse that Roared: Cyberwar in the Twenty-First Century,” The Brown Journal of World Affairs 18:1 (2011): 43.
[36] David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (Crown, 2018).
[37] Andrew Futter, Hacking the Bomb: Cyber Threats and Nuclear Weapons (Georgetown University Press, 2018): 5.
[38] John Arquilla, Bitskrieg: the New Challenge of Cyberwarfare (John Wiley & Sons, 2021).
[39] Lonergan and Schneider, “The Power of Beliefs in US Cyber Strategy.”
[40] Robert Jervis, “Cooperation under the Security Dilemma,” World Politics 30:2 (1978): 167-214; Charles Glaser, “The Security Dilemma Revisited,” World Politics 50:1 (1997): 171-201; Charles Glaser and Chaim Kaufmann, “What is the Offense-Defense Balance and Can We Measure It?” International Security 22:4 (1998): 44-82.
[41] Ben Buchanan, The Cybersecurity Dilemma: Hacking, Trust, and Fear Between Nations (Oxford University Press, 2016); Herbert Lin, “Escalation Dynamics and Conflict Termination in Cyberspace,” Strategic Studies Quarterly 6:3 (2012): 46-70.
[42] Futter, Hacking the Bomb: Cyber Threats and Nuclear Weapons; Emily Goldman and John Arquilla, eds., Cyber Analogies (Naval Postgraduate School, 2014); George Perkovich and Ariel Levite, eds., Understanding Cyber Conflict: 14 Analogies (Georgetown University Press, 2017).
[43] Herman Kahn, On Escalation: Metaphors and Scenarios (Routledge, 2017); Bernard Brodie, Strategy in the Missile Age (Princeton University Press, 2015); Bernard Brodie, Escalation and Nuclear Option (University Press, 2015).
[44] Brandon Valeriano and Ryan C. Maness, “The Dynamics of Cyber Conflict Between Rival Antagonists, 2001–11,” Journal of Peace Research 51:3 (2014): 347-360; Brandon Valeriano and Ryan C. Maness, Cyber War versus Cyber Realities: Cyber Conflict in the International System (Oxford University Press, 2015); Brandon Valeriano, Benjamin M. Jensen, and Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion (Oxford: Oxford University Press, 2018); Nadiya Kostyuk and Yuri M. Zhukov, “Invisible Digital Front: Can Cyber Attacks Shape Battlefield Events?” Journal of Conflict Resolution 63:2 (2019): 317-347.
[45] Nadiya Kostyuk and Carly Wayne, “The Microfoundations of State Cybersecurity: Cyber Risk Perceptions and the Mass Public.” Journal of Global Security Studies 6:2 (2021): https://doi.org/10.1093/jogss/ogz077; Sarah Kreps and Jacquelyn Schneider, “Escalation Firebreaks in the Cyber, Conventional, and Nuclear Domains: Moving Beyond Effects-based Logics,” Journal of Cybersecurity 5:1 (2019): https://doi.org/10.1093/cybsec/tyz007; Miguel Alberto Gomez, “Past Behavior and Future Judgements: Seizing and Freezing in Response to Cyber Operations,” Journal of Cybersecurity 5:1 (2019): https://doi.org/10.1093/cybsec/tyz012; Miguel Gomez and Christopher Whyte, “Breaking the Myth of Cyber Doom: Securitization and Normalization of Novel Threats,” International Studies Quarterly 65:4 (2021): 1137-1150; Kathryn Hedgecock and Lauren Sukin, “Responding to Uncertainty: The Importance of Covertness in Support for Retaliation to Cyber and Kinetic Attacks,” Journal of Conflict Resolution 67:10 (2023): 1873-1903.
[46] Jacquelyn Schneider, Benjamin Schechter, and Rachael Shaffer, “A Lot of Cyber Fizzle But Not A Lot of Bang: Evidence about the Use of Cyber Operations from Wargames,” Journal of Global Security Studies 7:2 (2022): https://doi.org/10.1093/jogss/ogac005; Jacquelyn Schneider, Benjamin Schechter, and Rachael Shaffer, “Hacking Nuclear Stability: Wargaming Technology, Uncertainty, and Escalation,” International Organization 77:3 (2023): 633-667; Miguel Gomez and Christopher Whyte, “Cyber Uncertainties: Observations from Cross-national War Games,” in Cyber Security Politics: Socio-Technological Transformations and Political Fragmentation (Routledge, 2022): 111-127.
[47] Benjamin Jensen, Brandon Valeriano, and Sam Whitt, “How Cyber Operations can Reduce Escalation Pressures: Evidence from an Experimental Wargame Study,” Journal of Peace Research (2024): https://doi.org/10.1177/00223433231219440.
[48] Jason Healey and Robert Jervis, “The Escalation Inversion and Other Oddities of Situational Cyber Stability,” Texas National Security Review 3:4 (2020): 30-53.
[49] Jason Healey, “Preventing Cyber Escalation in Ukraine and After,” War on the Rocks, March 9, 2022: https://warontherocks.com/2022/03/preventing-cyber-escalation-in-ukraine-and-after/.
[50] Jacquelyn Schneider and Julia Macdonald, “Presidential Risk Orientation and Force Employment Decisions: The Case of Unmanned Weaponry,” Journal of Conflict Resolution 61:3 (2017): 511-536. https://doi.org/10.1177/0022002715590874.
[51] Healey, “Preventing Cyber Escalation in Ukraine and After.”
[52] The views expressed by the authors are personal and do not reflect the policy or position of any US government entity with which they currently are or previously were affiliated.
[53] See, for example, Gil Baram, Jelena Vićić, and Erik Gartzke, “What’s Below the Tip of the Iceberg? Accounting for the ‘Missingness’ Problem in Cyber Events Data,” American Political Science Association Annual Convention, Los Angeles, CA, 2023. Harry Oppenheimer, “How the Process of Discovering Cyberattacks Biases our Understanding of Cybersecurity,” Journal of Peace Research 61, no. 1 (2024): 28-43. Lennart Maschmeyer, Ronald J. Deibert, and Jon R. Lindsay, “A Tale of Two Cybers—How Threat Reporting by Cybersecurity Firms Systematically Underrepresents Threats to Civil Society,” Journal of Information Technology & Politics 1, no. 1 (2021): 1-20. Christos Makridis, Lennart Maschmeyer, and Max Smeets, “If it Bleeps it Leads? Media Coverage on Cyber Conflict and Misperception,” Journal of Peace Research 61, no. 1 (2024): 72-86.
[54] Baram, Vićić, and Gartzke, “What’s Below the Tip of the Iceberg?”
[55] Jacquelyn Schneider, Benjamin Schechter, and Rachael Shaffer, “Hacking Nuclear Stability: Wargaming Technology, Uncertainty, and Escalation,” International Organization 77, no. 3 (2023): 633-667.
[56] One example of a more expansive definition is Herbert S. Lin, “Offensive Cyber Operations and the Use of Force,” Journal of National Security Law and Policy 4, no. 63 (2010): 63-86.
[57] United States Senate, “Report of the Select Committee on Intelligence, United States Senate, on Russian Active Measures Campaigns and Interference in the 2016 Election,” Volume II, https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume2.pdf.
[58] Erica D. Lonergan and Jacquelyn Schneider, “The Power of Beliefs in US Cyber Strategy: The Evolving Role of Deterrence, Norms, and Escalation,” Journal of Cybersecurity 9, no. 1 (2023): 1-10. https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF. https://www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf.
[60] https://media.defense.gov/2022/Oct/27/2003103845/-1/-1/1/2022-NATIONAL-DEFENSE-STRATEGY-NPR-MDR.PDF, 10.
[61] Emily O. Goldman, Michael P. Fischerkeller, and Richard Harknett, Cyber Persistence Theory: Redefining National Security in Cyberspace (Oxford University Press, 2022).
[62] Emerson T. Brooking and Erica D. Lonergan, “Welcome to Cyber Realism: Parsing the 2023 Department of Defense Cyber Strategy,” War on the Rocks, September 25, 2023, https://warontherocks.com/2023/09/welcome-to-cyber-realism-parsing-the-2023-department-of-defense-cyber-strategy/.
[63] “Posture Statement of General Timothy D. Haugh 2024,” U.S. Cyber Command, April 12, 2024, https://www.cybercom.mil/Media/News/Article/3739700/posture-statement-of-general-timothy-d-haugh-2024/.
[64] Erica Lonergan and Jacquelyn Schneider, “Cyber Challenges for the New National Defense Strategy,” War on the Rocks, December 17, 2021, https://warontherocks.com/2021/12/cyber-challenges-for-the-new-national-defense-strategy/.
[66] Nina Silove, “Beyond the Buzzword: The Three Meanings of ‘Grand Strategy,’” Security Studies 27, no. 1 (2018): 27-57. Rebecca Friedman Lissner, “What Is Grand Strategy? Sweeping a Conceptual Minefield,” Texas National Security Review 2:1 (2018): 52-73.
[67] Lennart Maschmeyer, “The Subversive Trilemma: Why Cyber Operations Fall Short of Expectation,” International Security 46, no. 2 (2021): 51-90.
[68] https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and.
[69] Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (Crown, 2015).
[70] For an exception, see Steve Bellovin, Susan Landau, and Herb Lin, “Limiting the Undesired Impact of Cyber Weapons: Technical Requirements and Policy Implications,” Journal of Cybersecurity 3:1 (2017): 59–68.
[71] On “cyber doom” narratives, see Sean T. Lawson, Cybersecurity Discourse in the United States: Cyber-Doom Rhetoric and Beyond (Routledge, 2020).
[72] An exception is Nadiya Kostyuk and Yuri M. Zhukov, “Invisible Digital Front: Can Cyber Attacks Shape Battlefield Events?,” Journal of Conflict Resolution 63:2 (2019): 317-347.
[73] Kenneth N. Waltz, Theory of International Politics (McGraw-Hill, 1979).