21 July 2022

The Cyberwar That Never Was: Reassessing Choices During Cyber Conflicts – Analysis

Miguel Alberto Gomez

The action and rhetoric leading to the invasion of Ukraine early this year led to speculation about the effective use of Russian cyber capabilities to complement or replace conventional means at the outbreak of the conflict. Noting the observed and declared Russian prowess in cyberspace, some observers held that the deteriorating situation provided the opportunity to demonstrate the strategic value of cyber operations. Nevertheless, despite the seemingly favourable conditions, the exercise of Russian cyber power at the onset of hostilities –and throughout them– is limited at best.[1] Although disruptive tactics such as defacement and wiper malware were documented, the expected cyber ‘bang’ was more of a ‘whimper’, remaining much the same throughout the past three months.
Analysis

Responding to the limited strategic role of cyber operations thus far, both cybersecurity scholars and policy analysts weighed in on possible explanations. While the possibility exists of increasingly destructive action with notable strategic effects, most acknowledge its supportive or complementary value once a dispute is militarised.[2] Proponents of this view recognise: (1) the difficulty of planning and initiating cyber operations; (2) their limited effects; and (3) and the potential for escalation, which may temper decisions surrounding their use.

However, the question of whether such constraints are unique to this case or speak more broadly of the role of cyber operations during instances of armed conflict must be addressed. Due to the rarity of interstate war, there is limited empirical evidence available. Nevertheless, such questions need to be asked as our understanding of interaction between states in cyberspace has, thus far, been limited to periods of relative peace. Consequently, to be able to delve into the extent to which the exercise of cyber power delivers strategic gains in war has been the focus of analysis of the conflict’s cyber dimension thus far. Analysis, however, should not be limited solely to the expected utility of actions in and through cyberspace but should also account for the rationale behind these choices. Specifically, do decision-makers carefully consider the strategic environment and the capabilities of cyber operations when deciding how best to employ these instruments to obtain their strategic objectives?

This paper expands on the explanations advanced thus far by shifting the focus from structural and technological attributes to socio-cognitive constructs that shape preference formation. Doing so serves two purposes. First, it acknowledges the bounded nature of human rationality given the complexities of cyberspace and the action within it. Decision-makers revert to established socio-organisational practices and cognitive constructs to alleviate the ambiguity surrounding the international system and cyberspace. Secondly, it highlights the possibility that the limited use of offensive cyber operations may be case-specific, rooted in the process used to interpret the strategic environment. This should not be understood as an indictment of the possible irrationality of decision-makers. Instead, the lens with which Russian and other decision-makers interpret the environment shapes their preferences on how best to express power through cyberspace.

Consequently, future instances of conflict featuring a distinct cyber dimension may not unfold in the same manner as the Russia-Ukraine War. Nevertheless, the article recognises that Russian decision-making artifacts are unavailable. Consequently, arguments contained in the following sections rely on recently published case and wargaming data.

The remainder of this paper is organised into three further sections. Immediately following this introduction, it summarises the current rationale, grounded in structural and technological constraints, explaining the limited use of cyber operations in the ongoing Russia-Ukraine War. Bearing in mind that the conflict provides favourable conditions for the offensive use of cyber operations, their absence leads one to question whether this is indeed the true character of cyber conflict. The discussion then pivots by arguing that Russian cyber operations may be less a function of the material constraints they face but are, instead, a reflection of how the latter are interpreted using specific socio-cognitive devices. Finally, the paper concludes by explaining the possible consequences of the existing policy and security discourse surrounding cyber conflicts and draws attention to the need to understand the decision-making processes that generate specific policy choices rather than just evaluating the efficacy of operations.

Material limitations

Proponents of the revolutionary potential of cyber operations often centre their arguments on the underlying vulnerability of cyberspace and its implications for national power. Owing to its complexity, it is impossible –and in some cases undesirable– to completely secure this environment.[3] Moreover, this complexity limits our ability to predict where compromises can occur and what their consequences are.[4] This state of insecurity encourages exploitation by states as a means of shaping the environment in their favour, a cyber fait accompli.[5] While accurately depicting the vulnerability of this human-made environment, the paradigm does not account for the complexity and effects of these operations.

While it has become easier to acquire the skills required to inflict damage through cyber means, tactical and strategic effects remain a function of the resources invested.[6] Several scholars readily acknowledge that consequential operations are limited to a handful of states with the necessary technological, organisational and economic resources.[7] This is not to say that smaller powers are to be dismissed; instead, less complicated disruptive operations (eg, web defacement) are unlikely to result in strategic gains. Paradoxically, if this is the case, does Russia not have the capability to conduct more advanced operations than those seen thus far? While possible, the complexity of cyber operations, their consequences and their escalatory potential must be considered.

Operational success is not simply a function of technical prowess. As illustrated by Stuxnet, complex operations require careful coordination across different entities.[8] While there is as yet no evidence of operational planning in Russian cyber operations, it could be posited that intelligence failures and a lack of coordination may indicate organisational or cultural practices that inhibit the coordination necessary for effective cyber operations. Alternatively, it could also be asserted that the Russian leadership recognised these challenges and opted for conventional means (eg, it is simpler to bomb a power station than to hack it) that are far easier to deploy in a shorter timeframe.

Relatedly, cyberspace is a resilient domain. Inflicting damage to cyber infrastructure is often resolved in hours –as in the case of the Russian operation targeting the Ukrainian power grid in 2015–.[9] Unsurprisingly, the acknowledged vulnerability of cyberspace encourages coordination and preparation involving both the private and public sectors, blunting the effects of offensive operations. In the current conflict, Russian behaviour since 2014 and support from state and non-state actors outside Ukraine continue to hinder malicious Russian activity.[10]

Finally, even if the above constraints are addressed, there remains the question of escalation. The lack of a documented case of escalation serves to assuage the concerns of some. Fischerkeller & Harknett noted that constant interaction in this space results in a tacitly agreed-upon range of acceptable action.[11] Maness & Valeriano posit that long-standing rivalries define the status-quo and its corresponding behaviour, deviations from which could signal possible escalation.[12] However, operations levelled against Ukraine thus far do not differ significantly from those prior to militarisation.

Arguments that Russia may simply be incapable of more complex operations are easily dismissed given its past actions.[13] Alternatively, restraint may be an effort to prevent adversaries from misconstruing this as an intent to escalate. While this may seem counterintuitive, since hostilities have already broken out in the conventional space, evidence from wargames suggests that elites continue to perceive cyber operations as escalatory even in the context of increasing physical violence.[14] In another wargame, participants do not perceive cyber operations as substitutes for conventional capabilities but as supporting other means or as a complementary option to generate other effects. Given the continued prominence of information operations, the latter may explain the nature of operations thus far.

Considering the points above, contemporary commentary attributes limited Russian cyber operations to: (1) the ease with which conventional operations may be used to achieve the desired effect; (2) the transient nature of damage inflicted through cyber means; and (3) the desire to avoid potential escalation and instead employing cyber capabilities to achieve other, complementary effects. Suppose these factors drive Russian decision-making regarding the use of their cyber capabilities. In that case, scepticism regarding the strategic value of these tools may be warranted even under conditions of interstate war.[15] However, this is contingent on the ability of Russian decision-makers to objectively recognise the limitations of cyber operations and the possible reaction from Ukraine and its benefactors should Russia decide to engage in more aggressive operations. This assumes the objective interpretation of the strategic and technological environment.

Beyond material and structural factors

The seemingly limited ability of Russian decision-makers to correctly evaluate the strategic environment is an observation that most commentators have agreed upon over the past few months. While the poor performance of Russian forces during the opening days and weeks of the conflict may be attributed to intelligence failure, the slow pace with which they adapted and the continuation of certain practices hints at a profoundly ingrained pathology.[16] In his book Painful Choices, David Welch asserts that decision-makers stubbornly hold on to established beliefs so long as the consequences of doing so do not generate enough cognitive dissonance or emotional stress to encourage a re-assessment.[17] While political and cognitive psychology over the past three decades provides enough evidence to support this argument, the nature of these beliefs and how they shape preferences are less clear. Furthermore, the extent to which they influence the exercise of cyber capabilities determines whether decision-makers recognise structural and technological limitations or interpret them in the context of established beliefs.

Scholars of international relations, particularly those that identify as neoclassical realists, recognise that decision-makers contextualise the strategic environment using ideas and beliefs which may not adequately capture the reality they face.[18] To paraphrase Rose,[19] policymakers see the world ‘through a glass, darkly’. In the case of the Russia-Ukraine War, statements made by Putin prior to the invasion appear to reflect the underlying worldview that drives his strategic preferences.[20] This is unsurprising and readily observed in other states as well. However, the extent to which these beliefs shape preferences in cyberspace, a technological environment whose rules define what is possible, is less understood

The earliest mention of how prior beliefs govern strategic preferences in cyberspace can be traced to the work of Valeriano, Jensen & Maness.[21] They suggest the existence of ‘national ways’ in cyberspace. The authors argue that states such as China, Russia and the US employ cyber operations that reflect beliefs pre-dating cyberspace without explicitly stating what these beliefs are. Building on this work, Kari & Pynnöniemi associate Russian threat perception and preferences with Russia’s strategic culture. The authors note that the persistent sense of vulnerability and the narrative of a besieged fortress is cited in documentary sources as driving preferences.[22]

While numerous definitions abound, this paper treats strategic culture as a ‘set of beliefs held by elites concerning strategic objectives and the most effective method of achieving them’.[23] Suppose cyberspace is perceived as a novel means for attaining strategic objectives. It could be argued that prior beliefs that shape the means towards these objectives contribute to preference formation. For instance, if a state views information operations as enabling a favourable strategic environment, then dependence on such a belief would see decision-makers gravitating towards means with which this preference may be realised. Unsurprisingly then, this logic raises questions about whether decision-makers are bound to adhere to these beliefs or whether agency exists to assess its suitability considering circumstances that enable and constrain state behaviour.

Most political psychologists would agree that rationality exists in a gradient. Depending on the environment in which they operate, decision-makers may exert greater or lesser cognitive effort when formulating strategic preferences reflected in observed behaviour. In the case of cyberspace, uncertainty relating to the effects of operations and the pervasive lack of expertise is shown to increase reliance on cognitive structures such as beliefs. The situation is further compounded by latent uncertainty within the international system that decision-makers would have to contend with. Experiments and simulations over the past decade confirm this phenomenon.[24]

Results from an ongoing cross-national wargame show up the conditions in which decision-makers are likely to undertake a greater effort of cognition to develop an appropriate policy response during a crisis.[25] The wargames conducted in Taiwan, the Philippines, the US, Singapore and Switzerland involving cybersecurity, policy and military experts highlight the tendency to move by default to nationally-distinct practices associated with underlying strategic cultures. Singapore, for instance, opted for policies that demonstrated its resolve while simultaneously pursuing a diplomatic option, reflecting its preferences given its historical experience and unique geographic features. Similarly, Swiss participants gravitated towards policies that avoided further aggravating the situation and granted them flexible diplomatic options. As one participant notes, their choices were governed by their Swiss identity and the expectations that flowed from it.

However, this tendency to rely on beliefs and prior preferences was moderated by the need to avoid policy failure. Participants who assumed that incorrect policy choices would result in severe consequences were motivated to assess the situation carefully and were open to deliberative strategies that challenged prior beliefs. In effect, the wargames demonstrated the tendency of individuals to slip ‘between policy-guiding mental representations of reality and reality itself’.[26]

Consequently, both the wargames and preceding research call for caution when advancing claims regarding the choices made by states vis-à-vis cyberspace. While there is less doubt that strategic effects from the independent use of cyber operations are limited, it cannot be concluded that decisions surrounding the exercise of power in and through cyberspace are the sole function of the objective interpretation of the strategic environment. The preference of Russian decision-makers to engage in low-level disruption and influence operations may have as much to do with their realisation of the limits of this new environment as it does with their established beliefs as to how best to meet their strategic objectives.

Conclusions

Reassessing choices and the future of cyber conflict

While the Russia-Ukraine War tells us much about the limits of cyber operations, it is less informative as to why states act the way they do. On a positive note, this situation sheds light on the need to investigate further the mechanisms that govern the decision to use cyber capabilities. Specifically, it calls for greater attention towards immaterial factors such as beliefs that may serve as the lens through which decision-makers interpret the strategic environment resulting in behaviour-shaping preferences.

That being said, our attempts to understand the future of cyber conflict must extend beyond debates surrounding the efficacy of cyber operations. While this does not imply surrendering to calls of technological exceptionalism, it requires a greater effort on the part of scholars and policy experts alike to consider the underlying decision-making processes. Consequently, this not only requires accounting for the consequences of operations, but also considers how policymakers and public opinion alike perceive these activities. Although cyberspace is unquestionably enabled by technology, actions within and through it are shaped by individuals who remain far more unpredictable than the technologies they use.

No comments: