7 June 2017

ON CYBER COERCION: LESSONS FROM THE SONY HACK THAT WE SHOULD HAVE LEARNED, BUT DIDN’T


Can cyber coercion succeed? In other words, can threatening or conducting a cyber operation persuade an adversary to comply with one’s demands? The answer matters now more than ever. Beliefs about cyber coercion’s effectiveness are shaping U.S. decisions about technology, doctrine, and partnerships, particularly after Russia’s interference in last year’s presidential election. Regrettably, both officials and scholars offer unconvincing assessments.

Officials believe cyber coercion can succeed. Due to classification barriers, however, they cannot explain their rationales in detail. So, they must convince the public by being either authoritatively cryptic or persuasively alarmist. U.S. intelligence officials usually go cryptic, of course, while members of Congress love going alarmist — even after leaving the Hill. Both approaches leave the informed skeptic feeling dissatisfied.

Scholars, on the other hand, believe that policymakers have overhyped everything “cyber,” including cyber coercion. Yet they too suffer from secrecy, which limits the evidence they can collect about past incidents. Lacking empirical facts, they have turned to drawing nuclear analogies and invoking higher authorities. As a result, the cyber strategy literature often feels like Herman Kahn’s internal monologue, or a new war college drinking game where everyone takes a shot when someone mentions Clausewitz or Schelling. Make no mistake: One paragraph of Arms and Influenceis worth more than a lifetime subscription to the American Political Science Review. But raining down heavy Schelling is not enough to win the intellectual battle over cyber coercion. Scholars should also dissect evidence from actual cyber incidents, however imperfect, to substantiate their claims. While analysts have made progress, they need to do better.

Imposing Costs and Destabilizing Leaders

In a new academic article, I seize the middle ground between ardent officials and skeptical scholars by arguing that cyber coercion can succeed under certain conditions. I begin with the key conceptual problem: Cyber operations are secretive, but secrets cannot coerce. Or, as Dr. Strangelove put it, “The whole point of the Doomsday Machine is lost, if you keep it a secret!” With an assist from War on the Rocks, I outline six ways an aspiring cyber coercer can sap this secrecy problem of its precious bodily fluids. I then present my main argument: Cyber operations coerce by imposing costs and destabilizing an opponent’s leadership. As costs grow and destabilization spreads, backing down eventually becomes less painful than standing tall, causing the adversary to comply with the coercer’s demands.

Cyber operations are well suited to impose costs. The interconnectedness of modern information technology enables a cyber operation to reach beyond the targeted system, including into the victim’s economy. The private sector controls 85 percent of the Internet’s critical infrastructure, offering a vulnerable pressure point for cost imposition. A victim might have to take systems offline for repairs and disrupt other activities, including security operations. Resolving the vulnerability might entail a large repair bill if the technology or human capital are scarce. The target might suffer reputational costs, too, if trade partners or consumers lose confidence.

Cyber operations also offer unique ways to destabilize leaders, in case you had not noticed that Vladimir Putin has transformed Washington into his own personal petrushka show. Cyber operations can target leaders in remarkably personal ways by disclosing embarrassing information that would invite censure if revealed. The responsibility for managing information technology is diffused throughout most organizations and governments. Powerful leaders from the Intelligence Community, military, and private sector will jockey for position when things go wrong. By destabilizing these far-flung leadership circles, cyber operations can scramble governing coalitions, potentially causing them to adopt new policies.

The 2014 Sony Incident

Cost-destabilization dynamics played a decisive role in the 2014 North Korean cyber operation against Sony. Forget everything you think you know about North Korea’s attacks on “The Interview,” a ridiculous Sony movie about assassinating Kim Jong Un. The controversy surrounding the attack neither boosted the movie’s viewership nor increased Sony’s profit. Instead, the cyber operation altered the movie’s release, caused fewer people to see it, inflicted $80 million worth of damage on Sony, and led a top studio executive to step down, all while demonstrating Kim Jong Un’s revolutionary bona fides. Each of these outcomes advanced North Korean interests at Sony’s expense. All that Pyongyang suffered in response were new U.S. sanctions carrying mostly symbolic value. While it is hard to know North Korea’s precise motives, these results suggest that its cyber coercion operation generally yielded more favorable outcomes than many people realize.

Skeptics might say North Korea only achieved these outcomes because the target was a puny non-state actor. That objection is both true and irrelevant, for two reasons. First, most scholars believe cyberspace actually favors strong states, contrary to policymakers’ fears about super-empowered non-state actors. The Sony incident supports the scholarly position. Policymakers should consider updating their beliefs and rhetoric accordingly.

Second, analysts tend to think about cyber coercion defensively, as something that aggressors will attempt against the United States or its allies. However, the United States could just as easily become a perpetrator as a victim. In other words, the United States could be North Korea, not Sony. From this offensive perspective, the incident usefully illustrates how to use cost-destabilization to coerce a weaker actor. Before launching any offensive operation, of course, policymakers must seriously consider the risks involved, including the damage to international norms and the disclosure of technology that enemies might reverse engineer.

Implications for Policy

The Sony incident suggests that the United States should reorient its technology investments, intelligence collection, and operational doctrine towards cost imposition and leadership destabilization, the two pathways to cyber coercion success. These policy changes will help during a defensive scenario in which the United States must deter or thwart an aggressor. However, they will also help during an offensive scenario in which the United States uses cyber coercion to compel an adversary.

Shaping domestic and global attitudes towards cyber operations will become an increasingly important political priority for the United States and other countries. To date, U.S. policymakers have emphasized building political support to prevent the United States and its allies from falling prey to cyber coercion. Yet they must also invest political capital in the scenario we cannot discuss in polite company — offensive cyber coercion — in case it becomes necessary.

A day may be coming when cyber coercion helps countries achieve laudable goals in international politics such as defending allies, preventing genocide, or halting human rights abuses. In those future situations, U.S. policymakers will have to decide whether using cyber coercion to do right justifies the risk that future adversaries use it to do wrong.

Travis Sharp is a Ph.D. candidate in security studies at Princeton University’s Woodrow Wilson School of Public and International Affairs and a non-resident fellow at the Modern War Institute at West Point. The views expressed are his own and do not reflect the position of the U.S. government.

No comments: