Authored by researchers from American University and published by the UC Berkeley Center for Long-Term Cybersecurity, this report details findings from a novel experiment that assessed how diverse actors—including nation-states, non-state organizations like ISIS, cyber-activist groups such as Wikileaks, and other groups—are likely to use cyber operations in the context of an escalating conflict.
The study’s authors, Benjamin M. Jensen, associate professor at the Marine Corps University and scholar-in-residence at American University’s School of International Service, and David Banks, professorial lecturer at American University, found that cyber operations are not likely to be used for provocative conflict escalations, but rather to provide a moderating influence by offering states a means of managing escalation ‘in the shadows’.
The authors used analytic wargames, an innovative tool that investigates competition among diverse actors, to identify strategic preferences in two hypothetical contexts: in a narrative called “Island Impact,” players represented either the U.S. or China in a simulated crisis in the South China Sea; in “Netwar,” players took on the role of either a national government or one of three opposition groups (a violent non-state actor, major international firm, or cyber activist network) in the context of an escalating conflict. The researchers first ran the wargames with university students and national security professionals to identify strategic preferences, and then surveyed more than 3,000 Internet users to assess which strategies would be chosen in different crisis contexts. A majority of players selected less escalatory responses in each game.
The report provides an overview of implications for policymakers and military leaders as they anticipate how rivals will use cyberspace in future crises. “Many of the key influencers in the conversation around cyber promote a sense of alarm, yet our research suggests that the threat inflation is not necessarily warranted,” the authors conclude. “Further research may be merited to determine whether institutions are investing too much in cyber deterrence and may want to shift the investment to other related priority areas, such as defense and authentication.”