Dr. Jacquelyn G. Schneider is an assistant professor and associated faculty member at the US Naval War College’s Center for Cyber Conflict Studies. The opinions expressed in this article are her own and do not reflect the views of the US Naval War College, the US Navy, or the Department of Defense. You may find her on Twitter at @jackiegschneid.
Jason Healey stated last week that “there is now a well-documented case of cyber deterrence,” citing a story of Obama administration meetings. Some White House officials felt that a cyberattack would be counterproductive, given asymmetric weaknesses in tit for tat cyber operations. Healey cites a great example of the Obama administration’s cyber restraint, but is it deterrence? The US has also shown caution in the nuclear arena, albeit it is still unclear whether this constraint is due to enemy deterrence efforts or a normative atomic taboo. So, what is the source of Healey’s cyber restraint?
I conducted a longitudinal analysis of strategic war simulations held at the Naval War College from 2011 to 2016 to understand better the motives underlying cyber activities. These free-play simulations, which include 150-200 US government specialists and senior leaders, place players in crisis scenarios and then let them use all of the nation’s might to address the problem. These war simulations changed the enemy, the severity of the crisis, and the participants during the years I studied them. How cyber capabilities were constructed in the games expanded in complexity, mirroring the growth of cyber operations in real life, depicting the institutions and powers that emerged from 2011 to 2016. In the end, a lot changed between the two games.
However, one aspect of the games that remained fairly consistent was how participants used cyber operations. Participants only initiated offensive cyber activities in five of the six simulations after conventional weaponry had destroyed the environment. Players were also more ready to put systems on nuclear alert than initiate cyberattacks or cyber-enabled intelligence activities. Players expressed concerns about an escalation in their cyber restraint on many occasions, expressing fears that hacks may “lead to nuclear war.” Furthermore, despite large-scale opponent cyber attacks (with nuclear consequences in friendly nations), none of the “blue” teams opted to retaliate against cyberattacks in any of the six games. “This is cyber—different it’s mentally,” one participant stated in one game. Players were told who had attacked them in cyberspace in these games, preparing them for retribution. As a result, the absence of support for revenge in these games is very persuasive.
Caution in the use of cyber operations and general restraint in responding to cyber operations are suggested in this study. What is the source of this restraint? Is it a virtual taboo or a deterrent? These games cannot provide a conclusive answer to this problem, but they offer several possible possibilities concerning cyber restriction. First, cyber operations caution may be a distinctively American phenomenon linked to a view of asymmetric cyber weaknesses mixed with overwhelming conventional dominance (as Healey’s article suggests).
To put it another way, why open Pandora’s box of cyber operations when the US can respond to any great difficulties with economic sanctions or military force? A supplementary theory is that cyber restraint stems from a misunderstanding of the cyber-nuclear equivalence. The Strategic Command’s institutional heritage and the narrative of “strategic” cyber weapons have resulted in the nuclear taboo being extended to the cyber realm. Because the simulations I looked at had multiple opponents with varied cyber, conventional, and nuclear capabilities, these assumptions are mostly indifferent to the enemy. Despite these threat changes, restraint was constant, implying that cyber restraint resulted from internal incentives rather than an adversary-tailored deterrent.
Perhaps even more perplexing is why these games display restraint while responding to cyber activities—a pattern not seen in the nuclear sector. Once again, this might be a purely American version of control, in which the US—as the world’s most powerful economic and military power—can absorb substantial cyberattacks without reprisal because of its superior conventional and nuclear capabilities. However, there may be a more general explanation that connects cyber restraint to emotions, arguing that the virtual and unfamiliar danger of cyber operations fails to elicit the same type of fight or flight gut reaction as more evolutionarily-primed threats. If this last theory is correct, the caution in cyber reaction may extend beyond US boundaries, implying that cyber activities are unlikely to escalate in other areas.
Finally, the one war scenario in which cyber usage was not restrained has significant consequences for the cyber taboo’s long-term strength. In one game, the player in charge of the blue side employed an extremely risk-averse “escalate to dominate” plan, which included the deployment of cyberattacks against a number of domestic and military targets before launching a large-scale conventional offensive. The importance of risk proclivity and leadership style in determining when and how cyber operations are deployed was stressed in this game. Risk aversion and restraint played a big influence in the Obama administration and constraint across a number of disciplines, according to previous studies. The Trump administration is significantly more risk-averse, which might lead to fewer incentives for cyber self-control.