Tech. Sgt. Johnathan Ransbottom, software development NCO in charge for the Curtis E. LeMay Center for Doctrine Development and Education Wargaming Center, and 2nd Lt. Matthew Hendricks at Squadron Officer College Maxwell Air Force Base, Alabama, in 2015.

Tech. Sgt. Johnathan Ransbottom, software development NCO in charge for the Curtis E. LeMay Center for Doctrine Development and Education Wargaming Center, and 2nd Lt. Matthew Hendricks at Squadron Officer College Maxwell Air Force Base, Alabama, in 2015. US Air Force / Melanie Rodgers Cox

Ideas

What War Games Tell Us About the Use of Cyber Weapons in a Crisis

Recent U.S. war games have shown that decision makers are surprisingly reluctant to use cyber weapons during a crisis scenario that escalates into armed conflict. Why?

Jacquelyn G. Schneider,
Council on Foreign Relations

|
Assistant Professor, U.S. Naval War College

Last week, Jason Healey argued that “there is now a well-documented instance of cyber deterrence,” pointing to a report of conversations within the Obama administration. Some White House officials argued against a cyberattack, citing asymmetric vulnerabilities in tit for tat engagements within the cyber domain. Healey highlights a powerful example of cyber restraint within the Obama administration, but is it deterrence? The United States has also exercised restraint in the nuclear domain, but it is unclear even now whether that restraint is a result of adversary deterrence efforts or a normative nuclear taboo. So what is driving the cyber restraint Healey identified?

In order to understand the motivations behind cyber behaviors, I performed a longitudinal analysis of strategic war games conducted at the Naval War College from 2011-2016. These free-play games, which feature 150-200 U.S. government experts and senior leader players, situate players within crisis scenarios and then allow them to play all instruments of national power to resolve the crisis. Over the years that I analyzed, these war games varied the adversary, the intensity of the crisis, and the players. Like the evolution of cyber operations in real life, the way cyber capabilities were designed in the games evolved in complexity, representing the institutions and capabilities that developed from 2011 to 2016. Bottom line: a lot of things changed between the games. 

However, what remained remarkably consistent across the games was how players utilized cyber operations. In five of the six games, players launched offensive cyber operations only after conventional weapons conducted destructive attacks. Additionally, players were more willing to place systems on nuclear alert than to launch cyberattacks or even cyber-enabled information operations. Over and over players cited concerns about escalation in their cyber restraint, articulating fears that cyberattacks could “lead to nuclear war.” Further, in all of the six games, despite large scale adversary cyberattacks (up to nuclear effects in allied countries), none of the “blue” teams chose to respond to cyberattacks. In one game, a player explained, “this is cyber—it’s different psychologically.” In all of these games, players were told who had attacked them in cyberspace, essentially priming them for retaliation. The lack of support for retaliation in these games is, therefore, especially compelling.

This research suggests two types of restraint: restraint in using cyber operations and an overall restraint in responding to cyber operations. What causes this restraint? Is it deterrence or is it a cyber taboo? These games couldn’t definitively answer this puzzle, but they do suggest a series of potential hypotheses about cyber restraint. First, restraint in utilizing cyber operations could be a uniquely U.S. phenomenon tied to a perception of asymmetric cyber vulnerabilities combined with overwhelming conventional superiority (what Healey’s article alludes to). In other words, why open the Pandora box of cyber operations when the United States has the option to respond to any significant problems with economic punishment or military might? A secondary hypothesis suggests that cyber restraint derives from a false cyber-nuclear equivalency in which the institutional legacy of Strategic Command and the narrative of “strategic” cyber weapons has led to an extension of the nuclear taboo to the cyber domain. These hypotheses are largely agnostic to the adversary—mainly because the games I analyzed featured different adversaries with different cyber, conventional, and nuclear capabilities. Restraint was consistent despite these threat differences, suggesting that cyber restraint was not a product of adversary-tailored deterrence but instead internally derived incentives.

Perhaps more puzzling is why these games also show restraint when responding to cyber operations—a phenomenon not found in the nuclear domain. Once again, this could be a strictly U.S. form of restraint, in which the United States—as the largest economic and military power—can withstand significant cyberattacks without retaliation because it relies on a greater conventional and nuclear superiority. However, there could be a more generalizable explanation which links cyber restraint to emotions and argues that the virtual and novel threat of cyber operations fail to generate the kind of fight or flight gut reaction created by more evolutionarily-primed threats. If this final hypothesis is true, then the restraint in cyber response may permeate beyond U.S. borders and suggest that cyber operations are highly unlikely to lead to escalation in other domains.

Finally, the one war game which did not display cyber use restraint has important implications for foreshadowing the long-term strength of the cyber taboo. In that game, the player leading the blue team executed an extraordinarily risk-acceptant “escalate to dominate” strategy that featured early first use of cyberattacks against a series of domestic and military targets followed by a large-scale conventional offensive. This game highlighted how important the risk proclivity and personality of leaders are to when and how cyber operations are used. Previous research highlighted the large role that risk aversion played in the Obama administration and restraint across a series of domains. The Trump administration is much more risk acceptant, which may lead to less incentives for self-restraint in cyberspace.

NEXT STORY: Turkey's Slow-Cooking Crisis With Its Allies Is Coming to a Boil

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.