What Drives — and Deters — Cyber Warfare?

BOOK REVIEW:  RETHINKING CYBER WARFARE: THE INTERNATIONAL RELATIONS OF DIGITAL DISRUPTION

By:  R. David Edelman/ Oxford University Press

Reviewed by: Glenn S. Gerstell

The Reviewer — Cipher Brief Expert Glenn S. Gerstell is a Principal with the Cyber Initiatives Group and Senior Adviser at the Center for Strategic & International Studies.  He served as General Counsel of the National Security Agency and Central Security Service from 2015 to 2020 and writes and speaks about the intersection of technology, national security and privacy.

REVIEW — Cyberattacks are ubiquitous and constant; Russia, China, Iran and North Korea launch cyber-maliciousness with impunity; and traditional concepts of deterrence seem useless.  As the old saying about the weather goes: everybody talks about it, but nobody does anything about it.

Rethinking Cyber Warfare seeks to fix this.

In author R. David Edelman’s view, Russia’s massive cyber offense against Estonia on the morning of April 27, 2007, was the first nation-state cyberattack intended to have a national security outcome. Subsequently, as we all know too well, countries around the world have suffered from an ever-increasing barrage of cyber mischief ranging from theft to espionage to destruction to disinformation.

And yet nations aren’t in full-fledged cyberwar. There has been some restriction on the extent of cyberattacks – whether due to limits on offensive resources, the effectiveness of cyber defenses, or, most significantly – and this is what Edelman explores – some set of geopolitical dynamics that inhibit nation-states from unbridled cyber conflict.

The central question of Edelman’s deeply thoughtful book is: “Which, if any, forces in the international system might restrain state use of cyberattacks, despite the strategic advantage they confer?” For this purpose, Edelman is concerned with cyberattacks defined as “an act of coercion or sabotage that exploits the security vulnerabilities of network systems, disrupting or destroying information infrastructure or the critical infrastructure dependent on it, to significant national security effect.”

Edelman argues that 17 years after the Estonian attacks, we should have a better understanding of the answer to that central question:

It is the persistence [of such a question] that motivates this work. How could it be, with all of the cumulative insights of the past decade and a half, that so much of state policy [regarding cyber warfare] appears to be furtive, unpredictable, and disconnected from the lessons of the past? What is missing about the way we as scholars are thinking about the international relations of cybersecurity?


Looking for a way to get ahead of the week in cyber and tech? Sign up for the Cyber Initiatives Group Sunday newsletter to quickly get up to speed on the biggest cyber and tech headlines and be ready for the week ahead. Sign up today.


Edelman addresses these questions from the perspective of his current position as a professor at MIT’s Internet Policy Research Initiative and Center for International Studies, informed by his prior experience as a senior staff member of the President Obama’s National Security Council.  From that vantagepoint, he notes that the three fundamental constraining forces – deterrence, international law and humanitarian concerns – in one way or another inhibit (but manifestly do not prohibit) nations from engaging in physical warfare. Yet somehow those forces seem far weaker in curtailing cyber wrongdoing.

Edelman cogently and persuasively explains why deterrence isn’t adequate in the cyber realm. It obviously works in the case of, say, nuclear weapons, where nations can make an informed and rational judgement that the benefit of using such a weapon would be far outweighed by the risk of retaliation and consequent unacceptable losses. That calculation clearly doesn’t apply in the case of cyber – a nation can inflict significant cyber damage to another, accepting the risks that the victim will be able to attribute the attack to it with sufficient certainty and that whatever action the victim country will take in response (ranging from public denunciation to cyber retaliation to economic sanctions) will not be sufficiently harmful to yield a net loss. In short, as Edelman asserts, “cyberattacks deprive [nations] of the ability to make meaningful rationalist calculations, rendering cyber capabilities both poor deterrence and difficult to deter. Consequently, restraining cyberattacks requires more than amassing greater, similar capabilities in the manner of most conventional and nuclear deterrence”

But what Edelman calls “structural deterrence” has some greater effect. This consists of nations “shaping the international environment through alliances and law to favor their strengths within an overall deterrence relationship.”  In other words, China might impose limits on its cyber wrongdoing if it knew that it risked engendering global opprobrium and jeopardizing its trade and political relationships with not only a potential victim country but also a wide group of Western democracies.

International law is an additional element of restraint. Even though there are few, if any, direct enforcement mechanisms outside of the United Nations regime, most countries, even the authoritarian ones, want to be seen as in compliance with international norms. But Edelman argues that “practical ambiguities” — over exactly what constitutes a cyber act of war (entitling the victim to respond militarily) and what responses are appropriate even in the case of a cyber act that causes loss of life or other serious harm — limit the utility of international law in curtailing cyber maliciousness. He concedes, however, that there are potential further benefits to be garnered from a more developed system of international law, thus pointing the way to future work by the UN and individual nations.


Subscriber+Members have a higher level of access to Cipher Brief Expert Perspectives and get exclusive access to The Dead Drop, the best national security gossip publication, if we do say so ourselves.  Find out what you’re missing. Upgrade your access toSubscriber+ now.


The book’s most novel assertion is also potentially its most powerful: Edelman argues that “shared notions of humanity” – of the sort that have led to largely effective prohibitions on the use of chemical or biological weapons or land mines – are the most promising sources of restraint on cyberattacks. The final section of the book notes that there already is some informal consensus about the inappropriateness of cyberattacks causing injury to “protected classes,” such as medical personnel, food, water and other indispensable civilian supplies, and civil defense and rescue personnel. Edelman sketches out how it might be possible (admittedly over many years) to build on that consensus to develop a more concrete international norm against cyberattacks.

Rethinking Cyber Warfare is not an easy read for someone wanting to lightly acquaint themselves with current concepts of cyber deterrence and international law and norms. At 340 pages of elegantly written but dense text, and with an extraordinarily rich 36-page bibliography, the book was written for academics and, perhaps to a lesser extent, serious policy makers. In conformity with the volume’s academic approach, many pages are devoted to formal discussions of the organization of the book and the arguments. Given that format, the book will be an important addition to the curriculum in military academies and university level courses on regulating cyberspace. Moreover, it will be exceptionally useful for those in the world of statecraft and the military who want to think more deeply about how the international order can and should bring some level of control to cyberweapons. Whatever tools of restraint nations have been using thus far have proven wholly inadequate, and Edelman is pointing us to a possible new approach.

Rethinking Cyber Warfare earns a prestigious 4 out of 4 trench coats

4

The Cipher Brief participates in the Amazon Affiliate program and may make a small commission from purchases made via links.

Interested in submitting a book review?  Send an email to [email protected] with your idea.

Sign up for our free Undercover newsletter to make sure you stay on top of all of the new releases and expert reviews.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.


More Book Reviews

Search

Close