Models of Escalation and De-escalation in Cyber Conflict

John C. Mallery

Computer Science & Artificial Intelligence Laboratory, Massachusetts Institute of Technology

Presentation at the 2011 Workshop on Cyber Security and Global Affairs, Budapest, Hungary, May 31 – June 2, 2011.

Version: 6/7/22 09:39 AM

The cyber insecurity conundrum cuts across all things digital or networked. How can we prioritize defensive efforts across such a vast domain? This talk will describe a framework for engineering systems and policymaking based on the work factors for cyber attack and defense. After developing the work factor concept, it will be illustrated in several examples

Version: 04/10/2023 02:32 PM

Escalation And De-escalation Models For State-state Cyber Conflict & Cooperation

- A step towards a US-Russia-China workshop on escalatory models of cyber conflict
- Intended to develop shared perspectives and analytical frameworks across countries
- Appendices include a draft set of topics for consideration in a longer workshop
  - Dynamics of cyber-fueled conflict
  - Approaches to managing cyber-fueled conflict
  - Lessons from history or other conflictual domains
- Today we will discuss a few selected topics
- Background: Topic area selected as the top priority by MSU IISI team from 10 workshop topics presented last year

Possible International Workshops On Critical Cyber Policy Issues

Workshop Topics

1. Cyber Definitions
2. Cyber Crime
3. Cyber Terrorism
4. Escalatory Models
5. Civilian Infrastructures
6. Industrial Espionage
7. Technical Cooperation
8. Codes of Conduct
9. Cyber Law
10. Protection of the Commons

MSU IISI prioritization

1. Escalation Models
2. Civil infrastructures
3. Cyber Definitions
4. Cyber Law
5. Codes of Conduct
6. Cyber Terrorism
7. Cyber Crime
8. Technical Cooperation
9. Protection of the Commons (Termed “Protection of World Community”)
10. Industrial Espionage

Overview

- Defining cyberspace
- Threat actors and capabilities
- Entropy-based model of conflict and cooperation
- Global cyber conflict mess
- Illustrative Conflictual Actions
- Illustrative Cooperative Actions
- Phase-structured Cyber Events Data
- Utility of cyber actions
- Managing Strategic Technology Competition
- Cross Domain Responses
- Proportionality Judgments
- Institutions and Mechanisms for Cyber De-escalation
- Cyber Conflict Characteristics

What is cyberspace?

- Interdependent network of information technology infrastructures (NSPD54/HSPD23)
  - Internet
  - Telecommunications networks
  - Computer systems
  - Embedded processors
  - Controllers in critical industries
- Also virtual environment of information and interactions between people (NSPD54/HSPD23)
  - Activities riding on cyberspace
- US Military
  - Electro-magnetic spectrum
  - Information operations
  - C4ISR, space
- Supply chains for IT
  - Computers, networks, software, sensors, crypto, identity management, etc.
- Knowledge, information, data

Domains of Cyberspace

[Figure: diagram of the domains of cyberspace. Labels recovered from the slide:]

- Supply Chain: IC Fabrication; IC Design; Operating Systems; Information Assurance; Cryptography; Network Infrastructure Administration; Application Software and Administration
- Routers, Switches, Fiber, Wireless, Other; PCs, Servers, Laptops, Cell Phones, PDAs
- Physical Network Connectivity; Enterprise IT; Critical Infrastructures; Consumer IT
- Cyberspace: Economic & Business Activity; Military And Intelligence Systems; International Dialogues; Information Processes, Social Networking
- Research Communities; IA, Certification, Accreditation; International Standards
- Diplomacy; Treaties; Agreements; Alliances; Norms; IGOs; NGOs; Industry
- Knowledge Formation; Political Discourse; Value System Dynamics
- Governance; Technological Level; Network, Computer, Crypto, ID Mgt. Standards; Universal Principles

Threat Actors And Capabilities

| Threat Actors | Motive | Targets | Means | Resources |
|---|---|---|---|---|
| Nation States During War Time | Political | Military, intelligence, infrastructure, espionage, reconnaissance, influence operations, world orders | Intelligence, military, broad private sector | Fully mobilized, multi-spectrum |
| Nation States During Peace Time | Political | Espionage, reconnaissance, influence operations, world orders | Intelligence, military, leverages criminal enterprises or black markets | High, multi-spectrum, variable skill sets below major cyber powers |
| Terrorists, Insurgents | Political | Infrastructure, extortion | Leverage black markets? | Limited, low expertise |
| Political Activists or Parties | Political | Political outcomes | Outsourcing? | Limited, low expertise |
| Black Markets For Cyber Crime | Financial | Hijacked resources, fraud, theft, IP theft, illicit content, scams, crime for hire | Tools, exploits, platforms, data, expertise, planning | Mobilizes cyber crime networks |
| Criminal Enterprises | Financial | | Reconnaissance, planning, diverse expertise | Professional, low end multi-spectrum, leverage of black markets |
| Small Scale Criminals | Financial | | Leverages black markets | Low, mostly reliant on black markets |
| Rogue Enterprises | Financial | IP theft, influence on sectoral issues | Outsourcing to criminal enterprises? | Sectoral expertise, funding, organization |

Conflict and Cooperation within Living Social Systems Framework

- Goal: Continuous function from conflict to cooperation
- Countries are autopoietic systems
  - Prigogine, non-equilibrium thermodynamics
  - Self-recreating living systems
  - Network of component producing processes
  - Recreate the socio-economic and political system over time
- Key functional areas:
  - Physical Security: Military, intelligence, terrorism
  - Economic Security: Business, technology, science, policy
  - Political Security: Ideation, legitimacy, diplomacy
- State-state interactions
  - Conflictual action: Increases autopoietic entropy
  - Cooperative action: Decreases autopoietic entropy
- Mesh of state-state interactions
  - Reciprocity dimensions: economic, political, military, cultural
  - Relationships: parasitic or mutualistic

Global Cyber Conflict Mess*

- Over 100 states developing offensive cyber capabilities
  - Various USG 2008-2010
- What are their targets?
  - Economic
  - Political
  - Military/intelligence
- Who are their targets?
  - G20?
  - Major industries?

Cyber Capability Levels

| Cyber Power | No. | IW | Espionage | Attack | Integration |
|---|---|---|---|---|---|
| Major | 3? | High | High | High | High |
| Important | 10? | Moderate? | Significant | Significant | High |
| Middle | 20? | Lower? | Crime ware | Crime ware | Lower |
| Lesser | 70+ | Lower? | Crime ware | Crime ware | Lower |

Illustrative Conflictual Actions

Move Type Action Std. Cyber Intensity Duration Impact

Political
Displeasure x x 1
Protest x 1
Withdraw Support x 2
Snub x 1
Threaten x x 1
Support opposition x x 4
Subversion x 5

Economic
Industrial espionage x x 2
Sabotage x x 2
Sanctions x ? 3
Quarantine x ? 4

Military
Politico-military espionage x x ?
Unconventional warfare, terrorism x x 1
Skirmishes x x 2
Limited warfare x x 4
General warfare x x 5

Illustrative Cooperative Actions

Move Type Action Std. Cyber Intensity Duration Impact

Political
Diplomatic recognition x 1
Praise, hail, applaud x x 2
Endorse or support policy or position x x 3
Promise material support x x 3
Negotiate x x 1
Make substantive agreement x x 2
Share data, intelligence x 4

Economic
Joint ventures, technical sharing x x 5
Support capacity building x x 3
Suspend Sanctions x ? 1
Extend economic aid x ? 3

Military
Extend military assistance x x 4
Coordinate counter-terrorism x x 4
Coordinate defense x x 5
Cease hostilities x x 3
Settle dispute x x 3

Phase-structured Cyber Events Data

- Define cyber action vocabulary
  - Party actions
  - Referrals to conflict managers
  - Conflict management actions
- Code state-state interaction sequences
  - Include partial order for level of conflict or cooperation
  - Phase structure is given by the movement up or down hostility/altruism
- Enables learning to:
  - Predict escalation or de-escalation as a function of event sequences
  - Efficacy of conflict management actions

Utility of Cyber Actions

| Modality | Detection | Complexity | Reliability | Consequences |
|---|---|---|---|---|
| IW | 3 | 2 | 2 | 1 |
| Intelligence | 1 | 3 | 2 | 1 |
| Degradation | 1 | 3 | 1 | 2 |
| Disrupt (precise) | 3 | 3 | 1 | 3 |
| Denial | 3 | 2 | 3 | 3 |

Managing Strategic Technology Competition

1. Engineering networking standards and computational frameworks for national advantage

2. Developing universalizable norms for system engineering and design certification

3. Managing industrial espionage when integrated component of strategic economic competition

4. Sanctions (diplomatic, economic) against predatory behaviors in open multilateral trading systems

5. Standards for ICT intended to reduce opportunities for bad cyber behavior, enhance international stability and promote orderly international interactions

Cross Domain Responses

- State need not respond to cyber in kind
- Cross domain responses cloud anticipation of responses to cyber actions
  - Judgment of proportionality by initiator
  - Judgment of perception by recipient
- Example: Industrial espionage by China
  - Possible response aiming at regime legitimacy
- Example: Russia and US declare potential nuclear response against cyber attacks on C2 systems
  - Penetration of the wrong system could provoke major response
- Cross domain responses introduce potentially destabilizing feedback paths

Proportionality Judgments

- Shared understandings of proportionality are necessary for meaningful calibration of action
- Different perspectives, approaches, traditions and cultural contexts can produce misunderstandings and unintended escalations
- Errors or accidents involving cyber weapons may produce
  - Unintended consequences via cascading effects
  - Unforeseen escalatory responses

Cyber Conflict Characteristics

1. Offense dominated
2. Strategic reach
3. Poor attribution (low frequency)
4. Poor warning with short detection times
5. No strategic depth -> pre-emption strategies
6. Readily usable techniques for espionage
7. Strong reciprocity among major actors
8. Low barriers to entry
9. Over 100 state players
10. Lack of shared perception of action seriousness

- Limited history of cyber conflict
- Cross cultural understanding challenges
- Little guidance from international law
- Many variations possible

Conclusion: Unstable, dangerous feedbacks

Institutions and Mechanisms for Cyber De-escalation

| Domain | Activity | Conflict Manager |
|---|---|---|
| Political | Hacktivism; Legitimacy IW | ?, UN |
| Economic | Industrial espionage; Predatory Trade; Supply chain subversion | ?, IMF, G*, WTO, regional IGOs |
| Military | Prepositioning logic bombs; Critical infrastructure attacks | Conventional mediators (e.g., UN, regional IGOs) |

Research Questions

1. What is the domain of cyber conflict and cooperation?

2. Does the rise of cyber operations, whether attack, espionage or influence operations, change inter-state conflict dynamics?

3. What are the stability characteristics of current and future international systems as cyber conflict capacity develops and diffuses?

4. How can levels of cyber conflict and cooperation be measured and compared across technical change?

5. How can strategic technical and economic competition be managed?

6. How can different perceptions of hostility or cooperation and escalation phases be managed?

7. Can legal or normative frameworks increase stability or protect non-combatants?

Appendix A

Dynamics Of Cyber-fueled Conflict

Dynamics Of Politico-military Escalation And De-escalation In State-state Cyber Conflict

1. Analysis of factors contributing to instability or stability
2. Cyber as a means for strategic reach with low barriers to entry (over 100 countries with some cyber offensive capabilities)
3. Pre-emption strategies due to poor warning as a source of instability
4. Problems of n-way games, including (mis-)attribution, bad reputations, provocations
5. Clusters of state-level cyber conflict and cooperation
6. Dangerous feedbacks, good feedbacks
7. Unintended consequences (e.g., perceptions, cascading impact, spreading impact, collateral damage to civilians or 3rd parties)
8. Precision and controllability of cyber techniques across target domains, including impact on neutral countries or global commons
9. Usability of cyber techniques for attack or exploitation (low probability of attribution, low physical damage, low human casualties)
10. Cross-domain responses to cyber as amplifiers or attenuators of conflict
11. Differential perception of threat (e.g., economic, legitimacy, systemic)
12. Special case of nuclear powers (cyber under cover of nuclear)
13. Asymmetric vulnerability of lower ICT capacity states to cyber attack by stronger military powers
14. Dynamics of collapse or rebuilding of trust across state-state transactions, with special attention to low-to-mid level cyber provocations
15. Mechanisms for de-escalation, including termination of conflict or war
16. Mechanisms for establishing ground truth (e.g., monitoring, data sharing, inspection, cross correlation)
17. Institutions for international mediation and conflict management

Conflict Triggers Or Escalators

1. Misread of red lines
2. Denial of service or attack on C2 or space assets
3. Ambiguity of cyber actions between exploitation and attack
4. Penetration of critical infrastructure, or "preparation of the battlefield"
5. Accidental impact on 3rd parties via spread or cascading
6. Excessive espionage provoking hostile responses, possibly cross-domain
7. 3rd party provocations intended to incite major power conflict
8. Information operations targeting political legitimacy
9. Conventional conflict triggering cyber responses

Cross-modality Or Cross-domain Responses To Cyber Exploitation Or Attack

1. Signaling and problems of misperception in cyber conflict (or cyber cross-domain responses)

2. Mismatches of cross cultural or doctrinal models of cyber conflict

3. Hostility spirals due to volume of exploitation or development of bad reputation

Appendix B

Approaches To Managing Cyber-fueled Conflict

Challenges

1. How can verification, monitoring and situational awareness be achieved and to what extent?

2. How is cyber defense possible without understanding and anticipating incoming cyber attacks?

3. How can proliferation of cyber weapons within or across countries be prevented or managed?

Shared International Frameworks For Designating Actions In Cyber Space As Criminal, Hostile, Or Negligent

1. Definitions of hostility levels
2. Definition of when counter-force becomes counter-value targeting along supply chains or supporting infrastructure for an opposing military
3. Red lines within the contexts of peace, crisis or war
4. Impact of red lines on dynamics of escalation control and stability
5. Instabilities arising from attacks on C5ISR systems, including nuclear systems, space assets and naval forces
6. Large-scale espionage: quantity exceeds conventional hostility calibrations
7. Ambiguity of cyber-physical systems (e.g., cyber attack on power grid causing physical damage)
8. Information operations: anti-terrorism, threats to government stability
9. How should international sharing of cyber data be organized and coordinated?
10. Rebuilding trust in a low verification environment

Responsibility Of National Leadership For Controlling Cyber Offense And Exploitation

1. Government actors
2. Surrogates, including state responsibility for cyber "patriots" or criminals operating within their territory under international law regardless of whether the state has direct, indirect or no control at the time
3. Non-state actors using computing platforms within their territories
   - Hacktivists
   - Terrorists
4. Leakage of advanced cyber capabilities to criminals or terrorists
5. Managing different levels of conflict from strategic (e.g., nuclear weapons control and release) to theater or tactical
6. Responsibility for cleaning up botnets, or other platforms within their territories used by 3rd parties to attack or exploit 2nd parties

Managing Strategic Technology Competition

1. Engineering networking standards and computational frameworks for national advantage

2. Developing universalizable norms for system engineering and design certification

3. Managing industrial espionage when integrated component of strategic economic competition

4. Sanctions (diplomatic, economic) against predatory behaviors in open multilateral trading systems

5. Standards for ICT intended to reduce opportunities for bad cyber behavior, enhance international stability and promote orderly international interactions

Legal Or Normative Frameworks Codifying Shared Interests

1. How can cooperative activities in cyber defense or fighting cyber crime build reservoirs of trust that help prevent or attenuate cyber crises?
2. Can a "public health" approach to cyber help reduce risk of conflict and enhance trust through cooperative contributions to the cyber commons?
3. To what extent are states interpreting cyber within the framework of the Geneva Convention?
4. Where are current international legal frameworks adequate or inadequate?
5. How can they be extended to cover gaps?
6. How do they serve the range of state or non-state actors in the international system?
7. Can legal or normative frameworks actually help in a timely fashion when cyber capabilities are so widely diffused and technical change is rapid?
8. What is their domain of relevance across a hostility range from peacetime to wartime?
9. How can adverse impacts on international cyber infrastructures be prevented or managed?
10. How can collateral damage to non-belligerents be managed?
11. How can 3rd party provocations intended to initiate conflicts between major powers be prevented beforehand or managed afterwards?

Legal Or Normative Frameworks Codifying Shared Interests

12. What is the legal or pragmatic liability of states for consequences of cyber operations, whether intentional, collateral, or accidental (including cyber proliferation)?

13. What should be the status of a cyber attack on one country that disrupts economic activity in 3rd countries? (e.g., shared infrastructure, outsourcing, linked industrial verticals) Rights of 3rd parties to respond? Non-state actor case?

14. What is the responsibility of states to prevent private actors or 3rd parties from launching attacks from within their territory by controlling bad network traffic, taking down botnets, or requiring higher assurance standards?

15. What legal recourses are available when cyber espionage exceeds standards of customary practice to reach extraordinarily high levels of hostility?

16. What should be the responsibility of Internet service providers to report bad behavior to states (e.g., tracing attacks via proxies, cyber pollution, IW)?

17. What should be the legal liability of ISPs if they act as agents of a state by providing the means to deliver cyber attacks, engage in cyber exploitation or weaponization?

18. To what extent are States and ISPs separate around the world? How does it affect the ability of states to act in cyberspace?

Appendix C

Lessons From History Or Other Conflictual Domains

Lessons From History Or Other Conflictual Domains

1. How should the definition of "armed force" be extended to cyber attacks? (e.g., by consequences, by threat level)

2. How do we measure the consequences of cyber weapons? Must they have physical manifestation?

3. How can conventional counter proliferation approaches bear on cyber capabilities?

4. How can conventional protections of neutral parties, international infrastructures or global commons (e.g., sea, space) be extended to cyber?

5. How is cyber not like nuclear deterrence? (Overworked analogy with many analytical assumptions failing.)

6. How are cyber weapons like non-nuclear kinetic weapons?

7. How can biological weapons regimes inform cyber regimes? (Similarities and differences, for example in terms of proliferation, verification, usability)