Rand: American involvement in a cyber crisis is inevitable but manageable
The United States will likely find itself in a cyber crisis owing to the fact that cybercrimes and espionage continue to rise and the risks from cyberspace are growing, according to a recently-released Rand Corporation monograph (.pdf) prepared for the Air Force. Crises are less likely to "emanate from the unavoidable features of cyberspace" than from "each side's fear, putatively exaggerated, of what may result from its failure to respond," the report says.
Rand's basic message for Air Force planners: Crisis and escalation in cyberspace can be managed as long as policymakers understand the key differences between nonkinetic conflict in cyberspace and kinetic conflict in the physical world. Nonkinetic operations also encompass psychological or information operations, but the Rand study focuses on cyberperations.
According to the report, the differences between the kinetic and nonkinetic environments are the tremendous scope that cyberdefense affords; the near impossibility and therefore pointlessness of trying to disarm an adversary's ability to carry out cyberwar; and the great ambiguity associated with cyberoperations—notably, the broad disjunction between the attacker's intent, the actual effect, and the target's perception of what happened.
"Conflicts, to be sure, have always needed explanation, but perhaps nowhere more so than for cyberwar," the report asserts. "Cyberoperations lack much precedent or much expressed declared policy on which to rely. The normal human intuition about how things work in the physical world does not always translate effectively into cyberspace."
At the same time, Rand says the government's level of cyber knowledge and expertise is quite low, which will change, but only slowly over time.
As a result, the report recommends that Air Force strategies should concentrate on: recognizing that crisis instability in cyberspace arises largely from misperception; promulgating norms that might modulate crisis reactions; knowing when and how to defuse inadvertent crises stemming from incidents; supporting actions with narrative rather than signaling; bolstering defenses to the point at which potential adversaries no longer believe that cyberattacks (penetrating and disrupting or corrupting information systems, as opposed to cyberespionage) can alter the balance of forces; and calibrating the use of offensive cyberoperations with an assessment of their escalation potential.
- download the RAND monograph (.pdf)