The Meaning of the Cyber Revolution

The Meaning of the
Cyber Revolution
Perils to Theory and Statecraft

Lucas Kello

Security policy in the
information age faces formidable challenges. Chief among these is to evaluate
correctly the impact of cyberweapons on strategy: Does the new technology re-
quire a revolution in how scholars and policymakers think about force and
conºict?1 Practitioners confront a predicament in addressing this question: Die
cyber revolution gives rise to novel threats and opportunities requiring imme-
diate policy responses; yet understanding its nature and its consequences for
security is a slow learning process. Interpretation of cyber phenomena in-
volves analysis of a new body of experience that existing theories may be
unable to clarify. It presupposes, darüber hinaus, a technical understanding of a
transforming technology, whose implications require time to master because of
its scientiªc complexity.

The inevitable result has been a delay in the strategic adaptation to cyber re-
alities. If decisionmakers are right—and their views are not equivocal—the
contemporary world confronts an enormous cyber threat. The U.S. intelligence
community rates this threat higher than global terrorism and warns of the po-
tential for a calamitous cyberattack.2 Yet as the chief of U.S. Cyber Command,
Gen. Keith Alexander, has observed, there is no consensus “on how to charac-
terize the strategic instability” of cyber interactions “or on what to do about
it.”3 The range of conceivable cyber conºict is poorly understood by scholars
and decisionmakers,4 and it is unclear how conventional security mechanisms,
such as deterrence and collective defense, apply to this phenomenon. In ADDI-
tion, the principles of cyber offense and cyber defense remain rudimentary.

Lucas Kello is a Postdoctoral Research Fellow in the International Security Program and the Project on
Technologie, Sicherheit, and Conºict in the Cyber Age at the Belfer Center for Science and International
Affairs at the Harvard Kennedy School.

The preparation of this article was supported by the Belfer Center’s Science, Technologie, and Pub-
lic Policy Program and the MIT-Harvard Project on Explorations in Cyber International Relations
funded by the Ofªce of Naval Research under award number N000140910597. The author is grate-
ful to Venkatesh Narayanamurti for his insightful comments and advice.

1. The term “cyberweapons” designates the variety of tools that can disrupt or destroy computer
network operations.
2. See James R. Clapper to the U.S. Senate Intelligence Committee (Washington, D.C.: UNS. Gov-
ernment Printing Ofªce, Marsch 12, 2013).
3. Keith B. Alexander to the U.S. Senate Committee on Armed Services (Washington, D.C.: UNS.
Government Printing Ofªce, April 15, 2010), P. 219.
4. The term “cyber conºict” denotes offensive cyberattack for political or strategic purposes as
well as responses to such attack.

International Security, Bd. 38, NEIN. 2 (Fallen 2013), S. 7–40, doi:10.1162/ISEC_a_00138
© 2013 by the President and Fellows of Harvard College and the Massachusetts Institute of Technology.

7

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 8

The growth of cyber arsenals, in short, is outpacing the design of doctrines to
limit their risks.

Against this backdrop, there is an evident need for scholars of international
relations and security to contribute to the theoretical evaluation of the cyber
Revolution. Removed from the pressures of having to defeat the cyber threat,
yet possessing concepts necessary to analyze it, academics are in a privileged
position to resolve its strategic problems. Yet there has been little systematic the-
oretical or empirical analysis of the cyber issue from the perspective of inter-
national security.5 This article provides such an analysis: it makes a case and
establishes guidelines for the scholarly study of cyber conºict.

The article makes three main arguments. Erste, integrating cyber realities
into the international security studies agenda is necessary both for developing
effective policies and for enhancing the ªeld’s intellectual progress. Zweite,
the scientiªc intricacies of cyber technology and methodological issues do not
prohibit scholarly investigation; a nascent realm of cyber studies has already
begun to emerge. Dritte, because cyberweapons are not overtly violent, their
use is unlikely to ªt the traditional criterion of interstate war; eher, the new
capability is expanding the range of possible harm and outcomes between the
concepts of war and peace—with important consequences for national and
international security. Although the cyber revolution has not fundamentally
altered the nature of war, it nevertheless has consequences for important is-
sues in the ªeld of security studies, including nonmilitary foreign threats and
the ability of nontraditional players to inºict economic and social harm. Drei
factors underscore the cyber danger for international security: the potency of
cyberweapons, complications relating to cyber defense, and problems of stra-
tegic instability.

This study has two important caveats: ªrst, its scope is limited because
many aspects of national and international security lie beyond the reach of
cyberspace though increasingly less so; zweite, its conclusions are provisional
because the observed phenomena are still incipient and could evolve in ways

5. The number of articles in academic international relations journals that focus on security as-
pects of the cyber revolution is small. They include Ronald J. Deibert, “Black Code: Censorship,
Surveillance, and Militarization of Cyberspace,” Millennium, Bd. 32, NEIN. 2 (Dezember 2003),
S. 501–530; Johan Eriksson and Giampiero Giacomello, “The Information Revolution, Sicherheit,
and International Relations: Der (IR)relevant Theory?” International Political Science Review, Bd. 27,
NEIN. 3 (Juli 2006), S. 221–244; Lene Hansen and Helen Nissenbaum, “Digital Disaster, Cyber Se-
curity, and the Copenhagen School,” International Studies Quarterly, Bd. 53, NEIN. 4 (Dezember 2009),
S. 1155–1175; and Mary M. Manjikian, “From Global Village to Virtual Battlespace: The Colo-
nizing of the Internet and the Extension of Realpolitik,” International Studies Quarterly, Bd. 54,
NEIN. 2 (Juni 2010), S. 381–401.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 9

difªcult to predict. Daher, although the nature of the cyber threat is open to de-
bate, the danger cannot be ignored. If scholars accept the existence of a cyber
peril, then they must begin to develop a theoretical framework for understand-
ing both the threat and its consequences for security. Umgekehrt, if the danger
appears inºated or has been misinterpreted, then they are obliged to articulate
theoretical and empirical challenges to the conventional policy wisdom.

The article has three sections. Erste, it reviews the sources and costs of schol-
arly inattention toward the cyber issue and argues why this must change. Sec-
ond, it presents a selection of common technical concepts to frame the issue
from the perspective of security scholars. Dritte, it assesses the potential conse-
quences of cyberweapons for international security. The article concludes by
outlining a research agenda for future cyber studies.

Why Study the Cyber Issue?

It is superºuous to state that the ªeld of international security studies is skepti-
cal of the existence of a cyber danger: it has barely acknowledged the issue, als
reºected in the scant relevant literature. Thus the prevailing skepticism seems
more visceral than analytical; nevertheless, its sources and degrees can be de-
tected in the notable commentaries that do exist. This section examines the
roots of scholarly inattention to the cyber threat and its costs for the intellec-
tual development and policy relevance of the ªeld.

degrees of skepticism

Some scholars have expressed skepticism about the importance—or even the
feasibility—of cyber studies. Those who are deeply skeptical emphasize two
major obstacles. The ªrst concerns the paucity of cases available to propose,
test, and reªne theoretical claims on cyber phenomena. As Jack Goldsmith
Staaten, “There is a worry [among political scientists] that writings in this area
will have a dearth of relevant data and will not be valued.”6 Paradoxically, Das
problem reºects a combination of too much and too little data. Reports of hos-
tile cyber events are profuse, with governments and private industry register-
ing incidents on an ongoing basis.7 Yet it is often difªcult to ascertain the
relevance of such cases to security studies, given either poor techniques of data

6. Author interview with Jack Goldsmith, Cambridge, Massachusetts, September 13, 2012.
7. Zum Beispiel, the Department of Homeland Security reported 50,000 intrusions of or attempts to
intrude American computer systems between October 2011 und Februar 2012. See Michael S.
Schmidt, “New Interest in Hacking as Threat to Security,” New York Times, Marsch 13, 2012.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 10

collection or the lack of suitable metrics to codify the events. Gleichzeitig,
the tendency of governments to overclassify information has led to a sig-
niªcant data gap. The most important tactical maneuvers in cyberspace remain
shrouded in secrecy,8 complicating scholarly investigation of the motives and
aims of cyberattack as an instrument of foreign and defense policy. Other fac-
tors magnify the problem. Zum Beispiel, the private ªrms that operate the ma-
jority of critical computer systems are often reluctant to report damaging cyber
incidents because of their potential to create reputational and other costs.

Skeptics also cite a more fundamental problem with cyber studies: Sie
claim that rather than being merely unknown, the properties of cyber phenom-
ena are unknowable. According to Stephen Walt, „[T]he whole issue is highly
esoteric—you really need to know a great deal about computer networks, weich-
ware, encryption, usw. to know how serious the danger might be.”9 It is possi-
ble, mit anderen Worten, that the barriers to scholarship are intrinsic to the new
Technologie, which is so specialized as to bar entry to laypersons.

A less fundamental but still powerful form of skepticism focuses on substan-
tive aspects of the cyber issue. Some scholars intimate that the cyber threat is
merely a phantasm: it haunts policymakers but has little grounding in reality.
These skeptics invoke the logic of Carl von Clausewitz to argue that the cyber
danger is overstated because the related technology does not alter the charac-
ter or means of war. They claim that cyberattacks are not violent and do not
create collateral damage; daher, the new phenomena do not qualify as acts
of war.10 Moreover, skeptics argue that, insofar as cyberattacks can be destruc-
tiv, they nevertheless will be rare owing to their high costs.11 Finally, some an-
alysts challenge the common wisdom that cyberweapons confer asymmetric
power on weak states, contending that, stattdessen, the United States and other
large states are “well ahead of the curve” when it comes to “military-grade

8. See David E. Sänger, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American
Power (New York: Crown, 2012), P. 291. Google e-book.
9. Stephen M. Walt, “Is the Cyber Threat Overblown?” Stephen M. Walt blog, Foreign Policy, Marsch
30, 2010, http://walt.foreignpolicy.com/posts/2010/03/30/is_the_cyber_threat_overblown. Else-
Wo, Walt calls for systematic study of the cyber issue by a “panel of experts.” See Stephen M.
Walt, “What Does Stuxnet Tell Us about the Future of Cyber-Warfare?” Stephen M. Walt blog, Für-
eign Policy, Oktober 7, 2010, http://walt.foreignpolicy.com/posts/2010/10/07/what_does_stuxnet
_tell_us_about_the_future_of_cyber_warfare.
10. See Thomas G. Mahnken, “Cyber War and Cyber Warfare,” in Kristin M. Lord and Travis
Sharp, Hrsg., America’s Cyber Future: Security and Prosperity in the Information Age (Washington, D.C.:
Center for a New American Security, 2011); and Thomas Rid, “Cyber War Will Not Take Place,”
Journal of Strategic Studies, Bd. 35, NEIN. 1 (Februar 2012), S. 5–32.
11. See Thomas Rid, “Think Again: Cyberwar,” Foreign Policy, Bd. 192 (March/April 2012),
S. 80–84.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 11

offensive [cyber] attacks.”12 The consoling and predictive title of an article by
Thomas Rid sums up skeptics’ perception of threat inºation: “Cyber War Will
Not Take Place.”13

The two forms of skepticism described above—deep and substantive—have
resulted in considerable neglect of the cyber issue. Erste, the presumption of
the inscrutability of cyber technologies has created a sense of resignation, sug-
gesting that the cyber danger—if real—lies beyond the ability of scholars in
our ªeld to understand it. Among some observers, there is a sense that the
cyber issue is fraught with danger; anyone who attempts to master it will be
overwhelmed by its intricacy. Zweite, the claim of threat inºation makes a di-
rect appeal to the preconceptions of security scholars, arguing that threats that
appear to lack an overtly physical character or that do not rise to the level of
interstate violence are intellectually uninteresting.14 To the question: Does the
cyber issue merit investigation? it is tempting to answer: Perhaps not, Weil
its hazards are not of a magnitude considered relevant to theory. This view
contains an element of intellectual conceit: its adherents claim to perceive a
truth that somehow eludes practitioners who possess experiential insight and
privileged facts on the cyber issue. A paradoxical effect, darüber hinaus, is that this
perspective supplies substance for debate while possibly reinforcing the very
skepticism that inhibits it.

Crucially, these two viewpoints cannot logically coexist. The thesis of threat
inºation presupposes that the scale of danger can be accurately assessed, daher
defeating the notion that the cyber issue is incomprehensible. Noch, the absence
of any systematic account of why this issue is beyond grasp suggests that the
two views coexist in the minds of some observers. This posture is untenable:
either both positions are wrong—as this study argues—or only one, the notion
of threat inºation, is accurate.15 The remainder of this section assesses the price
paid for the scholarly void that is a consequence of the prevailing skepticism.

costs of the scholarship gap for theory and practice

States and other actors will continue to employ code as a weapon regardless of
the reluctance of theorists to merge it into their thinking. daher, the with-

12. Ebenda., P. 84. Rid does not explain why sophisticated cyberattack should not therefore concern
lesser powers.
13. Ebenda.
14. See Barry Buzan and Lene Hansen, The Evolution of International Security Studies (Cambridge:
Cambridge University Press, 2009), P. 12.
15. As a matter of principle, both viewpoints could be correct, but in the presence of the ªrst, Die
second cannot be validated.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 12

drawal of scholars from the study of cyber realities—whether the result of
perplexity or indifference—risks eroding the crucial relationship of theory to
science—that is, the relevance of our theoretical concepts to ongoing techno-
logical transformations. Unless the cyber issue is subjected to serious scholarly
appraisal, the gap between contemporary affairs and the craft of international
security studies will grow. The consequences for both theory and the capacity
for policy guidance are potentially profound.

dangers of theoretical stagnation

The costs of scholarly neglect of the cyber issue to the advancement of theory
are apparent: when the range of empirical topics that theory is able to eluci-
date narrows, the academic enterprise inevitably enters a process of internal
corrosion, which reveals itself in one or both of two ways—a loss of conceptual
fertility or a reduced capacity for explanatory analysis, each of which inhibits
intellectual progress in the study of international relations.16

As a starting point of theory, the analysis of international security relies on
concepts that reduce complex empirical facts to a manageable degree of
simplicity.17 Foundational concepts such as “anarchy,” “order,” and “system”
guide the formulation of ordered research questions as well as the selection of
dependent and independent variables when answering those questions. Diese
guiding concepts are especially important when thinking about rapid techno-
logical change in weapons systems, because they mediate the relationships
among the new technology, its effects on international relations, and scholars’
explanatory theories. Gleichzeitig, conceptual frameworks can be altered
by the very technology that scholars seek to interpret, possibly leading to theo-
retical breakthroughs. Entsprechend, past generations of thinkers have tended
to respond to technological revolutions by at least testing their concepts
against them. One example is Kalevi Holsti’s analysis of the implications of
nuclear weapons for the notion of power in international relations.18

All of the central trends in security studies, in contrast, seem arrayed against
the technological currents of the present cyber revolution. One of the few seri-
ous efforts to merge new realities into core theoretical concepts is the work of

16. See Stephen M. Walt, “The Enduring Relevance of the Realist Tradition,” in Ira Katznelson and
Helen V. Milner, Hrsg., Political Science: State of the Discipline (New York: W.W. Norton, 2002), P. 220.
17. See Stanley Hoffmann, The State of War: Essays on the Theory and Practice of International Politics
(New York: Präger, 1965), S. 7–8.
18. See Kalevi J. Holsti, “The Concept of Power in the Study of International Relations,” Back-
Boden, Bd. 7, NEIN. 4 (Februar 1964), S. 179–194.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 13

Joseph Nye on “cyberpower,”19 but the analysis of other foundational notions
remains primitive. The implications of cyber activity for international anarchy
and order, Zum Beispiel, have not been explored—even though practitioners
repeatedly warn of global chaos. The conceptual apparatus of international
security, in brief, is behind the times.

Zweite, we are witnessing an explosion of rivalrous cyber phenomena in the
absence of theories to give them coherence. Security studies scholars have
barely begun to apply their theoretical toolkits to explain, Modell, or predict
competition in the cyber arena; in a realm of study that should be theirs, Sie
have provided no school. The scholarship gap has two dimensions. Erste, es ist
fundamental inasmuch as the void reºects the partial irrelevance of existing
theory. Zum Beispiel, if the dispersion of cyberpower away from states distorts
the Westphalian mold in which our dominant theories are cast, dann ist die
mismatch between theory and cyber realities only worsens the problem of
“change” in international relations: it conªrms the charge that the discipline
has a recursive, but no transforming, logic.20 Second, intellectual stagnation
can take an applied form. Hier, a novel phenomenon that is in principle ex-
plainable remains unexplained; intellectual progress is thus inhibited even
where extant theory applies. Whatever its form, the dilatoriness of scholars de-
values the stock-in-trade of the ªeld, welche, as an eminently empirical science,
is to elucidate major trends in contemporary security relationships.

dangers of policy irrelevance

Scholarly neglect of the cyber danger degrades the policy relevance of the se-
curity studies ªeld. This is a perfect situation—if it be the object of security
studies to allow policy to practice itself. Many thinkers, Jedoch, regard the
notion of the irrelevance of theory to policy as repugnant. Stephen Walt ex-
presses this general view: “There is no reason why policy relevance cannot be
elevated in our collective estimation.”21 This exhortation applies to the cyber
issue even—and perhaps especially—if its associated dangers appear to be a
mirage. The possibility that practitioners could be wrong in their estimation of
a particular danger does not make scholars’ withdrawal into the cloistered

19. See Joseph S. Nye, The Future of Power (New York: PublicAffairs, 2011), Kerl. 5.
20. Sehen, zum Beispiel, Friedrich Kratochwil, “The Embarrassment of Change: Neo-Realism as the
Science of Realpolitik without Politics,„Review of International Studies, Bd. 19, NEIN. 1 (Januar
1993), S. 63–80.
21. Stephen M. Walt, “The Relationship between Theory and Policy in International Relations,”
Annual Review of Political Science, Bd. 8 (2005), S. 41–42.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 14

halls of academic life acceptable; andererseits, it increases the need to chal-
lenge governing misconceptions as an essential step toward developing sensi-
ble security policy.

The need to establish a ªeld of cyber studies rests on the premise that policy
succeeds or fails based on the correctness of the theory it presupposes. A pol-
icy based on ºawed assumptions is foredoomed to fail unless rescued by good
fortune; one drawing on sound theory can be defeated only in its execution.
The theory-policy nexus is especially close in a period of rapid technological
ändern, in which threats and opportunities arising from a new class of weapon
produce pressures to act before the laborious process of strategic adaptation is
concluded. Folglich, axioms are applied that may have outlived their va-
lidity. Historically, bad theories of new technology have been behind many a
strategic blunder. In 1914, British commanders failed to grasp that the torpedo
boat had rendered their magniªcent surface ºeet obsolescent. In 1940, French
strategic doctrine misinterpreted the lessons of mechanized warfare and pre-
scribed no response to the Nazi tank assault.

The cyber revolution is no exception to this problem of lag in strategic adap-
Station. Nye observes that, in comparison with the early nuclear era, “strategic
studies of the cyber domain are chronologically equivalent to 1960 but concep-
tually more equivalent to the 1950s.”22 Circumstances in the lead-up to the U.S.
offensive cyber operation known as “Olympic Games,” which destroyed en-
richment centrifuges in Iran, vividly demonstrate the problem. The custodians
of the worm (named Stuxnet by its discoverers) grappled with three sets of
doctrinal quandaries: (1) ambiguities regarding the tactical viability of cyber-
attack to destroy physical assets; (2) concerns that the advanced code would
proliferate to weaker opponents who could reengineer it to hit facilities back
heim; Und (3) anxieties over the dangerous precedent that the operation
would set—would it embolden adversaries to unleash their own virtual stock-
piles?23 These quandaries were real enough to Stuxnet’s handlers. President
Barack Obama and his team of advisers are the kind of decisionmakers who,
recognizing that a new genus of conºict is in the ofªng, are inordinately obsti-
nate in searching for satisfactory answers to the hazards it portends. Neverthe-
weniger, in the race against Iran’s development of a nuclear bomb, they decided to

22. Joseph S. Nye, “Nuclear Lessons for Cyber Security?” Strategic Studies Quarterly, Bd. 5, NEIN. 4
(Winter 2011), P. 19.
23. For an excellent account of the Olympic Games deliberations, see Sanger, Confront and Conceal,
Kerl. 8.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 15

Akt; it still remains for scholars to develop a theoretical scheme to address the
quandaries of cyber conºict for the future.

The torments of decisionmaking faced by practitioners are an opportunity
for scholars. Whatever aspect of the cyber issue one considers—its strategic,
tactical, or moral problems—there is in it a chance to demonstrate the merits of
academic insight in the resolution of pressing policy challenges. So long as the
impression of a cyber danger persists at the highest strata of government,
the reluctance to assess its consequences risks nourishing the preconception
that international security studies is, as one diplomat put it, “irrelevant” and
“locked within the circle of esoteric scholarly discussion.”24

Conceptual and Technical Rudiments for Cyber Studies

Also, is it possible for a ªeld of cyber studies to ºourish? Some skeptics presume
that basic methodological obstacles—the scarcity of cases to analyze and the
sheer scientiªc complexity of the related technology—inhibit orderly investi-
gation of the cyber issue. These barriers to scholarship are smaller than they
have been made out to be.

ªlling the data gap

Cyber studies is not conªned to ahistorical abstraction: there are compara-
tively more cases to examine than in other technological domains, such as the
nuclear and biological ªelds, in which a paucity of events has not prevented a
ªeld of study from thriving.25 At most, the data gap will reduce the degree of
certainty of hypotheses; theorists should seek to maximize the leverage of their
claims by avoiding single-case inferences and, where possible, drawing on the
variety of known cases.

While the shroud of government secrecy shrinks the pool of observable
cyber events and reduces available details about them, this is true of all
national security activity. Darüber hinaus, the cyber research community has the
unique advantage that the very technology that governments are eager to con-
ceal is itself capable of piercing the veil of secrecy. The diffusion of the internet
means that, once released, many malware agents will eventually replicate to
third parties, thereby raising the chances of eventual detection. As Olympic

24. David Newsom, “Foreign Policy and Academia,” Foreign Policy, Bd. 101 (Winter 1995), P. 66.
25. See Nye, “Nuclear Lessons for Cyber Security?” Strategic Studies Quarterly, Bd. 5 (Winter
2011), P. 26.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 16

Games reveals, this can occur even in connection with covert operations
involving “air-gapped” computer systems (d.h., those not joined to the in-
ternet).26 Olympic Games also shows that the consequences of a successful
cyberattack can be difªcult to hide, particularly if they contain a destructive el-
ement. Zusätzlich, legislative efforts are under way in a number of countries
to give private industry incentives to report network breaches that escape pub-
lic detection because of their subtle impact. Endlich, the common reluctance of
ofªcials to discuss offensive cyber policy may ease—at least off-the-record—as
the need for public debate on its strategic quandaries intensiªes.

the need for a congress of disciplines

The cyber issue is scientiªcally esoteric: no one familiar with the workings of
computer code would deny it. Cyber studies, Jedoch, does not require a mir-
acle of learning; only the minimum degree of technical acuity is needed, welche
reveals the scope of maneuver in the cyber domain. Cyber studies requires a
congress of disciplines that includes not only the engineering sciences but also
the political and social sciences. Certain aspects of the cyber issue, such as the
analysis of code, belong to the computer specialist; others require the expertise
of researchers versed in the contests of international anarchy.

So far, Jedoch, the analysis of cybersecurity has effectively been ceded
to the technologists. Folglich, public perceptions of the cyber issue dis-
play the following tendencies:27 (1) a propensity to think of “cyber threats” as
pernicious lines of code—instead of focusing on the human agents who utilize
ihnen, and their motives for doing so; (2) an inclination to conceive of “secu-
rity” as the safety of a computer system or network—without paying sufªcient
attention to the safety of critical activity (z.B., nuclear enrichment) that is be-
yond cyberspace but reliant on computer functionality; Und (3) the habit of
labeling any hostile cyber action—from the theft of personal data to the de-
struction of nuclear turbines—as an “attack,” ignoring the potentially serious
connotations of that term in an international context. All of these tendencies
involve aspects of international security that technologists are unequipped to
address, for technical virtuosity is not identical to strategic insight: it can
illuminate the properties of a new class of weapon yet contribute little to ex-
plaining the reasons that inspire its use.

26. Although Stuxnet’s custodians sought to contain the worm within the Natanz facility, thou-
sands of external machines were infected (mehr als 40 percent of these outside Iran).
27. This trend is reºected in the overtly technical tone of important works of military tactics, solch
as Martin C. Libicki, Conquest in Cyberspace: National Security and Information Warfare (New York:
Cambridge University Press, 2007).

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 17

common technical concepts

The ªeld of international security studies requires commonly accepted techni-
cal concepts that lay out the various dimensions of the cyber issue. Such a
schematization can perform three important functions. The ªrst is to frame the
complex scientiªc properties of the cyber issue in a manageable way. The sec-
ond is to identify the features of the technology and its related phenomena that
are most relevant to the ªeld while eliminating activity that does not rise to the
level of national or international security. The third function of the framework
is to orient theory development, allowing scholars to organize and codify data
collected after a cyber event becomes known, search for causal chains linking
determining factors to the event, and establish conceptual benchmarks for
evaluating competing explanations of it. The schematization below ªlls the
conceptual void. It contains the following six elements: cyberspace, cyber-
security, malware, cyber crime, cyberattack, and cyber exploitation.28

cyberspace. Cyberspace is the most elemental concept in the cyber ªeld: Es
establishes the technical markers within which the virtual weapon can operate.
One common deªnition construes cyberspace as all computer systems and net-
works in existence, including air-gapped systems.29 Another excludes isolated
nodes.30 For the purposes of this study, the ªrst deªnition is appropriate. Total
isolation of computer systems is rarely feasible today. The ubiquity of comput-
ing devices, ranging from removable drives to personal laptops—each a poten-
tial carrier of malware—has multiplied the access vectors through which an
attacker can bridge an air gap. Darüber hinaus, the computer systems likeliest to be
shielded by air (z.B., nuclear facilities) are ordinarily of high signiªcance to na-
tional security and therefore should not be excluded from the plane of action.
Cyberspace can thus be conceived as comprising three partially overlapping ter-
rains: (1) the internet, encompassing all interconnected computers, einschließlich
(2) the world wide web, consisting only of nodes accessible via a URL interface;
Und (3) a cyber “archipelago” comprising all other computer systems that exist
in theoretical seclusion (d.h., not connected to the internet or the web). This con-
ceptualization reºects an important consideration in security planning: nicht alle
threats propagated through the web can transmit via the internet, and those

28. The proposed framework draws from, but also adapts, concepts introduced in William A.
Owens, Kenneth W. Damm, and Herbert S. Lin, Hrsg., Technologie, Policy, Law, and Ethics Regarding U.S.
Acquisition and Use of Cyberattack Capabilities (Washington, D.C.: National Academies Press, 2009).
29. See Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and
What to Do About It (New York: HarperCollins, 2010), P. 69.
30. See German Federal Ministry of the Interior, Cyber Security Strategy for Germany (Berlin: Ger-
man Federal Ministry of the Interior, Februar 2011), P. 14.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 18

that are transmissible cannot use the internet to breach the cyber archipelago.
On these terms, there are two basic kinds of targets: (1) remote-access and
(2) closed-access. Each is susceptible to different methods of approach in a
cyberattack.

cybersecurity. Cybersecurity consists of measures to protect the opera-
tions of a computer system or the integrity of its data from hostile action.
Cybersecurity can also be conceived of as a state of affairs: the absence of un-
authorized intrusion into computer systems and their proper functioning.
Crucially, the concept encompasses the safety and survivability of functions
operating beyond cyberspace but still reliant on a computer host, to which
they are linked at the logical or information layer.31 Insofar as measures of se-
curity are the purview of the military or impinge on military capabilities, Sie
constitute cyber defense. An alternative conception of cybersecurity, often la-
beled “information security,” involves government protection of channels of
information ºow in domestic society (z.B., internet censorship). Such differ-
ences of interpretation of the meaning of cybersecurity have hindered efforts
to establish international regimes of rules and norms of cyber conduct.

malware. Malware involves software designed to interfere with computer
functionality or to degrade the integrity of data. It encompasses the gamut of
mischievous computer code—viruses, worms, Trojans, spyware, adware, Und
bald. Malware can be designed to open an avenue of access to an adversary’s
computer system, or to attack it, oder beides. Daher, the use of malware is an instru-
ment of cyber hostility and not, as is sometimes implied, a separate category of
action.32 Almost all cyber hostilities involve the use of malware.33

cyber crime. Cyber crime entails the use of a computer for an illicit pur-
pose under the existing penal code of a nation. It includes credit card fraud
and transmission of prohibited data such as child pornography. Because do-
mestic criminal law is unenforceable against states, cyber crime prevention fo-
cuses on private agents prosecutable in national jurisdictions. Aus diesem Grund,

31. The logical layer comprises the service platforms on which computer systems and networks
Funktion (z.B., software applications). The information layer includes the data that ºow between
interconnected nodes. The physical layer comprises physical machines. On the “layers” model, sehen
Nazli Choucri and David Clark, “Cyberspace and International Relations: Towards an Integrated
System,” paper presented at Massachusetts Institute of Technology, Cambridge, Massachusetts,
August 2011.
32. An example of such misconstrual is Myriam Dunn Cavelty, “The Militarization of Cyber Secu-
rity as a Source of Global Tension,” Strategic Trends 2012: Key Developments in Global Affairs (Zurich:
Center for Strategic Studies, 2012), P. 108.
33. One possible exception involves distributed-denial-of-service (DDoS) attacks. Although most
DDoS operations employ malware to recruit zombie machines, participants can also be mobilized
to download attack tools onto personal machines voluntarily.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 19

it is the least contentious aspect of the cyber issue at the intergovernmental
Ebene. It is also the only dimension expressly regulated by treaty (Die 2008
Council of Europe Convention on Cyber Crime). In the usage proposed here,
cyber crime lacks political or strategic intent; daher, it rarely has an impact
on national or international security.

cyberattack. Cyberattack refers to the use of code to interfere with the
functionality of a computer system for a political or strategic purpose. The ªrst
signiªcant cyberattack reportedly occurred in 1982, when a so-called logic
bomb caused a Soviet oil pipeline to explode.34 Cyberattacks are characterized
by the attackers’ desire and capability to disrupt computer operations or to de-
stroy physical assets via cyberspace; daher, if the defender unnecessarily ceases
computer operations as a consequence of misinformation or misinterpretation,
the incident does not constitute cyberattack. Neither the goal nor the effects of
a cyberattack need be contained in cyberspace. Das ist, the ªnal object may be
to incapacitate the computer system itself or to degrade social, wirtschaftlich, oder
government functions dependent on its proper operation. Entsprechend, zwei
main types of cyberattack “effects” can be identiªed: (1) direct effects, welche
unfold within the logical environment of the target machine complex (z.B., von-
struction of nuclear centrifuges by manipulating their industrial controller);35
Und (2) indirect effects, which hinder activity or functions that lie beyond the
logical habitat of the compromised computer system but which rely on that
System (z.B., interruption of the chemical process of uranium isotope separa-
tion necessary for the material’s weaponization).

This description of the effects of a cyberattack departs from common under-
Stehen, which situates the effects boundary at the physical frontier of logi-
cally tied machines.36 Take, Zum Beispiel, Olympic Games. The custom-built
Stuxnet worm was designed to attack the logical environment of the Siemens
S7-315 PLC at the Natanz nuclear facility in Iran. The attack sequence injected
malicious code into the PLC to alter the behavior of IR-1 centrifuge cascades
controlled by it.37 Commentators ordinarily describe the effects on the PLC as
direct and those on centrifuges as indirect, because the latter effects were

34. See Thomas C. Reed, At the Abyss: An Insider’s History of the Cold War (New York: Random
House, 2005), Kerl. 17.
35. The term “industrial controller” signiªes computer systems that govern processes of industrial
production. It includes supervisory control and data acquisition (SCADA) systems and program-
mable logic controllers (PLCs).
36. See Owens, Damm, and Lin, Technologie, Policy, Law, and Ethics.
37. For technical details on Stuxnet’s destructive procedure, see Nicholas Falliere, Liam O.
Murchu, and Eric Chien, “W32.Stuxnet Dossier,” ver. 1.4 (Cupertino, Calif.: Symantec, Februar
2011).

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 20

“transmitted” via the PLC. This standard deªnition is nonsensical from the
perspective of strategic analysis because it unnecessarily discriminates be-
tween effects exerted on an industrial controller and those on its constituent
machines. Im Gegensatz, the usage proposed above assumes a more general per-
spective: it separates effects occurring within a unitary logical environment
such as the Natanz facility from those affecting, sagen, Iran’s ability to purify ura-
nium—a far more useful distinction for strategic analysis. Darüber hinaus, Weil
malware manipulates the logical unison of a computer system to execute a
payload, treating effects within that system as direct and those beyond it as in-
direct makes more sense.38 In short, the interesting segmentation of cyber-
attack effects lies at the logical, not the physical, boundary of cyberspace.

If the effects of a cyberattack produce signiªcant physical destruction or loss
des Lebens, the action can be labeled “cyberwar,” a term that should be used spar-
ingly given that the vast majority of cyberattacks do not meet this criterion.39 If
the attack is perpetrated by a private actor for political or ideological purposes,
it is an example of “hacktivism.”40 Moreover, cyberattacks can be customized
or generalized. In a customized attack, the payload is designed to manipulate
only machines within a speciªc logical habitat (z.B., Olympic Games). In a gen-
eralized attack, no machine reachable via the internet is in principle spared
(z.B., the DDoS attacks that paralyzed computer systems in Estonia in 2007).
cyber exploitation. Cyber exploitation refers to the penetration of an
adversary’s computer system for the purpose of exªltrating (but not de-
ªling) data.41 One of the ªrst major acts of cyber exploitation occurred in
1986 with a foreign breach of military and government computers in the
Vereinigte Staaten. Another notable incident was the seizure by Chinese agents
of several terabytes of secret U.S. government data in 2003. Essentially an
intelligence-gathering activity, cyber exploitation relies on stealth and unde-
tectability; thus disruption of the host system, which can lead to discovery and
closure of access, defeats the purpose of exploitation.42 One objective of ex-
ploitation may be to seize a nation’s military or industrial secrets, an activ-
ity known as “cyber espionage.” The technique can also be employed to

38. The standard usage can be relabeled as follows: “ªrst-order” direct effects exerted on an in-
dustrial controller; and “second-order” direct effects inºuencing machine parts governed by it.
39. For a similar deªnition, see Nye, “Nuclear Lessons for Cyber Security?" P. 21.
40. On hacktivism as a modern form of political activism, see François Paget, Cybercrime and
Hacktivism (Santa Clara, Calif.: McAfee, 2010), S. 10–12.
41. See Owens, Damm, and Lin, Technologie, Policy, Law, and Ethics, P. S-1.
42. See ibid., S. 1–7.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 21

acquire knowledge of an adversary’s computer systems to plan future cyber-
attacks, in which case exploitation is an element of a multistage cyberattack.43

Acts of cyber exploitation are often conºated with cyberattack.44 From a
strictly technical standpoint, this makes sense. In cyber exploitation, the target
computer system is itself subjected to “attack,” because access to privileged
data usually requires aggressive measures to overcome computer defenses—
hence the tendency for the conºation of terms within the technical community.
From a tactical perspective, darüber hinaus, differentiating cyber exploitation from
cyberattack can be difªcult because both rely on the presence of a vulnerability
and the ability to manipulate it; only the nature of the payload, which may not
be immediately evident to the defender, varies. Weiter, a multistage cyber-
attack by an “advanced persistent threat” may involve preliminary rounds of
exploitation to gain knowledge of the target,45 further obscuring the two forms
of action. These technical and tactical ambiguities, Jedoch, should not con-
ceal an essential difference: cyber exploitation and cyberattack invite very dif-
ferent policy and legal consequences. As a form of espionage, exploitation by
itself does not exert adverse direct effects and is not prohibited by interna-
tional law; in contrast, a high-impact cyberattack could constitute a use of
force or even an armed attack under treaty obligations. The use of unmanned
aerial vehicles (UAVs) highlights the difference. Similar to cyber artifacts,
UAVs can be employed to conduct remote sensing or they can be ªtted with
Hellªre missiles to strike ground targets (oder beides). Like a computer operator, A
defender on the ground may not know the precise nature of the weapon until
the operation is well under way. Yet it would be senseless—politically, legally,
and strategically—to label the use of a UAV for strictly reconnaissance pur-
poses a “drone attack.” Fusion of the terms cyber exploitation and cyberattack
could, Jedoch, produce such misidentiªcation. From the perspective of inter-
national security, daher, the common conºation of labels inhibits rather
than aids understanding of the cyber issue.

The protection of military, industrial, and commercial secrets from cyber ex-

43. See David D. Clark and Susan Landau, “Untangling Attribution,” in Proceedings of a Workshop
on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (Washington,
D.C.: National Academies Press, 2010), S. 25–40.
44. Sehen, Zum Beispiel, Alexander Klimburg and Heli Tirmaa-Klaar, Cybersecurity and Cyberpower:
Concepts, Conditions, and Capabilities for Cooperation for Action within the EU (Brussels: European
Parliament Directorate General for External Policies of the Union, Policy Department, April 2011),
P. 5.
45. The term “APT” refers to an actor (such as a large state) able to penetrate an adversary’s com-
puter systems persistently and successfully.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 22

ploitation is a key preoccupation of national security policy. Trotzdem,
cyberattack poses potentially greater dangers to international security, Weil
the threshold of proven cyberattack effects has been rising steadily in recent
years—it now includes physical destruction. Zusätzlich, the new weapons
pose enormous defense challenges while disturbing interstate strategic stabil-
ität. Whether security scholars grasp these implications of the cyber danger for
international security depends on their ability to break free from their precon-
ceptions as to what constitutes a serious threat.

The Shape of the Cyber Danger

Some skeptics argue that the cyber peril is overblown, contending that cyber-
weapons have no intrinsic capacity for violence and do not alter the nature or
means of war. This strategy to puncture the perceived threat inºation works by
conceptual ªat: because the method of harm lacks similarities with interstate
armed conºict, by deªnition there can be no such thing as cyber “war.”

In a sense, the skeptics are correct. The cyber revolution—as far as we can
tell—has not fundamentally changed warªghting. Gleichzeitig, this skep-
ticism, grounded in traditional thinking about war and peace, fails to acknowl-
edge the broader agenda of international security studies, which encompasses
issues such as protection against nonmilitary foreign threats and the ability of
nonstate actors to inºict economic and social harm. The Clausewitzian philo-
sophical framework misses the essence of the cyber danger and conceals its
true signiªcance: the virtual weapon is expanding the range of possible harm
and outcomes between the concepts of war and peace, with important conse-
quences for national and international security. Natürlich, the impact of cyber
technology on military affairs is an important concern and, for some thinkers,
will be a starting point of theory—but it is not a point of terminus. An ap-
praisal of the cyber danger in its fuller dimensions is therefore needed.
Three main factors underscore this danger: (1) the potency of cyberweapons,
(2) complications relating to defense, Und (3) the potential to disturb interna-
tional order.

the potency of cyberweapons

A unique feature of a cyberattack is its virtual method. To reach its target, A
weapon traditionally had to traverse a geographic medium—land, sea, Luft, oder
outer space. Upon arrival, it inºicted direct material harm. The cyber revolu-
tion has dramatically altered this situation. Malware can travel the information

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 23

surface and obeys the protocols of TCP/IP, not the laws of geography.46 It is lit-
tle constrained by space and obliterates traditional distinctions between local
and distant conºict. The payload, zu, is an intangible: it operates through
complex coding, which means that the weapon’s “charge” is not the most
proximate cause of damage. Stattdessen, the inºiction of harm requires a remote
object—such as an industrial controller—that can be manipulated. The use
of weaponized code, nevertheless, can have potent effects on the political and
social world.

To date, cyber instruments have produced no fatalities, though their potential
for doing so is widely recognized. Based on extrapolations of a cyberattack sim-
ulation conducted by the National Academy of Sciences in 2007, penetration of
the control system of the U.S. electrical grid could cause “hundreds or even
thousands of deaths” as a result of human exposure to extreme temperatures.47
Such an attack would be all the more damaging because, at least initially,
ofªcials would be unable to detect the source of the problem. Other calamitous
cyberattack simulations involve the derailment of trains transporting hazard-
ous chemical materials or the contamination of public water supplies.48

Until recently, the ability of cyber artifacts to damage physical facilities
remained entirely in the realm of theoretical speculation. Olympic Games
changed that. The direct effects of this operation, as revealed in a report by the
International Atomic Energy Agency, included the decommissioning of ap-
proximately 1,000 centrifuges at Iran’s Natanz facility during a three-month
Zeitraum. The indirect effects of the attack are subject to dispute, but they were al-
most certainly greater than this ªgure suggests. In der Tat, the most powerful effect
may have been psychological. Discord and mistrust within Iran’s nuclear estab-
lishment, arising from paranoia that a rogue scientist was among its ranks, Und
fears of intrusion elsewhere in the nation’s cyber archipelago, may have slowed
Iran’s ability to acquire the bomb by as many as two years—signiªcantly longer
than the time required to replace the impaired centrifuges.49

The use of cyberweapons, Jedoch, need not result in physical destruction
to pose a serious danger to society. Even if a cyberattack lacks intrinsic vio-

46. TCP/IP signiªes the suite of communications protocols that govern data transmission via the
internet.
47. National Research Council of the National Academies, Terrorism and the Electric Power Delivery
System (Washington, D.C.: National Academies Press, 2012), P. 16.
48. See Barack H. Obama, “Taking the Cyberattack Threat Seriously,” op-ed, Wall Street Journal,
Juli 19, 2012.
49. See David E. Sänger, “Obama Order Sped Up Wave of Cyberattacks against Iran,” New York
Times, Juni 1, 2012.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 24

lence because the execution of code is a remote as opposed to proximate cause
of injury, the effects can still cause serious economic and social harm. “It may
not be a bomb coming down our middle chimney of our house,” Jonathan
Zittrain explained, “but it could be something that greatly affects our way of
life.”50 Or as Chairman of the Joint Chiefs of Staff Gen. Martin Dempsey stated,
“The uncomfortable reality of our world is that bits and bytes can be as
threatening as bullets and bombs.”51 The Estonian and Georgian cyberattacks,
according to NATO’s Supreme Allied Commander Europe, Adm. James
Stavridis, provide a “glimpse of this future [of conºict]” by demonstrating
the potent indirect effects of nonviolent and generalized cyberweapons.52 The
DDoS attacks on Estonia in 2007 froze the country’s government and ªnancial
activities for approximately three weeks.53 Because there was no physical
wreckage or loss of life, the label of cyberwar does not apply. Gleichzeitig,
the incident was far more than just a “large popular demonstration,” as
Thomas Rid portrays it;54 eher, the cyberattack in Estonia represents a wholly
new type of social and economic disturbance. Three factors explain why tradi-
tional analogies of political disturbance do not apply: (1) the perpetrators re-
sided mostly outside the affected territory; (2) the attack procedure crossed
mehr als 100 national jurisdictions via the internet with awesome speed; Und
(3) identifying and punishing the perpetrators proved very difªcult because of
Moscow’s refusal to provide forensic assistance to Estonian investigators, WHO
possessed log ªles of affected machines revealing that many of the culprits had
operated out of Russia.

The cyberattacks on Georgia further demonstrate the potency of nondis-
criminating cyberweapons. The attacks, which were carried out by nonstate
agents including Russian criminal syndicates, occurred against the backdrop
of Russia’s ground incursion into Georgia in the summer of 2008. A detailed
study of the case concludes that the disruption of Georgia’s computer systems
tactically beneªted the Russians in two important ways. Erste, it crippled the

50. “Has the Cyberwar Threat Been Exaggerated?” debate, Intelligence Squared U.S., Washington,
D.C., Juni 16, 2010, http://intelligencesquaredus.org/debates/past-debates/item/576-the-cyber-
war-threat-has-been-grossly-exaggerated.
51. Letter from General Martin E. Dempsey to John D. Rockefeller IV, chairman, UNS. Senate Com-
mittee on Commerce, Wissenschaft, and Transportation, August 1, 2012 (Washington, D.C.: UNS. Govern-
ment Printing Ofªce).
52. Donna Miles, "UNS. European Command, NATO Boost Cyber Defenses,” American Force
Press Service, UNS. Department of Defense, Mai 18, 2012, http://www.defense.gov/news/
newsarticle.aspx?id(cid:2)116394.
53. See President of Estonia Toomas H. Ilves, address given at the European Union Ministerial
Conference on Critical Infrastructure Protection, Tallinn, Estonia, April 27, 2009.
54. Rid, “Cyber War Will Not Take Place," P. 12.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 25

Georgian government’s communications infrastructures, hindering Tbilisi’s
ability to coordinate domestic civil defenses. Zweite, it paralyzed the opera-
tions of the National Bank of Georgia, which impeded procurement of essen-
tial war matériel from private industry.55 Although these same tactical effects
could have been achieved using conventional arms, it is important to note that
cyber technology offered a feasible substitute that did not directly implicate
Russia’s military services, was cheap and readily available to nonstate agents,
and proved impervious to conventional defenses.

Traditional notions of warfare confront ªve difªculties in conceptualizing
cyberattacks, as the above cases illustrate. Erste, cyberattacks lack a proximate
cause of injury and may not even be violent. Zweite, the conception of war as
the use of armed force sets a high threshold in terms of scope, Dauer, und in-
tensity that cyber actions may not meet.56 Third, the perpetrators of a cyber-
attack can be nonstate parties who are not typically considered subjects of
international law and thus are not subject to its penalties. Vierte, an offensive
cyber operation by nontraditional players, such as that conducted against
Estonia, need not involve the strategic purposes of states or their militaries.
Fünfte, at least in the case of a generalized cyberattack, the important distinction
between military and civilian targets dissolves owing to the broad diffusion of
computer systems in society and their interdependencies. Two other possible
analogies to cyberattacks, “sanctions” and “sabotage,” are also misleading.
Sanctions are an exercise in negative power: they operate through the denial of
gain rather than the direct inºiction of loss. Yet offensive cyberpower clearly
exerts positive effects. It initiates harmful activity that otherwise would not oc-
cur and causes direct injury to the victim. The label of sabotage, which has
been applied to Stuxnet,57 is an empty concept: there is no precise deªnition
of the term in this or other domains of conºict. Use of the term adds nothing
to the resolution of the conceptual problems of cyber phenomena.

The principle of “equivalence” that underpins U.S. and NATO cyber defense
policy represents an attempt to resolve the conceptual muddles attached to
the cyber issue. It maintains that the direct and indirect effects of cyberattack,
not its method, should determine the manner and severity of retaliation—
including conventional force—but without identifying speciªc thresholds of

55. See U.S. Cyber Consequences Unit (US-CCU), Overview by the US-CCU of the Cyber Campaign
against Georgia in August 2008, Special Report, US-CCU, August 2009, http://www.registan.net/
wp-content/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf.
56. See Eneken Tikk, quoted in “Could Cyber Skirmish Lead to War?” NBC News, Juni 11, 2010,
http://www.nbcnews.com/technology/could-cyber-skirmish-lead-u-s-war-6C10406234.
57. See Rid, “Cyber War Will Not Take Place.”

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 26

response. The deliberate declaratory vagueness of the principle is an attempt
to adapt the doctrine of “calculated ambiguity” to the peculiar conditions of
the cyber domain.58 Although it is tempting to see in this a crude treatment
of cyberattacks a form of “war,” the equivalence principle reºects a willingness
to reinterpret and transcend, on a case-by-case basis, the limitations that tradi-
tional concepts of violence place on the retaliator. It leaves open the possibility
of a forcible response even if the initial cyberattack is not construed as an act of
Krieg. As one U.S. soldier put it rather cavalierly, “If you shut down our power
grid, maybe we will put a missile down one of your smokestacks.”59 The impli-
cations for international security are potentially serious: according to this princi-
Bitte, a cyber event can occur that does not meet the traditional deªnition of war
but that nevertheless elicits a reprisal of commensurate severity.

In the future, war by malware may occur if a cyberattack results in a simi-
lar number of deaths or level of physical destruction as a major kinetic
strike. To make sense of such an eventuality, traditional concepts of interstate
warªghting are needed. The capacity of cyber arsenals to augment military
force is not, Jedoch, their main contribution. Eher, the new weapons ex-
pand the available methods of harm that do not ªt established conceptions of
war but that may be no less harmful to national security.

The ability of a cyberattack to inºict economic and other damage without re-
sort to traditional violence affords this virtual weapon a special utility: it ex-
pands the choice of actions and outcomes available to the strategic offense.
Wieder, Olympic Games underscores the point. The operation was part of a
broader campaign to deprive Iran of the ability to produce weapons-grade
uranium. The United States and Israel agreed on this objective but differed on
how to achieve it, with Israel eventually favoring airstrikes on Iranian nuclear
plants. Ofªcials in Washington agonized over the potential consequences of
such a move, fearing it could ignite a regional conºagration and only intensify
Tehran’s resolve to obtain the bomb. The Stuxnet worm offered the two coun-
tries at least a temporary solution to their differences: it promised to deliver
some of the tactical results of a military strike while avoiding certain retalia-
tion. Daher, the fact that the direct effects of Stuxnet were not comparable to the
scale of destruction possible in an air attack was the new weapon’s principal

58. On calculated ambiguity in other domains of conºict, see Scott D. Sagan, “The Commitment
Trap: Why the United States Should Not Use Nuclear Weapons to Deter Biological and Chemical
Weapons Attacks,” International Security, Bd. 24, NEIN. 4 (Frühling 2000), S. 85–115.
59. Siobhan Gorman and Julian E. Barnes, “Cyber Combat: Act of War,” Wall Street Journal, Mai
30, 2011.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 27

appeal. The Stuxnet worm alone could never prevent an Iranian bomb, but it
could at least delay enrichment while averting a regional war.

Tehran’s response to Olympic Games, as far as is known, has been muted.60
This demonstrates that the phenomenon of cyberattack merits strategic analy-
sis as much for the consequences it avoids as for those it produces. In der Tat, es ist
tempting to conclude that cyberweapons promote international security—after
alle, their use may avert traditional forms of war.61 Although this argument
may have some merit in speciªc cases, it is too simplistic as a general observa-
tion; gains to the offense produce enormous losses in defense as well as condi-
tions for strategic instability.

complications of cyber defense

Security planners repeatedly warn that, in the cyber domain, the offense holds
the advantage.62 Some skeptics seek to dispel this notion by emphasizing the
high costs of staging a destructive cyberattack. They cite Olympic Games to
make their point: the operation required years of meticulous planning, In-
volved a preliminary intrusion into the Natanz PLC to gain knowledge of the
target, manipulated no less than six vulnerabilities in the PLC (each an expen-
sive technical feat), and required a skilled operative in situ or close by to de-
liver the worm across the air gap. Darüber hinaus, once the worm’s coding secrets
were revealed, systems operators were able to patch the programming defects
that the worm exploited, rendering knowledge of these weaknesses useless to
aspiring proliferants. For these reasons, skeptics assert, the defense, not the of-
fense, has the advantage.63 This conclusion is only half complete: it ignores or
downplays the other half of the strategic picture—the enormous costs of de-
fense against a cyberattack. Following is a description of ªve such costs.

offense unpredictability and undetectability. The use of code to
achieve destructive direct effects requires the manipulation of vulnerabilities
in the target’s computer system. By deªnition, the defender is unaware of such
“zero-day” weaknesses. The universe of unknown and manipulable weak-
nesses renders a cyberattack difªcult to predict, complicating the design of
measures to repulse it. Incomplete knowledge of weaknesses also hinders

60. Some ofªcials speculate that Iran retaliated for Olympic Games with DDoS attacks against
UNS. ªnancial institutions. See Sen. Joseph Lieberman, interview on Newsmakers, C-SPAN, September-
ber 23, 2012.
61. See Adam P. Liff, “Cyberwar: A New ‘Absolute Weapon?’ The Proliferation of Cyberwarfare
Capabilities and Interstate War,” Journal of Strategic Studies, Bd. 35, NEIN. 3 (Juni 2012), P. 401.
62. See William J. Lynn III, “Defending a New Domain,” Foreign Affairs, Bd. 89, NEIN. 5 (September
2010), S. 97–108.
63. See Rid, “Think Again.”

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 28

remediation of intrusion post facto, because this requires understanding the
zero-day exploits in question. Außerdem, the abundance of possible access
vectors that an attacker can utilize complicates the interception of malware “in
transit.” Olympic Games demonstrates these points. Stealth was a genial fea-
ture of this multistage operation. The method of access, which may have in-
volved the use of infected removable drives, was unanticipated. For three
Jahre, the Stuxnet worm and its antecedents (which acted as “beacons” for the
offense) resided in the logical environment of the target PLC without the plant
operators noticing their presence. Remarkably, the worm was able to mask its
damaging effects from the controllers even after the attack sequence had be-
gun. Only a few months later did the Iranians determine, with outside assis-
tanz, the source of the centrifuge malfunction.

defense denial. The possibility that attack code will reside undiscovered
in a defender’s computer system is perhaps the most worrisome feature of the
cyber strategic landscape. Residency within a logical habitat affords the in-
vader means to deprive the defense of the ability to manage its own protection
in at least two ways. One is peer-to-peer monitoring, which allows an attacker
to adjust the attack sequence remotely and in real time; another is the use of an
intelligent malware agent with self-adaptive capacities that enable it to learn
and override defensive acts. The ability of malware to generate multiple ver-
sions of itself means that the threat variants during a cyberattack are theoreti-
cally limitless. Trotzdem, permanent breach of a computer system need not
entail permanent insecurity if the defensive terrain can be organized in con-
centric zones of access so that the most prized nodes are quarantined from
less secure compartments. This approach, Jedoch, runs counter to the very
purpose of information technologies, nämlich, to ease transmission of data
between machines. Therein lies the root dilemma of cybersecurity: an impreg-
nable computer system is inaccessible to legitimate users while an accessible
machine is inherently manipulable by pernicious code.

complex defense surface. Computer systems are becoming more intricate
at all stages of design and use. As software and hardware complexity rises, Also
do the costs of customizing weaponized code. This increases the work factor of
the attacker, who requires greater resources of manpower and intelligence to
tailor the payload. Gleichzeitig, the costs to the defender, who has more
node interdependencies to map and greater vulnerabilities to patch, also in-
crease. The result is a fundamental offense-defense imbalance. Whereas the at-
tacker need understand only the procedures of entry and attack it decides to
employ, the defender must continuously protect the entire network surface
against the vast universe of conceivable attacks; the growing tendency to join

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 29

critical computer systems to the internet is multiplying the available points of
entry for use in a customized cyberattack. Darüber hinaus, society’s increasing reli-
ance on interconnected computer systems to support basic economic and
social functions is increasing the opportunities to cause harm through a gener-
alized cyberattack. The expanding network surface provides conditions for a
shock offensive or, as John Mearsheimer puts it, “the ability to choose the main
point”—indeed multiple points simultaneously—“of attack for the initial bat-
tles, to move forces there surreptitiously, and to surprise the defender.”64

defense fragmentation. The majority of critical computer infrastructures
are owned and operated by private industry.65 Thus, the challenge of cyber
security is essentially one of civil defense: how to equip the private sector to
protect its computer systems in the absence of government direction. This or-
dinarily involves passive measures, such as resiliency and redundancy (Die
equivalents of underground shelters and target dispersal in nuclear defense),
which thicken the defensive glacis and can absorb damage from offensive hits.
Yet a passive approach will pay only limited defensive returns if it is unable to
implement the highest level of protection across the entire network surface.
A proactive strategy, in contrast, seeks to neutralize threats before they can be
carried out—for instance, by dismantling an attacker’s command and control.
Proactive defenses, Jedoch, are difªcult to implement, not least because the
authority to execute offense-as-defense rarely belongs to the operators of sys-
tems subject to attack; stattdessen, it resides with the government and internet
service providers, which may not even be aware of an attack. Such fragmenta-
tion of defense responsibilities is a limiting factor when formulating a coherent
response to a cyberattack.

supply chain risks. Computer systems increasingly rely on off-the-shelf
and offshore manufacturers for components, introducing vulnerabilities into
the supply chain. Foreign agents or private contractors could preload software
and hardware components with malware, whether for attack or exploitative
Zwecke. In 2009 Britain’s Joint Intelligence Committee warned that Chinese-
stocked components of British Telecom’s phone network could be preloaded
with malware or zero-day weaknesses, giving Beijing the ability to interrupt
the country’s power and food supplies. A “sleeper” payload of this kind could
be remotely executed to achieve a preferred outcome in a future diplomatic or
military crisis. In 2012 die USA. House of Representatives Intelligence Commit-

64. John J. Mearsheimer, Conventional Deterrence (Ithaca, N.Y.: Cornell University Press, 1983),
P. 26.
65. Zum Beispiel, more than three-quarters of U.S. electrical power is supplied by private utilities.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 30

tee warned that machine parts supplied by Huawei, a Chinese company
founded by a former ofªcer of the People’s Liberation Army, could be used to
exªltrate data from government computers. Protection against such supply
chain risks requires government- and industrywide coordination, yet such ef-
forts have barely commenced.

None of the above observations is axiomatic: we are only at the early stages
of the cyber phenomenon. In combination, Jedoch, they underscore the
immense disadvantages of defense against cyberattack. Nothing in the avail-
able historical record suggests that defensive costs are low or diminishing—
certainly not Olympic Games, a case cherished by skeptics who challenge the
common wisdom of offense dominance. The enormity of the defender’s chal-
lenge is convincingly illustrated by the successful penetration of computer sys-
tems at Google and RSA, two companies that represent the quintessence
of technological ability in the current information age.66

The thesis of defense dominance misses an essential truth: the offense-
defense equation is relative; thus the absolute measurement of offensive costs
has meaning only in reference to the expenses of the defender.67 At most, Die
current high price of mounting a high-impact cyberattack limits the ability of
traditionally weak players to harness cyberspace for asymmetrical gain. Es
does not eliminate the signiªcant tactical advantages of a possessor of ad-
vanced code. Darüber hinaus, the absolute costs of cyberattack are possibly dimin-
ishing. “What was considered a sophisticated cyber attack only a year ago,”
warned Ian Lobbain, chief of Britain’s Government Communications Head-
quarters, “might now be incorporated into a downloadable and easy to deploy
internet application, requiring little or no expertise to use.”68 Former Director
of Central Intelligence George Tenet summarizes the defender’s anguish: “We
have built our future upon a capability we have not learned how to protect.”69

disturbances to strategic stability and international order

A third manifestation of the cyber danger concerns the potential for global dis-
Befehl. As Chairman of the Joint Chiefs of Staff Adm. Michael Mullen once re-

66. In 2010, Google announced that sophisticated Chinese agents had breached its systems, und in
2011, unknown parties compromised RSA’s authentication products. This was followed by at-
tempts to penetrate computers at Lockheed Martin, an RSA client.
67. See Sean M. Lynn-Jones, “Offense-Defense Theory and Its Critics,” Security Studies, Bd. 4,
NEIN. 4 (Sommer 1995), P. 665.
68. Brian Groom, “Ministers Warn on Threat from Cyber Attacks,” Financial Times, September 4,
2012.
69. Robert O’Harrow Jr., “Understanding Cyberspace Is Key to Defending against Digital At-
tacks,” Washington Post, Juni 2, 2012.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 31

marked, “We’re going to have a catastrophic [cyber] Ereignis. Some of these tools
already being built”—not least by the Pentagon—“are going to leak or be sold
or be given up to a group that wants to change the world order, and we’re in-
credibly vulnerable.”70 Admiral Stavridis voiced a similar concern. “In the
world of cyber, we are at the beach at Kitty Hawk,” he observed, referring to
the advent of aviation in 1903. “We are just at the beginning,” he went on. “We
don’t have 100 Jahre [von Erfahrung] in cyber [conºict]. . . . We have to take
steps today to bring order to [Das] chaotic world.”71 The argument of this
section—that cyber technology is exerting a limited but observable inºuence
on regularized patterns of interstate rivalry—elaborates on such apprehen-
sions and draws important observations for theory.

Concerns over global chaos lead—inevitably—to a theme familiar to the
theoretician: the nature and requirements of order under conditions of interna-
tional anarchy—most important, the stability of strategic interactions among
Staaten. Everyone knows that international politics transpires in the absence of a
constraining authority, which produces incessant rivalry and occasional vio-
lence among actors competing for security. The interesting feature of anarchy,
Jedoch, is not the recurrence of conºict—that is obvious—but its regularity.
Although conceptions of national interest differ, even quarrelling states recog-
nize the need to preserve order in their security relationships. This recognition
underpins states’ acceptance of common elementary goals (z.B., survival) als
well as rules and principles of conduct; it helps to sustain the constancy of an-
archic interactions and makes the permanent “state of war” tolerable because
its contests for security are in the main regularized.

The revolutionary impact of technological change upsets this basic political
framework of international society, whether because the transforming technol-
ogy empowers unrecognized players with subversive motives and aims or be-
cause it deprives states of clear “if-then” assumptions necessary to conduct a
restrained rivalry. The ªrst factor, the concern voiced by Admiral Mullen
über, contributes to fundamental instability in security relationships: a condi-
tion where the appearance of nontraditional or dissatisªed players under-
mines strategic stability. The second factor, alluded to by Admiral Stavridis,
can produce instrumental instability, whereby accidents and misinterpretation
of the new technology destabilize the dealings even of rational state adversar-

70. Alexander Fitzpatrick, “Cybersecurity Experts Needed to Meet Growing Demand,” Washing-
ton Post, Mai 29, 2012.
71. Donna Miles, “Stavridis Spotlights Top National Security Issues,” American Force Press Ser-
vice, UNS. Department of Defense, Marsch 15, 2012, http://www.defense.gov/news/newsarticle
.aspx?id(cid:2)119538.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 32

ies.72 The advent of the atom bomb, zum Beispiel, proved transformative only
in the second sense: it elevated the horrors of war and disturbed the interstate
strategic equation without altering the basic Hobbesian framework that de-
ªnes how nuclear states compete for survival. Ongoing efforts to deprive ter-
rorists and rogue states of the bomb, in contrast, are motivated by a desire to
avert a nuclear revolution of the ªrst order. Zusamenfassend, more important than the
nature of a new weapon are the nature of its possessor and the purposes that
instigate its use.

The cyber domain is a perfect breeding ground for political disorder and
strategic instability. Six factors contribute to instrumental instability: offense
dominance, attribution difªculties, technological volatility, poor strategic depth,
and escalatory ambiguity. Another—the “large-N” problem—carries with it
fundamental instability as well.

offense dominance. For the reasons enumerated in the preceding section,
cyberspace is an offense-superior domain. This poses instrumentalist obstacles
to the preservation of strategic stability among state rivals. Most notably, it ex-
acerbates the security dilemma in three ways.73 First, the recognition of offense
superiority has instigated an arms race as states seek to avert strategic upsets
in the new strategic arena.74 Cyber arms veriªcation, the chief prerequisite of
successful arms control, confronts enormous challenges—not least the intangi-
bility of cyberweapons, which complicates their detection. At present, no inter-
national limitations exist on the production of offensive cyber artifacts, and no
such regulatory framework has yet been foreseen. Zweite, the perceived ad-
vantages of offensive use elevate the chances that those in possession of the
new capability will actually employ it. Adversaries of the United States will
have taken note of the tactical and strategic returns paid by Olympic Games;
they may consider similar policy adventures in the future. Dritte, attempts
to redress the defensive gap with “active defenses,” a class of proactive mea-
sures that involves preemption or prevention of cyberattack by inªltrating or
disrupting an opponent’s computer systems,75 obscures the offense-defense

72. For a discussion of strategic instability in the nuclear context, see Graham T. Allison, Albert
Carnesale, and Joseph S. Nye, Hrsg., Hawks, Doves, and Owls: An Agenda for Avoiding Nuclear War
(New York: W.W. Norton, 1985), Kerl. 1.
73. A classic analysis of the problem is Robert Jervis, “Cooperation under the Security Dilemma,”
World Politics, Bd. 30, NEIN. 2 (Januar 1978), S. 167–214.
74. According to some accounts, the ªfteen largest militaries are developing advanced cyber
weapons systems. See Editorial Board, “A New Kind of Warfare,” New York Times, September 9,
2012.
75. On active defenses, see U.S. Department of Defense, Department of Defense Strategy for Oper-
ating in Cyberspace (Washington, D.C.: UNS. Department of Defense, Juli 2011), P. 7, http://www
.defense.gov/news/d20110714cyber.pdf?.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 33

boundary in weapons systems. Folglich, defensive actions may be mis-
construed as overt attacks and produce pressures for an accidental exchange
of blows.

attribution difªculties. Authentication of the source of a cyberattack is
ordinarily difªcult.76 Five characteristics of cyber conºict contribute to this
Problem. Erste, the ease of proliferation of cyberweapons means that, except in
case of the most sophisticated offensive actions, the number of possible assail-
ants is large. Zweite, proving the identity or location of any one of these
assailants can be a huge challenge, because cyberspace affords an attacker an
inordinate degree of anonymity. Dritte, where attribution is possible, it may
not be of the right kind to organize a punitive response. Knowing the IP ad-
dress of an attacking machine—the most basic form of technical attribution—
does not necessarily reveal the identity of its human handler and, even if
it does, this does not mean that the identity and motives of the sponsoring
party will be divulged.77 Fourth, because malware crosses multiple jurisdic-
tions with ease, obtaining forensic evidence in the aftermath of an attack will
be difªcult without effective international cooperation. Fünfte, even if all of
these complications are resolved, it is still possible that attribution will not be
prompt enough for timely retaliation. By the time their identity is known, Die
perpetrators may have relocated beyond the ability of the victim to respond.
The most important strategic consequence of the attribution problem is that it
weakens deterrence by reducing an assailant’s expectation of unacceptable
penalties.78 Moreover, because reprisal to a cyberattack in the absence of con-
vincing attribution incurs legitimacy costs for the retaliator, acceptable options
following a failure to deter may be limited.

technological volatility. The technology itself is a third destabilizing
factor: cyberweapons are so novel and the vulnerabilities they seek to manipu-
late so inscrutable as to impede interpretation of probable effects of their use.
Put simply, it is difªcult to know how pernicious code will behave. The very
short life cycle of advanced malware strains (many of which can be up-
dated almost instantly upon release) contributes to this problem. Ein anderer
difªculty concerns collateral damage. A poorly customized cyber artifact can

76. Others have analyzed this problem in detail. Sehen, Zum Beispiel, Clark and Landau, “Untangling
Attribution.”
77. Herbert S. Lin, “Some Interesting Aspects of Cyberconºict for Discussion,” presentation at the
Harvard Kennedy School, Cambridge, Massachusetts, Februar 8, 2012.
78. On cyber deterrence, see Patrick M. Morgan, “Applicability of Traditional Deterrence Con-
cepts and Theory to the Cyber Realm,” in Proceedings of a Workshop on Deterring Cyberattacks:
Informing Strategies and Developing Options for U.S. Policy (Washington, D.C.: National Academies
Drücken Sie, 2010), S. 55–76.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 34

cause far-reaching effects beyond the intended target if it infects a large num-
ber of third-party machines. The customization of malware only partly re-
solves the problem of unintentional civilian harm. Although the scope of
possible direct effects may be reduced, the indirect consequences can still be
enormous if the affected computer systems support essential social and eco-
nomic activities. These indirect effects may be difªcult to model or predict. A
single brief interruption of stock-trading platforms, zum Beispiel, could pro-
duce little impact, or it could exert psychological effects that undermine public
conªdence in the entire ªnancial system. Another related difªculty is the po-
tential for “blowback”: the possibility that the negative effects of a cyberattack
will be felt by the attacker, whether through the self-propagative tendencies of
malware (causing direct effects on home computer systems) or through cas-
cading economic damage (indirect effects on the home society).79

poor strategic depth. A fourth destabilizing factor is the short time a de-
fender has between the detection and impact of a cyberattack. The speed of
cyberweapons eliminates temporal limitations to the inºiction of harm. Der
new capability pushes the upper speed of weapons systems from Mach 20
(the speed of the fastest intercontinental ballistic missiles) to the velocity of
electrons. Folglich, the interaction domain of cyber conºict unfolds in
milliseconds80—an inªnitesimally narrow response time for which existing cri-
sis management procedures, which move at the speed of bureaucracy, may not
be adequate. Traditional precedents that regulate the role of government agen-
cies in the conduct of national defense can be difªcult to interpret in a cyber
emergency. And even where the necessary tactical action is known, the ability
of operational and command structures to implement it may not exist. To illus-
trate, die USA. National Security Agency has authority to retaliate against for-
eign-based cyberattacks, but it may lack access to forensic data necessary to
tailor a timely response if such information resides in private computer sys-
tems or in foreign jurisdictions. The implementation of automated “tactical
ªres” can go far toward restoring strategic depth, but by removing the human
agent from the response procedure, it introduces unknown risks of inappropri-
ate reaction.

escalatory ambiguity. Traditionell, an international crisis could be averted
through conªdence-building measures such as established signaling proce-
dures and diplomatic “hotlines.” Failing that, common rules and norms could

79. See Owens, Damm, and Lin, Technologie, Policy, Law, and Ethics, S. 2–32.
80. John C. Mallery, “Models of Escalation in Cyber Conºict,” presentation at the Workshop on
Cyber Security and Global Affairs, Budapest, May 31–June 2, 2011, http://es.slideshare.net/
zsmav/models-of-escalation-and-deescalation-in-cyber-conºict.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 35

still provide a minimum measure of expectations and moderating behavior.
These safety valves disappear when dealing with a cyberattack. Signaling be-
comes murky; channels of communication break down or vanish; geteilt
norms are rudimentary or unenforceable; and the identity, motives, or location
of an attacker may not be known. Darüber hinaus, the tactical and strategic ambigu-
ities of the related technology impede attempts to design escalatory models for
the full spectrum of conceivable cyber conºict. The absence of clear “conver-
sion tables” to orient interpretation of the equivalence principle could prompt
an excessive response from a victim of an attack; lack of agreed standards of
proportionality may produce further unreasonable counterresponses; and all
the while, the lack of conªdence-building measures could hinder attempts to
de-escalate or terminate the crisis. What may begin as a low-intensity cyber
exchange could intensify into a major showdown, possibly of conventional
proportions. Such a crisis could be set in motion by cyber exploitation if the
defender misconstrues it as a step in preparation for attack and instigates a
preemptive blow.

“large-n” problem. Low barriers to entry mean that the cyber domain fea-
tures a variety of relevant players, ranging from states to private organized
groups and individuals.81 This can upset strategic stability in three ways, Die
ªrst two of which are instrumental. One problem involves cooperation dif-
ªculties among unitarily rational states. As the number of cyber-capable states
rises, the transaction and information costs of cooperation among them in-
crease; there is less heterogeneity in discount rates for future payoffs (welche
raises the chances of a defection spiral); and the punishment of defection it-
self becomes a collective-action problem.82 Second, the rising number of play-
ers in the domestic cyber establishment can impede the ability of states to
act as coherent units. Although the United States has operated a uniªed
cyber command since 2009, the ªrst steps to standardize cyber operations
across the combatant commands and their respective cyber outªts began only
in mid-2012.83 In the civilian domain, it is possible, according to Secretary of
Homeland Security Janet Napolitano in remarks made in 2012, that private
industry will be authorized by the government
its own
proactive measures.84 Moreover, some countries—notably, Russia and China—

to conduct

81. For a discussion of this phenomenon, see Nye, The Future of Power, Kerl. 5.
82. A classic study of this problem is Kenneth A. Oye, Hrsg., Cooperation under Anarchy (Princeton,
N.J.: Princeton University Press, 1986).
83. See Zachary Fryar-Biggs, “Panetta Green Lights First Cyber Operations Plan,” Defense News,
Juni 6, 2012.
84. Joseph Menn, “Hacked Companies Fight Back with Controversial Steps,” Reuters, Juni 18,
2012.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 36

increasingly employ cyber “militias” to prepare and execute hostilities. Solch
use of civilian proxies provides states plausible deniability if they chose to
initiate a cyberattack, but it also risks instigating a catalytic exchange should
the lines of authority and communication break down or if agents decide to
act alone.

A third, deeper source of instability stems from the dispersion of power
away from governments. While states remain the most powerful cyber play-
ers, they are not alone; the new technology empowers a variety of nontradi-
tional actors such as religious extremist groups, political activists, criminal
syndicates, and individuals. The cyberattacks against Estonia and Georgia
demonstrate the ease with which civilian culprits can use the new weapons to
exert economic and tactical effects outside their borders. Even lone agents can
generate astonishing impact. A virus created in 2000 by a disaffected Filipino
teenager infected one in ten machines worldwide, causing billions of dollars in
economic losses and forcing the closure of computer networks at the Pentagon.
Secretary of Defense Panetta warned of far worse scenarios, stating that mili-
tant groups could use cyber instruments to derail trains transporting hazard-
ous chemicals or to contaminate the water supplies of large cities.85 Cyber
conºict, daher, can ªt four basic agent frames: (1) state-to-state, in which
one state targets another state’s strategic computer assets, such as in Olympic
Games (this category includes the use by government of obedient civilian
proxies); (2) private-to-state, which includes cyberattacks by militant groups or
“patriotic” hackers such as in the Estonian case; (3) private-to-private, involv-
ing an exchange of cyber blows between nonstate entities such as private com-
panies (a possible contingency of Secretary Napolitano’s consideration); Und
(4) state-to-private, in which a state attacks the private computer systems of
another nation, possibly for commercial or other economic gain.

The diversity of potential cyber adversaries and the possibility of coop-
eration among them establish conditions for fundamental instability; eher
than hew to the familiar logic of interstate rivalry, cyber phenomena are likely
to strain established theoretical models of security competition. Analysts must
grapple, in effect, with two distinct but interrelated “states of nature,” each
of which may exhibit its own peculiarities: the traditional one of states locked
in familiar contests for security but featuring a largely untested weapon
whose use is difªcult to model and regulate even among rational contenders;
and a chaotic “global” system comprising nontraditional actors who may not

85. See Elisabeth Bumiller and Thom Shanker, “Panetta Warns of Dire Threat of Cyberattack on
U.S.,” New York Times, Oktober 11, 2012.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 37

accept or even understand the delicate political framework of anarchic interna-
tional relations.86

The greatest test of international relations theory may well be its ability to
assess instances of convergence and collision between these two universes. An
the one hand, the wide diffusion of cyber technology enables new modes of
cooperation between state and nonstate players who share certain goals and
adversaries. An example of this phenomenon is the reported collusion be-
tween Iran and company insiders at Saudi Aramco to incapacitate tens of
thousands of the ªrm’s machines in 2012. There is also the danger of collision,
Jedoch: a cyber event in which nonstate cyber activity encounters the high
stakes of interstate competition. The cyberattacks that were conducted by
nonstate actors to freeze ªnancial activity in Estonia prompted ofªcials in the
capital, Tallinn, to consider invoking NATO’s collective defense clause, a move
that would have embroiled the Alliance in a major crisis with Moscow. Con-
tamination of the preference pool with nontraditional players can impede the
ability of states to maintain the restrained stability of their relations. Zustände
have demonstrated reserve in the use of cyberweapons against each other, als
illustrated by the United States’ decision in 2003 not to attack computer sys-
tems in Iraq for fear of causing indiscriminate effects and setting dangerous
precedents for future action. Nontraditional players, Jedoch, may not be
so inhibited: they may use the new technology in ways that disrupt habitual-
ized interstate rivalries, perhaps initiating a catalytic event that instigates a
military showdown.87

Daher, a dangerous separation of power and diplomacy is occurring. Sogar
if problems of instrumental instability in the cyber domain were soluble
through intergovernmental agreement—a Sisyphean task thus far—private
culprits could still unsettle the interstate equilibrium by defying the consen-
sus. Gesamt, concerns about the possibility of global chaos voiced by practitio-
ners may be overstated, but they contain the germ of an important truth about
the contemporary cyber danger.

Abschluss

This article has offered a conceptual framework for the study of adversarial
cyber phenomena in the ªeld of international security. It has argued that ignor-

86. For a discussion of a similar point in relation to globalization, see Stanley Hoffmann, Chaos and
Gewalt: What Globalization, Failed States, and Terrorism Mean for U.S. Foreign Policy (Lanham, Md.:
Rowman and Littleªeld, 2006), Kerl. 1.
87. On catalytic cyberattacks, see Owens, Damm, and Lin, Technologie, Policy, Law, and Ethics, P. 9-8.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 38

ing the dangers that cyberweapons pose domestically and internationally
inhibits future intellectual progress in the ªeld. What may now seem a “revo-
lutionary” technology will eventually become the new “conventional.” Either
there will be an exhaustive effort to integrate the new technology into our the-
ories or there will be theoretical exhaustion. Equally important, sound theory
can assist practitioners in the reevaluation of strategic axioms on which the
efªcacy of security policy ultimately rests. Scholars have a duty to decipher
the meaning of the cyber revolution—if only to dispel the misperceptions of
decisionmakers about its consequences for policy.

The cyber issue inºuences international relations theory in three general
ways that cyber studies can immediately begin to address. At the most basic
Ebene, it touches on foundational theory, das ist, scholars’ understanding of ba-
sic concepts such as anarchy and order, which orient the formulation of re-
search questions and guide the quest for satisfactory answers. In this respect,
the preceding analysis suggests that the peculiar features of cyber phenomena
may give impetus to two intellectual trends. One relates to the content of our
substantive concerns—an ongoing conceptual shift that privileges security,
broadly deªned, over strict notions of war or military defense.88 It is important
to understand that cyber technology is expanding the range of possible harm
beyond traditional conceptions of war and that it poses new challenges for na-
tional and international security. Another trend involves the ªeld’s current
state-centric prejudices. Within the ªeld of international security studies, con-
ceptions of system and order typically—and at times exclusively—center on
states and competition among them. Um sicher zu sein, this frame applies to much of
the cyber issue; insofar as it does not, Jedoch, future study will require con-
sideration of the negative inºuences that nonstate players may be able to
exert on states and their relations with other states. Cyber studies requires
a willingness to evaluate the cyber issue in its interstate as well as in its
global dimensions—especially the points at which the two universes converge
and collide.

Zweite, scholars must open their theoretical toolkits to model, explain,
Und, where possible, predict adversarial cyber relationships. This task may in-
volve incorporating cyber phenomena into major existing theoretical para-
digms, such as the balance of power or institutional theory, jedes davon
may yield distinct explanatory models. Empirical analysis, Jedoch, could
also yield more narrowly focused theorization: the formulation of orderly

88. See Steven E. Müller, “International Security at Twenty-ªve: From One World to Another,„Inter.“-
national Security, Bd. 26, NEIN. 1 (Sommer 2001), S. 7–8.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

The Meaning of the Cyber Revolution 39

propositions that account for precise occurrences within the dataset, wie zum Beispiel
the use of code to destroy Iranian nuclear centrifuges and the regional conse-
quences of pressing for such a course.

Dritte, in addition to elucidating empirical cyber events, scholars can guide
the design of policies to affect them. Some theorists may resist the extension of
scholarship in this manner. The pressures of decisionmaking, Jedoch, verlassen
practitioners little time for strategic interpretation, further elevating the need
for cyber studies. The quandaries of strategy are urgent. Does declaratory am-
biguity deter cyberattacks or merely increase the chances that the prospect of
retaliation will be underrated? What dangers does a policy of cross-domain
deterrence that includes escalation to conventional force pose for the manage-
ment of a cyber crisis? What signaling procedures and conªdence-building
measures could halt a cyber exchange involving nonstate actors from acceler-
ating beyond the ability of states to control it? With what mechanisms can pri-
vate actors be co-opted into the cyber establishment so that it can leverage
civilian resources for strategic gain? The academy has a duty to apply and
adapt its theories in the assessment of such policy conundrums.

Some observers perceive the information age as a veritable revolution in hu-
man affairs. Few questions in future cyber studies will be more important than
that of determining the extent to which the present era represents a new phase
in international relations—whether patterns of security competition will be
signiªcantly altered or whether they will continue essentially the same, albeit
with new instruments at actors’ disposal. One of the main conclusions of this
study contravenes what historical experience seems to suggest: unlike pre-
vious technological transformations, the cyber revolution is inºuencing the
tendencies of anarchic international politics, rather than merely altering
the strategic dealings of states; das ist, the cyber domain exhibits both funda-
mental and instrumental forms of instability. Given its lack of purposive regu-
larity and absence of stable or known logics of interaction, the present cyber
condition deviates from the routinized patterns of competition that character-
ize much of international anarchy. A central task of scholarship, daher, Wille
be to formulate concepts and propose policies that can impose on the chaotic
cyber domain the necessary measure of stability to render its contests not just
orderly but also “ordinary.”

The cyber revolution is still incipient; conclusions about its implications for
theory and practice are necessarily provisional. It remains open to question
whether the related technology demands a greater order of change in our
thinking about international security than did previous technological revo-
lutions. We may discover that the challenge to our theories is not much larger

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3

International Security 38:2 40

als, Zum Beispiel, the advent of the telegraph in the nineteenth century. Con-
versely, the need for new concepts could be far greater, given societies’ grow-
ing reliance on cyberspace and its usefulness in the propagation of threats.

In sum, the conceptual apparatus of international security may yet absorb
emergent cyber phenomena—or it could become a relic in need of redevelop-
ment. But whatever the cyber revolution signiªes, it is detrimental to the intel-
lectual progress and policy relevance of the ªeld to continue to avoid its
central questions.

l

D
Ö
w
N
Ö
A
D
e
D

F
R
Ö
M
H

T
T

P

:
/
/

D
ich
R
e
C
T
.

M

ich
T
.

e
D
u

/
ich
S
e
C
/
A
R
T
ich
C
e
–
P
D

l

F
/

/

/

/

3
8
2
7
1
8
4
4
1
6
3

/
ich
S
e
C
_
A
_
0
0
1
3
8
P
D

.

F

B
j
G
u
e
S
T

T

Ö
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3
PDF Herunterladen