5 National cybersecurity and strategy

National cybersecurity is a complex endeavor, involving millions of actors and billions of devices. Cyberspace permeates so much of the critical social, economic and military infrastructure of modern nations that it forms a foundational substrate upon which national security relies. This chapter focuses on national efforts to achieve cybersecurity, and the continuing relevance of state actors in cyberspace. Although non-state actors – such as hackers, criminal organizations, non-profit organizations and companies – affect cybersecurity, states have unparalleled authority, legitimacy, expertise and access to resources.1 Governmental and societal reliance on information technology infrastructure inevitably creates vulnerabilities that public authorities seek to mitigate. National decision-makers, and the processes they follow, shape cyberspace and the interactions that take place within it.

The need for national cybersecurity is now widely recognized, and the debate on the ends, ways and means necessary to achieve national cybersecurity has attracted increasing public and scholarly attention in the last decade.2 The networked nature of cyberspace requires national cybersecurity to span multiple divides between public and private, and local, national and international organizations. The national cybersecurity strategies of major powers such as China, Russia and the United States all emphasize the need to coordinate multiple actors and approaches to security in and through the digital realm. Despite significant differences in national cyber strategies, nation states face a number of common challenges to achieving national cybersecurity.

Cyber power, national security and strategy

National security can be understood both in the objective sense of physical safety, and in a more subjective way, as the protection of national values.3 While the physical safety of nations poses similar challenges across the globe, variation in national interests and values – specifically between liberal democracies and authoritarian regimes – produces different approaches in the pursuit of national security.

To maintain national security, governments wield power. In its simplest form, power is the ability to influence others. This ability rests on economic, demographic, political and socio-cultural resources, among others. States use a variety of instruments – diplomacy, information, military and economic capabilities (also known as DIME) – to leverage these resources and pursue goals they believe will have a positive impact on their regime or population. In democracies, governments are elected to formulate national interests through policy objectives and strategies that translate into action.4 They sometimes opt to wield hard power, using or threatening to use military operations and economic sanctions to force other actors to change their behavior. At the softer end of the spectrum, policy-makers use information and diplomacy to influence actors through persuasion. One of the core challenges confronting high-level decision-makers is to effectively combine hard- and soft-power resources – what Joseph Nye calls a smart-power strategy – to achieve national security objectives.5 Much of the contemporary debate about national cybersecurity explores how to leverage specific cyber capabilities to contribute to such a strategy.

The concept of cyber power provides a useful basis for discussing the role of cyber capabilities in the context of national security policy. Strategist John Sheldon defines cyber power as “the ability, in peace, crisis, and war to exert prompt and sustained influence in and from cyberspace.”6 With the distinction between “in” and “from” cyberspace, Sheldon suggests that cyber operations establish influence beyond cyberspace, in the physical world. For Daniel Kuehl, another strategist, cyber power is a dimension of the informational instrument of power that “links to, supports, and enables the creation and exercise of the other instruments” to create advantages and influence events.7 Cyberspace is inherently linked to the economic performance of major nations. Digital goods and services accounted for 6.5 percent of the US economy in 2016 and over 30 percent of the Chinese GDP.8 States also leverage cyber capabilities as a means of influencing opinions throughout the world and, increasingly, to exert military force. Cyber capabilities have come to permeate all elements of national power.

During the Cold War era, the information element of national power was focused on strategic communications and propaganda, two types of information-based influence operations meant to affect the perceptions and attitude of specific audiences. With the advent of cyberspace, the information domain has expanded significantly. All sorts of state and non-state actors can leverage cyberspace to advance their interests in and through the digital world. The Internet is sometimes referred to as the “great equalizer,” reflecting the way in which easy access to cyberspace empowers actors that do not traditionally wield significant informational influence. In a realm where both state and non-state actors play a prominent role, power cannot simply be exerted over others to influence them, but must also be utilized co-operatively.9 Wielding power in cyberspace and achieving national cybersecurity require public–private and international cooperation.

Leveraging instruments of power in a coordinated manner is essential to achieve national objectives. Strategy aims to align ends (objectives), ways (courses of action) and means (resources). Cyber strategy seeks to connect these elements to cyber power in the pursuit of national security objectives. In their seminal book, Cyberpower and National Security, Franklin Kramer, Stuart Starr and Larry Wentz define cyber strategy as “the development and employment of strategic capabilities to operate in cyberspace, integrated and coordinated with the other operational domains, to achieve or support the achievement of objectives across the elements of national power in support of national security strategy.”10 Achieving national cybersecurity requires the development of human, technological and organizational resources and procedures that contribute to specific national objectives.11

States pursue different interests and objectives and follow different strategies to translate their resources into desirable outcomes. Proponents of strategic culture argue that states formulate national assumptions – based on their political, cultural, philosophical and cognitive characteristics – that limit the options they consider. Cultural legacies brought by different organizations can also play a role in framing issues and evaluating policy options.12 These elements, as well as bureaucratic preferences and legal constraints, can be expected to produce national styles and preferences that shape the way nations use their cyber power.13 However, analysts need to be careful not to make extreme generalizations that would seek to predict state behavior based solely on national circumstances and legacies.14 While domestic factors are important in understanding national cybersecurity, a number of other influences – such as the structure of the international system and the particular characteristics of cyberspace – pose similar security challenges to decision-makers across the world. The following sections emphasize the national approaches to cyber power and security favored by the three most powerful nations in cyberspace: China, Russia and the United States. They emphasize a number of differences, but also some commonalities in the way these major powers guide and organize their actions in and through cyberspace.

China: controlling information

The development of the modern Chinese state and its emergence as a great power in cyberspace was not preordained. In the 1990s, China, while rapidly developing, lacked sufficient human and technical capacity in information communications technologies. This lack of endogenous capacity was confronted head-on in a 1998 book written by two Chinese PLA colonels, entitled Unrestricted Warfare.15 In their book, Colonels Liang Qiao and Wang Xiangsui proposed a new way of challenging potential adversaries without engaging in direct confrontation. To achieve this strategy, and exploit the rapidly evolving technological landscape, China began implementing an ambitious program of technological development. In 2000, then General Secretary of the Communist Party Jiang Zemin gave a series of seminal speeches in which he established the trajectory of China’s information society and outlined a strategy to transform China into an advanced cyber power.16

These intentions were formally outlined in a 14-year plan that emphasized the priorities of a resurgent China in cyberspace. In tandem with developing the educational facilities and pushing for students to enter into information technology careers, the plan established the necessity of developing both internal controls on information and the capacity to exploit the information vulnerabilities of other states. Nearly 14 years later, China is technologically advanced and often dominates the quest for high-performance computing and Artificial Intelligence (AI). The nation currently benefits from a booming economy, and hosts close to a quarter of the global Internet population. Consequently, the Internet is an important enabler – and also a possible source of vulnerabilities – in the emergence of China as a great power.17

The authoritarian nature of the Chinese regime shapes its conception of cybersecurity and use of cyber power. At the domestic level, China has sought to control the flow of external information into the national sphere, to exert sovereignty over its society. For the Chinese government, Internet threats are not only technical but also informational. While various democratic nations, such as the United States and Sweden, monitor Internet traffic in and out of their country, China filters out unwanted content.18 To control information, Chinese authorities have developed a “golden shield,” colloquially known as the Great Firewall of China. The Ministry of Public Security defines the boundaries of this wall, providing censorship guidelines that must be followed by ISPs and citizens alike. The Chinese Internet police relies on a combination of legislation, technologies and human workforce to enforce censorship and shut down websites, delete or redirect information and arrest dissident bloggers.19

This effort to censor the Internet aims to limit the influence of Western media and other news sources, which are seen as subversive tools that threaten the stability of the regime.20 Chinese “netizens” do not have access to a number of foreign websites and applications, such as Facebook and Google Maps. Service providers are also forced to block access to websites presenting information on “subversive” movements and ideologies, such as the teachings of the Dalai Lama. In principle, Chinese censorship aims to limit separatism, terrorism and extremism. In practice, critics point out that information control also limits freedom of expression. In a detailed study of Chinese social media, Gary King and his colleagues found that Chinese censorship does not seek to systematically suppress government criticism on social media but attempts to “reduce the probability of collective action,” such as protests.21

The Chinese government’s ability to control Internet traffic on its territory provides a useful tool against external attacks. The government could shut off domestic access to the Internet in an effort to prevent major cyberattacks. However, experts have questioned the impermeability of the Great Firewall, noting that some activists have managed to bypass it.22 Researchers have questioned the extent to which China is well equipped to confront technical and economic threats at home. The widespread use of pirate software in China creates vulnerabilities as their users do not automatically get access to security upgrades and patches.23 Further concerns exist about the extent to which cyberspace has facilitated the development of a black-market economy, over which the government has limited control.24

At the international level, China is both a source and a target of cyber insecurity. The Chinese government knows that it cannot match the United States in conventional assets and has therefore sought to develop asymmetric means to wield informational power. This asymmetric approach seeks to turn the technical superiority of adversaries into a liability.

China has focused its efforts on cyber espionage and the theft of intellectual property in order to develop an informational advantage across the fields of economics, military affairs, politics and technology, and to weaken the operational efficiency of its adversaries.25 This focus on information gathering is consistent with the Chinese strategy of pre-emption and “informationized war.” The Chinese military wants to anticipate threats and act early to gain the initiative. This pre-emptive approach requires preparation and mobilization in peacetime, including the recruitment of a wide pool of talented personnel, as well as the continuous testing of adversaries’ networks to uncover their strengths and vulnerabilities and signal intrusion capabilities. The information gathered through reconnaissance and espionage efforts can then be utilized to deceive or entice an opponent and adopt an appropriate strategy that will lead to the greatest gains.26

China is often decried in the West for its confrontational cyber posture and efforts to penetrate Western computer systems for military and economic gain. In the last two decades, a number of major cyber operations originating from China – from Titan Rain to APT1 – stole sensitive information from Western governments and industries. However, the extent to which Chinese-led APTs have translated into economic and military gains is unclear.

While these operations reflect an active stance, they might not be as aggressive as is commonly perceived. Some analysts argue that they reveal China’s concerns about adversaries’ efforts to penetrate its own government and private-sector systems.27 Chinese authors writing about cyber warfare emphasize the role of the United States in driving cyber insecurity, and the need for China to develop cyber capabilities to maintain its sovereignty and protect itself from US destabilization.28 For Valeriano, Jensen and Maness, Chinese cyber behavior reflects a desire to achieve balance with the United States and maintain power in Asia.29 These concerns would explain why Beijing engages in cyber espionage and information manipulation rather than cyber degradation.

The organization of national cybersecurity in China is spread across multiple organizations. Jon Lindsay emphasizes the complex networks of overlapping committees and groups making decisions under the banner of the Chinese one-party government.30 This institutional fragmentation has limited Chinese abilities to foster strong cybersecurity across the public–private divide, and weakened critical infrastructure protection. The PLA has invested significantly in its cyber warfare capabilities, both offensive and defensive. The responsibility for cyber operations in the Chinese military is generally attributed to the PLA General Staff’s 3rd Department, which holds responsibilities for signals intelligence (SIGINT) and seems to play a primarily defensive role. The Chinese General Staff Department 418th Research Institute and its Unit 61539 are generally considered to be the Chinese Cyber Command. A number of other cyber units are co-located with civilian entities, specifically universities and schools.31 Following a military reform launched in 2016, many of these units have been reorganized under a Strategic Support Force.

Chinese cyber operations also rely on entities and individuals that are not officially acting on behalf of the government and not directly tied to the PLA, allowing the government to formally deny any involvement and responsibility. Following Mao Tse Tung’s notion of mobilizing popular support to wage a protracted struggle, Beijing has fostered the development of cyber militias and “patriotic hackers” organized in networks around the PLA and contributing to the development of Chinese cyber power.32 According to some recent research, these militias bring together from 8 to 10 million individuals and primarily serve a defensive role.33 The extent to which the PLA will effectively leverage and merge these disparate cyber capabilities remains to be seen.

Russia’s holistic approach

Russia maintains a holistic approach to cybersecurity that considers strategic interactions across all the elements of power.34 This approach is well suited to the all-encompassing nature of computer networks in modern societies. At the domestic level, Russian authorities have sought to control the flow of information and data in cyberspace to maintain national sovereignty. Following Tsarist and communist precedents, the government maintains a strong degree of state control on information to protect its regime and keep the loyalty of its people in check. Prior to the collapse of the Soviet Union, the KGB installed a System for Operative Investigative Activities at network junction points around the country. This system of devices has since evolved and now provides the FSB, Russia’s Federal Security Service, with unprecedented surveillance capabilities on Russian networks.35 Russia has not built a Great Firewall, but the government supervises the media to make sure they promote patriotic values and traditions.36

Russian officials are particularly concerned with the influence of the Western information society and way of life. To limit Western influence and maintain its sovereignty, Russia has expressed a desire to develop an independent Internet and create its own domain name system that would limit external influences.37 Russian law requires ISPs to host data belonging to Russian persons and entities on the Russian territory (to limit surveillance from other countries).38 Beyond these technical measures, the Russian government has supported the development of a Russian ecosystem of Internet services, including the Russian social networking service VKontakte and the Russian search engine Yandex. The executive branch of government leverages this Russian segment of the Internet (also known as RUNET) as an instrument of power, both at home and abroad, to pursue Russian sovereignty.39 RUNET provides Moscow with a tool to support a distinct digital subculture and influence former Soviet states like Georgia and Ukraine.

At the international level, Russia leverages cyberspace as an asymmetric means to engage with an adversary (the West) that is stronger in other elements (economy, military). Here, Russian use of cyber operations to project power and sow chaos contrasts with the more defensive outlook of Chinese cyber strategy. In Russia, cyber operations are construed as a form of information warfare that seeks to disrupt enemy civil–military facilities and systems, leadership, troops and populations.40 Russian doctrine attributes great importance to the role of public perception and seeks to exploit psychological and cognitive factors as a part of a broader informational struggle. The aim is to manipulate the adversary’s picture of reality, interfere with its decision-making process and influence its society to produce favorable conditions. The Russians use “reflexive control” to convey “to a partner or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action.”41

In this context, cyber operations might seek to affect enemy information gathering and analysis, and manipulate the information disseminated in mass media and online. Such operations can be used to disorganize the structure of a society, distort public consciousness and affect elites and citizens alike. For example, Russian military movements in Eastern Ukraine were accompanied by Distributed Denial of Service (DDoS) attacks disrupting computer systems in Kyiv. Sowing such confusion can help to buy time in the initial stages of a conflict and thicken the fog of war.42 Since 2016, Russian efforts to interfere in democratic elections across Western countries have become increasingly apparent. Russia has used cyber operations to gather protected information, alter some of its content and leak selected documents online to influence electorates. Russian trolls have used social media to foment societal tensions in the West, instill chaos and reinforce Russia’s position on the international scene. These actions have sent strong signals that Russia is a capable and dangerous cyber actor, but their overall utility as an instrument of power remains debatable.43 Storybox 5.1 discusses Russian interference in the presidential elections in the United States (2016) and France (2017) to exemplify the Russian use and limits of cyber operations as an informational instrument of power.

Storybox 5.1 Russian interferences: Hit and miss

According to a declassified US intelligence community report, President Vladimir Putin ordered an influence campaign targeting the 2016 US presidential election.44 This campaign sought to undermine public faith in the US democratic process and harm the electability of Secretary Clinton (initially a candidate for the Democratic Party presidential primaries). The Russian campaign relied on a messaging strategy that blended covert intelligence operations, mostly through cyber activity, with overt efforts by the government, state-funded media and social media users to delegitimize Clinton’s candidacy. Russian military intelligence (General Staff Main Intelligence Directorate, or GRU) used online persona Guccifer 2.0 and the website DCLeaks.com to release data obtained through cyber operations to selected media outlets.

The crux of the operations relied on the GRU’s ability to penetrate Democratic National Committee (DNC) networks from summer 2015 to 2016. Russian hackers compromised the personal email accounts of Democratic Party officials and stole large volumes of data. The US intelligence community assesses that the Russian services consider their cyber-enabled disclosure operation to be a “qualified success” because of its impact on public discussion in the United States.45 Experts expect Russia to continue its propaganda and disinformation campaign to further exacerbate social and political fissures in the United States, and beyond.46 This operation also served domestic purposes, drawing the Russian public’s attention to flawed aspects of democratic institutions.47

* * *

In contrast to the success of its interferences in the 2016 US election, Russian efforts to influence the French presidential election of 2017 failed to divide French society and affect outcomes. One key aspect of the Russian campaign in France was the leaking of information that had been captured from then-candidate Emmanuel Macron’s presidential campaign. The Macron leaks were a combination of real emails and forgeries released a few hours before the final vote in the second round of this election.

Recent research on the failure of this operation to influence the French elections highlights a combination of structural factors and anticipatory measures. At the structural level, the two-round system of the French presidential elections makes it more difficult to identify potential candidates well ahead of the elections. The second round also provides an opportunity for the population to shift their support to a mainstream candidate. In this case, the mainstream candidate Emmanuel Macron faced a candidate for the extreme right party Rassemblement National. The quality of the French media environment, specifically the marginal role of tabloids and alternative websites, further limited the impact of the Macron leaks. In addition, the establishment of an independent administrative authority in charge of the integrity of the elections encouraged traditional media not to exploit the Macron leaks.48

The French government and presidential candidates had the opportunity to learn from Russian influence operations in the United States, as well as similar efforts in the Netherlands and the United Kingdom. The French national cybersecurity agency (ANSSI) organized workshops to train political parties, and warned Macron about a potential attack. The Macron campaign team compartmentalized information and communicated only face-to-face on the most sensitive issues. They talked publicly about hacking attempts against them and even forged emails and fake documents to confuse the hackers with irrelevant information. These measures undermined the validity of the leaked documents and made the population doubt the authenticity of the material.49

Responsibility for Russian national cybersecurity falls on the FSB and its SIGINT unit, the Ministry of Internal Affairs (MVD) and the Foreign Intelligence Service (SVR). FSB and MVD are responsible for monitoring online information on extremist groups, for example. When doing so, they rely on national service providers and the companies at the basis of RUNET. Russian national cybersecurity relies on the synergy between the Russian security services and its business sector, both of which cooperate to purge RUNET of unwanted content.50

The Russian government has developed an ambivalent relationship with cyber criminals. The government tolerates, and sometimes encourages, hackers when they target adversaries. Reliance on hackers allowed Russia to maintain some distance from the well-coordinated cyberattacks that targeted Estonia in 2007 and Georgia in 2008, and to deny any responsibility. This reliance on hackers can be linked to the close ties between the Russian government and broader criminal networks.51 Western analysts argue that the Russian government deliberately lets hacktivists and cyber criminals operate from its territory to “erode the boundaries of organized violence” and wage influence without resorting to open conflict.52 The extent to which criminal organizations such as the Russian Business Network (RBN) are driven and coordinated by government entities is not clear, but they certainly seem to enjoy a degree of immunity.53 Scholar Nikolas Gvosdev concludes that Russia’s hackers might have struck a bargain with the government whereby they will be left alone – perhaps even politically protected – as long as they do not target the state and its key interests. This Russian strategy is not without risks, as criminals could, one day, turn against their political protectors.54

The United States: A pro-active cyber power

The United States is one of the most connected nations in the world – its economy, civilian infrastructure and government services are all highly dependent on cyberspace. Unlike China and Russia, the United States actively defends and promotes freedoms – specifically, freedom of speech – in cyberspace. The technological dependency and openness of the United States have created significant vulnerabilities that its adversaries have sought to exploit. The number of significant cyberattacks on the United States has required the government to adopt a very active stance on national cybersecurity and spawned the creation of a number of organizations and policies designed to enhance national cyber defense and resilience.

The US government has published dozens of strategic documents reflecting the growing importance of cyber power and national cybersecurity. Cyberspace emerged as a distinct national security policy area during the presidency of Bill Clinton when the White House established a structure to coordinate efforts across the public–private divide to “eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructure.”55 Since then, a variety of Defense, Military and National Security Strategies have identified cyber threats to critical infrastructure and services as a pressing national security threat.56 The US approach emphasizes the importance of international alliances, specifically the North Atlantic Treaty Organization (NATO), in deterring shared threats and promoting stability in and through cyberspace.57 The transatlantic alliance has been one of the main vectors supporting the development of strong and resilient cyber defense and cooperative cybersecurity in the West.

The US government has embraced cyberspace as an instrument of soft and hard power. The 2011 International Strategy for Cyberspace proposed to promote US values throughout cyberspace, including fundamental freedoms, privacy and respect for property. To achieve these objectives, the strategy sought to leverage defense, diplomacy and development. China and Russia consider US support for an open cyber environment, and specifically the spread of US-backed social media and Internet technologies like The Onion Router (TOR), as an effort to interfere in their domestic affairs. In a famous case of cyberattack discussed in the next chapter, the United States successfully deployed a computer worm to sabotage Iranian nuclear centrifuges.

In a government that traditionally divides responsibilities between multiple departments and across society, coordinating national cybersecurity policy and implementation presents a significant challenge. Critics note that the division of labor that characterizes American society limits the US ability to anticipate and respond to problems in a timely and coherent way.58 To counter cyber threats, the US government has developed a number of platforms to promote common security standards, share information and coordinate threat assessments and responses across the public–private divide. However, these efforts remain limited by issues of privacy and trust between government and private-sector organizations.59 Experts question the extent to which the private sector is ready to communicate with government entities about vulnerabilities. Equally, some government agencies remain reluctant to systematically share sensitive information with outsiders.60 Such problems of public–private coordination are less apparent in China and Russia where the public authority of government is more sweeping and evident.

Responsibility for cybersecurity and related incidents is broadly divided into domestic and foreign responsibilities. The US Department of Homeland Security (DHS) is responsible for protecting critical infrastructure at home, from both physical and cyber threats. Its National Cybersecurity and Communications Integration Center (NCCIC) brings together public and private partners to coordinate cybersecurity efforts. The Department of Justice, acting through the Federal Bureau of Investigation, is the lead federal agency for threat response and law enforcement activities.61 Both departments are expected to effectively coordinate their activities within their respective lines of effort, but the extent to which they do so in practice is not clear. Since 2009, the US has established a Cyber Command, which brings together all components of the US military that work on cyber threats. USCYBERCOM was elevated to an independent unified command in 2018 under the direction of General Paul Nakasone, putting it on par with other warfighting commands and confirming the growing importance of digital combat. In May of 2018, USCYBERCOM reached full operational capability when the last of its 133 national mission teams became certified.

The latest Cyber Command “vision” points out that America faces competitors who are deliberately operating at a level below armed aggression. The document highlights a desire to defend forward – that is to say, to target adversaries’ weaknesses, imposing costs on them so that they are forced to shift their resources to defense. Until August 2018, classified US Presidential Policy Directive 20 (PPD-20) imposed severe limitations on when, how and by whom offensive cyber operations could be authorized. In the summer of 2018, President Trump reportedly revised the standing direction and loosened the requirement that all offensive cyber operations receive presidential approval.

In their analysis of US cyber strategy, Valeriano, Jensen and Maness present the United States as a sophisticated cyber power.62 They argue that the notion of the precision strike has shaped the conduct of US cyber operations. Cyber capabilities are used to “infiltrate command networks, often through counterintelligence honeypots, and paralyze them at an opportune moment.”63 This approach utilizes cyber capabilities to gain information superiority, identify specific targets, and develop a sophisticated method to strike precisely at an opportune moment.

To stop or limit attacks by adversaries, the United States has sought to adopt a whole-of-government approach and liaise with partners across government, industry and academia.64 US strategy recognizes the need for better alignment with the private sector, including ISPs and security companies. Other Western governments have faced similar coordination challenges and developed similar approaches. American allies such as South Korea and France have also established Cyber Commands (in 2009 and 2016, respectively). The United Kingdom established a National Cyber Security Centre in 2016.65 Governments increasingly coordinate their cybersecurity efforts through both bilateral and multilateral cooperation agreements.66 As of October 2018, more than 83 countries had National Cybersecurity Strategy documents, each addressing the nuances and challenges, as well as interpretations, of the operating environment in and through cyberspace. A number of international organizations, including the African Union (AU), the Association of Southeast Asian Nations (ASEAN), the EU and the UN, have set up working groups and developed strategies to coordinate national efforts to improve cybersecurity.67

Common lenses and challenges

The dynamics of national cybersecurity can be understood through the canon of international relations. In the realist tradition, cyberspace is an extension of the Hobbesian worldview in which states pursue their national interests by maximizing power. Chris Demchak and Peter Dombrowski argue that cyberspace, a man-made domain, cannot escape the “Westphalian world of virtual borders and national cyber commands.”68 In the digital realm, states strive to ensure their citizens’ online safety, and the economic well-being of their nation. They also exert their power in cyberspace and push to assert national policies both at home and abroad. From this perspective, nation states are exerting their monopoly over the legitimate means of control of cyberspace. State control is apparent when governments require ISPs to share data with them and to filter out traffic. At the international level, Chinese Advanced Persistent Threats (APTs), the US cyber operation against Iranian centrifuges, and the Russian efforts to interfere with democratic elections in Western countries, all suggest that states are wielding power in cyberspace. As such, classic international relations debates about coercion, deterrence, escalation and alliance are increasingly central to the debates surrounding cybersecurity in social science.

Following a liberal internationalist tradition, some scholars have started to explore the emergence of international norms of behavior in cyberspace.69 Nation states are growing increasingly interdependent and have much to lose from overt conflict in cyberspace. Evidence suggests that state-on-state cyberattacks and governments’ efforts to control their domestic cyberspace have been tempered by the interdependencies of an increasingly globalized world.70 Consequently, most governments want some degree of international cooperation. However, divergences over the governance of cyberspace highlighted in chapter 3 show that different models – some more supranational than others – continue to co-exist. These national differences can be explained by domestic factors such as regime type, and political and strategic culture.

Despite differences in national approaches to cybersecurity, most cyber powers confront common challenges in cyberspace. China, Russia and the United States all struggle to control and manage the various actors involved in cyberspace. These common challenges explain why nations that wield cyber power against each other cooperate on specific cybersecurity issues, such as the theft of banking information.71 The rapid evolution of connected information technologies, from malicious code to new applications to the Internet of Things (IoT), challenges governments’ desire to control cyberspace domestically, and provides opportunities to wield power on a global stage. National cybersecurity is inherently transnational, and therefore requires the interaction of a plethora of different actors, only some of which have the resources and authority to coordinate effective responses.

Discussion questions

1. How can we study cyber power?

2. Contrast and compare the American, Chinese and Russian approaches to national cybersecurity.

3. How is the tension between centralization and decentralization visible in the organization of cybersecurity at the state level?

Further reading

Center for Strategic and International Studies, Cybersecurity and Cyberwarfare, Preliminary Assessment of National Doctrine and Organization, 2011, www.unidir.org/files/publications/pdfs/cybersecurity-and-cyberwarfare-preliminary-assessment-of-national-doctrine-and-organization-380.pdf.

Franklin D. Kramer, Stuart H. Starr and Larry K. Wentz (eds.), Cyberpower and National Security (Washington, DC: National Defense University, 2009).

NATO Cooperative Cyber Defence Centre of Excellence, “Cyber Security Strategy Documents,” October 18, 2018, https://ccdcoe.org/cyber-security-strategy-documents.html.

Brandon Valeriano, Benjamin Jensen and Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion (Oxford University Press, 2018).

Notes