The New Normal

AUTHOR:  Ben Buchanan

PUBLISHED BY:  Harvard University Press

REVIEWED BY:  Patrick Swan, per Concordiam contributor

Cyber war wasn’t supposed to be this way. We expected the digital equivalent of Pearl Harbor, signifying the opening shots in a big global conflict. Like nuclear war, it would present a cyber version of mutually assured destruction. Instead, it has shown to be more effective when employed stealthily and with origin deniability — persistent, annoying, jostling cyber skirmishes. As a form of statecraft, these are more akin to cloak-and-dagger espionage than employment of big, ballistic bombs. There is an irony to this. As digital technology permits ever more precise delivery of conventional munitions, cyber technology remains often a mere blunt, uncontrollable and uncalibrated area-wide instrument of power.

To understand better this uncertain realm of warfare, Ben Buchanan offers us advice in his book, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. He writes: Always keep two approaches to statecraft in mind: signaling and shaping. If one can decipher whether a given cyber operation is intended to signal capability or to shape behavior, one can manage a competent understanding of “what just happened.” 

One signals an adversary that it has to change a certain behavior or face the consequences, while the other shapes events by hampering an adversary’s behavior. Buchanan argues that cyber is an increasingly versatile tool for shaping geopolitics and seizing advantages but is ill-suited for signaling one’s positions and intentions. Cyber capabilities often benefit from or require secrecy, he writes. Signaling makes visible one’s cyber capabilities.

Buchanan is blunt: The best way to conceptualize cyber operations is not through familiar signaling-centric paradigms, but through the framework of shaping, rooted in concepts such as espionage, sabotage and destabilization. He adds, “The states that reap the most benefits from hacking are the ones that aggressively mold the geopolitical environment to be more to their liking, not the ones that try to hint, coerce, or threaten.”

Nations threaten each other with rhetoric all the time. The old saw, “oh yeah, you and what Army” is a truism. You say you can cripple my power grid. Go for it. But unless those words are backed up with action, the threat is interpreted as nothing more than bluster. Even if Country Y acts against Country X, the effects are short-lived. The grid fails and the public undergoes inconvenience or suffering. County X restores the grid with more safeguards. At the same time, Country Y has surrendered its ability to shape County X’s conduct.

There are occasions when one may need to inadvertently signal one’s cyber capabilities while in the process of shaping. The United States killed the Iranian Revolutionary Guard commander at the Baghdad airport with a precision airstrike. The Americans shaped the ongoing conflict with Iran with this strike, assessing that removing the Iranian commander provided greater benefits than just signaling their capability to do so. No doubt, the strike led the Iranians to change their movement protocols, but these changes could not bring back an indispensable and charismatic leader.

To help readers comprehend the nuances in signaling and shaping, Buchanan divides his book into sections on espionage, attacks and destabilization. He recalls the message of international relations strategist Thomas Schelling, who focused a theory of warfare on bargaining. Signaling one’s “power to hurt” an adversary could coerce the adversary to at least partially bend to one’s will to avoid further costs. It sends clear and credible signals. Again, the problem with using this in cyber operations is the signals are rarely clear because by nature they must be shadowy. Hence, rather than signal to Iran that the U.S. had a cyber capability to sabotage its nuclear reactor work if it did not alter its pursuit of a nuclear bomb, it purportedly actually sabotaged it quietly, with the Stuxnet worm. This shaping operation undermined Iranian confidence in its ability to manage a nuclear reactor centrifuge because it did not know for certain whether this was a hostile, cyber-engineered problem or incompetence by its engineers.

In turn, when Iran launched a cyber attack on the Aramco oil company in Saudi Arabia to signal displeasure with Saudi policies, it failed to change Saudi behavior. One reason was that it was done surreptitiously, by third-party hackers, so Iran could deny national involvement. Buchanan states that signals are more meaningful when a state commits to them. Iran did not do so, surrendering the “win” that its hackers had achieved. Another aspect of effective, nuanced geopolitical signaling that Buchanan references is the capacity to inflict carefully measured amounts of violence, with the threat of more to come. After the Aramco strike, the Saudis did not fear a follow-up attack and did not change their behavior to satisfy Iranian objections.

The vignettes Buchanan shares reveal a conundrum for geopolitical cyber operations. Nations use hackers to act on behalf of the state. The state denies involvement so as not to trigger a physical war with an adversary. But the signal can be lost if the attack cannot be traced with certainty to the sponsoring nation. Additionally, if the sponsor nation is not directly overseeing the operation, the signaling may be murky.

Buchanan relates three observed characteristics of hacking: its versatility as a tool of geopolitical shaping, its weakness as a means of geopolitical signaling, and its ambition, which has become increasingly aggressive as modern cyber operations grow in capability. He writes, “Hacking has earned its place in the playbook of statecraft.” At the same time, hacking lacks precision because cyber intrusions do not lend themselves to predictable and easily calibrated force; that is, they cannot inflict a carefully chosen amount of harm. This is because cyber attacks are difficult to control with precision. If the attack achieves less than desired, the attackers often can’t go back because the capability is either spent or now detected and countered. And this is a key determinant for success: Its operational effects must be both anticipated and able to be ratcheted up over time. Anything less is just launching figurative cyber Scud missiles haphazardly in the hopes of hitting something of value. Effective signaling requires not just communication but also credible commitment. Buchanan writes, “Demonstrated commitment is hard to muster in cyber operations that risk no lives, have unclear paths of escalation, frequently offer no clear last chance to avert conflict, and often become less effective when their preparations are made public.”

An old Looney Tunes cartoon had one character harmed by another and then deadpanning dryly, “This means war.” In cyberspace, by contrast, Buchanan states that policymakers regard cyber operations not as acts of war or even public crises, but rather as part of the everyday digital melee. Nations use it to jostle for geopolitical advantage and are largely uninhibited by norms, treaties or fears of retaliation. This may go a long way in explaining why they are not treated as war — because one would be persistently at war with a number of nations, while at the same time not knowing for certain that one’s counterattack was striking at the actual nation behind the cyber operation. Without this certainty, the digital melee is a more inviting prospect.

In one respect, cyber operations fall squarely into what was once called “operations other than war” or “asymmetrical war” or “small war.” They can operate as stand-alone implements for achieving national strategy as part of a broader menu of activities. In another respect, they can work hand in hand with offensive operations by shaping the digital battlefield at the time conventional kinetic operations commence. It won’t matter if the capability is revealed because there won’t be time for the adversary to counter it before being overwhelmed by physical force. It works in a time-sensitive sense then.

The big takeaway from Buchanan’s book is to know what is more effective — shaping over signaling — in the cyber warfare realm. Then one can prepare best one’s cyber capabilities and employ them accordingly against known and anticipated threats when they are needed. In practice, this means against a state actor or a state-sponsored hacker activist. We’ve learned from experience that to confuse when to use each is strategic cyber malpractice.

Given that U.S. investments in security, collective defense and regional stability seek to create conditions that minimize conflict and promote opportunities for peace and prosperity, the best outcome one should strive for is one where cyber operations are unnecessary and, like nuclear weapons, rarely if ever used.