ARGUMENT: CYBERWARAre We Asking Too Much of Cyber?

Published 4 May 2023

Both cyber enthusiasts and skeptics may be asking too much of cyber. “U.S. cyber strategies should be more explicit about articulating not only the strategic benefits cyberspace offers but also its limitations,” Erica Lonegran and Michael Poznansky write. “More realism about cyberspace may help leaders truly integrate cyber capabilities.”

The U.S. intelligence community’s 2023 Annual Threat Assessment contains some alarming estimates, especially as it relates to the cyber capabilities of the People’s Republic of China. It states that Beijing would “almost certainly consider undertaking aggressive cyber operations against U.S. homeland critical infrastructure and military assets worldwide” if they thought war was “imminent.” These operations “would be designed to deter U.S. military action by impeding U.S. decisionmaking, inducing societal panic, and interfering with the deployment of U.S. forces.” Such warnings are particularly concerning considering we may be in the midst of what some experts call “the decade of maximum danger.”

Erica Lonegran and Michael Poznansky write in War on the Rocks that there were similar warnings prior to Russia’s invasion of Ukraine early last year.

Cyber security expert Jason Healey hypothesized that if a SolarWinds-style hack in the midst of the Ukraine crisis actually wiped data on all machines that downloaded the malware — as opposed to stealing data from a subset of them — “The psychological shock to the public and to decision-makers might successfully coerce the United States into backing down.” Others warned of the potential for Russia to use cyber tools to cow Ukraine into submission. One article held that “a potentially destructive cyber onslaught … could pressure Kyiv into concessions and its friends abroad into meeting Russia’s demands.” Another posited that Putin “would likely employ massive cyber and electronic warfare tools … to create ‘shock and awe,’ causing Ukraine’s defenses or will to fight to collapse.”

But not everyone is so sanguine about cyber’s promise and potential. When it comes to cyber coercion, these scholars and analysts are skeptical about cyber’s capacity to coerce or shape conflict in any meaningful way. They point to a number of factors that hamper cyber operations’ potential for coercion, such as their limitations in generating costly effects; their unpredictable nature, which can confound attempts to cause a desired effect against a specific target at the right time; and the fact that brandishing cyber capabilities for the purposes of signaling can undermine their effectiveness