Are We Asking Too Much of Cyber?

Too often, conversations about cyber coercion take place in a vacuum, disconnected from broader debates about coercion and its efficacy. Coercion theory focuses on the threat or application of force or punishment of some kind to shape the behavior of an adversary — either as a form of deterrence to prevent or dissuade them from taking an undesirable action or as a form of compellence to induce changes in behavior. Despite its appeal, there are countless studies which indicate that coercion routinely fails, regardless of the tool being used. Even still, leaders often rely on these imperfect tools not because they expect them to work but because they lack better options.

The upshot is that both cyber enthusiasts and skeptics may be asking too much of cyber. When enthusiasts speak of cyber’s enormous coercive potential, they are essentially expecting it to be more potent than conventional tools that commonly fail. By placing disproportionate faith in a fragile and ephemeral capability, they overlook the fact that coercion of all kinds often fails. For their part, cyber skeptics are discounting the reality that many of the non-digital tools states use to shape one another’s behavior also have a poor track record. Moreover, by dismissing cyber coercion’s potential, often for good reasons, skeptics may find it challenging to engage policymakers who are likely to find it appealing — not necessarily because they expect it to succeed but because options are limited. They may also underestimate the frequency with which adversaries may attempt cyber coercion for the same reason. And even if those attempts ultimately fail, the damage done in the process demands that we anticipate them and take them seriously.

Simply put, coercion is hard. Cyber is especially problematic, but it is not uniquely limited. The sooner we come to terms with this, the sooner we can prioritize what cyber capabilities can best accomplish.

Lonergan and Poznansky conclude:

Looking ahead, U.S. cyber strategies should be more explicit about articulating not only the strategic benefits cyberspace offers but also its limitations. One useful example from which policymakers could draw is the United Kingdom’s recently released National Cyber Force white paper, which offers strategic guidance for offensive cyber operations. The document directly tackles some of the challenges of employing cyber power — such as the limited evidence that cyber operations can be a “primary contributor to deterrence,” the constraints associated with developing and employing exquisite offensive cyber capabilities, and the difficulties of measuring outcomes. The strategic guidance engages these issues while still offering a robust vision for the role of cyber offense. Moreover, it is worth noting that whenever leaders use cyber for coercion, they are potentially burning exploits that could have been leveraged for intelligence. This is less relevant for capabilities like conventional munitions where intelligence and military capabilities are not as intertwined.

More realism about cyberspace may help leaders truly integrate cyber capabilities. In most cases, integrating cyber effectively will mean leveraging the insights gleaned from this domain to tailor other, non-digital forms of deterrence and coercion. In the rare cases where leaders believe cyber coercion can work, it is likely to be as part of a broader package involving other policy levers. Figuring out what the right cocktail is will be hard but is a worthy undertaking.