Lucas Kello, The Virtual Weapon and International Order (Yale University Press, 2017)
Why do all hackers wear hoodies? A quick Google image search for terms “hacker” or “cyber” will give you a range of abstract stock photos of men (almost never women) in hoodies, along with incoherent codes (usually Python script) in the background or foreground. Usually, these abstract stock images are accompanied by either circuit board or world map artworks, adding to the nonsensicality of the visual imagination of cyberspace. CNN asked the same question in May 2017, exploring the stereotypical representations of programmers, cybersecurity professionals, or “hacktivists” with a hoodie or occasional Guy Fawkes mask in stock photos, Hollywood movies or popular series. After all, there must be a reason why Eliott in Mr. Robot puts on his hoodie when he’s stressed out, or about to embark on a shady adventure.
A visual content analysis of our digital constructions of cyberspace yields several recurring themes: We can’t properly define the extent, main actors involved within, and the adversarial mechanics of power in digital interactions. Anonymity (hoodies), protest (Guy Fawkes mask), ambiguity (incoherent codes), and global repercussions (world map made of a circuit board) are the four main pillars of how we define cyberspace in popular culture. It is a fluid space with unclear borders, obscure actors, fuzzy interests, and uncertain metrics of success. It is hard to defend and even harder to set borders, barriers or confines of legitimacy. It is a domain that is often thought of as weakening state capabilities and enabling non-state actors and interests.
Naval military history is rich with analogies for cyberwar. The Greco-Persian Wars (499 to 449 BC) witnessed the first combined land-sea operations that rendered an inherently fluid and largely indefensible space – water – as a force multiplier in combat. It wasn’t until the invention of “wooden walls” of Themistocles’ triremes in Salamis that the first semblance of naval defense emerged, albeit at disproportionate costs. Cyberspace too is a fluid and often indefensible space with fuzzy boundaries that states seek to defend by squeezing overwhelming resources into selected chokepoints of data transfers. Then the Romans introduced offshore blockade warfare by way of the naval catapult and siege towers. Maritime siege technology enabled great powers to use this fluid domain of combat to make a marked difference against ground defenses, rather than merely cultivate it as a force multiplier for ground operations. In a similar vein, it was with the 2010 Stuxnet attack on the Iranian nuclear facility in Natanz that cyberspace came to be acknowledged as posing a threat to critical physical infrastructure.
A major transformative war has usually accompanied advances in naval technology. Development of galleasses (large, slow, but imposing 16th and 17th century sail-oar hybrid naval vessels) enabled ships to carry more firepower than faster, but more vulnerable galleys, which enabled the victory of the Venetian-Spanish fleet over the numerically superior Ottoman fleet in the critical Battle of Lepanto of 1571. Demonstrating the difficulty of maintaining supremacy in this fluid environment, Ottomans would later build better galleasses and re-assert their dominance in the Mediterranean, by defeating the navies of the Holy League. Like modern-day cyber relations between state and non-state digital power brokers, Ottoman naval resurgence was a result of their close strategic alliance with the most potent maritime non-state actors of the day – Barbary Corsairs. State resources and non-state unpredictability, when used in tandem, reduced the Spanish and Venetian navies’ freedom of navigation and resource generation, turning the tide of great power relations in the Mediterranean Sea.
Today, cyberspace serves as the vantage point of similar recalibrations of great power relations through the use of hackers, hybrid media systems and technology companies. Non-state actors are especially strengthened by this fluidity and slowness in which states try to adapt to digital space. This fluidity has also blurred realism as the fundamental paradigm of international relations. States are no longer the primary forces of change in the cyber domain, and they are most certainly not unitary actors. Usually, different agencies and branches pursue often competing interests and motives in digital space. It is no wonder then, that the idea of ‘privateering’ – essentially a 16th and 17th century naval concept – has already been deployed in reference to state sponsorship of non-state actors in digital conflicts.
Fluidity is the core premise of cyberspace. Traditional concepts of offense and defense are also blurred concepts in digital power relations. Often, we tend to overlook the fact that cyber events are now a daily occurrence, occuring in real-time, all over the world. We tend to cherry-pick incidents that are either digital anomalies, that lead to physical harm (including financial), or cause abnormal peaks in network behavior. Defining a cyber event has been so elusive that the University of Maryland has started a new measurement debate on policy-relevant metrics that would constitute a major “cyber incident”. In addition, there is the oft-cited Tallinn Manual, which outlines international legal criteria that would help define a “cyber attack”. Yet, what constitutes a “cyber-attack” for all operational purposes suffers from the same problem with terrorism research: lack of an operational, internationally agreed upon, actionable definition of what it tangibly constitutes. Computer scientists present their own data-centric measurements of risk hotspots, whereas social science security researchers focus on more societal aspects of human-machine interactions. As more research clusters attempt to draw the boundaries of cyberspace, much gets lost in translation, technical details, and perhaps crucially, over-emphasized research findings submitted before funding progress monitoring committees.
A new book, The Virtual Weapon and International Order, provides much-needed conceptual and theoretical context that establishes a solid foundation for the study of cyberspace in international relations. It trims away much of the fat around the overabundance and abuse of “cyberisms” and alarmist strands of mainstream debate concerning a hypothetical “cyber Pearl Harbor” or “cyber world war.” Lucas Kello grounds the debate and operationalizes it into three pillars: who operates in cyberspace (units of analysis), how power (offense-defense balance) is constructed in the digital medium, and the primary parameters of statecraft (sovereignty, strategy, and policy) in online transactions. The level of accessibility of the book makes it an easy introduction for readers to both policy and technical worlds. Indeed, this speaks the most fundamental contribution of the book: Kello shows how international relations can (and should) discuss global power relations in cyberspace without being derailed by highly technical details of the computer science world. This is an interesting debate both for academic and policy circles, as it closely resembles the Cold War debate on how much international relations scholars should know about nuclear physics to develop models on nuclear escalation, deterrence, and war. Some of the most influential Cold War nuclear policy practitioners like Henry Kissinger, Zbigniew Brzezinski, Brent Scowcroft or theorists like Kenneth Waltz, John Mearsheimer, and Thomas Schelling didn’t come from an engineering background – yet they defined the very foundations of nuclear deterrence doctrines and patterns of escalation literatures. This may not be a palatable argument for computer scientists trying to make inroads into the international relations-cybersecurity nexus, or coder international relations scholars such as myself, but the book successfully defends this case.
The key foci in Virtual Weapon are the properties, boundaries and effects of the adversarial nature of digital space and their impact on inter-state relations. The book tackles the hard task of conceptualizing the limits and extent of cyber adversity through a combination of theory-building and process tracing methods, dissecting its deterrent qualities (chapters 2 and 7), escalation potential (chapters 4-6), impact on state-non-state relations (chapters 8 and 9), and overall potential of cooperation and conflict on global affairs.
The first chapter is especially useful for teaching, as it embarks on a methodological challenge against the interdisciplinarity of “cyber studies,” deriving from a large number of fields. A recent trend in computational social science research is to create “extreme interdisciplinarity” to answer some of the most pressing challenges of digital space. Kello criticizes this “Clash of Conceptions” due to the ambiguity in which it addresses the cyber question. Defining cyber as an analytical field, or a level of analysis in international relations, is so elusive that this uncertainty is by itself generating alarmism in mainstream debate, Kello maintains.
The book goes on to cluster the scholarship of “cyber skeptics” into three categories. First are the “technoskeptics”, who steer clear of cyber issues due to the high level of technical expertise required for scholars to fully grasp this domain. The second line of skepticism comes from “threat skeptics” who attempt to contextualize much of the alarmism about “cyber nuclear war” schools of thought. Such cyber alarmism has already been criticized in Thomas Rid’s “Cyber War Will Not Take Place” and James Shires and Max Smeets’ “The Word Cyber Now Means Everything—and Nothing At All.” Joseph Nye had already reassured American audiences that the United States is “already well ahead of the curve,” although recent warnings about the United States lagging behind in artificial intelligence raise questions about Nye’s statements. The final layer of skepticism calls for the very rejection of a cyber theory embedded in international relations, citing that technology or cyber have nothing new to add to already existing conceptualizations of interstate war and the structure of global conflict patterns. These conceptualizations play out later in the book, as the theory-building and empirical case selection silently communicate with these three layers of skepticism.
But the book goes beyond its theoretical contributions and serves as a solid guide for policymakers. For example, how do you create a strategic doctrine for a disruptive technology that can incapacitate virtually anything, from targeting systems to missile defense architecture and crisis communications? How do you plan for retaliation if successful attribution for the initial attack is only possible after weeks of code validation? Even more important, should actors in cyberspace attempt to hack back even though code architecture and language of the initial attack could easily be mimicked to implicate other countries? Kello asserts that the decision-makers should learn to live in a state of “unpeace”: a state of affairs where frequent attacks create a chaotic and uncertain environment, but are usually not destructive enough to constitute a war. The attacker usually sets the modes of the conflict and the defender has to invest exponentially higher sums (financial and human capital) in order to defend. Yet cyberspace has no spending “sweet spot” and the question of how much to invest in defense is always overshadowed by the question of in what defense to invest.
These questions are important because some of the core contributions of the book orbit around the concepts that the mainstream theoretical and policy debate takes for granted. For example, what is a cyber threat? Many analyses of cyber incidents miss the fact that cyber events do not have a start or end time. As an ongoing real-time power negotiation between vaguely defined state, sub-state, non-state entities, we often identify ‘cyber incidents’ in terms of physical damage, or sudden peak in volume, but is that enough? The Department of Homeland Security has its own National Cyber Incident Response Plan that lays out different responsibilities for government agencies. Britain’s signals intelligence agency runs an incident management team. Yet, these address cyber incidents on a case-by-case basis and come short of conceptualizing state interests, power and capability metrics in digital space. This is precisely what Kello aims to address in his book.
There are numerous pitfalls in discussing cyberspace in isolation from other technological advances in interconnectedness and digital technologies. Not only traditional weapons systems – flight electronics, artillery targeting systems, and naval anti-missile radars – but also newer combat platforms such as drones, 3D printers, satellite targeting systems, and artificial intelligence-based target selection systems have a symbiotic relationship with cyberspace. The book aptly avoids this pitfall by linking the emerging technologies debate together with the cyber debate, exploring potential conceptual and theoretical evolutions of both domains in relation to one another. Kello identifies three sets of challenges for international order: third-order (inadvertent, miscalculated escalations), second-order (revisionary state challenges), and first-order (non-state actor challenge to states system as a whole) disruptions. These render both defense and deterrence in cyberspace significantly problematic – a theme explored recently by Nye, Ben Buchanan, Magnus Hjortdal and Erik Gartzke. Deterring cyber-attacks is a difficult endeavor, especially when you think that it is a) hard to notice skilled attacks and b) that regular cyber-attacks take place in real time. Punctuated deterrence, defined by Kello as “a series of actions that generate cumulative effect, rather than tit for tat response” is offered as the best way to address these issues. The book tests this theory by exploring Russian cyber doctrine through process tracing analysis, including layers of its digital adversarial strategies; misinformation, hackers, bots, confusion and misleading.
Like naval history, the cyber domain comes with its own riddles: “Every advantage borne of the new technology also invites its dangers.” The book ends with a rather cautious evolutionary conclusion, portraying cyber space as producing equal levels of opportunity and disruption, forcing states and non-state actors to continuously adapt to its ever-changing contours and novelties. Non-state actors are still more adaptive to these changes overall, posing a challenge to states individually and the state-system as a whole. This, according to Kello, imposes new duties on international relations scholars “to supply concepts that can close the gap between theory and new technology to the narrowest degree possible before the forces of change unleash new rounds of disturbance in the known order.” This may prove to be a tall order with our existing measurement tools for cyber events, whereby the sound of terabytes of trees falling a day on the web incapacitates us in terms of responding and understanding digital dynamics. It is, then, not our absence in the digital forest, but the overabundance of falling trees that deafens us to the proverbial “sound” that the quantum riddle expects us to hear.
H. Akin Unver (@AkinUnver) is an Assistant Professor of International Relations at Kadir Has University, Istanbul. He currently serves as a fellow at the Center for Technology and Global Affairs at Oxford University and a research associate at the Alan Turing Institute, London. He is the author of the recently published report: Computational Diplomacy: Foreign Policy Communication in the Age of Algorithms and Automation.
Image: Defense Department