Are We Asking Too Much of Cyber?

The U.S. intelligence community’s 2023 Annual Threat Assessment contains some alarming estimates, especially as it relates to the cyber capabilities of the People’s Republic of China. It states that Beijing would “almost certainly consider undertaking aggressive cyber operations against U.S. homeland critical infrastructure and military assets worldwide” if they thought war was “imminent.” These operations “would be designed to deter U.S. military action by impeding U.S. decisionmaking, inducing societal panic, and interfering with the deployment of U.S. forces.” Such warnings are particularly concerning considering we may be in the midst of what some experts call “the decade of maximum danger.”

There were similar warnings prior to Russia’s invasion of Ukraine early last year. Cyber security expert Jason Healey hypothesized that if a SolarWinds-style hack in the midst of the Ukraine crisis actually wiped data on all machines that downloaded the malware — as opposed to stealing data from a subset of them — “The psychological shock to the public and to decision-makers might successfully coerce the United States into backing down.” Others warned of the potential for Russia to use cyber tools to cow Ukraine into submission. One article held that “a potentially destructive cyber onslaught … could pressure Kyiv into concessions and its friends abroad into meeting Russia’s demands.” Another posited that Putin “would likely employ massive cyber and electronic warfare tools … to create ‘shock and awe,’ causing Ukraine’s defenses or will to fight to collapse.”

But not everyone is so sanguine about cyber’s promise and potential. When it comes to cyber coercion, these scholars and analysts are skeptical about cyber’s capacity to coerce or shape conflict in any meaningful way. They point to a number of factors that hamper cyber operations’ potential for coercion, such as their limitations in generating costly effects; their unpredictable nature, which can confound attempts to cause a desired effect against a specific target at the right time; and the fact that brandishing cyber capabilities for the purposes of signaling can undermine their effectiveness. 

Too often, conversations about cyber coercion take place in a vacuum, disconnected from broader debates about coercion and its efficacy. Coercion theory focuses on the threat or application of force or punishment of some kind to shape the behavior of an adversary — either as a form of deterrence to prevent or dissuade them from taking an undesirable action or as a form of compellence to induce changes in behavior. Despite its appeal, there are countless studies which indicate that coercion routinely fails, regardless of the tool being used. Even still, leaders often rely on these imperfect tools not because they expect them to work but because they lack better options.

The upshot is that both cyber enthusiasts and skeptics may be asking too much of cyber. When enthusiasts speak of cyber’s enormous coercive potential, they are essentially expecting it to be more potent than conventional tools that commonly fail. By placing disproportionate faith in a fragile and ephemeral capability, they overlook the fact that coercion of all kinds often fails. For their part, cyber skeptics are discounting the reality that many of the non-digital tools states use to shape one another’s behavior also have a poor track record. Moreover, by dismissing cyber coercion’s potential, often for good reasons, skeptics may find it challenging to engage policymakers who are likely to find it appealing — not necessarily because they expect it to succeed but because options are limited. They may also underestimate the frequency with which adversaries may attempt cyber coercion for the same reason. And even if those attempts ultimately fail, the damage done in the process demands that we anticipate them and take them seriously.

Simply put, coercion is hard. Cyber is especially problematic, but it is not uniquely limited. The sooner we come to terms with this, the sooner we can prioritize what cyber capabilities can best accomplish.

Why Coercion is Hard

States often turn to coercion to influence other leaders short of war. Leaders can implement coercive strategies through denial approaches, thereby making it more difficult for adversaries to carry out their military strategy. Alternatively, they can turn to punishment by imposing significant costs on an adversary’s civilian population and economy — or at least threatening to.

Despite its appeal, successful coercion is notoriously elusive.For it to work, several factors must align. The coercing state must clearly communicate to adversaries the desired behavior and the consequences of defiance. The threat must also be credible, which means states need both the capability and political will to carry it out. The potential costs also have to outweigh any benefit the target perceives in taking an action. Finally, and perhaps most difficult, the coercing state has to reassure the target it will not carry out its threat if it complies. There are many points where things can go awry.

Unsurprisingly, examples of failed coercion abound. The United States could not deter Syria from using chemical weapons despite President Barack Obama’s August 2012 warning that it would be a “red line” that would “change [his] calculus” and cause “enormous consequences.” The U.S. threat to Muammar Gadhafi in March 2011 to “step down from power and leave,” coupled with the warning that the United States was exploring a range of military responses if he refused, is another example of failed coercion. And the Trump administration’s coercive diplomacy campaign, applying “maximum pressure” with blustery threats of military force like the president’s infamous “fire and fury” warning in 2017, did not result in concessions by North Korea around its nuclear weapons program.

A Deeper Dive into the Limits of Coercive Tools

The most popular tool the United States employs to coerce external actors is economic sanctions. However, targets often find ways of circumventing them, especially earlier efforts that were less “smart” and tailored. And once sanctions are applied, it becomes more difficult to repeal them, undermining the reassurance aspect of coercion. Individual cases illustrate the point. The United States and its allies have imposed punishing sanctions on North Korea for years with little to show for it. The same could be said for sanctions against Iraq throughout the 1990s.

Where sanctions appear to have had an effect, it was often a large-scale, multilateral effort that took years to bear fruit. Iran is a good example. Many experts identify a desire for sanctions relief as important for getting Iran to the negotiating table in 2015 to sign the Joint Comprehensive Plan of Action. But to make sanctions bite, a collective effort of lots of countries was necessary. After Trump ended U.S. participation in the agreement, the effectiveness of sanctions — many of which were temporarily lifted as part of the deal — on Iran’s enrichment progress has been minimal.

The limits of aerial bombing is also instructive. Despite advancements in precision, lethality, and range, air-power is often of marginal coercive utility, especially when used independently and as a form of punishment. Germany’s strategic bombing campaign against London in World War II was a failure. The United States dropped millions of tons of ordnance during the Vietnam War and still lost.

When it comes to cyberspace, there are endemic features of the domain that undermine its usefulness as a tool of coercion. Reasons include the difficulty of attribution, the inability to telegraph attacks beforehand without compromising access, and the relatively low impact and reversibility of most operations. Even if states could credibly communicate that they would impose costs and those threats were believed, adversaries still may not care. Despite all this, states continue to find cyber coercion enticing.

The takeaway is not that policymakers should refrain from being skeptical of cyber’s coercive capacity. Rather, the point is that many tools of statecraft are ineffective when it comes to coercion, whether kinetic, economic, or digital. And when they do work, it is often because of large-scale, joint efforts or a host of other factors that contribute to success.

A Lack of Good Options

If coercion is so hard, it may seem odd that states try it so often. In reality, it is less puzzling than it seems. Leaders are not purely motivated by effectiveness when deciding which tools of statecraft to use. They frequently pursue policies they anticipate will not be wildly successful owing to a lack of better options. In the case of the United States, this is often due to perceived limitations of political will, especially when it comes to using military force where troops are deployed overtly.

Interestingly, then, asking whether cyber coercion is effective or ineffective is often beside the point. In many instances, leaders turn to this capability — just as they do others, such as remotely piloted aircraft — because they can avoid significant escalation while still demonstrating they are doing something. If it succeeds, all the better. But effectiveness regularly competes with a reluctance to expend significant blood and treasure or incur major political costs.

Another wrinkle is that when leaders turn to imperfect tools of coercion because the alternatives are too costly, this further undermines the very resolve needed for successful coercion. If targets are aware of the constraints leaders are operating under, or can infer as much from the actions they take, it diminishes the chances of capitulation. With respect to cyber specifically, if adversaries believe policymakers are using these capabilities because they want to shield themselves from more significant costs, it is little wonder their coercive potential is limited.

Getting Cyber Right in an Era of Competition

This discussion has big implications for assessing the threat that China poses in cyberspace, particularly in a crisis or in wartime. As mentioned at the outset, U.S. policymakers clearly believe China is attracted to the prospect of cyber coercion. According to a recent Politico article, China may “unleash a volley of digital strikes against the United States” in the context of potential military action against Taiwan. Policymakers like Rep. Mike Gallagher warn that in a Taiwan invasion scenario, China would likely conduct cyber attacks against America’s “electrical grid, water systems and communications infrastructure — especially near military installations.”

The million-dollar question is whether this would work. Theory and evidence suggest it may not. Coercion, for reasons outlined above, is hard. Cyber enthusiasts have yet to articulate why things would be different this time around. Even if the operations succeed on technical grounds, there is no guarantee of coercive success. Coercive attempts by China are just as likely to rally the American public as they are to divide it. To be sure, China may recognize as much and still try it anyway — something skeptics have not fully grappled with. China may see few alternatives for targeting the U.S. homeland directly. As such, the potential for widespread disruption demands that policymakers continue to invest in defense and resilience even if coercion ultimately fails. 

There are also major lessons here for U.S. strategy. The appeal of cheap(er) coercive tools is apparent in U.S. strategic documents. The 2023 National Cybersecurity Strategy — the first one authored by the new Office of the National Cyber Director — calls on the United States to conduct “disruption campaigns” on an ongoing basis. A core pillar of the 2022 National Defense Strategy is the concept of “integrated deterrence,” which sees offensive cyber operations as one of many options for shaping how adversaries — especially China, which the strategy defines as the “pacing challenge”  — view the expected benefits of aggression. 

Looking ahead, U.S. cyber strategies should be more explicit about articulating not only the strategic benefits cyberspace offers but also its limitations. One useful example from which policymakers could draw is the United Kingdom’s recently released National Cyber Force white paper, which offers strategic guidance for offensive cyber operations. The document directly tackles some of the challenges of employing cyber power — such as the limited evidence that cyber operations can be a “primary contributor to deterrence,” the constraints associated with developing and employing exquisite offensive cyber capabilities, and the difficulties of measuring outcomes. The strategic guidance engages these issues while still offering a robust vision for the role of cyber offense. Moreover, it is worth noting that whenever leaders use cyber for coercion, they are potentially burning exploits that could have been leveraged for intelligence. This is less relevant for capabilities like conventional munitions where intelligence and military capabilities are not as intertwined. 

More realism about cyberspace may help leaders truly integrate cyber capabilities. In most cases, integrating cyber effectively will mean leveraging the insights gleaned from this domain to tailor other, non-digital forms of deterrence and coercion. In the rare cases where leaders believe cyber coercion can work, it is likely to be as part of a broader package involving other policy levers. Figuring out what the right cocktail is will be hard but is a worthy undertaking.

Erica Lonergan is an assistant professor in the Army Cyber Institute at West Point and a research scholar at the Saltzman Institute of War and Peace Studies at Columbia University. She is the co-author, with Shawn W. Lonergan, of “Escalation Dynamics in Cyberspace” (Oxford University Press, 2023).

Michael Poznansky is an associate professor in the Strategic and Operational Research Department and a core faculty member in the Cyber and Innovation Policy Institute at the U.S. Naval War College. He is the author of In the Shadow of International Law: Secrecy and Regime Change in the Postwar World (Oxford University Press, 2020). 

The views expressed here are the authors’ alone and do not reflect the policy or position of any U.S. government organization or entity with which they may be affiliated.

Image: U.S. Cyber Command