Martin C. Libicki - Crisis and Escalation in Cyberspace

Martin C. Libicki

Prepared for the United States Air Force
Approved for public release; distribution unlimited

The research described in this report was sponsored by the United States Air Force under Contract FA7014-06-C-0001. Further information may be obtained from the Strategic Planning Division, Directorate of Plans, Hq USAF.

Library of Congress Cataloging-in-Publication Data

Libicki, Martin C.
Crisis and escalation in cyberspace / Martin C. Libicki.
1 online resource.
Includes bibliographical references.
Description based on print version record and CIP data provided by publisher; resource not viewed.
ISBN 978-0-8330-7680-9 (epub) -- ISBN 978-0-8330-7681-6 (prc) -- ISBN 978-0-8330-7679-3 ( ebook/pdf) -- ISBN 978-0-8330-7678-6 (pbk. : alk. paper)
1. Information warfareUnited States. 2. Escalation (Military science) 3. CyberspaceSecurity measures. 4. Crisis managementGovernment policyUnited States. 5. CyberterrorismPrevention. 6. United States. Air ForceOrganization. 7. United States. Air ForceDecision making. 8. Conflict management. I. Title.

U163
358.4141dc23

2012046778

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RANDs publications do not necessarily reflect the opinions of its research clients and sponsors.

RAND is a registered trademark.

Copyright 2012 RAND Corporation

Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND documents to a non-RAND website is prohibited. RAND documents are protected under copyright law. For information on reprint and linking permissions, please visit the RAND permissions page (http://www.rand.org/publications/permissions.html).

Published 2012 by the RAND Corporation
1776 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138
1200 South Hayes Street, Arlington, VA 22202-5050
4570 Fifth Avenue, Suite 600, Pittsburgh, PA 15213-2665
RAND URL: http://www.rand.org/
To order RAND documents or to obtain additional information, contact
Distribution Services: Telephone: (310) 451-7002;
Fax: (310) 451-6915; Email:

This report presents some of the results of a fiscal year 2011 RAND Project AIR FORCE study on the integration of kinetic and nonkinetic weapons, U.S. and Threat Non-Kinetic Capabilities. It discusses the management of cybercrises throughout the spectrum from precrisis to crisis to conflict.

The basic message is simple: Crisis and escalation in cyberspace can be managed as long as policymakers understand the key differences between nonkinetic conflict in cyberspace and kinetic conflict in the physical world. Among these differences are the tremendous scope that cyberdefense affords; the near impossibility and thus the pointlessness of trying to disarm an adversarys ability to carry out cyberwar; and the great ambiguity associated with cyberoperationsnotably, the broad disjunction between the attackers intent, the actual effect, and the targets perception of what happened. Thus, strategies should concentrate on (1) recognizing that crisis instability in cyberspace arises largely from misperception, (2) promulgating norms that might modulate crisis reactions, (3) knowing when and how to defuse inadvertent crises stemming from incidents, (4) supporting actions with narrative rather than signaling, (5) bolstering defenses to the point at which potential adversaries no longer believe that cyberattacks (penetrating and disrupting or corrupting information systems, as opposed to cyberespionage) can alter the balance of forces, and (6) calibrating the use of offensive cyberoperations with an assessment of their escalation potential.

The research reported here was sponsored by Gen Gary North, Commander, U.S. Pacific Air Forces, and conducted within the Force Modernization and Employment Program of RAND Project AIR FORCE. It should be of interest to the decisionmakers and policy researchers associated with cyberwarfare, as well as to the Air Force strategy community.

RAND Project AIR FORCE (PAF), a division of the RAND Corporation, is the U.S. Air Forces federally funded research and development center for studies and analyses. PAF provides the Air Force with independent analyses of policy alternatives affecting the development, employment, combat readiness, and support of current and future air, space, and cyber forces. Research is conducted in four programs: Force Modernization and Employment; Manpower, Personnel, and Training; Resource Management; and Strategy and Doctrine.

Additional information about PAF is available on our website:
http://www.rand.org/paf/

A.1. Configuring Networks to Limit the Damage of
Distributed Denial-of-Service Attacks

The chances are growing that the United States will find itself in a cybercrisisthe escalation of tensions associated with a major cyberattack, suspicions that one has taken place, or fears that it might do so soon. By crisis, we mean an event or events that force a state to take action in a relatively short period of time or face the fraught consequences of inaction. When they fear that failure to act leads to war or a great loss of standing, states believe they must quickly decide whether to act. When we use the term cyberattacks, we refer to what may be a series of events that start when systems are penetrated and may culminate in such events as blackouts, scrambled bank records, or interference with military operations.

The basis for such a forecast is twofold. First, the reported level of cyberincidents (most of which are crimes or acts of espionage) continues to rise. Second, the risks arising from cyberspace are perceived as growing more consequential, perhaps even faster.

The genesis for this work was the broader issue of how the Air Force should integrate kinetic and nonkineticthat is, cyberoperations. Central to this process was careful consideration of how escalation options and risks should be treated, which, in turn, demanded a broader consideration across the entire crisis-management spectrum.

To put the material on escalation into a broader context, we preface it with an examination of appropriate norms for international conduct with a focus on modulating day-to-day computer-network exploitation and building international confidence ( covers narratives, dialogue, and signals: what states can and should say about cybercrises. A state that would prevail has to make a clear story with good guys and bad guys without greatly distorting the facts (beyond their normal plasticity).