It is becoming more likely that the United States will find itself in the middle of a crisis in cyberspace — through the escalation of tensions associated with a major cyberattack, suspicions that one has taken place, or fears that it might do so soon. The growing number of cyber incidents is rising, and the risks arising from cyberspace are perceived as growing more consequential.
But are cybercrises inevitable? And are there steps that can be taken to manage one?
Yes — on both counts. In my latest study, conducted for the Air Force, I assess the best ways to address how crises escalate and their associated risks. By taking steps to reduce the incentives for other states to step into crisis, by controlling the narrative, understanding the stability parameters of the crises, and trying to manage escalation if conflicts arise from crises, the United States can manage a cybercrisis.
The study draws several conclusions for the Air Force:
- It should find ways of conveying to others that its missions can be carried out in the face of a full-fledged cyberattack.
- It needs to watch carefully the messages and signals it sends out about its operations, both explicit and implicit.
- It should clearly differentiate between cyberwar operations that can be part of kinetic operations, and those that cannot.
- Air Force planners must understand how their potential adversaries would perceive the escalatory aspect of potential offensive operations.
- The Air Force should develop itself as an independent source of expertise on cyberwar.
Martin Libicki is a senior management scientist at the nonprofit, nonpartisan RAND Corporation.