One of the tests of any theoretical paradigm is whether it works on a new explanatory domain. The introduction of "cyber" as a new possible zone of conflict would seem to be an ideal testing ground for international relations theory, for example. Will cybersecurity emerge within a strong body of law-governed international regimes, a norm-infused sphere of do's and don'ts, a game-theoretic equilibrium in which no actor has an incentive to deviate frrom status-quo policies, an arena where nuclear analogies are applied to a new and not-so-similar security theater, or a realpolitik zone of anarchy in which there are no rules or norms, just exercises of power and capabilities?
Based on recent reporting, the answer appears to be a realpolitik one. After bolstering the Department of Defense's Cyber Command even during a time of austerity, the New York Times' David Sanger and Thom Shanker report on a new legal review of presidential authority in this area:
A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.
That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nation’s first rules for how the military can defend, or retaliate, against a major cyberattack. New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code — even if there is no declared war.
The rules will be highly classified, just as those governing drone strikes have been closely held....
Cyberweaponry is the newest and perhaps most complex arms race under way. The Pentagon has created a new Cyber Command, and computer network warfare is one of the few parts of the military budget that is expected to grow. Officials said that the new cyberpolicies had been guided by a decade of evolution in counterterrorism policy, particularly on the division of authority between the military and the intelligence agencies in deploying cyberweapons. Officials spoke on condition of anonymity because they were not authorized to talk on the record....
As the process of defining the rules of engagement began more than a year ago, one senior administration official emphasized that the United States had restrained its use of cyberweapons. “There are levels of cyberwarfare that are far more aggressive than anything that has been used or recommended to be done,” the official said....
While many potential targets are military, a country’s power grids, financial systems and communications networks can also be crippled. Even more complex, nonstate actors, like terrorists or criminal groups, can mount attacks, and it is often difficult to tell who is responsible. Some critics have said the cyberthreat is being exaggerated by contractors and consultants who see billions in potential earnings.
One senior American official said that officials quickly determined that the cyberweapons were so powerful that — like nuclear weapons — they should be unleashed only on the direct orders of the commander in chief.
A possible exception would be in cases of narrowly targeted tactical strikes by the military, like turning off an air defense system during a conventional strike against an adversary.
“There are very, very few instances in cyberoperations in which the decision will be made at a level below the president,” the official said. That means the administration has ruled out the use of “automatic” retaliation if a cyberattack on America’s infrastructure is detected, even if the virus is traveling at network speeds....
Under the new guidelines, the Pentagon would not be involved in defending against ordinary cyberattacks on American companies or individuals, even though it has the largest array of cybertools. Domestically, that responsibility falls to the Department of Homeland Security, and investigations of cyberattacks or theft are carried out by the F.B.I.
There's a lot going on in this story, but distilled to its elements, it does seem as though the U.S. is ramping up its offensive capabilities a hell of a lot more than preparing for defensive resiliency. So, offensive realism for the win, right?
Well, maybe, or maybe this is just some odd organizational politics going on. I confess to finding this utterly puzzling, because the latter is clearly kinda important. In an arena populated by non-state actors and quasi-non-state actors, defense would seem to me to be a far more important concern.
The language and analogies being used by officials in the story are also a confusing mix. On the one hand, a lot of the quotes in the story suggest that they think of cyber as like nuclear deterrence, in that escalation could be a very, very, very bad thing. On the other hand, keeping the decision rules classified seems to cut against any kind of deterrence logic.
The New Republic's Thomas Rid is equally bumfuzzled:
Barack Obama is probably America’s most web-savvy president ever. But when it comes to actually crafting policy for the nation's cyber security, his administration has been consistent in only one aspect: bluster. Obama's major legacy on cyber security, it increasingly seems, will be an infrastructure for waging a non-existent “cyber war” that's incapable of defending the country from the types of cyber attacks that are actually coming....
[T]he rhetoric of war doesn't accurately describe much of what happened [in recent cyberattacks]. There was no attack that damaged anything beyond data, and even that was the exception; the Obama administration's rhetoric notwithstanding, there was nothing that bore any resemblance to World War II in the Pacific. Indeed, the Obama administration has been so intent on responding to the cyber threat with martial aggression that it hasn't paused to consider the true nature of the threat. And that has lead to two crucial mistakes: first, failing to realize (or choosing to ignore) that offensive capabilities in cyber security don’t translate easily into defensive capabilities. And second, failing to realize (or choosing to ignore) that it is far more urgent for the United States to concentrate on developing the latter, rather than the former.
In many ways, what's happening with cyber appears to mirror a more general conceptual uncertainty about whether resources and doctrine that apply to other states in the international system can be applied to non-state actors as well. In cyber, it seems that the latter is the more immediate and constant threat, while the former is the more serious but latent threat. On the other hand, when pondering an actor like China, perhaps that dichotomy breaks down.
I'm far from a cyber expert, but I do know a litle bit about international relations theory. What's disturbing about these stories about cyber is not that they reflect aspects of offensive realism -- it's that they reflect a more inchoate cluster of contradictory impulses.
What do you think?
Daniel W. Drezner is professor of international politics at the Fletcher School of Law and Diplomacy at Tufts University.