War without Rules
State-on-state cyberattacks escalate unpredictably owing to a lack of agreed protocols
Offensive cyber capabilities are developing more rapidly than our ability to deal with hostile incidents. This creates a fog of uncertainty in which potential miscalculations could trigger a spiral of retaliatory responses. Imagine that a country’s critical infrastructure systems are compromised by a cyberattack, leading to disruption of essential services and loss of life—the pressure to retaliate would build rapidly, potentially setting off an escalatory chain reaction.
Questions of speed and attribution heighten the risk of unpredictable consequences. If an attack is developing more quickly than the targeted state’s efforts to identify the attacker, retaliation might be misdirected, drawing new actors into a widening conflict. This would add to the potential for further confusion and escalation, including the resort to conventional military force or the unintended widening of conflict if an active cyberweapon inadvertently spreads through cross-border networks into non-target countries.
In conventional warfare, agreed norms and protocols provide predictability and slow the emergence of crises. If governments accelerated current efforts to establish similar ground rules for cyberwarfare, it would help to prevent conflict erupting by mistake. Familiar concepts such as transparency, proportionality and non-proliferation could be re-codified for cyber purposes. And perhaps classes of cyberweapons could be collectively prohibited, in the same way biological and chemical weapons have been.