In 1991, as the United States rose to preeminence on the international stage, many of the core problems that had worried policymakers and academics for the duration of the Cold War simply dissolved along with the Soviet Union. The dark cloud of nuclear arms seemed to dissipate, strategic concerns were soon shelved for more appealing tactical and operational pursuits, and scholars earnestly proclaimed that, as a global community, we had reached “The End of History”[i]. Nearly three decades later, these understandably optimistic outlooks seem shortsighted. As security competition looms within the re-emerging 4+1 threat environment (China, Russia, North Korea, and Iran plus the constant challenge of transnational threats), those once-archaic concepts of ‘great power war’ and ‘nuclear deterrence’ are worth revisiting. Chief among these concepts is the ‘stability-instability paradox’. A deeper understanding of this, coupled with an empirically supported connection of its dynamics to the modern cyber domain, will provide academics and policymakers with a helpful framework for examining modern conflict. Through a review of extant literature, a corroborating set of statistical tests, and a thorough discussion of the results, this study finds that the dynamics of the stability-instability paradox extend to cyber conflict between states.
Before proceeding to empirical testing, it is necessary to explore the expansive literature concerning nuclear security as well as cyber conflict. First, this section will delve into the relevant theories that define the dynamics of nuclear deterrence before explaining the stability-instability paradox in greater detail. Second, it will explain the basic principles of cyber conflict and cyber policy before linking them to the stability-instability paradox framework.
Nuclear Deterrence Theory
“It is true,” write Osgood and Tucker “that most wars are perpetrated by states who want something they do not have rather than by states that are content to defend what they already have.”[ii] These undercurrents may describe conflict throughout the majority of human history. However, the relatively recent introduction of nuclear weapons to the international system has profoundly changed strategic calculations of state actors in a number of ways. These changes are well-represented in the nuclear deterrence versus nonproliferation debate common to Cold War international relations literature.
Deterrence theory has firm roots in the rational actor model—a framework that assumes unitary, rational actors as the heads of each state who attempt to maximize their gains in response to their oppositions’ preferences and choices. It follows that when conflict can result in complete nuclear annihilation of both parties, rational states will be deterred from any course of action that invites such great risk. Given a state of nuclear proliferation where nuclear weapons simply cannot be countered outright or preempted with absolute certainty, neither actor can pursue goals that the other is committed to defending with the threat of nuclear force. Therefore, the logic of deterrence theory ultimately posits that nuclear arms have pacifying effect. In fact, stability as a result of nuclear arms is one of its core principles.[iii] For this reason, adherents to this body of theory concerning nuclear stability are often called “deterrence optimists”.[iv]
Conversely, nonproliferation theory takes a far more critical view of the effects of nuclear weapons on the international system. This body of theory presents two major critiques of deterrence theory. The first is largely directed at the theory’s internal structure. While deterrence optimists claim broad, universal application of their logic, nonproliferation theorists— “deterrence pessimists” as Krepon calls them[v]— hold that deterrence is defined by “unique experiences of particular societies at one moment in history rather than by universal laws”.[vi] More importantly, they criticize deterrence theory for its lack of ability to account for all reasons that a state might wish to enter conflict. As deterrence theory posits, external threats may be major influences, but by ignoring the effects of domestic or alliance politics on strategic decision-making, deterrence theory ignores key avenues for states to rationally stumble into nuclear war. The second set of critiques have to do with the assumed environment in which nuclear states exist. Deterrence optimists assume that nuclear conflict will be negotiated by great, responsible powers. Nevertheless, as poorer, less stable countries seek influence above their stature on the global stage, their attempts to acquire and use nuclear arms will inevitably disrupt the neat logic of deterrence. While an established, accountable nation such as the United States may be hard-pressed to act responsibly in the maintenance of and threat to use its nuclear arsenal, emerging nuclear powers such as Iran or North Korea will not always have the resources or incentives to act in accordance with the ‘rational’ norms of deterrence logic.[vii] As a summation of its structural and environmental critiques, nonproliferation theorists hold that nuclear arms have an inherently destabilizing effect on the international system.
Scholars of international relations, however, have found reason to be critical of both theories. Between the exceedingly broad and over-optimistic outlook of deterrence theorists and the much narrower, more pessimistic outlook of nonproliferation theorists, common ground is rare. However, the stability-instability paradox, a theory first introduced to the field by Glenn Snyder, offers a valuable framework for accommodating the pacifying and destabilizing effects of nuclear weapons. To date, Jervis provides us with perhaps one of the clearest definitions of this framework. “To the extent that the military balance is stable at the level of all-out nuclear war,” he writes “it will become less stable at lower levels of violence.”[viii] Though the early Cold War began with the U.S. communicating its stance of “massive retaliation”—an approach that promised overwhelming nuclear responses to any provocation—the USSR quickly found that it could still engage in “a range of minor ventures” with relative impunity.[ix] In other words, the rigid logic of deterrence theory proved to be too inflexible to reflect reality. Even though countries locked in a state of nuclear deterrence refrained from nuclear or even conventional military provocation (for fear of escalating the dispute to a point of unthinkable nuclear destruction), the ‘unthinkable’ nature of nuclear conflict actually encouraged more conflict below the threshold of escalation.
It is important here to correct some common misunderstandings and varying conditions regarding this paradox. To some, such as Kapur, the stability-instability paradox is simply an “inverse relationship between the probability of nuclear and conventional military conflict.”[x] The stability-instability paradox is not merely a clean tradeoff between nuclear stability and military instability. An understanding well-rooted in the words and arguments of the framework’s founders simply requires more nuance. For this reason, it is helpful to think of the framework as a pyramid—with nuclear war at the pinnacle and low-intensity conflict at the base. This can be seen in Figure 1.
Figure 1. The Stability-Instability Paradox - To achieve their security objectives by other means, states locked in nuclear deterrence conduct higher frequency low-intensity conflict, which is less likely to escalate to conventional war and even less likely to escalate into nuclear war.
Although states tread carefully while signaling and executing their conventional military actions—as not to unintentionally escalate the situation towards the peak—they will, instead engage in low-intensity actions with impunity, knowing that the other party’s response must also be low enough on the pyramid as to not constitute a serious step towards nuclear escalation.
Additionally, scholars like Barretta and Rauchhaus contend that for the paradox to work, both states must (1) be locked in nuclear stalemate, (2) be contesting a contiguous territory, and (3) they must have employable conventional forces against each other.[xi] These, assertions, however, constitute a very narrow rendering of the stability-instability paradox and must be subject to further testing.
Though most scholars focusing on nuclear deterrence and escalation lend support to this framework, authors like Bell and Miller are skeptical of its validity. In “Questioning the Effect of Nuclear Weapons on Conflict,” these authors use quantitative analysis of dyadic state pairs to test the stability-instability paradox and find that “symmetric nuclear dyads are not less likely to fight wars, nor significantly more likely to engage in low-level conflict than nonnuclear dyads.”[xii] Though Bell and Miller’s work is compelling, it lacks much of the nuance found in other contemporary studies. For example, Glaser and Fetter find immense qualitative evidence of the paradox at play between the U.S. and China as both states abandon larger efforts at nuclear damage reduction strategies in favor of increased low-intensity provocation to achieve national security goals.[xiii] [xiv] Most notably, however, Powell and Rauchhaus contribute formidable quantitative support for the paradox. Through rigorous game-theoretic modeling, the authors validate the stability-instability model while simultaneously shedding doubt on the relevance of symmetry or power balance when studying these dynamics—points that Bell and Miller do not effectively address in their study.[xv] Rauchhaus conducts tests very similar to those found in Bell and Millers’ work while keeping these nuances in mind, and he finds broad quantitative support for the paradox.[xvi] These discrepancies must inevitably be addressed. But for the time being, it is sufficient to note that the stability-instability paradox is both an effective bridge of divergent deterrence theories as well as a valid framework for conflict in the modern world. This will be extremely useful as we turn to examine cyber conflict in the 21st century.
Cyber Conflict and Cyber Deterrence
With the advent of information technology and the rapid penetration of networked systems into every facet of modern life, individuals and states are ever-dependent on the realm of cyber. However, an exploration of the threats posed by aggressive cyber activity—especially as an extension of state power shows that this dependence appears to be a major liability.
The development of information and communications technology (ICT) has erupted over the past century. No longer do devices exist individually; today, they form a highly-intertwined system of networks, infrastructure, and resident data known commonly as “cyberspace” that has become present in all areas of modern life. The vast majority of cyber users are lawful and benign. However, a small portion of those who use cyberspace do so with far more insidious intentions. These parties access cyberspace in order to deny service, steal, manipulate, or destroy data, and hijack devices to attack themselves or others within a network[xvii].
As a Congressional Research Service report on cybersecurity explains, “the risks associated with any attack depend on three factors: threats (who is attacking), vulnerabilities (how they are attacking), and impacts (what the attack does)”[xviii]. Threats can come in many forms, including criminals seeking monetary gain through cyber theft or extortion, spies bent on stealing sensitive information, nation-state warriors who develop and employ offensive cyber measures to further strategic state objectives, “hacktivists” intent on disrupting cyber systems to further a cause, and terrorists who use cyberattacks to advance non-state or state-sponsored warfare. It is worth emphasizing, however, that whatever the differences in threat origins, all forms can be—and often are—leveraged by nations to achieve national security objectives. In this regard, all forms of cyber aggression exploit vulnerabilities to accomplish these goals. State actors are constantly probing ICT systems for weaknesses in software as well as simple human errors such as customers responding to phishing emails or employees inadvertently installing malicious software on their work computers. Once a vulnerability is found, it is then exploited, resulting in various impacts. A successful attack can compromise an ICT system’s integrity, confidentiality, and availability. Cybertheft or espionage can result in the mass exfiltration of financial, proprietary, or personally identifiable information (PII), while direct denial of service attacks (DDoS) can grind a cybersystem’s speed to a halt or prevent access altogether. Botnet malware can actually give an aggressor direct control over a device—or multiple devices—and strikes on industrial control systems can result in the destruction or degradation of equipment like generators, pumps, and centrifuges[xix]. These represent serious threats with serious implications for state actors on the global stage.
For this reason, scholars and policymakers largely agree that while the cyber domain is, in some ways, unique, it largely conforms to the same laws and contours of international conflict and deterrence. Accordingly, the U.S. Department of Defense labels cyberspace as a “war fighting domain” akin to the traditionally physical land, sea, air, and space domains of warfare.[xx] Some scholars disagree with this conception. Valeriano and Maness, for example, hold that “cyber conflict mimics the dynamics of espionage or economic combat and is not a form of war at all since zero deaths result from the actions”.[xxi] Of course, it is tempting to think of cyber conflict this way—the nature of cyber capabilities and vulnerabilities means that states may skip conventional military gains entirely and achieve the desired effects on another state or organization directly.[xxii] Nevertheless, cyber conflict does not have to incur the battlefield deaths of conventional war for it to be considered a form of national security power projection. Clarke and Knake as well as other authors reiterate this point several times throughout their works, emphasizing that the human cost associated with traditional conflict will predictably be much lower in the cyber realm.[xxiii] Regardless of casualties, the majority of scholars refute such dismissals of cyber war and cyber conflict. They insist that state actors—the only parties with ample resources and organization to execute cyber operations that would register as low or high-intensity conflict in the first place—will use cyber means, much like military might, as a tool for statecraft.[xxiv]
Nevertheless, we cannot dismiss Valeriano and Maness’ concerns completely, as they bring attention to an important set of questions. Why is it that cyber conflict is more ‘tame’ than its counterparts in the other domains? Are the same (or similar) paradoxical restraining forces of deterrence at play? Lindsay and Gartzke think so. They state that “the mechanisms of restraint in the cyber domain are slightly different than in the nuclear world insofar as actors look to maintain connectivity and avoid military retaliation vs. mutual Armageddon, but the results are similar: we see little to none of the most dangerous behavior but a great deal of provocative friction”.[xxv] They later go on to assert that “by and large, cyber options fill out the low end of the conflict spectrum where deterrence is not as credible or reliable”.[xxvi] Here, we reach the theoretical end-point in the literature and a key starting point of this analysis. It would appear in the works of Lindsay, Gartzke, Haggard, and others that cyber conflict conforms to the stability-instability logic in the same way that conventional forms of conflict do. We can call this the ‘nuclear stability-cyber instability paradox’.
As helpful as these corroborating arguments are, however, they are limited in two major ways. First, their application of the stability-instability paradox to cyber conflict is not as comprehensive as it could be. To authors like Lindsay, cyber capabilities represent the energized lower end of the conflict spectrum and the unthinkable peak of escalation—the pinnacle and the base of the pyramid. No expert on cyber warfare doubts that states’ true capabilities in the cyber domain can bring about effects of massive proportions. However, the details of these capabilities—who has them and what exactly they can do—are obfuscated in the black box of state secrets, making it nearly impossible to credibly deter other states, let alone measure that deterrence from an academic perspective. Therefore, this study seeks to take a cross-domain perspective. It does not set out to examine the stability-instability paradox within the realm of cyber conflict but to integrate cyber conflict into the already existing logic of the paradox as it pertains to nuclear deterrence. The second limitation of the extant theory on cyber conflict and the stability-instability paradox is a methodological one. These authors provide expert analyses through the use of descriptive case studies, yet they do not adopt formal quantitative analyses to support their findings. In addition to contributing a cross-domain conception of the cyber domain and the deterrence paradox, this study will make this quantitative analysis a priority.
As explained above, even a rudimentary quantitative analysis of the nuclear stability-cyber instability paradox will be useful to a growing body of relevant research. Any quantitative evidence that can be lent in support of this theory will certainly inform our academic understanding as well as policymakers’ conceptions of a very new, rapidly developing dimension of national security. In order to add value to this conversation, however, this study must be consistent in its theoretical structure, clear in its operationalization of variables, and honest in noting the limitations of potential findings.
First, although the theoretical framework for this study should be clear from the literature review, it is worth visualizing this structure once more. As we see in Figure 1, a paradoxical model incorporating cyber can be visualized as a pyramid of escalation. State actors locked in nuclear deterrence are hypothesized to have higher-tempo low-intensity conflict, because they wish to achieve their national security objectives without crossing the threshold of conventional or nuclear escalation. Meanwhile, states not experiencing nuclear deterrence will not experience significant upticks in low-intensity cyber conflict.
Second, quantitatively testing anything in the cyber realm is very difficult, as there is little to no established data for cyber incidents that would enable more traditional large-n studies. Nevertheless, Valeriano and Maness provide a suitable starting point in their “Dyadic Cyber Incident and Dispute Dataset” (DCID).[xxvii] The observations in this dataset span 14 years from 2001 to 2014 and are “primarily focused on rivals for data construction purposes simplifying the complicated process of identifying cyber events”.[xxviii] Keeping in tradition with databases like the “Correlates of War” project, the DCID measures incidents at the state-dyad level, meaning that each observation occurs between two states and is demarcated by a specific country dyad code.
This study hypothesizes that if states are locked into the dynamics of nuclear deterrence, then they will experience a greater tempo of cyber incidents between them—thus conforming cyber conflict to the stability-instability paradox. To reliably find support for this—or more importantly, to know when we cannot find support—let us first describe how each of these concepts will be measured and tested. For all models in this study, ordinary least squares (OLS) regression will be used to yield results and spur discussion, and, as is standard in studies of international conflict, the alpha level is set at .05. The first test will be a simple bivariate analysis of the dependent variable, ‘incident severity’ and the independent variable, ‘nuclear MAD’. The dependent variable is an ordinal scale, ranking incidents in severity (1 being the lowest and 10 being the highest). For the purposes of this study, and in keeping with the traditional limitations and practices of quantitative research on international relations, all ordinal variables will be treated as continuous. Moreover, it must be noted that incident severity is not the ideal measure for tempo of low-level cyber conflict. Nevertheless, due to lack of observations in this very new field, severity represents the closest approximation to this latent concept that is available. Lastly, though it is a 1-10 scale, observations only occur between 1 and 5. To ensure a more suitable, normally distributed dependent variable without losing any observations, incident severity is cut to a smaller scale from 1 to 5. The independent variable in the first bivariate analysis will be nuclear MAD, a basic dichotomous variable signifying the presence of security-threatening nuclear capabilities in both sides of the dyad. This basic analysis should give a simple proof of concept to open the next section and lay the groundwork for further control variables to be added.
The second model will simply add common international relations controls to the first regression. As the study of cyber continues to grow and form in the context of security studies, it will have to contend with popular truisms in the field. In this sense, two traditional explanations for conflict must be addressed: territorial contiguity and strategic rivalry. The first originates from the Correlates of War contiguity dataset and is a simple 0-5 ordinal scale ranging from 0 (no contiguity) to 5 (very close contiguity). The second originates from Klein, Diehl and Goertz’s enduring rival dataset as well as Thompson’s strategic rival dataset. It is a dichotomous variable indicating whether or not the dyad in question constituted a strategic rivalry at the time of the cyber incident.
The third model will add three controls—this time, from cyber-specific literature discussed in the above section. The first is inspired by Barretta’s claim that nuclear dyads must be symmetrical (both parties must have nuclear arms) in order to be apart of the stability-instability paradox. ‘Asymmetry; is a dichotomous measure of whether or not only one member of the dyad has threatening nuclear capabilities during the given incident. The second control added in this model stems from Lindsay and Gartzke’s claims that states with nuclear capabilities may be more willing to initiate low-intensity conflict. It too is a dichotomous measure of whether or not the initiator of the cyber incident has nuclear capabilities at the time. The third and final control added in this model will address Lindsay and Gartzke’s idea that particularly advanced states may conform more logically to the stability-instability paradox. This also harkens back to deterrence pessimists’ claims that poorer, less stable states may behave differently in nuclear deterrence frameworks. This variable is a dichotomous measure of weather or not both members of the dyad are parties to the Treaty on the Non-Proliferation of Nuclear Weapons (NPT). This control screens for a particularly advanced and selective group of nuclear parties (The U.S., UK, France, China, and Russia) and excludes countries like India, Israel, North Korea, and Pakistan.
Ultimately, every quantitative study in international relations will come with limitations, and this research effort is no exception. Some of these have been touched upon through this section, but a clear discussion of them here will be useful. First, all findings and implications of this study must be taken with an understanding of the limited observations available. The DCID is the best, most comprehensive dataset that mirrors trusted datasets like the Correlates of War. Nevertheless, it only includes 192 cyber incidents. Over time, as cyber conflict gains a more storied past, scholars will have more data with which to work. This does not mean, however, that early forms of quantitative analysis are not worth the effort—they are. Any results must simply be taken with the limitations in mind. Second, the dependent variable is not the perfect measure of the latent concept that the theoretical model describes. In an ideal situation, more data would be available, and this study could include more sophisticated analyses on ‘head count’ variables. As of now, the limited observations make conducting this sort of study unfeasible. With these two main limitations in mind, it is important to note that this is merely a starting point. As an entire field, the study of cyber war does not have very many quantitative analyses from which scholars can build and move forward. And in the even smaller intersection of cyber war and nuclear deterrence research, there are simply no quantitative studies at all. As cyber conflict evolves and grows (and datasets like the DCID grow in with it), opportunities for more precise, robust testing will undoubtedly open. However, for now, the field can still benefit from an initial quantitative push.
As discussed throughout the above section, testing of the nuclear stability-cyber instability hypothesis will be conducted across three models. The first two represent the test in its simplest form, beginning first with a bivariate regression of the major dependent and independent variables then applying a pair of common international relations controls to illustrate the lack of effect. Third, more complete model will include the traditional controls while also adding control variables specific to the stability-instability paradox literature.
Nuclear Stability-Cyber Instability Meets Traditional Explanations for Conflict
Figure 2 shows the first set of regressions in the first two columns. As we can see, in a simple bivariate analysis, there appears to be a causal relationship between mutually assured nuclear deterrence and the tempo and severity of cyber attacks. This relationship is significant at the .05 threshold with a magnitude of .340. Essentially, this suggests that as nuclear deterrence flips from ‘off’ to ‘on’, the incident severity between two states deterring each other increases by roughly one third of a point on a 5-point scale.
Interestingly enough, when we control for territorial contiguity and strategic rivalries within these dyads, MAD retains some significance—if only marginally at the .10 level. Traditional international relations scholars who contend that cyber conflict is merely a continuation of extant strategic rivalries or conventional territorial disputes may find some support for their arguments here. However, adding contiguity and rivalry variables does not necessarily demonstrate their unique significance in cyber dynamics; it merely saps mutual nuclear deterrence of some of its magnitude and explanatory power. As the table indicates, adding these controls certainly raises the explanatory power of the model (shown by the adjusted R-squared) from .024 to .031. However, the remaining marginal significance of MAD suggests that the dynamics of international rivalries and territorial contiguity may have little effect on the severity of cyber incidents when tested alongside more powerful determinants. More importantly, as the sample size of cyber incidents increases over the coming years, it is quite possible that this relationship gains more evidence, potentially retaining significance well below the .05 threshold. These results are a modest start, but they already suggest that the dynamics of the stability-instability paradox imposed by the presence of nuclear arms may be at play.
Nuclear Stability-Cyber Instability and Field-Specific Points of Interest
Adding other factors pointed out by extant literature appears to also add clarity to these dynamics. The first of these stems from early discussions by Barretta regarding symmetry between deterrence dyads. When adding an indicator for asymmetric nuclear deterrence dyads, we actually see significant, negative results at the .05 threshold. As the dyad in question shifts from symmetrical to asymmetric (meaning only one party has threatening nuclear arms), the dyad experiences a sizeable .715-point drop in incident severity. The second factor added comes from Lindsay and Gartzke’s insinuation that nuclear states may generally be more confident to conform to the stability-instability paradox and engage in low-intensity conflict with impunity. With a significance level of .05, the presence of a nuclear initiator (the instigator of the cyber incident has threatening nuclear capabilities) appears to cause a .574-point increase in incident severity. Moreover, the addition of the third factor: a control for parties to the NPT appears to have a similar effect. Significant at the .05 level, dyads that include only NPT states also see an increase in incident severity and tempo of roughly half a point (.550 to be exact).
Perhaps most interestingly, the addition of these three variables appears to completely shift the role of the general MAD variable. Whereas in the first two basic models, MAD had a significant positive effect on incident severity, controlling for different aspects of the balance between members of each nuclear dyad leads MAD to have a significant negative effect. At the .05 threshold, and accounting for the other variables, we now see that the generalized presence of MAD between states has a sizeable negative effect of .918—a decrease in severity by almost one whole point. Additionally, even when adjusting for the addition of multiple other variables to the model, the adjusted r-squared indicates a major increase in explanatory power (from .024 and .031 in the previous two models to .076 in the full model)—though this is only noteworthy in relative terms.
Figure 2. Full Models with Advanced Controls
But what accounts for these puzzling shifts in the full model? This section will explore the possible mechanisms behind the results, discuss three key lessons for future studies, and conclude with four practical implications and recommendations for policymakers in national security posts.
Nuclear Stability-Cyber Instability: A Developed-Country’s Game
A review of the full model is confounding at first but reveals a major trend at play. While asymmetric dyads cause decreases in the tempo and severity of cyber incidents, any dyad whose cyber-initiator also had threatening nuclear capabilities saw an increase in severity. When we account for the NPT results, which suggest that dyads comprised only of NPT countries (the U.S., UK, France, China, and Russia) cause a similar increase in low-intensity cyber conflict, the picture becomes clearer. Overall, we can accept our hypothesis: nuclear stability does instigate cyber instability, but only for a select few in the international community. The possible exceptions at play can be theorized as two sides to the same coin. On one side, states without nuclear weapons or even without robust, developed bureaucracies (such as non-NPT states) may simply not feel secure enough (a) in their ability to deter the highest forms of escalation or (b) in their proficiency in initiating sophisticated low-intensity cyber conflict with impunity. On the other side, highly advanced and capable nuclear states (such as NPT members) may feel much more emboldened by (a) their robust abilities to deter strategic adversaries in nuclear conflict and (b) their proficiency in waging high-tempo, low-end cyber conflict with relative impunity. Therefore, feeling secure in both areas, they avoid the pinnacle of escalation while driving forward in low-intensity cyber war. In summary, the nuclear stability-cyber instability paradox finds support here—it simply appears more complicated than previously theorized.
This new conception of the stability-instability paradox as it pertains to modern cyber conflict brings a number of lessons to light for the security studies community. First, cyber conflict cannot be quickly or easily explained away by traditional determinates of war. It would seem that including contiguity and existing rivalry to the list of control variable does little, if anything, to disrupt the more powerful relationships between nuclear balance, deterrence, and cyber instability. Second, these results appear to confirm the suspicions of traditional deterrence theorists like Barretta. Asymmetry in nuclear capability does turn the relationship away from the stability-instability paradox. In fact, it even decreases the severity of cyber conflict. Third, we can confirm the insinuations of scholars like Lindsay and Gartzke, as more capable, advanced states seem to be the only states secure enough to initiate and instigate low-intensity cyber conflict with impunity.
In the future, more robust quantitative studies of these dynamics are certainly in order—as are qualitative case studies. Regarding the latter, subsequent analyses should focus on the cyber dynamics at play across three key categories: between highly advanced nuclear states, between advanced nuclear states and developing nuclear states, and between nuclear states and non-nuclear states. The U.S. and Russia, China and India, and the Iran and Saudi Arabia would make compelling case studies in these respective bins.
But what do these findings mean for national security policy in the 21st century? Of course, as discussed in the methods section, these results stem from a limited pool of data and rely on admittedly imperfect conceptualizations of the latent concepts at play. Nevertheless, there are a number of common sense policies that countries—particularly the United States—can pursue in order to mitigate and defend against increased low-intensity cyber conflict in the future. First, the attribution problem inherent to cyber conflict makes deterring or defending against aggression difficult. Therefore, even modest investments in attribution, counterintelligence, information sharing capabilities, and the communication of their effectiveness is a logical starting point. Second, though strained public-private sector relationships as they pertain to cyber security cannot be discussed in detail here, research shows that they are a key roadblock to cyber defense. Clarifying the protections that the government extends to private firms, the amount of risk those firms should assume, and the level of statutory security needed for a secure nation will be another key component of reform. Third, the establishment of international laws and norms to define acceptable behavior and constrain abuses is long overdue. As a global leader in diplomacy and technological innovation, the U.S. should spearhead these much-needed discussions through international institutions. Lastly, if cyber conflict cannot be deterred by cyber means alone, policymakers must explore avenues of cross-domain deterrence that are credible and effective.
From this humble starting point in quantitative cyber studies, it is still clear that cyber conflict, in its own way, conforms to the contours of the stability-instability paradox. In light of the lessons discussed above, this should be a worrying trend. Although great power competition has not been a topic of conversation since the Cold War, resurgent militaries such as Russia and China have brought it firmly back into the realm of possibility. While nuclear provocation still remains an exceedingly, and in many cases, unacceptably risky form of brinksmanship, cyber conflict will continue to fill out the low end of more palatable conflict. And as revisionist powers continue to explore new means to aggravate and disrupt the status quo, it is difficult to imagine a situation where the nuclear stability-cyber instability paradox becomes any less relevant or problematic. As the dataset inevitably expands, future research efforts must focus more attention on this crucial area of study should we wish to understand it in better or more certain terms.
Barretta, Michael A. “Nuclear proliferation and the stability-instability paradox,” NPS Institutional Archive (1996).
Bell, Mark S. and Nicholas L. Miller, “Questioning the Effect of Nuclear Weapons on Conflict,” Journal of Conflict Resolution 59, no. 1 (2015).
Clarke, Richard and Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York: Harper Collins, 2010).
Fischer, Eric A. and Catherine A. Theohary, Cybersecurity (CRS Report No. IF10159) (Washington, DC: Congressional Research Service, 2015).
Fischer, Eric A. et al., The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress (CRS Report No. R42984) (Washington, DC: Congressional Research Service, 2014).
Fukuyama, Francis, “The End of History?” The National Interest (Summer 1989).
Gaddis, John Lewis, “The Long Peace: Elements of Stability in the Postwar International System,” in Sean M. Lynn-Jones ed., The Cold War and After: Prospects for Peace (Cambridge: The MIT Press, 1991).
Ganguly, Sumit, “Indo-Pakistani Nuclear Issues and the Stability-Instability Paradox,” Studies in Conflict and Terrorism 18 (1995).
Glaser, Charles L. and Steve Fetter, “Should the United States Reject MAD?” International Security 41, no. 1 (2016).
Haggard, Stephan and Jon R. Lindsay, “North Korea and the Sony Hack: Exporting Instability Through Cyberspace” The East-West Center No. 117 (2015).
Jervis, Robert, The Illogic of American Nuclear Strategy (Ithaca, NY: Cornell University Press, 1984).
Kapur, S. Paul, “The Stability-Instability Paradox,” in Fathali M. Moghaddam ed., The SAGE Encyclopedia of Political Behavior (Thousand Oaks: SAGE Publications, Inc., 2017).
Krepon, Michael, “The Stability-Instability Paradox, Misperception, and Escalation Control in South Asia,” The Henry L. Stimson Center (Washington, DC 2003).
Lindsay, Jon and Erik Gartzke, “Coercion through Cyberspace: The Stability-Instability Paradox Revisited,” in Kelly Greenhill and Peter J. P. Krause, eds., The Power to Hurt: Coercion in Theory and in Practice (Oxford University Press, 2018).
Lynn, William J. III, “Defending a New Domain,” Foreign Affairs (2010).
Maness, Ryan C., Brandon Valeriano, and Benjamin Jensen, “Codebook for the Dyadic Cyber Incident and Dispute Dataset Version 1.1,” (2017).
Martel, William C. “Deterrence after the Cold War,” in Stephan J. Cimbala and Sidney R. Waldman, Controlling and Ending Conflict, Issues Before and After the Cold War (New York: Greenwood Press, 1992).
Powell, Robert, “Nuclear Brinkmanship, Limited War, and Military Power,” International Organization 69 (Summer 2015).
Rauchhaus, Robert, “Evaluating the Nuclear Peace Hypothesis,” Journal of Conflict Resolution 53, no. 2 (2009).
Segal, Adam The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age (New York: Public Affairs, 2016).
Snyder, Glenn, Deterrence and Defense (Princeton: Princeton University Press, 1961).
Valeriano, Brandon and Ryan C. Maness, Cyber Hype versus Cyber Reality: Restraint and Norms in Cyber Conflict (Oxford University Press, 2015).
Waltz, Kenneth N. “The Emerging Structure of International Politics,” International Security, 18, no. 2 (Fall 1993).
[i] Francis Fukuyama, “The End of History?” The National Interest (Summer 1989).
[ii] Michael A. Barretta, “Nuclear proliferation and the stability-instability paradox,” NPS Institutional Archive (1996): 2.
[iii] John Lewis Gaddis, “The Long Peace: Elements of Stability in the Postwar International System,” in Sean M. Lynn-Jones ed., The Cold War and After: Prospects for Peace (Cambridge: The MIT Press, 1991); Kenneth N. Waltz, “The Emerging Structure of International Politics,” International Security, 18, no. 2 (Fall 1993), 74.
[iv] Michael Krepon, “The Stability-Instability Paradox, Misperception, and Escalation Control in South Asia,” The Henry L. Stimson Center (Washington, DC 2003), 3.
[v] Ibid. 6.
[vi] William C. Martel, “Deterrence after the Cold War,” in Stephan J. Cimbala and Sidney R. Waldman, Controlling and Ending Conflict, Issues Before and After the Cold War (New York: Greenwood Press, 1992), 54.
[vii] . Barretta, “Nuclear proliferation and the stability-instability paradox,” 20-21.
[viii] Robert Jervis, The Illogic of American Nuclear Strategy (Ithaca, NY: Cornell University Press, 1984), 31.
[ix] Glenn Snyder, Deterrence and Defense (Princeton: Princeton University Press, 1961), 226.
[x] S. Paul Kapur, “The Stability-Instability Paradox,” in Fathali M. Moghaddam ed., The SAGE Encyclopedia of Political Behavior (Thousand Oaks: SAGE Publications, Inc., 2017), 2.
[xi] Barretta, “Nuclear proliferation and the stability-instability paradox,” 23; Robert Rauchhaus, “Evaluating the Nuclear Peace Hypothesis,” Journal of Conflict Resolution 53, no. 2 (2009): 271.
[xii] Mark S. Bell and Nicholas L. Miller, “Questioning the Effect of Nuclear Weapons on Conflict,” Journal of Conflict Resolution 59, no. 1 (2015): 86.
[xiii] Charles L. Glaser and Steve Fetter, “Should the United States Reject MAD?” International Security 41, no. 1 (2016), 97-98.
[xiv] Sumit Ganguly also finds intriguing qualitative support for the stability- instability paradox in his study of security competition between India and Pakistan. Found in Sumit Ganguly, “Indo-Pakistani Nuclear Issues and the Stability-Instability Paradox,” Studies in Conflict and Terrorism 18 (1995).
[xv] Robert Powell, “Nuclear Brinkmanship, Limited War, and Military Power,” International Organization 69 (Summer 2015): 589.
[xvi] Rauchhaus, “Evaluating the Nuclear Peace Hypothesis,” 271.
[xvii] Eric A. Fischer et al., The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress (CRS Report No. R42984) (Washington, DC: Congressional Research Service, 2014), 2.
[xviii] Eric A. Fischer and Catherine A. Theohary, Cybersecurity (CRS Report No. IF10159) (Washington, DC: Congressional Research Service, 2015), 1.
[xix] Fischer and Theohary, Cybersecurity, 1.
[xx] William J. Lynn III, “Defending a New Domain,” Foreign Affairs (2010).
[xxi] Brandon Valeriano and Ryan C. Maness, Cyber Hype versus Cyber Reality: Restraint and Norms in Cyber Conflict (Oxford University Press, 2015), 68-69.
[xxii] Richard Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York: Harper Collins, 2010), 1-26, 225-246.
[xxiii] Clarke and Knake, Cyber War: The Next Threat to National Security and What to Do About It (2010), 1-26, 225-246; Adam Segal, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age (New York: Public Affairs, 2016), pp. 1-26, 225-246.
[xxiv] Jon Lindsay and Erik Gartzke, “Coercion through Cyberspace: The Stability-Instability Paradox Revisited,” in Kelly Greenhill and Peter J. P. Krause, eds., The Power to Hurt: Coercion in Theory and in Practice (Oxford University Press, 2018), 3, 33.
[xxv] Ibid. 4-5, 34-35; Stephan Haggard and Jon R. Lindsay, “North Korea and the Sony Hack: Exporting Instability Through Cyberspace” The East-West Center No. 117 (2015), 1.
[xxvi] Lindsay and Gartzke, “Coercion through Cyberspace: The Stability-Instability Paradox Revisited,” (2018), 35.
[xxvii] Ryan C. Maness, Brandon Valeriano, and Benjamin Jensen, “Codebook for the Dyadic Cyber Incident and Dispute Dataset Version 1.1,” (2017).
[xxviii] Maness, Valeriano, and Jensen, “Codebook for the Dyadic Cyber Incident and Dispute Dataset Version 1.1,” (2017), 1.