The rapid advancement and diffusion of information and related technologies across the globe has been a prevalent characteristic of the modern era affecting national statecraft and how the militaries approach national power. Essentially, it has led to the emergence of the concept of Cyber Power, which can be identified, according to Joseph S. Nye, Jr., as the capability to achieve desired results by utilizing the interconnected electronic information resources within the cyber realm.[1] Similarly, Daniel T. Kuehl determines Cyber Power as the ability to leverage cyberspace to obtain advantages and shape outcomes across various operational domains and throughout all elements of power.[2]
It is worth paying particular attention to the “various operational domains” that Daniel Kuehl refers to in the definition of Cyber Power. Saliently, Cyber Power represents a combination of physical and virtual dimensions where the physical dimension refers to all the tangible elements of cyberspace, such as infrastructure, hardware, and technological devices, enabling cyber activities, including data centers, servers, network cables, computers, and related equipment. However, the virtual dimension is less tangible yet equally important, encompassing software, data, programs’ algorithms, and the digital realm in general. It involves using code, digital information, and online platforms to exert influence, control, and defend against threats in cyberspace and beyond.[3]
This analysis will further examine the reasons behind the concept of Cyber Power becoming an integral part of national strategies and military doctrines and the limitations of measuring Cyber Power, such as the lack of coercive strength, attribution challenges, legal and regulatory gaps, and the rapidness of technological development.
Why has Cyber Power become prevalent as a concept?
Some scholars argue that the rise of the Internet and information networks symbolizes a novel wave of Revolution in Military Affairs (RMA), triggering significant technological change, and innovation processes alongside an increase in institutions’ effectiveness.[5] Following Andrew F. Krepinevich, Michael Raska suggests that the international community is now going through an IT-driven RMA which indeed started in the 1990s-early 2000s, representing a new security environment with the emergence of electronic and cyber warfare.[6]
Essentially, since then the states started considering cyberspace as a new contested dimension, which should be incorporated into the national strategy-planning processes. In 1993, John Arquilla and David Ronfeldt published the article titled “Cyberwar is coming,” arguing that following the growth in advanced technologies, specifically the information technologies, netwars and cyberwars are evidently inevitable.[7] Remarkably, at that time, roughly 36 million people in world had access to the Internet. In 2017, 3.7 billion people could use the global network.[8] Such the significant increase in the number of users alongside reliance of societies and economies on digital systems and the Internet has led to a new domain of influence, within which control over digital resources and capabilities can lead to significant advantages in various sectors, from politics and the military to business and civil society engagement.
Although the rise of information and offensive cyber operations has a long gradual history, it is worth identifying, probably, the most significant and resonant cases that have portrayed the essential value of Cyber Power as part of a particular country’s national power – Stuxnet and Edward Snowden’s case with the leaks of the US classified data.
Stuxnet, a malicious computer worm unveiled back in 2010, is thought to be the collaboration between the United States and Israel to disrupt Iran’s nuclear facilities. This highly sophisticated cyber weapon is known for its precision targeting of industrial control systems. Stuxnet marked a significant shift in the cyber warfare landscape, highlighting the potential real-world consequences of such attacks and underscoring the urgent need for enhanced security measures to protect critical infrastructure.[9] The intricate design and accurate execution of Stuxnet established it as a landmark in the evolution of cyber threats, demonstrating that cyberattacks can lead to genuine, physical repercussions. This turning point emphasized the importance of increased vigilance and protective measures against sophisticated cyber threats. Additionally, Stuxnet’s exposure prompted discussions on the ethical and legal aspects of state-sponsored cyber activities, as it showcased the new type of weapon capable of causing physical damage and destruction.[10]
In 2013, Edward Snowden, a former National Security Agency contractor, leaked a substantial amount of classified US data to the public. This highly resonant event disclosed top-secret information and brought about a seismic shift in the global understanding of Cyber Power. The revelations exposed the extent of global surveillance programs run by the NSA and sparked a worldwide debate on multiple fronts. It raised questions about privacy, as it revealed how governments could intrude into the personal lives of individuals through digital means. Similarly, it unleashed how extensively various government agencies (e.g., intelligence services) can monitor activities around the globe.[11]
Snowden’s leak stirred the critical discourse on the very tenets of Cyber Power. It highlighted how Cyber Power could be both a tool for national security and a potential instrument of intrusion and control. The incident underscored cyber capabilities as means of surveillance and a tool for geopolitical strategy. Essentially, it also increased scrutiny and demands for transparency and accountability, while triggering a new wave of debates about cyber deterrence since the purely technical problem in the past is now manifested as an equally socially affected one.[12]
Both cases illustrated above bolstered the significance of considering states’ Cyber Power, as they demonstrated how nation-states and people, in general, are dependent on information. Essentially, based on the examples above it is clear that Cyber Power today is not entirely technical; it encompasses cyber operations in cyberspace and, significantly, cyber-enabled physical operations, involving human factors, e.g., intelligence and surveillance.[13] Therefore, it is fair to presume that the core reason behind increasing prevalence of Cyber Power in strategy planning is indeed that Cyber Power (1) encompasses several dimensions of statecraft and national security and (2) projects the key foundation of the military doctrine in terms of increasing reliance on information and, essentially, the control of information in a greater geopolitical context.[14] Yet, there are particular limitations in defining and measuring it.
Limitations of using the concept of Cyber Power
Is the concept of Cyber Power relevant, or academic limitations
It is worth emphasizing that there has long been a tendency to think about Cyber Power within the scope of cyber warfare.[15] Yet, even within the generally accepted framework, different scholars did define Cyber Power differently. Thus, a well-known opponent of netwars and cyber wars, Thomas Rid, ties Cyber Power with the ability of a state to exercise cyber espionage, sabotage, or subversion.[16] By contrast, Julian Richards equals cyber war to Cyber Power, the exploitation of which is indeed projects cyber war.[17] Others consider deception the cornerstone of Cyber Powe; thus, Erik Gartzke and Jon R. Lindsay argue that “deception not only enables cyber-attack, it is necessary…”.[18] All these illustrate an inherent complexity surrounding the definition and understanding of Cyber Power.
As Samuel Zilincik and Isabelle Duyvesteyn argue, the decline in a cyber warfare fashion and the rise of a hybrid warfare fashion have made the debates even increasingly complex.[19] Though Cyber Power has still been discussed within the “warfare” terminology, hybrid warfare has introduced a much broader scope of a national strategy, including non-military aspects, e.g., economy, social factors, etc.[20] In this regard, placing Cyber Power is becoming more complicated, especially considering how nation-states define hybrid warfare. For instance, Russian political and military thinkers consider it a strategic approach where all endeavors, including military actions are subservient to an overarching information campaign.[21] The US-led Multinational Capability Development Campaign approaches hybrid warfare as the coordinated utilization of diverse instruments of national power to exploit particular weaknesses and vulnerabilities across all facets of a society.[22] Thus, the disparity in understanding Cyber Power at the state level indeed transfers to academia, creating complexity and limits in using the concept.
Is Cyber Power indeed the power that may coerce, or practical limitations
Essentially, the concept of power is believed to be complex and often vague, whilst comparing different actors in terms of their respective power has always been a challenging issue; however, let us assume that power can be conceptualized and, accordingly, measured. Thereby, it is worth highlighting Michael Barnett and Raymond Duvall, who identified various types of power, which focus on different interactions between actors, but all imply the influence factor.[23] Yet, does Cyber Power incorporate the influence factor?
As Barnett and Duvall assumed, compulsory power showcases an ability to force someone to do what they would not do without external influence.[24] Remarkably, it corresponds with the traditional coercion theory, which places power as the cornerstone of influencing one’s behavior. Thomas Shelling argues that projecting or employing power on a limited scale suffices to deter undesirable actions from an adversary or compel a target state to adhere to the provisions as aimed by the targeting state.[25]
Thus, in global politics, two forms of coercion are compellence and deterrence. Compellence is often employed to persuade other states or actors to adopt a specific behavior or course of action. It can be seen as the persuasive tactic that leverages force or the threat of force to accomplish a particular goal. On the other hand, deterrence is a strategy to discourage an opponent from initiating a potentially damaging action by promising a credible threat of retaliation. According to a deterrence theory, making an action more costly and less beneficial can prevent a potential adversary from undertaking it.[26]
Accordingly, Erica Borghard and Shawn Lonergan defined conditions for successful coercion that encompass communication, cost-benefit calculus, credibility, and reassurance.[27] Essentially, while applying the aforementioned criteria to the cyber domain, it becomes evident that none of them can be accurately addressed, starting with the initial stage of communication.[28] In this regard, the critical issue is that Cyber Power consists of a massive layer of classified information. Remarkably, the information, e.g., on a state’s offensive cyber capability is normally intentionally classified by the state government, making it increasingly challenging to clearly communicate intentions and threats in cyberspace. Thus, it complicates the coercion in the cyber domain, questioning the concept of Cyber Power as the power that can portray influence unlike conventional or nuclear forces that can be, therefore, measured.
Therefore, it seems reasonable to question the methodology of measuring Cyber Power. What aspects of Cyber Power should be considered and how to avoid misperceptions triggered by the evident lack of knowledge. Respectively, the International Institute for Strategic Studies proposed its model of assessing states’ cyber capabilities, which includes strategic and doctrinal analysis, states’ security and resilience in cyberspace, a role in the international arena, intelligence, offensive/defensive capabilities, and other factors.[29] Nonetheless, considering the obstacles noted above, this model will similarly suffer inadequate data unless states declassify the necessary information. Ultimately, it makes the concept of Cyber Power assumptions-based and subjective to the ones providing an analysis. For example, Robert Bebber’s model for assessing states’ cyber power differs from IISS, leading to opposite views.[30]
Attribution challenge – how to define who committed what?
Arising from the inapplicability of the coercion theory, there have always been debates around the attribution of cyber-attacks. Some scholars argue that, at the today’s level of technology, attribution is just a time issue.[31] Nonetheless, it is generally perceived that attribution in the cyber domain is nearly impossible unless the actor who committed an attack takes full responsibility for it. Therefore, although NATO suspects Russia in several offensive cyber operations e.g., the ones against the Ukrainian energy infrastructure in 2015 and 2016, they have not yet been attributed. Similarly, cyber-attacks, which have indeed been tied to the Russian state, such as the NotPetya attack (2014), raise significant doubts about the accuracy and certainty of attribution.[32] Essentially, it leads to inadequate understanding of offensive cyber capabilities states possess in their disposal, challenging the conceptualization of Cyber Power.
Technology is beyond the law, or legal limitations
It is important to highlight that contemporary international law lacks sufficient elaboration to effectively govern state behavior in cyberspace.[33] In essence, there are today no universally applicable, legally binding international agreements which outline the responsible use of cyberspace and establish the liabilities of states for engaging in illegal cyber activities. Respectively, Joseph Nye argues that the development of norms and institutions tends to progress at a much slower pace compared to technology advancements.[34]
Essentially, to accurately address the concept of Cyber Power, a legally approved framework should define responsible states’ behavior in cyberspace. Though Joseph Nye suggests that the pace of legal development concerning the cyber domain correlates with timeframes of humanity’s response to emerging threats and challenges, like it was during the post-World War II period with nuclear weapons, the rapid rise of cyber capabilities and advancement of cyber-enabled operations pose additional risks, which are not explicitly addressed by the modern global legal architecture, leading to uncertainties on the legality of certain cyber activities and the appropriate response mechanisms. Therefore, similar to the limitations identified earlier, it complicates the use of the concept of Cyber Power.
Conclusion
Summing up everything stated above, it is worth emphasizing that Cyber Power has become prevalent in national strategies and doctrines following the development of information technologies and increasing reliance on the information and its control on a broader geopolitical scope. Considering the number of Internet users as the civilian component and the salience of Internet communications in the military, nation-states have no other option than to focus on their respective Cyber Power, which, essentially, incorporates both physical and virtual dimensions alongside includes often underestimated human factor, as portrayed by Edward Snowden’s case.
Nonetheless, though Cyber Power has become increasingly topical, it faces certain limitations in conceptualization and measurement. More essentially, the primary obstacle to adequate usage of the concept is different interpretations of Cyber Power at both the state level and within academic circles. Subsequently, it becomes even more complicated following the inapplicability of traditional theories surrounding power as something that projects influence alongside the rapid development of technology that goes beyond the existing legal framework, creating ambiguity and uncertainty around cyberspace.
Yet, it does not make the concept of Cyber Power meaningless or risky to use. Conversely, it is helpful regarding recent developments and requires considerable attention to adapt to novel changes and challenges. It is indeed too early to talk about the universal concept, yet the current understanding may help to examine particular patterns of national strategic statecraft, states’ priorities, and doctrinal aspirations.
[1] Joseph S. Nye, Jr., Cyber Power (Belfer Center for Science and International Affairs, May 2010), pp. 3-4.
[2] Robert Bebber, Cyber power and cyber effectiveness: An analytic framework (Comparative Strategy, Vol. 36, No. 5, 2017: 426-436), p. 427.
[3] Jelle van Haaster, Assessing Cyber Power (NATO CCD COE Publications, Tallinn, 2016), pp. 13-14.
[4] Joseph S. Nye, Jr., Cyber Power, p. 5.
[5] Andrew F. Krepinevich, The Military-Technical Revolution A Preliminary Assessment (Center for Strategic and Budgetary Assessments, 2002), p. 35.
[6] Michael Raska, The sixth RMA wave: Disruption in Military Affairs? (Journal of Strategic Studies, Vol. 44, No. 4, 2021: 456-479), p. 474.
[7] John Arquilla, David Ronfeldt, Chapter Two: Cyberwar is coming (In Athena’s Camp: Preparing for Conflict in the Information Age, RAND Corporation, 1997: 23-60), pp. 28-32.
[8] Joseph S. Nye, Normative Restraints on Cyber Conflict (Belfer Center for Science and International Affairs, August 2018), p. 7.
[9] Thomas M. Chen, Stuxnet, the Real Start of Cyber Warfare? (IEEE Network, 2010), p. 3.
[10] Jon R. Lindsay, Stuxnet and the Limits of Cyber Warfare (Security Studies, Vol. 22, No. 2, 2013: 365-404), pp. 369-371.
[11] Michael Gurnow, The Edward Snowden Affair: Exposing the Politics and Media Behind the NSA Scandal (Blue River Press, 2014).
[12] Joe Burton, Cyber Deterrence: A Comprehensive Approach? (CCD COE Library, 2018), p. 10-13.
[13] Joseph S. Nye, Jr., Cyber Power, pp. 5-6.
[14] Ibid.
[15] Samuel Zilincik, Isabelle Duyvesteyn, Strategic studies and cyber warfare (Journal of Strategic Studies, Vol. 46, No. 4, 2023: 836-857), pp. 846-847.
[16] Thomas Rid, Cyber War Will Not Take Place (Journal of Strategic Studies, Vol. 35, No. 1, 2012: 5-32), p. 15.
[17] Julian Richards, Cyber-War: The Anatomy of the Global Security Threat (Basingstoke: Palgrave Macmillan, 2014), p. 73.
[18] Erik Gartzke, Jon R. Lindsay, Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace (Security Studies, Vol. 24, No. 2, 2015: 316-348), p. 326.
[19] Samuel Zilincik, Isabelle Duyvesteyn, Strategic studies and cyber warfare, p. 849.
[20] Ibid.
[21] Mason Clark, Russian hybrid warfare (Institute for the Study of War, 2020), p. 15.
[22] Patrick J. Cullen, Erik Reichborn-Kjennerud, MCDC Countering Hybrid Warfare Project: Understanding Hybrid Warfare (Multinational Capability Development Campaign, 2017), p. 8.
[23] Michael Barnett, Raymond Duvall, Power in International Politics (International Organisation, Vol. 59, No. 1, 2005: 39-75), p. 43.
[24] Ibid.
[25] Thomas Shelling, Arms and Influence (Yale University Press, 1966), p. 3.
[26] Robert J. Art, To What Ends Military Power? (International Security, Vol. 4, No. 4, 1980: 3–35), p. 9.
[27] Erica D. Borghard, Shawn W. Lonergan, The Logic of Coercion in Cyberspace (Security Studies, Vol. 26, No. 3, 2017: 452-481), p. 455-471.
[28] Robert Jervis, Signaling And Perception: Projecting Images And Drawing Inferences (How Statesmen Think: The Psychology of International Politics, Princeton University Press, 2017: 107-124), p. 118.
[29] Cyber Capabilities And National Power: A Net Assessment (International Institute for Strategic Studies, 2021), p. 3.
[30] Robert Bebber, Cyber power and cyber effectiveness: An analytic framework, p. 427.
[31] Tim Maurer, Here’s How Hostile States Are Hiding Behind “Independent” Hackers (The Washington Post, February 2018).
[32] Rod Thornton, Marina Miron, Deterring Russian cyber warfare: the practical, legal and ethical constraints faced by the United Kingdom (Journal of Cyber Policy, Vol. 4, No. 2, 2019: 257-274), p. 263.
[33] Michael N. Schmitt, The Law of Cyber Targeting (Naval War College Review, Vol. 68, No. 2, 2015: 16-34), p. 30-31.
[34] Joseph S. Nye, Normative Restraints on Cyber Conflict, p. 23.
Key words: Emerging Technologies; Cybersecurity
ET
F4/SOR – 24/08/16