The role of diffusion of cyber capabilities in changing the balance of power in global politics - Literature Review
Harriet Gaywood
An expert in PR, strategic communications, and crisis management with over 25 years of experience in China and APAC.
October 2021 (submitted as part of MA in International Affairs, King’s College London completed June 2022)
Overview
A review of the literature on the above-outlined topic begins with an assumption that there has been a change in the balance of power in global politics. From an international relations perspective, can cyber be considered a related factor or contributor to this change? In refining the body of literature for review, the history and evolution of cyber need to be considered to identify the point at which computing evolved to be recognized as both an opportunity and a threat to national prosperity, security and statecraft (IISS 2021: 2). The US military was researching computing in the 1960s and the specific issue of security in the 1970s (Bell & La Padula 1976). However, this literature review is primarily concerned with how the balances of power between states changed to affect global politics, and therefore the core period of focus is from the end of the Cold War (1989) through to the present day. This period has seen the rise of China after it connected to the internet in 1994 (Xinhua 2014); Russia’s adoption of cyber following the breakup of the former Soviet Union; and the development of cyber capabilities by former Soviet-bloc states such as Estonia and the Czech Republic, and by states that cannot afford to invest in traditional military capabilities yet possess nuclear capabilities and view cyber as a low-cost alternative, such as Iran, Tunisia and North Korea (Langner 2016: 207). Regarding the national significance of cyber to individual states, there has been a range of approaches to developing cyber strategies and a range of ways of classifying it. As cyber has grown as an issue of national and international interest, this has been paralleled by a growth of literature exploring the subject, in particular during the past decade (2011-2021). So while the cost of attacks may be low and attribution difficult, cyber attacks are becoming more targeted, more costly and more disruptive (Cavelty 2020: 5).
Although there is much literature from the US, the challenge of cyber is its global, borderless nature and, therefore, how it should be governed: under liberal democratic values or under realist state control such as in China. Reflecting the change in the role of cyber, Peng (2015: 477) argues that cybersecurity is not a “pure computer security issue….[but] a matter of national policy because the illicit use of cyberspace can hamper economic, public health, and national security issues.”
Whilst deaths specifically attributable to malicious use of cyber are few, there is increasing recognition of the potential damage. Langner (2015: 212) believes that chemical leaks as a result of cyber attacks were quite plausible scenarios and argues for increasing cyber resilience. This view is shared by Shafqat and Masood (2016: 129), who also argue that cyber attacks can cause “more physical and financial loss then physical terrorism.” So within this context, this review of the relevant literature will consider the types of sources; how cyber is defined; how states have developed national cyber strategies; cyber as a multilateral tool; and how IR theoretical paradigms have been variously applied.
Limitations of this Literature Review
Since the field of cyber is still relatively new, most literature has been written within the past twenty years, since 2000. This can be broadly classified as academic papers for journals written by academics at universities; reports by the government think-tanks of traditional powers such as the US to support the development of a political policy; and wider industry papers prepared for political alliances and multilateral alliances such as NATO, the EU or US intended for influencing governments on an international level. The academic literature regarding cyber is not only written by specialists in the field, but is also cross-disciplinary, ranging from security studies to war studies, social studies, technology, politics, and science, and including research that applies international relations or security studies theory.
Cavelty’s review (2020: 5) of work on cyber security politics holds that the majority of research can be categorized as post-positivist and highlights Buzan and Hansen’s IR framework from their “The Evolution of International Security Studies” (2009) as providing a structure. However, due to the fast emergence of the field, the current body of literature is not yet mature and much of the writing appears to be motivated to support national agendas amid concerns about rising new powers such as China, and accordingly this bias is present in the writing. There are also language limitations. This review primarily focuses on English language sources: all information about Russia is via English language sources, while some Chinese language sources have been included in an attempt to identify any differences of interpretation compared with Western sources. Considerations for published Chinese sources are that they include publication of policies and news from official government agencies. In addition, academic sources by Chinese institutions are generally drafted in support of government policies. Limitations of this review include the author’s lack of Russian language capabilities, which would provide greater insights into the political views of a traditional and continuing global power and the change in its power in a post-Cold War environment, as well as of other local languages of key states in multilateral organisations.
The importance of language as an influencing political tool is also noted by Shafqat and Masood (2016: 130), who state that the countries that they ranked highest in their cyber security rankings have published their cyber security strategies in English in addition to the native language as part of a move to influence the accepted international standards and governance.
Definitions of Cyber
As a new industry in which the context is continually changing, the creation of a shared vocabulary and standard definitions remains highly contested. Cavelty & Wenger (2020: 5) argue that “security” in cyber security may be understood in two ways – “as cyber security politics (the security political aspects of the issue) or as cyber security politics (the politics engaging with questions of cyber security more broadly).” Shafqat and Masood (2016: 131-132) also highlight that in their cyber strategies almost every country uses its own definition, and whilst most focus on the technical sphere, defining it as “a complete network of all virtual and physical ICT devices that can be the target of evil cyber actors”, some countries define it only as “Internet and pertinent ICT devices.” Meanwhile, Finland doesn’t use the term cyber space and instead refers to the “cyber domain”. Cyber security is recognized as a strategy for managing cyber threats within cyber space, but Austria and Finland limit the definition to the protection of digital information or critical infrastructure. The Czech Republic and Japan meanwhile offer no definition for the term cyber security in their strategies. However, in China, the Government recognized the importance of information, and therefore cyber definitions and policies recognized that Cyber Security, Information Security and Cyber Warfare should be recognized on the same level (Wang 2015).
Therefore, in the absence of shared definitions by states, non-state actors have also created their own interpretations. For example, Langner (2016: 206-7) defines cyber power as “a society’s organized capability to leverage digital technology for surveillance, exploitation, subversion, and coercion in international conflict.” Therefore the lack of agreed definitions may lead to an even greater lack of understanding.
National Strategies and Policies
Based on the development of technology and computing, in 1991, the US formulated the concept of Revolution in Military Affairs (RMA), which was “characterized by extensive use of ICT to provide management, control and intelligence, information wars, and the use of various types of non-lethal weapons” [Metz, Kievit 1995] in Tsakanyan (2017: 342). The US was also publishing cyber policies in the 1990s (IISS 2021), but it was generally after 2000 that most countries began to develop policies and not until after 2010 that national strategies started to appear (Shafqat & Masood 2016: 210). Recognition of cyber as a political tool can be seen in the US Department of Defense categorization of four types of cyber security threat, including those posed by external state and non-state actors including foreign governments and criminal groups (Tsakanyan 2017: 343).
In 2011, the Center for Strategic and International Studies conducted a mapping of 133 states to understand whether these countries had a military command or doctrine for cyber, or if they planned to acquire offensive cyber capabilities. Whilst useful, the sources are only open-source data and therefore the information about more secretive states may be limited. Shafqat & Masood (2016) conducted a more granular review of the cyber security strategies of twenty countries by reviewing the “legal, operational, technical and policy-related measures” and, in addition to a lack of common definitions, highlighted the way in which threats were characterised and the aims and description of cyber awareness.
In both Russia and China, policies and regulation are focused on the information capabilities of cyber. For example, in Russia, all regulation is part of the state policy of development of the national sector of information technologies with national cyber security including national security strategy teams and the Ministry of Defense.” (Tsakanyan 2017: 343-4). In 2014 in China, the government founded the “Central Cyber Security and Informatization Leading Group” and the policy of “No national security without cyber security” ordered by President Xi Jinping, demonstrating how cyber had become recognized by the top level of government (Wang 2015).
The most recent IISS Cyber Capabilities: A Net Assessment (2021) reviews fifteen states, considering the strategy and doctrine; governance; core cyber-intelligence capability; cyber empowerment and dependence; cyber security and resilience; global leadership in cyberspace affairs and offensive capability. The objective of this report was to “assist decision-making” when calculating strategic risks and deciding on investment.
Multilateral power structures
So while states remain in disagreement regarding definitions and approaches regarding cyber, Tsakanyan (2017) argues that this may be a reason why multilateral agreements such as UN resolutions have become favoured by many states even though some cyber-related resolutions may not be completely aligned with maintaining international stability and security. For example, the United States and its allies view cyber security as important for “combating the criminal misuse of information technology and global culture of cyber security.” Meanwhile, other organisations such as the Council of Europe Convention on Cybercrime and the UN Charter and existing principles of international law provide frameworks for the regulation of activities of states in the use of ICT for military-political purposes. Yet fundamental differences between states remain - in particular between advanced economies such as the US and Japan compared with the needs of Russia and its allies whose economies are in a less developed state.
Cyber intelligence is recognized as fundamental to cyber power. Like traditional forms of military capabilities, few states have the capabilities to have full global reach. Therefore states have either added cyber to their existing alliances or created new organisations. Examples include “Five Eyes intelligence allies (Australia, Canada, New Zealand, the UK and the US), which operate collectively; their two most cyber-capable partners, Israel and France” (IISS 2021: 6).
Cyber capabilities are not only about military capabilities. As noted in the 2021 IISS report, “states have realized the degree to which their economic prosperity, as well as their national security and geostrategic influence, is dependent on their management of cyber risks.” The Report also notes that states such as Russia and China would prefer the UN to support a model of governing the internet that allows greater state control, replacing the ‘multi-stakeholder’ model. This highlights the challenge of multi-lateral organisations that have been founded on democratic principles and realist values.
Chumtong and Stolte (2021: 98) argue that “contrary to Clausewitz’s dichotomy of war and peace, cyberattacks operate in a space between the two that remains a grey area in international law” and “low-threshold cyber operation” provide states with opportunities without the need to openly declare war, as well as a low risk of escalation or attribution.
Evolution of Theoretical Paradigms for Cyber
In 2006, Eriksson and Giacomello stated that IR was “struggling to apply its varied theoretical toolbox” to cyber security; this body of research has evolved with a mainly post-positivist research tradition (Cavelty & Wenger 2019: 6), who note “the state is not the only important actor in this space - rather, it is at the intersection between state and non-state actors, nationally and internationally, that the specificities of cyber security politics emerge.” At the same time, Freedman (in Kavanagh 2013: 4) argued against RMA theorists who stated that the wars between states would become contests of information and instead pointed to how political affairs would be conducted, saying that RMA “failed to respond to changing political conditions and adapt its wars” which were more asymmetrical, irregular and transnational in nature and more reflective of shifting power structures within states and across regions.” This period was when the political relevance of cyber began to be theorized. However, Gijsbers and Veenendaal (2011: 193) were skeptical about whether or not cyber war alone could achieve political objectives, arguing that it would be more effective as part of a larger military effort. In addition to affecting critical infrastructure, Stumberg (Chumtong & Stolte 2021: 102) adds the influencing of foreign states through disinformation. For example, although the US was dismissive of China’s “emergent cyber capabilities” and noted that the PLA was prioritizing an “information advantage” it also recognized China’s perspective and the potential challenge.” (2000: 74).
Conclusion
In reviewing the literature regarding cyber capabilities, the challenge of definitions and understanding of basic terms creates a fundamental question about how comparative reading may be possible. This review of the literature considers how cyber has created an additional domain in which all states are fighting to maintain their sovereignty, yet cyber capabilities offer opportunities to smaller states to increase their influence because they provide an effective tool of asymmetric warfare. As a domain that involves both state and non-state actors as potential adversaries, cyber has rapidly emerged as the arena for a new political power paradigm not only because it transcends national borders but because conversely cyberwarfare has the potential to affect advanced economies, those that were traditionally the dominant global powers, more than the rising new states.
As a relatively new domain, the challenge posed by much of the current literature is that the sources are mainly from Western powers and consequently, the literature demonstrates an inherent bias against the rise of new powers and shows a clear desire to promote democratic values. The current lack of English language academic literature from new powers such as China is exacerbating the imbalance of understanding. As cyber evolves, it is becoming a critical part of international relations, and theoretical analysis is demonstrating that the traditional understanding of power in terms of military and economic might no longer holds true.
Bibliography
Bell, D.E. & L.J. La Padula (1976) “Secure computer system: Unified exposition and multics interpretation” (March 1976) The Mitre Corporation.
Buzan, Barry & Lene Hansen (2009) The Evolution of International Security Studies. Cambridge University Press. https://doi.org/10.1017/CBO9780511817762
Cavelty, Myriam Dunn & Andreas Wenger (2020) “Cyber security meets security politics: Complex technology, fragmented politics, and networked science.” Contemporary Security Policy, 41: 1, 5-32, DOI: 10.1080/13523260.2019.1678855
Chumtong, Jason & Christina Stolte (2021) “Cyber capabilities as a new resource of power: Conflicts in the digital sphere.” International Reports: Global Power Shifts (pp. 95-105)
Craig, Anthony John Stuart (2020) “Capabilities and Conflict in the Cyber Domain An Empirical Study” PhD Dissertation submitted to School of Law and Politics, Cardiff University.
Geers, Kenneth (2020) “Alliance Power for Cybersecurity” Atlantic Council ISBN-13: 978-1-61977-097-3
Gijsbers, Koen and Matthijs Veenendaal (2011) “Protecting the National Interest in Cyberspace” Georgetown Journal of International Affairs, 2011. International Engagement on Cyber: Establishing International Norms and Improved Cybersecurity (2011) pp. 191-196
Hakala, Jann & Jazlyn Melnyhuk (2021) “Russia’s strategy in cyberspace” NATO Strategic Communications Centre of Excellence. June 2021. ISBN: 978-9934-564-90-1
IISS (2021) “Cyber Capabilities and National Power: A Net Assessment” The International Institute for Strategic Studies
Kavanagh, Camino & Daniel Stauffacher (2013) “The reach of soft power in responding to international cybersecurity challenges” ICT4Peace Foundation. Geneva 2013. Cyber Security Policy Process Brief
Kolton, Michael (2017) “Interpreting China’s pursuit of cyber sovereignty and its views on cyber deterrence” The Cyber Defense Review, Vol 2, No. 1 (Winter 2017): 119-154
Kozloski, Robert (2008) “The information domain as an element of national power” Strategic Insights. Center for Contemporary Conflict
Langner, Ralph (2016) “Cyber Power: An emerging factor in national and international security”, Horizons Journal of International Relations and Sustainable Development (Autumn 2016: 206-218)
Lewis, James A. & Katrina Timlin (2011) “Cybersecurity and cyberwarfare: Preliminary assessment of national doctrine and organization” Center for Strategic and International Studies. The United Nations Institute for Disarmament Research (UNIDIR)
Libicki, Martin C. (2013) “Brandishing cyberattack capabilities.” RAND National Defense Research Institute
MacNamara, Conor (2019) “Power in cyberspace: How states operate in the digital domain” PhD Dissertation Queen’s University Belfast
Medeiros, Breno Pauli & Luiz Rogerio Franco Goldoni (2020) “The fundamental conceptual trinity of cyberspace” Contexto Internacional Vol 42(1) Jan/Apr 2020
National Institute for Defense Studies, Japan (2021) “NIDS China Security Report 2021: China’s Military Strategy in the New Area”
Office of the Secretary of Defense (2020) “Military and security developments involving the People’s Republic of China 2020”. Annual Report to Congress (US).
Peng Shin-yi, (2015) “Cybersecurity Threats and the WTO National Security Exceptions” Journal of International Economic Law, 2015, 18, 449-478
Shafqat, Narmeen & Ashraf Masood (2016) “Comparative analysis of various national cyber security strategies” (IJCSIS) International Journal of Computer Sciences and Information Security, Vol 14, No. 1, January 2016
Spade, Jayson M. (2011) “China’s cyber power and America’s national security” USAWC Strategy Research Project
Tsakanyan, V.T. (2017) “Role of cybersecurity in world politics” Peoples’ Friendship University of Russia (RUDN University), Moscow, Russia DOI: 10.22363/231306602017172339348
Wang, Shiwei (2015) 论信息安全、网络安全、网络空间安全 “On Information Security, Network Security and Cyberspace Security” https://www.cnki.com.cn/Article/CJFDTOTAL-ZGTS201502006.htm
Xinhua (2014) “Reviewing China’s 20 years of the Internet” Cyberspace Administration of China April 20, 2014 https://www.cac.gov.cn/2014-04/20/c_126417746.htm