Analysing the Future of Cyber Conflicts Post Russia-Ukraine War
Enjoyed this post? Explore more in my E-book "Geopolitical Cyber Risk Analysis Handbook"! - predictivedefense.io
Introduction
Hello everyone,
In this blog post, we'll use the "Alternative Futures Analysis" technique to explore the future of cyber norms in light of events from 2022-2023. Our goal is to discuss the history and current state of international norms, analyse how the ongoing Russia-Ukraine war affects cyber norms, and evaluate the impact of each scenario on civilian sectors to aid strategic security planning.
What is a norm?
A "norm" in international relations refers to shared expectations among states about appropriate behavior. Some norms develop from longstanding practices, while others are solidified through international treaties, like the European Convention on Human Rights, which safeguards rights such as the prohibition against torture and the right to life.
Realist theory in international relations views state interactions as inherently anarchic and is skeptical about international norms. Conversely, liberal theory advocates that norms can be enforced through international organizations like the United Nations. This view has predominated globally, especially in the West since World War I.
History of cyber norms
Communication technologies have influenced international relations by offering both opportunities and security risks. Cyber norm discussions began with the United Nations' first working group in 2004 but have not yet concluded due to the states' inability to come to a consensus [1]. Currently, there is no international cyber norms treaty. However, it is widely accepted in the West that existing armed conflict laws, like the Geneva Conventions, also apply to cyber conflicts. For example, in theory, a cyberattack on a NATO ally could trigger a military response under NATO's Article 5. However, such responses have not been triggered yet because cyberattacks are usually seen as below the threshold of war. Adapting armed conflict criteria—like 'weapon,' 'border,' and 'force'—to cyberspace complicates the evaluation of cyber operations.
Various states have expressed their expectations for rules in cyberspace, like the US has done regarding intellectual property theft, election security, and critical infrastructure. These diplomatic efforts are essential parts of the push to establish cyber norms.
Obama Tells China President Hacking Must Stop [2]
Barack Obama ordered 'cyber bombs' for Russian network after hacking: report [3]
State of International Norms
With the global economic center shifting from the West to Asia, countries like China and Russia have started transforming their economic wealth into political influence. This shift has led to policies that challenge the US-led international system during the transition to a multipolar world. Meanwhile, global adherence to norms on issues like women’s rights and gun control has declined. [4] Challenges to norms in the battle for global hegemony have naturally impacted the still-developing cyber norms. While China has used cyber operations to steal intellectual property, Russia and Iran have repeatedly breached norms with destructive attacks on critical infrastructure and election interference.
We are at a turning point for cyber norms. In 2022, Russia significantly increased its use of destructive cyberattacks due to its war against Ukraine. Likely under sanctions, Russia now appears more willing to accept the political risks of cyberattacks. This critical period's events are crucial for the future of cyber conflicts. If the US and Western countries cannot impose effective sanctions against these norm-violating cyberattacks, it suggests that cyberattacks will become more frequent in the future. This would mean that critical infrastructure and civilian sectors are likely to face more frequent and severe cyberattacks.
In the next section, we will use the Alternative Futures Analysis technique to explore possible scenarios.
Alternative Futures Analysis
Alternative Futures Analysis is designed for strategic planning in uncertain and complex situations. It involves exploring how different factors (economic, technological, social, political, etc.) might interact in the future. For example, how might a technological innovation lead to social change, or how could an economic crisis impact political stability?
The scenario matrix is a central tool in this analysis, taking two main uncertain factors and creating four different scenarios based on their possible combinations. Each factor is considered at its extremes (e.g., high growth/low growth or high technology adoption/low technology adoption). These factors form the axes of the matrix, with each combination generating a different future scenario.
In our analysis, we will examine the following parameters:
Adherence to Norms: Reflects the presence of cyber norms and other states' adherence to these norms.
Sanction Deterrence: Represents the effectiveness of sanctions applied against cyberattacks, regardless of consensus on norms.
Let’s now explore our scenarios based on these combinations.
1 - Normative Zone
In this scenario, there is an international consensus on cyber norms. International collaborations detect deviations and apply effective sanctions, ensuring general compliance among states. States commit to limited use of cyber operations, reducing risks to critical infrastructure and civilian sectors. This stability decreases the private sector's sensitivity to geopolitical developments.
2 - Lawfare Zone
Here, a legal framework for cyber norms exists, but enforcing sanctions for deviations is challenging or the sanctions are not deterrent enough. States may occasionally deviate from norms even as they generally try to adhere to them. Cyber norms become legal tools that states use to gain advantages over each other (Lawfare), undermining their intended purpose. Civil sectors overall become more susceptible to cyber conflicts in this scenario.
3 - Cult of the Offensive
In this dangerous scenario, there are no agreed norms or effective sanctions. This creates a fertile ground for the "Cult of the offensive," [5] where states believe that the best defense is a good offense. Trust in defensive strategies is low, and initiating attacks is seen as crucial. The frequency of destructive cyberattacks increases, along with a wider variety of targets in civilian sectors, significantly heightening their geopolitical sensitivity.
4 - Agreed Competition
In this scenario, the legal framework for cyber norms is either absent or vague. However, states begin to apply effective individual sanctions against cyberattacks. Each state’s response to a cyberattack varies, creating unique "red lines" instead of a common norm. This dynamic dictates the basic logic of cyber conflicts; each state crafts its own policy. The impact on civilian sectors largely depends on their respective country’s policies and enforcement capabilities. States with robust deterrent policies and enforcement capabilities better protect their civilian sectors, but cyber conflicts are expected to be more common than in the first two scenarios due to the anarchic nature of this setting.
What should organizations do?
The developments we've discussed affect not only state institutions but also private sector companies significantly. In an environment where civilian sectors are increasingly targeted, supply chains, for instance, become much more fragile, inevitably impacting operational processes. While data privacy remains a primary concern in private sector’s cyber security planning, the developments indicate a world where risks to business continuity are more pronounced, and resilience becomes crucial. Thus, it is essential for private sectors to monitor these developments as closely as states do and prepare for possible scenarios.
Signposts of Change
The emergence of the scenarios discussed in the previous section may be indicated by the following likely developments in the future:
States effectively incorporate their own cyber engagement rules into their military and diplomatic frameworks.
The application of deterrent sanctions against cyberattacks becomes more widespread. (e.g., Albania cuts diplomatic ties with Iran over a cyberattack [6])
International collaborations in combating cybercrime strengthen.
The number of states adopting an active cyber defense [7] strategy increases, and various state institutions' powers are expanded.