2.1 Defining Information Sharing

Information sharing is a measure for interorganizational, intersectoral, and intergovernmental exchange of data that is deemed by sharers to be relevant to the resolution of a collective action problem (Skopik, Settanni, & Fiedler, Reference Skopik, Settanni and Fiedler2016). In the cyber peace context, it is the agreed upon exchange of an array of cybersecurity related information, such as vulnerabilities, risks, threats, and internal security issues (“tactical IS”), as well as best practices, standards, intelligence, incident response planning, and business continuity arrangements (“strategic IS”) (International Standards Organization, 2015). The primary aim of IS in all of these contexts is to reduce information symmetries regarding cyber vulnerabilities at two levels: between hostile cyber actors and their targets and between targeted organizations themselves, none of which has complete situational awareness of the threat environment on their own.Footnote ⁵

The 2016 Guide to Cyber Threat Information Sharing, published by the US National Institute of Standards and Technology (NIST), describes the advantages of IS measures for improving cybersecurityFootnote ⁶ as follows:

These advantages are gained through the resolution of several key issues which arise in defining the four modalities of IS for any given IS platform:

• The agreed rules for thresholds of shared threats and events – IS depends upon the prior agreement among participants as to the threshold events which will trigger the need to share information, especially for the real-time sharing of vulnerabilities and hostile cyber events requiring specific defensive actions such as patching vulnerabilities (ideally within an agreed on window of time). This threshold determination is both substantive and technical: It is set in accordance with legal and regulatory requirements of the given jurisdiction, whether domestic or international, and it is triggered by technical indicators based incident response protocols protecting the network.

• Regulatory issues – Substantive normative and regulatory frameworks constitute an ever-present backdrop for the technological modalities of IS and the determination of IS thresholds. The role of such frameworks in IS, especially the relationship between them and the agreed technical rules for information sharing is critical. They include the aforementioned rights protections (personal data privacy protections, corporate Internet protocol (IP) safeguards, and antitrust guarantees), general international law constraints on hostile cyber activities (Schmitt, Reference Schmitt2017), and bilateral and multilateral treaty provisions (Convention on Cybercrime, 2001). Treatment of these substantive issues are beyond the scope of the present chapter and are noted in the Conclusion for further research.

• The types of information shared – Each IS platform specifies the typologies of relevant information to be shared by participants, often in a Terms of Use document that is restricted to the participants – an internal code of conduct that may serve to build trust among sharing entities. Legal and regulatory constraints also determine types of information that may be shared, and the conditions for sharing, such as anonymization of protected personal data. One example is the Cybersecurity Information Sharing Act (2015), S. 754, 114th Cong. (2016), which defines in Section 104(c)(1) two types of shareable information that must be restricted to a “cybersecurity purpose”: “cyber threat indicators” and “defensive measures.” As discussed below, current developments are moving toward standardization of relevant threat indicators, IS automatization, and rapidity, toward a commoditization of cyber threat data within communities of trust.

• The sharing entities – Since effective IS platforms are based on communities of trusted sharers, the identity of the sharing entities should be explicit and transparent to all participants (Gill & Thompson, Reference Gill and Thompson2016; Lin, Hung, & Chen, Reference Lin, Hung and Chen2009; Özalp, Zheng, & Ren, Reference Özalp, Zheng and Ren2014). Moving from the local to the global, sharing of cybersecurity relevant data may take place among individuals (i.e., the MISP and Analyst1 platforms for cyber analysts); within a corporate sector (i.e., the Financial Sector Information and Sharing Analysis Center (FS-ISAC) and Israel’s Cyber and Finance Continuity Center (FC3)); between private sector entities and governmental agencies (as in the UK’s Cyber Security Information Sharing Partnership [CiSP] and the US’ CISCP example below); between one country’s governmental agencies (i.e., the US federal government’s Cyber Threat Intelligence Integration Center); between states, either bilaterally and multilaterally (i.e., the European Union’s CSIRT network as mandated in the Network and Information Systems Directive); and in the framework of international organizations (i.e., NATO’s Computer Incident Response Capability).Footnote ⁷

Moreover, if the definitional scope of IS broadens to include notifications of irregular activity in cyberspace, then sharers also include individual members of the public who may share reports of suspected cyber fraud and cybercrime with entities such as the FBI and national authorities within the EU, via dedicated websites such as the FBI’s Internet Crime Complaint Center and the national sites listed on the platform of Europol’s Cybercrime Center, “Report Cybercrime Online” (FBI, 2020; Europol, 2020).

The above sampling of sharing entities illustrates the criticality of a polycentric approach to the governance of cyberspace that includes a diversity of actors to address a collective problem. Beyond the modes of IS to bolster cybersecurity among governmental and private companies and organizations reviewed in this Part, current trends in the development of IS include intrasectoral sharing of cyber threat data, integration of artificial intelligence capabilities to improve IS, participation of expert individuals in IS platforms, and the inclusion of the wider public for the purpose of reporting suspicious activity that may constitute a cybercrime, or an indication of a new cyber threat on financial and consumer platforms.

We exclude from the present discussion IS between civilian entities and military or other covert state operators, due to the lack of transparency of most such arrangements (Robinson & Disley, Reference Robinson and Disley2010, p. 9). While there are some examples of military actors sharing cyber threat data publicly, as in the US Cyber Command’s utilization of the VirusTotal platform in September 2019 to share malware samples associated with the North Korean Lazarus Group, such sharing is neither consistent nor transparent, and thus difficult to analyze conclusively (Vavra, Reference Vavra2019). Should such a trend emerge toward IS by military and intelligence stakeholders with the public, in order to help strengthen common cybersecurity postures, it will be an interesting development that would further support the argument in favor of the polycentricity of IS.

In concluding this initial definitional and conceptual discussion of IS, we note that IS must develop in concert with the changing cyber threat landscape in order to retain its relevance and credibility for participants. These developments dovetail with the approach that cyber peace is a dynamic situation, not a static one, and that it also will take into account changing aspects of cyberspace activities.

In the following two sections, we briefly examine two examples of governmental and private sector exchange of cyber information, each incorporating a different model of IS. The first example, the US’ CISCP, constitutes a national platform with both governmental and private sector sharers. The second example, the FS-ISAC, is global in scopeFootnote ⁸; yet, it has been established by private organizations in the financial sector as a not-for-profit entity. Additional platforms, and some of their characteristics, are noted following these two, as well as a brief summary of commonalities and differences.

2.2 The DHS Cyber Information Sharing and Collaboration Program

The US Department of Homeland Security and Department of Justice provides a dedicated platform for IS between governmental and private sector organizations, the CISCP. Originally established as a platform for the benefit of critical infrastructure operators pursuant to Presidential Decision Directive-63 of May 1998 (as updated in 2003 by Homeland Security Presidential Decision Directive 7), the CISCP is a generic, voluntary, free-of-charge IS platform, open to public and private sector organizations. By incorporating operators of critical infrastructures and other private and governmental organizations into one platform, CISCP aims “to build cybersecurity resiliency and to harden the defenses of the United States and its strategic partners” (CISCP, www.cisa.gov/ciscp). Thus, it is an explicitly domestic IS platform, operating under US legal and regulatory constraints. Prospective participants sign an agreement establishing the modalities of the exchange of anonymized cybersecurity information, thus ensuring protection from legal liability that may ensue from the sharing of protected information such as personal data, information subject to sunshine laws, and some proprietary data. The platform is described as follows:

Upon completion of an onboarding training session, participating organizations are provided with of two types of CISCP data, reflecting the abovementioned distinction between strategic and tactical IS. The first is ongoing cyber threat information that is made available to participants through indicator bulletins, analysis reports, and malware reports. Two examples are the Weekly Bulletin, summarizing new vulnerabilities according to NIST’s National Vulnerability Database classification system (U.S. Department of Homeland Security, 2020) and Joint Alerts, such as that issued in early April 2020 on the exploitation of COVID-19 by malicious cyber actors (Cybersecurity and Infrastructure Agency, 2020b).

The second type of IS provided by CISCP is real-time information about emerging hostile cyber events, characterized by actionable data such as technical indicators of compromise and measures to be taken for resolving them (software updates and patches, file hashes, and forensic timelines). One example is the January 2020 alert regarding serious vulnerabilities in Microsoft Windows operating systems, designated CVE 2020-0601 (also, less officially, “Curveball” and “Chain of Fools”) (Wisniewski, Reference Wisniewski2020). The alert warned of a spoofing vulnerability in the way that Windows validates a certain type of encrypted certificate. A hostile actor could exploit this vulnerability through a man-in-the-middle attack, or by using a phishing website (such as an individual user’s bank website) to obtain sensitive financial data or to install malware on a targeted system.

The CISCP shared two types of tactical cybersecurity information with platform participants: A Microsoft Security Advisory addressing the vulnerability by ensuring that the relevant encrypted certificates were completely validated and a National Security Agency advisory providing detection measures for targeted organizations (Cybersecurity and Infrastructure Agency, 2020a). As a result, the Windows vulnerability was quickly identified and addressed by targeted actors. Analysts have noted that IS was especially effective in this incident, resolving a “dangerous zero-day vulnerability” because of the proactive disclosure made by the NSA to Microsoft, and then allowing the vulnerability and patch to be rapidly and simultaneously shared at “machine speed” through the CISCP’s automated indicator sharing capability (Wisniewski, Reference Wisniewski2020). The CVE 2020-0601 event thus exemplifies the importance of leveraging IS among a diversity of sharers – here, governmental and private sector actors – in a transparent manner (Schneier, Reference Schneier2020).

2.3 Financial Services Information and Analysis Center (FS-ISAC)

The second IS platform for analysis is FS-ISAC. Like CISCP, it was established pursuant to Presidential Decision Directive-63; yet, the scope of its activity differs from the CISCP in three important respects: It is restricted to the regulated financial sector; it is explicitly global in its membership and scope; and it requires a fee for participation. Thus, it provides a different model for IS from that of the CISCP and focuses on the sector-specific threat vectors and risks of the vulnerable and frequently targeted global financial sector (World Economic Forum, 2019).

FS-ISAC is the leading global IS platform for this sector, which includes 7,000 members in over 70 jurisdictions. It is constituted as a nonprofit organization with headquarters located in the USA and regional hubs in the UK and Singapore. Member institutions are regulated private-sector financial entities (with some exceptions) and include banks, brokerage and securities firms, credit unions, insurance companies, investment firms, payment processors, and financial trade associations. A separate subplatform was established in July 2018 under the auspices of FS-ISAC for governmental and regulatory entities (Cision, 2018): This CERES platform (CEntral banks, REgulators and Supervisory entities) utilizes separate Operating Rules (www.fsisac.com/fsisac-ceres-operating-rules) and Subscriber Agreements (www.fsisac.com/ceres-forum-subscriber-agreement) for its members.

The FS-ISAC platform focuses on intrasectoral IS: The sharing of government sourced information is independently vetted by the platform’s Analysis Team as it is shared via the DHS’ National Cybersecurity and Communications Integration Center, which provides US federal government cyber advisories. The primary objective is to share “relevant and actionable” information among sectoral participants on an ongoing basis “to ensure the continued public confidence in global financial services” (FS-IAC, www.fsisac.com/). The motivation for members to utilize the FS-ISAC platform includes “[its] access to … best-available information, … trusted consultation with other experts in interpreting the information, the classified working environment” (He, Devine, & Zhuang, Reference He, Devine and Zhuang2018, p. 217), and the opportunity to access all of this on a single, sector-specific dedicated platform. Shared data include sector-specific threat alerts and indicators, intelligence briefings, tabletop exercises, and mitigation strategies. Participants are eligible to participate in seven separate levels of IS, in accordance with graded membership fee levels, which can amount to tens of thousands of dollars annually (Weiss, Reference Weiss2015, pp. 9–10). To increase its global reach and promote cybersecurity within the financial sector, FS-ISAC also provides a no cost, unidirectional crisis alert service for financial institutions which do not opt for paid membership. The FS-ISAC Operating Rules, Subscriber Terms and Conditions, and End User License Agreement are all available to the public on its website, but those organizations accepted for membership are required to sign an additional, and transparent Subscriber Agreement that is forwarded only following an internal authentication process.

The platform itself is operated by a private sector service provider and overseen by a member constituted board. Information may be attributed or shared anonymously by encrypted web-based connections, and alerts are distributed by the FS-ISAC Analysis Team in accordance with one of the five service levels to which the member has subscribed. Members are notified of urgent and crisis situations via the type of communication they designate (electronic paging, email, Crisis Conference call), and are required by the Subscriber Agreement to access the FS-ISAC portal to retrieve relevant information. Due to the highly regulated nature of the financial sector and the high confidentiality of the information it processes, members are explicitly permitted to submit information anonymously. In addition, all data that have not been specifically designated as attributable to the sharer is subject to a two-step process to scrub all references to the submitting company, one automated via process of keyword search and the second a review by the Analysis Team. Incoming information collected by FS-ISAC from members is shared with government and law enforcement agencies only with consent of the sharing member. Concerns around sharing of sector-specific information are governed by an explicit ban on the exchange of commercial information by antitrust and competition provisions in the Rules and the Subscriber Agreement, and by the applicability of all relevant laws and regulations in member countries (FS-ISAC Operating Rules, art. 9). Likewise, members are bound by a confidentiality agreement and requirements with respect to any sharing of protected personal data (FS-ISAC Operating Rules, arts. 11 & 12).

FS-ISAC maintains an all sector, global cybersecurity alert level, the Financial Services Sector Cyber Threat Advisory, and uses the standardized Traffic Light Protocol (TLP) that is also employed by CISCP, as further described below. Recent research shows that FS-ISAC’s use of automated peer-to-peer alerts has decreased the time for generation of cybersecurity compromise indicators by IS participants “from nearly six hours to one minute” (Wendt, Reference Wendt2019a, p. 109), and that “… the automated receipt, enrichment, and triage of [indicators] by the financial institutions were reduced from an average of four hours to three minutes. In total, the automation reduced the average time to produce an IOC, disseminate an IOC, and initiate a response from approximately 10 hours to 4 minutes” (Wendt, Reference Wendt2019b, p. 27).

At present, financial sector entities “actively participate” in peer-to-peer platforms such as FS-ISAC (Wendt, Reference Wendt2019a, p. 115), leveraging automated IS to boost organizational and sectoral cybersecurity. Yet, FS-ISAC and similar sectoral ISACs have come under criticism for the less than optimal participation of members in the platform. Reasons include the platform’s reliance on voluntary sharing by members – and thus, the ease with which an institution can act as a “free rider”; the potentially negative impact of sharing of vulnerabilities and risks on commercial reputation and profitability within the sector; and concerns of substantive legal exposures with respect to protected personal data, corporate IP, and antitrust concerns (Liu, Zafar, & Au, Reference Liu, Zafar and Au2014, p. 1). The perception of vulnerability given by participation in an IS platform may be an additional factor (Wagner et al., Reference Wagner, Mahbub, Palomar and Abdallah2019, at 2.6). Thus, on the one hand, the use of FS-ISAC as a platform for sharing among financial sector participants may be readily adopted, especially given the cost-free option made available for receiving urgent governmental alerts. One the other hand, the incentivization of IS on the part of private sector members is much more challenging. We address this concern in Section 4.

2.4 Operationalizing IS as a Standardized Best Practice for Cybersecurity

Information sharing on cyber threats and vulnerabilities of all types that passes through the CISCP, FS-ISAC, and other IS platforms requires technological measures to safeguard IS at three levels: (1) The rapid provision of data by the sharing organization; (2) its confidential transmission; and (3) its timely processing, distribution, and storage on the IS platform. As we have seen in the above examples, IS platforms leverage standardized, automated formats that enable rapid dissemination and reception of cyber threat indicators (CISA Incident Reporting System, www.us-cert.gov/forms/report; US-CERT DHS Cyber Threat Indicator and Defensive Measure Submission System, www.us-cert.gov/forms/share-indicators). Well-known examples are the STIX and TAXII indicator formatsFootnote ⁹ that also enable automated information sharing (AIS), Automated Indicator Sharing (AIS), www.us-cert.gov/ais, and the standard TLP, which classifies the security levels of the shared data using four colors in order to indicate the rules for sharing perimeters (see Figure 3.1).Footnote ¹⁰

Figure 3.1 Traffic Light Protocol (TLP) definitions and usage, CISA [no date].

There are many examples of national and transnational IS platforms utilizing similar, standardized systems for threat indicator transmission, including NATO (Oudkerk & Wrona, Reference Oudkerk, Wrona, Luiijf and Hartel2013); the EU’s CSIRT network established under the EU NIS Directive (Directive 2016/1148)Footnote ¹¹; the Cyber Threat Alliance (Fortinet, 2017); Israel’s “Showcase” (Chalon Raávah) (Israel Cyber Directorate, 2019) and its FC3 (Housen-Couriel, Reference Housen-Couriel2018; Housen-Couriel, Reference Housen-Couriel2019; Ministry of Finance and the Cyber Directorate, 2017); the CiSP of the UK National Cyber Security Center (National Cyber Security Centre, n.d.); and the “Informationspool” platform supported by Germany’s Department for Information Sharing (Bundesamt für Sicherheit in der Informationstechnik, BSI) through its “cyber alliance” (Allianz für Cyber-Sicherheit) (Alliance for Cyber Security, n.d.).

In addition to these IS platforms that foster IS among governmental, corporate, and some other institutional actors for a broad range of cyber threats and risks, several specialized IS platforms focus on a narrower risk typology that pinpoints cybercrime and terrorist activity on the Internet. Examples include INTERPOL’s Cybercrime and Cyber-terrorism Fusion Centres (INTERPOL, n.d.); EUROPOL’s European Cybercrime Centre (which has been effective in botnet takedown and in the protection of children online) (Europol, n.d.); and the Hash Sharing Consortium established in the framework of the Global Internet Forum to Counter Terrorism (GIFCT) founded in 2016 by Facebook, Google, YouTube, and Twitter to share information on extremist and terrorist content online and containing more than 200,000 such hashes (Global Internet Forum to Counter Terrorism, n.d.).

These and other such IS platforms reflect organizational and regional differences in the modes of gathering and processing cyber threat indicators and other operational data. Yet, they all rely on standardized and vetted processes that promote trust among sharing entities (International Standards Organization, 2015). The developing technical protocols and the informal codes of conduct around their use constitute an important aspect of IS as a best practice for cybersecurity, and contribute to incentivizing it for use by a plurality of sharers.

4.1 Information Sharing as a Best Practice in Support of Cyber Peace

The definition of cyber peace cited at the beginning of this chapter identifies four of its aspects: clarification of “rules of the road” for setting actors’ expectations and thresholds for IS; threat reduction; risk assessment; and best practices for carrying out these three tasks – all of which are supported by IS. Participants in any given IS platform agree ex ante to the thresholds of nonpermissible online behavior of hostile actors, by virtue of the triggers indicating precisely when relevant information should be shared by them and is shared with them. Typical informational asymmetries that have characterized cyber hostilities to the advantage of the attacker are addressed by the sharing of data, such as by those alerts referred to in the above examples of CISCP and FS-ISAC. Risk assessment is carried out, inter alia, on the basis of indicators, data, and situational evaluations received through IS.

Two additional attributes of IS that support sustainable and scalable cyber peace should be noted. First, its neutrality with respect to the typology of both attackers and targets. Whether the attacker is an individual, a country, a group of criminal hackers, an inside operator, or an autonomous or semiautonomous computer – the IS alert thresholds are similar.Footnote ¹⁴ Likewise, alerts, vulnerabilities, and warnings are target neutral, and are similarly applicable in the context of state-to-state hostilities, cybercrime, terrorist activity, hacktivism, and money laundering. The second attribute is the convenient scalability of IS, as sharing technologies and protocols currently undergo standardization, automatization, and commoditization.

Work is still needed to quantify the specific advantages that IS brings as a best practice in boosting levels of cybersecurity, especially in terms of its cost effectiveness as part of the overall cybersecurity strategy of organizations and states. This much needed analysis will contribute to a better understanding of the economic aspects of sustainable cyber peace, as well.

4.2 Beyond Best Practice: The Value of Information Sharing as a CBM

Building on this understanding of IS as a best practice, it is argued here that IS further supports sustainable cyber peace as a CBM at the international level, among the states, international organizations, and multinational companies that are critical to ensuring global cybersecurity. The framing of IS as a CBM, rather than as a binding, substantive norm to which these entities are subject as a matter of law or policy, is beneficial to the utilization of IS platforms at the international level (Borghard & Lonergan, Reference Borghard and Lonergan2018). By sidestepping substantive multilateral commitments, IS can be more readily utilized to support cybersecurity and cyber peace. Examples where this has occurred include the UN’s 2015 GGE (United Nations General Assembly, 2015), the OSCE’s 2016 listing of cybersecurity CBMs (Organization for Security and Co-Operation in Europe, 2016), and the 2018 Paris Call for Trust and Security in Cyberspace (Principle 9).

CBMs were originally used in the context of the Cold War to further disarmament processes in the context of the diplomatic and political standoff between the USSR and the West. Nonmilitary CBMs have been defined more generally as “actions or processes undertaken … with the aim of increasing transparency and the level of trust” between parties (Organization for Security and Co-operation in Europe, 2013). They are “one of the key measures in the international community’s toolbox aiming at preventing or reducing the risk of a conflict by eliminating the causes of mistrust, misunderstanding and miscalculation” (Pawlak, Reference Pawlak, Osula and Rõigas2016, p. 133). CBMs are also critical in the global cybersecurity context and have been described as a “key tool in the cyber peacebuilder’s toolkit” (Nicholas, Reference Nicholas2017).

In a 2017 in-depth study of eighty-four multilateral and bilateral initiatives addressing the collective action challenges of cybersecurity, including treaties, codes of conduct, agreements, memoranda and public declarations, IS was found to be included as an agreed cybersecurity measure in more than 25 percent of such initiatives (twenty-one out of the total eighty-four) (Housen-Couriel, Reference Housen-Couriel2017, pp. 51–52). Moreover, the analysis was able to isolate several specific elements of IS, discussed above, that were individually included in this top quarter: IS measures in generalFootnote ¹⁵; establishment of a specific national or organizational point of contact for information exchange; and sharing of threat indicators (Housen-Couriel, Reference Housen-Couriel2017, pp. 51–52).Footnote ¹⁶ These elements were three out of a list of a dozen CBMs that occur with sufficient frequency to be included in a “convergence of concept” with which diverse stakeholders – states, regional organizations, intergovernmental organizations, specialized UN agencies, standards organizations, private corporations, sectoral organizations, and NGOs – have incorporated into cybersecurity initiatives.Footnote ¹⁷ The study concluded that, while such cyberspace stakeholders are frequently willing to incorporate general arrangements for IS (it is in fact the leading agreed-upon cyber CBM in the initiatives that were studied), and even to specify a national or organizational point of contact, they are less willing to commit to a 24/7, real-time exchange of cybersecurity related information (Housen-Couriel, Reference Housen-Couriel2017, p. 67). This finding indicates a gap that should be considered in the context of further leveraging IS in the context of cyber peace.

Nonetheless, as noted above, IS as a CBM holds the advantage of bypassing the present, considerable challenges of achieving formal and substantive multistakeholder agreement on substantive cyber norms, until such time as such binding norms are legally and geopolitically practicable (Efroni & Shany, Reference Efroni and Shany2018; Finnemore & Hollis, Reference Finnemore and Hollis2016; Macak, Reference Macak2017). A few examples of binding domestic law and international regulatory requirements for organizational participation in IS platforms do exist, such as the pan-EU regime established under the EU NIS (Directive 2016/1148), the Estonian Cybersecurity Act of 2016, and the US Department of Defense disclosure obligations for contractors when their networks have been breached. However, there are many more based on voluntary participation, such as the CISCP and FS-ISAC reviewed above, Israel’s FC3, and the global CERT and CSIRT networks of 24/7 platforms for cyber threat monitoring, including the EU network of more than 414 such platforms (European Union Network and Information Security Agency, 2018).

For the purposes of its analysis in this chapter, IS constitutes as a nonbinding CBM that also constitutes a best practice for bolstering cybersecurity and cyber peace, yet does not require a binding legal basis for its implementation. The critical issue of the use of regulatory measures, both binding and voluntary, to promote IS for optimal cybersecurity and cyber peace is, as noted above, an issue for further research.

4.3 Leveraging Polycentricity for Effective IS

In this section, we briefly address the advantages of a polycentric approach for effective IS. Polycentricity is an approach and framework for ordering the actions of a multiplicity and diversity of actors around a collective action problem.Footnote ¹⁸ Several scholars in the field of cybersecurity describe and analyze regulatory activity in cyberspace specifically in accordance with such an approach (Craig & Shackelford, Reference Craig and Shackelford2015; Kikuchi & Okubo, Reference Kikuchi and Okubo2020; Shackelford, Reference Shackelford2014, pp. 88–108). Polycentricity explicitly recognizes a multiplicity of sources of regulatory authority and behavioral organization for cyber activities, including nation-state actors, private sector organizations, third sector entities, and even individuals, and it acknowledges the value of employing a diversity of measures to address the collective action problem (Elkin-Koren, Reference Elkin-Koren1998; Shackelford, Reference Shackelford2014; Thiel et al., Reference Thiel, Garrick and Blomquist2019).

A polycentric approach is theoretically and conceptually most appropriate for supporting IS in particular and cybersecurity overall due, inter alia, to its inherent stakeholder inclusiveness, flexibility with regard to types of regulatory measures, and transparency with respect to potential violations of substantive privacy rights, IP protections, and antitrust provisions (Shackelford, Reference Shackelford2014, p. 107). Moreover, in the context of IS, a polycentric approach maximizes the potential for remedying informational asymmetries among a diversity of vetted sharers, bringing to bear a variety of perspectives and capabilities (Kikuchi & Okubu, Reference Kikuchi and Okubo2020, pp. 392–393; Shackelford, Reference Shackelford2013, pp. 1351–1352).Footnote ¹⁹ Such an approach explicitly acknowledges the complex interdependencies of all actors in cyberspace (Shackelford, Reference Shackelford2014, pp. 99–100). Thus, a polycentric approach will optimally include on an IS platform the broadest possible range of sharers: Government regulators and agencies themselves; sectoral actors that may share information informally, as they are targeted simultaneously by malicious cyber actors; umbrella groups formed within the sector for formal and informal IS; technical experts, academic and consulting actors, providing external assessments of IS models and their effectiveness; and individuals who may share information through governmental, sectoral, or organizational channels, or through informal channels such as social media – when they experience compromised cybersecurity through their personal Internet use.

The two examples reviewed above are relatively non polycentric at present: CISCP is a public–private sector partnership that includes government agencies and companies in its membership, and FS-ISAC restricts participation even further, to private sector members only (central banks, sector regulators, and other government agencies must join the separate CERES platform). The challenges for building trust on these two platforms are significant and may continue to constitute barriers for inclusion of a broader, more diverse membership. In the context of the financial sector, especially, a more polycentric participation in IS may be encumbered at present by legal and regulatory constraints. Nevertheless, financial institutions already recognize the important potential of gathering data on unusual, detrimental activity in their networks via reporting by customers and suppliers – that is, individual users who access parts of the network regularly and often, and who can serve as sensors for fraudulent and hostile cyber activity such as phishing (Cyber Security Intelligence, 2017). Individual user endpoints and accounts may be among the most vulnerable points of entry into an institution’s network, but they also constitute a key element for cybersecurity data gathering at the perimeter of financial institutions that, we contend, should be leveraged within IS platforms as an additional means of mitigating the informational asymmetry between the hostile actor and the targeted organization. Thus, the provision of fraud prevention alert mechanisms on the websites of banks and some other private companies, by means of which customers may provide information about phishing schemes, irregular activity in their accounts, and other suspicious activity, might be incorporated into sectoral IS platforms.Footnote ²⁰ This growing understanding on the part of financial organizations, social media platforms, and consumer websites that much valuable information with respect to cyber risks may be garnered from individuals (including customers, employees, and suppliers) requires creative thinking around the incentivization of such IS, as well as the protection of individual privacy rights as cyber risk indicators are shared.Footnote ²¹

In summary, IS is likely be most effective as best practice at the domestic level and as a CBM at the international level – when it is governed by a polycentric approach for the most efficient pooling of resources, knowledge, and experience to mitigate, counter, and respond effectively to cyber threats and events.

5.1 Research Design

Demonstrating that cyber operations can serve as crisis off-ramps and represent a common strategic choice to respond proportionally during crisis interactions can be a difficult proposition. The goal is to find evidence, under a controlled setting, when a state will have to make a choice between an option that might cause significant damage, an option that will cause little or no harm, the option of doing nothing, and the ability to wage a cyber operation against the opposition.

We propose two methods to investigate our propositions, a theory-guided case study investigation and a survey experiment using crisis simulations and wargames. Once the plausibility of our propositions is determined, we can follow-up our examinations with further support and evidence through follow on experiments. This is not a simple process and we only begin our undertaking here.

The case study presented here represents a theory-guided investigation according to Levy’s (Reference Levy2008) typology. These case studies are “structured by a well-developed conceptual framework that focuses attention on some theoretically specified aspects of reality and neglects others” (Levy, Reference Levy2008, p. 4). In these cases, we cannot rule out other theoretical propositions for the cause of de-escalation, but can demonstrate the process of how cyber activities provide for off-ramps on the road to conflict.

Such case studies can also serve as plausibility probes. According to Eckstein (Reference Eckstein, Greenstein and Polsby1975, p. 108), plausibility probes “involve attempts to determine whether potential validity may reasonably be considered great enough to warrant the pains and costs of testing.” We can only pinpoint the impact of a cyber operation as a choice and examine the outcome – de-escalation during a case study investigation.

Case studies are useful, but do not provide controlled situations where there are clear options and trade-offs for leadership. It might be that a cyber option was decided before the crisis was triggered, or that a cyber option in retaliation was never presented to the leader. Here, we will use a short case study to tell the story of how a cyber operation was chosen and why it represented a limited strike meant to de-escalate a conflict, but will pair this analysis with an escalation simulation.

Deeper investigations through proper controlled settings can be done through experimental studies. In this case, experimental wargames where a group of actors playing a role must make choices when presented with various options. Our other option is survey experiments to demonstrate the wider generalizability of our findings, but such undertakings are costly and time intensive.

Experiments are increasingly used in political science to evaluate decision making in terms of attitudes and preferences (Hyde, Reference Hyde2015; Sniderman, Reference Sniderman2018). While there are challenges associated with external validity and ensuring that the participants reflect the elites under investigation, experiments offer a rigorous means of evaluating foreign policy decision making (Renshon, Reference Renshon2015; Dunning, Reference Dunning2016). For the experiment below, we employ a basic 2 × 2 factoral design.

5.2 Wargames as Experiments

To date, research on cyber operations have focused either on crucial case studies (Lindsay, Reference Lindsay2013; Slayton, Reference Slayton2017), historical overviews (Healey & Grindal, Reference Healey and Grindal2013; Kaplan, Reference Kaplan2016), and quantitative analysis (Valeriano & Maness, Reference Valeriano and Maness2014; Kostyuk & Zhukov, Reference Kostyuk and Zhukov2019; Kreps & Schneider, Reference Kreps and Schneider2019). Recently, researchers have expanded these techniques to include wargames and simulations analyzed as experiments.

There is a burgeoning literature on the utility of wargames and simulations for academic research. Core perspectives generally define the purpose and utility of wargames, failing to include the wider social science implications of new methodologies defaulting toward the perspective that war-gaming is an art (Perla, Reference Perla1990; Van Creveld, Reference Van Creveld2013). More recently, there has been an increasing amount of research offering a social science perspective on war-gaming as a research methodology (Schneider, Reference Schneider2017; Pauly, Reference Pauly2018; Jensen and Valeriano, Reference Jensen and Valeriano2019a, Reference Jensen and Valeriano2019b). The perspective that wargames can add to our knowledge about crisis bargaining under novel technological settings is one we follow herein (Reddie et al., Reference Reddie, Goldblum, Lakkaraju, Reinhardt, Nacht and Epifanovskaya2018; Lin-Greenberg et al., Reference Lin-Greenberg, Pauly and Schneider2020).

To evaluate the utility of cyber operations in a crisis, the researchers used a conjoint experiment linked to a tabletop exercise recreating national security decision making. Small teams were given packets that resembled briefing materials from US National Security Council (NSC) level deliberations based on guidance from NSC staffers from multiple prior administrations. The packets outlined an emerging crisis between two nucleararmed states: Green and Purple. The graphics and descriptions tried to obscure the crisis from current states, such as China and the United States. The respondents were asked to nominate a response to the crisis, selecting from a range of choices capturing different response options using diplomatic, information, military, and economic instruments of power. Each instrument of power had a scalable threshold of options, from de-escalatory to escalatory. This range acted as a forced Likert scale. Figure 4.1 shows a sample page from the respondent packets outlining the road to crisis and balance of military capabilities.

Figure 4.1 Diagram from Wargame Simulation.

The packets were distributed to a diverse, international sample of 400 respondents in live session interactions. In the terms of the types of respondents who participated, 213 were students in advanced IR/political science classes, indicative of individuals likely to pursue a career in foreign policy, 100 were members of the military with the most common rank being major (midcareer), 40 were members of a government involved with foreign policy decision-making positions, 19 were involved with major international businesses, and 13 opted not to disclose their occupation, while 15 left it blank. Of these respondents there were 267 male respondents, 110 female respondents, and 4 who preferred not to say, while 19 opted to leave it blank.Footnote ³ With respect to citizenship, 295 respondents were US citizens, 87 were non-US citizens, and 4 preferred not to say, while 14 left their response blank.Footnote ⁴

These participants were randomly assigned to one of four treatment groups:

• Scenario 1. A state with cyber response options (cyber resp) that thinks the crisis involves rival state cyber effects (cyber trig);

• Scenario 2. A state with no cyber response options (no cyber resp) that thinks the crisis involves rival state cyber effects (cyber trig);

• Scenario 3. A state with cyber response options (cyber resp) that thinks the crisis does not involve rival state cyber effects (no cyber trig); and

• Scenario 4. A state with no cyber response options (no cyber resp) that thinks the crisis does not involve rival state cyber effects.

These treatments allowed the researchers to isolate cyber response options and assumptions about the role of rival state cyber effects in the crisis. These treatment groups are listed in Table 4.1.

To measure escalation effects associated with cyber capabilities (H1), the survey experiment examined participant response preferences using the respondent initial preference (RESP) variable. This variable asked the survey respondents to indicate their initial reaction and preferred response to the crisis as de-escalate (1), adopt a proportional response (2), escalate (3), or unknown at this time (4). Coding along these lines allowed the researchers to factor in uncertainty and capture if there were any differences between what the survey respondents wanted to do initially, and what they selected to do after reviewing approved response options across multiple instruments of power. Furthermore, as a 2 × 2 experiment focused on attitudes and preferences, the RESP variable helped the team determine if the four different treatments altered the decision to escalate as a cognitive process, and how each participate viewed their options given limited information in a rivalry context. The results are shown in the contingency table (Table 4.2 and Figure 4.2).

Figure 4.2 Response preferences from wargame simulation.

Escalation was generally low with only twenty respondents preferring escalation. When they did opt to escalate, neither the presence of cyber response options nor the adversary use of cyber seemed to affect their response preference. Alternatively, when states had cyber response options and there were no signs of rival state cyber effects, participants opted to de-escalate (57) more than expected (47.5). The results were inverse when states were in a crisis that lacked cyber options and adversary cyber effects (treatment 4). Here there were less observed preferences to de-escalate (28) than expected (42.5) and more instances of proportional responses (67) than expected (49.8). The results also lend themselves to categorical variable tests for association using the phi coefficient (Sheskin, Reference Sheskin2020). The phi coefficient is 0 when there is no association and 1 when there is perfect association. The value is .286 indicating a weak but significant relationship between the treatment group and escalation preferences consistent with the hypothesis. Cyber options were not associated with escalation and were, in fact, linked to preferences for de-escalation.

A second measure of escalation allows the team to differentiate between the RESP and the overall degree of potential escalation based on the instruments of power selected. This measure is less effective since it does not capture the attitude and preference as a cognitive process in line with best practices in experiments, but does allow the researchers to further triangulate their findings. The researchers created a variable odds of escalation (OES) and average odds of escalation (OESAAVG). OES is a summation and adds the escalation scores from across the actual response options selected. OESAAVG is a binary variable coded 1 if the OES score is over the average and 0 if it is under the average (Table 4.3). OESAAVG allows the researchers to look across the treatments and see if there are differences when cyber response options are present and absent.

The results cast further doubt on cyber operations as being escalatory. Both treatments 1 and 3 had less combined instruments of power above the average coercive potential (29, 30) than expected (37, 37). Of particular interest, when states had cyber response options and escalated, the magnitude tended to be less with treatment 1 seeing 29 instances of above average coercive potential versus 37 expected (−1.3 standardized residual) and treatment 3 seeing 30 instances versus 37 expected (−1.2 standardized residuals). These contrast with treatment 2 where there is a cyber trigger and no cyber response options available. Here there were 48 instances of above average coercive potential versus 37 expected (1.8 standardized residual). Cyber appears to have a moderating influence on how participants responded to the crisis.

Turning to the second hypothesis, to measure complementary effects associated with the survey experiment, the researchers examined how participants combined instruments of power. Participants were allowed to recommend three response options to the crisis. These response options were organized by instruments of power on the aforementioned Likert scale. Each instrument had six options. In treatments where participants had cyber response options, six additional options were added each with an equivalent level of escalation. This gave participants a total of twelve responses in cyber treatments. Since the packets involved four instruments of power (diplomatic, information, military, economic), participants had a total of 24 response options in noncyber treatments (treatments 2, 4) and 48 in cyber response treatments (1, 3). Participants could choose three response options all in one instrument of power, or spread them across multiple instruments of power. Table 4.4 shows the number of response options selected for each instrument of power across the treatments below. There were no statistically significant differences across the treatments with respect to the distribution of the responses.

In each survey experiment, the researchers used this information to create a variable called COMB (combined) that measured the number of instruments of power a respondent used. This number ranged from one to three. Since the survey experiments asked participants to select three options, they could either select three options from any one instrument of power or employ up to three combined instruments of power. To confirm the second hypothesis, one would need to see a higher than expected instances of combining instruments of power comparing conventional versus cyber escalation preferences.

To evaluate hypothesis two along these lines, the researcher separated treatments 2 and 4 and 1 and 3 to compare escalation preferences and combined instruments of power. In Table 4.5, the conventional escalation column shows how many times respondents used 1, 2, or 3 instruments of power, differentiating between treatments that saw escalation and no escalation.Footnote ⁵

Third, to evaluate substitution, the researchers compare percentages. There should be a higher rate of substitution, measured as using a cyber option, in treatment 3 than in treatment 1. In treatment 3, participants have no evidence the rival state is using cyber capabilities thus making them more likely to substitute cyber effects due to the lower, implied information costs. A respondent would look at the situation and see more utility in using cyber because no adversary cyber effects are present. Alternatively, when adversary cyber effects are present, participants will assess higher information costs. They will be more concerned about adversaries being able to mitigate the expected benefit of any cyber response (Table 4.6).

As predicted, there was more observed substitution in treatment 3, as opposed to treatment 1. In treatment 3, 52.38% of the response options selected (i.e., coercive potential) involved cyber equivalents compared with 17.14% for treatment 1. Because there were no indications of adversary cyber capabilities in this treatment, participants likely perceived a cross-domain advantage, hence less information costs. This alters the hypothetical elasticity of demand making cyber a more perfect substitute. Table 4.7 breaks out the substitution further.

In treatment 1, cyber responses were substituted at a higher rate for information effects (40%) than other instruments of power. Three of the four substitutions involved the option to “burn older exploits in adversary systems disrupting their network operations in order to signal escalation risks.”

In treatment 3, cyber responses were heavily used to substitute for conventional responses over 50% of the time. The most common military substitution (4/7) involved opting to “compromise data of individual members of the military to include identify theft, fraud, or direct social media messaging.” This option substituted for the conventional response: “Conduct a public show of force with air and naval assets challenging known defense zones and testing adversary response.” Participates opted for information warfare, or more conventional displays of military force. The most common information substitution remained burning “older exploits in adversary systems disrupting their network operations in order to signal escalation risks.” The most common diplomatic substitution in the packet was “use spear phishing, waterholing, and other methods to expose sensitive political information.” Again, information warfare was a substitute for more conventional forms of coercion when the adversary posture suggests a low probability of response to information operations.

Another factor stands out when looking at the descriptive statistics associated with differentiating conventional and cyber escalation, measured as coercive potential. As seen in Table 4.6, there is a higher observed rate of coercive potential in noncyber response treatments. The available of cyber response options appears to reduce the coercive potential by substituting information warfare for more traditional approaches to coercion.

Overall, we have evidenced that cyber response options can moderate a conflict between rival powers. Respondents generally used cyber options to either respond proportionally or seek to de-escalate the situation until more information can be gathered. What we cannot explain is whether or not the results were influenced by the presence of nuclear weapons on both sides, different regime types, and other possible confounding variables because our sample was not large enough to enable additional treatments.

6.1 Origins

The full picture of what happened between Iran and the United States in the summer of 2019 will continue to develop as classified information is released, but what we do know suggests there was a significant confrontation with cyber operations playing a role as a coercive instrument alongside diplomatic, economic, and military inducements in the dispute. Given that Iran and the United States maintain an enduring rivalry and have a history of using force, even if through proxies, this case was particularly escalation prone. Yet, instead of going to war, Tehran and Washington pulled back from the brink. The key question is why?

As long-term rivals, the United States and Iran have been at loggerheads over the control of the Middle East and resource access for decades (Thompson & Dreyer, Reference Thompson and Dreyer2011). The origins of the contemporary rivalry between Iran and the United States started, from an Iranian perspective, in 1953 when the CIA helped their UK counterparts stage a coup (Kinzer, Reference Kinzer2008). From the US perspective, the rivalry dates to the Iranian Revolution and the overthrow of the Shah in 1979, installed in the 1953 coup (Nasri, Reference Nasri1983). The new regime, led by Ayatollah Ruhollah Khomeini, launched a revisionist series of direct and proxy challenges against US interests in the region (Ramazani, Reference Ramazani1989) that culminated in a protracted conflict with Iraq. During the Iran–Iraq War, the United States backed Iran’s rivals, including Iraq and the larger Gulf Cooperation Council. Iran in turn backed Shiite groups across the Middle East implicated in attacking US forces in the Lebanon.

In the aftermath of the Iranian Revolution and during the subsequent Iran–Iraq War, the United States engaged in limited but direct military engagements with Iran, including the failed Desert One raid to rescue American hostages (1980), and during Operation Earnest Will (1987–1988) in which the US Navy escorted Gulf State oil tankers in a convoy to protect them from Iranian military forces (Wise, Reference Wise2013). This period included multiple naval skirmishes such as Operational Praying Mantis (1988) and Operational Nimble Archer (1988) in which US forces attacked Iranian oil rigs and military forces in retaliation for Iranian mining in the Strait of Hormuz and repeated attacks. Contemporary US perspectives on Iranian motives and likely foreign policy preferences emerged during this period, with the Washington foreign policy establishment seeing Iran as a revisionist, revolutionary state.Footnote ⁶ Similarly, Iranian attitudes toward the United States hardened even further as Washington labeled the country part of an Axis of Evil (Shay, Reference Shay2017) and invaded its neighbor, Iraq. Iran opted to counter by funding proxy Shiite groups in Iraq and undermining the transitional Iraqi government.Footnote ⁷

Parallel to its proxy struggle with the United States in Iraq, Tehran sponsored terror groups that attacked US interests across the region and accelerated its nuclear weapons program.Footnote ⁸ Starting in 2003, the International Atomic Energy Agency started pressuring Iran to declare its enrichment activities, which led to multilateral diplomatic efforts starting in 2004. These efforts culminated in UN Security Council resolutions expanding sanctions on Iran over the subsequent years, and the US joining the multilateral effort (P5+1) in April 2008 following a formal Iranian policy review. Backed by the larger range of diplomatic and economic sanctions that had been in place since the Iranian Revolution, the pressure resulted in the 2015 Joint Comprehensive Plan of Action (JCPOA). This agreement limited Iran’s ability to develop nuclear weapons and included European allies as treaty members distributing the burden of enforcement internationally (Mousavian & Toossi, Reference Mousavian and Toossi2017).

In 2018, the Trump administration withdrew from the agreement, arguing that Iran was still building nuclear weapons and directing proxy warfare against US allies (Fitzpatrick, Reference Fitzpatrick2017). The Trump administration wanted to move past the JCPOA agreement, which had reduced tensions in the region. Instead, the Trump administration ramped up sanctions and designated the Islamic Revolutionary Guard Corps, with the Quds force (Tabatabai, Reference Tabatabai2020), a terrorist organization in 2019 (Wong & Schmitt, Reference Wong and Schmitt2019). The leader of the organization, QasemSoleimani, became a prime target (Lerner, Reference Lerner2020).

6.2 Cyber and Covert Operations

Given Iran’s use of proxies, covert operations generally color the relationship between Iran and United States. These activities included the use of cyber capabilities. The United States and Iran were deep in a cyber rivalry, with twenty cyber conflicts between 2000 and 2016 (Valeriano et al., Reference Valeriano, Jensen and Maness2018). Data on cyber interactions only begin in 2000, making it difficult to catalog the full range of covert and clandestine activity between 1979 and 2000.

With respect to cyber operations, the United States likely initiated seven cyber operations while Iran launched thirteen (Maness et al., Reference Maness, Valeriano and Jensen2019). The most significant event was when the United States and Israel launched the Stuxnet attack, which disabled centrifuges in the Natanz nuclear power plant (Lindsay, Reference Lindsay2013). The overall impact of the attack on the Natanz plant is intensely debated, but assessment at the time suggested a limited overall impact on Iran’s ability to produce nuclear materials (Barzashka, Reference Barzashka2013). It is still unknown what effect the Stuxnet attack had on Iranian internal calculations and assessment of US capabilities.

The pattern between the United States and Iran has often been for the United States to rely on cyber espionage and degrade operations to harm Iranian interests and activities, while Iran generally seeks to avoid direct confrontation in cyberspace (Valeriano & Maness, Reference Valeriano and Maness2015). Saudi Arabia is a frequent proxy cyber target of Iran, given that the United States is seen as its protector and ally. Iran’s actions against the United States mostly entail basic espionage, economic warfare, and the typical probes and feints in cyberspace (Eisenstadt, Reference Eisenstadt2016).

Another key aspect of the covert competition, and the prime threat that Iran offered to the United States, was the use and control of proxy forces in the region. The Iranian Quds force controlled proxy actors in the region (Eisenstadt, Reference Eisenstadt2017), with Houthi forces seeking to attack forces in the region with Scud missiles (Johnston et al., Reference Johnston, Lane, Casey, Williams, Rhoades, Sladden, Vest, Reimer and Haberman2020). The awareness that Hezbollah was taking clear direction from Iran altered the dynamics of the dispute between Israel and its regional rivals (Al-Aloosy, Reference Al-Aloosy2020). Entering the summer of 2019, Iran’s use of proxy forces dominated the concerns of the Trump administration (Simon, Reference Simon2018; Trump, Reference Trump2018).

6.3 The Summer 2019 Crisis

As the summer began in 2019, tensions accelerated due to concerns about Iranian proxy warfare, the use of cyber actions in the region, and the pursuit of nuclear weapons after the end of the JCPOA (see Figure 4.3 for the timeline of events). In addition to increased hacking activities, Iran attacked tankers in the Persian Gulf, with two incidents occurring in May of 2019. At one point, Iranian operatives were seen placing unidentified objects on the hull of a tanker before it was disabled. Iran “called the accusations part of a campaign of American disinformation and ‘warmongering’” (Kirkpatrick et al., Reference Kirkpatrick, Perez-Pena and Reed2019).

Figure 4.3 Iran–United States Case Timeline.

(Source) [no date]

Following intelligence reports that Iran was plotting an attack on US interests in the Middle East on May 5, 2019, National Security Adviser, John Bolton, announced (Bolton, Reference Bolton2019) the deployment of a carrier strike group and bomber task force to the Middle East to “send a clear and unmistakable message to the Iranian regime that any attack on the United States interests or those of our allies will be met with unrelenting force.” In response, on May 12 the crisis escalated with four commercial vessels, including two Saudi Aramco ships, targeted by sabotage attacks attributed to Iran in the Gulf of Aden (Yee, Reference Yee2019). By May 13, the Pentagon announced plans to deploy as many as 120,000 troops in the region in additional fighter squadrons and naval task forces already headed to the region (Schmitt & Barnes, Reference Schmitt and Barnes2019). In response, on May 14 Iranian proxies in Yemen launched a massive attack against Saudi oil infrastructure using a mix of drones and cruise missiles (Hubbard et al., Reference Hubbard, Karasz and Reed2019). By the end of May, the United States implicated Iran proxies in firing rockets at US interests in Iraq and responded with additional troop deployments and weapon sales to Saudi Arabia. These measures added to the range of economic sanctions the Trump administration initiated following its departure from the JCPOA (News, Reference News2018).

The increasingly militarized crisis continued into June. On June 6, 2019, Iranian-backed rebels in Yemen shot down a MQ-9 Reaper, leading the US Central Command (CENTCOM) Commander to warn that US forces faced an imminent threat throughout the region (Kube, Reference Kube2019). On June 13, magnetic mines, likely delivered by Iranian unmanned subsurface vehicles, damaged two additional commercial vessels, leading the United States to announce additional troop deployments.

The downing of a US RQ-4A Global Hawk UAV on June 20, 2019, served notice that conflict was likely to escalate. The United States deemed it an unprovoked attack of an aircraft in international waters. President Trump ordered a military strike on June 20, but halted the operation over fears of mass casualties on the Iranian side, or fears of the impact of a war with Iran on reelection. He stated on Twitter, “We were cocked & loaded to retaliate last night on 3 different sights when I asked, how many will die. 150 people, sir, was the answer from a General. 10 minutes before the strike I stopped it, not proportionate to shooting down an unmanned drone.” (Olorunnipa et al., Reference Olorunnipa, Dawsey, Demirjian and Lamothe2019).

Instead of escalating the conflict, on June 22 the United States leveraged a series of cyber operations to respond proportionally to Iranian provocations. There seems to have been a few distinct operations; it is unclear how many separate teams or tasks were directed against Iran. One operation disabled Iran’s ability to monitor and track ships in the region by attacking their shipping databases (Barnes, Reference Barnes2019b). Another operation by US Cyber Command was said to have disabled Iranian missile sites, making them vulnerable to air attacks (Nakashima, Reference Nakashima2019). In addition, the United States was also likely dumping Iranian code on the site VirusTotal (Vavra, Reference Vavra2019), potentially impairing Iranian’s ability to retaliate by spilling their tools so other defenders were prepared.

The cyber operations served to signal risk to the Iranians and preserve further options to manage the crisis if it was to continue. The proportional response to Iran’s activities possibly allowed for the conflict to stabilize and helped push the two states away from the brink of war. On the road to war, cyber options provide a critical path away from confrontation while still managing to service domestic audience concern

On June 24, cyber security scholar, Bobby Chesney, observed, “Indeed, reading the tea leaves from the past weekend, it appears the cyber option helped ensure there was an off-ramp from a kinetic response that might have led to further escalation.” (Pomerleau & Eversden, Reference Pomerleau and Eversden2019). On June 25, Valeriano and Jensen (Reference Valeriano and Jensen2019) wrote a column in The Washington Post that stated, “contrary to conventional wisdom, cyber options preserve flexibility and provide leaders an off-ramp to war.”

Following a tense summer, the conflict moved into a new phase in late 2019 and 2020 with the killing of an American contractor after a rocket attack on the US base in Iraq on December 27, 2019 (Barnes, Reference Barnes2019a). The United States retaliated with strikes against Iranian proxies, the Hezbollah, in Iraq and Syria. Hezbollah then attacked the American embassy in Iraq, leading to the US president authorizing the assassination of IRGC Commander, Qasem Solemani, on January 3, 2020 (Zraick, Reference Zraick2020). The United States moved to deploy 4,000 addition troops in the region and Iran retaliated by launching missile strikes on US bases in Iraq, wounding over a hundred soldiers (Zaveri, Reference Zaveri2020). The conflict was finally de-escalated, with the United States choosing to not respond to the Iranian attack by claiming that no one had been killed. Since there was six months between the summer and winter 2019/2020 incidents, they are treated as two distinct, albeit linked, crisis cases.

6.4 Assessing the Case

Assessment of the events suggests that the crisis with Iran could have escalated in June 2019 after the downing of the Global Hawk UAV, seen as a significant piece of military hardware costing around $220 million (Newman, Reference Newman2019). Demands for retaliation and escalation were rife in the foreign policy community and within the Trump Administration (Trevithick, Reference Trevithick2019).

Instead of escalation, the United States took a different path, consistent with Hypothesis 1. By responding through cyber actions, the United States did two things. First, it demonstrated commitment and credibility to counter Iranian operations by signaling intent for future operations that could have dramatic consequences on Iranian power in the region. Second, these cyber operations also served as Phase 0 operations meant to shape the environment and set the conditions should the United States want to use additional military options in the future. With Iranian defensive systems compromised, Iran was vulnerable to an American attack that never came, and simultaneously subject to a cyber substitute consistent with Hypothesis 3. Cyber operations served to de-escalate the conflict by vividly illustrating the shadow of the future for continued Iranian harassment in the region.

President Trump also increased targeted sanctions directed at Iran’s leadership and threated further strikes, stating that he did not need Congressional approval due to the existing authorization for military forces in the region to respond to terrorist threats (Crowley, Reference Crowley2020).Footnote ⁹ These moves are consistent with Hypothesis 2, which suggests that cyber operations are used to complement other forms of power if there is a consideration for escalation.

When challenged by a strike on an American asset in the region, the United States had two options, respond in kind or escalate the conflict. Doing nothing would incur significant audience costs among President Trump’s base of support because it would demonstrate weakness. Escalation would likely provoke retaliation by proxy forces all over the Middle East leading to significant US casualties. War would also harm the President’s reelection chances after promising a reduction in tensions and an end to the wars in the region (Tesler, Reference Tesler2020).

Choosing the option of cyber operations and increased sanctions fits clearly with an off-ramp perspective on crisis bargaining. As Hypothesis 3 argued, cyber operations are likely to be used as substitutes when there are no indications of adversary cyber activity. Here cyber options substituted military options because Iran did not escalate in the cyber domain in response to US cyber moves, and Washington likely judged it had a domain advantage.

Cyber options offered a path out of the conflict through responding in ways that target Iran’s command and control functions directly, demonstrating decreased capacity for Iran to control their battlespace. Of particular interest, some of the cyber operations specifically limited Iran’s ability to retaliate in cyberspace by leaking the malicious code Tehran was likely to use. No other military response options were utilized, although they were considered, after cyber operations were leveraged. Cyber options can serve as off-ramps from the path to war.

3.1 Human Rights, a Call of Action to Update the Social Contract

The promotion of human rights and peacebuilding mechanisms can be analyzed as joint processes in which peacebuilding insights and methods can advance human rights promotion and protection (Parlevliet, Reference Parlevliet2017). However, some overlapping tensions must be considered, such as the complicated relationship between freedom of expression and political stability, and the disputes concerning how to handle sensitive issues such hate speech, sexual harassment, and politically driven attacks that foment collective violent responses.

While freedom of expression, privacy, and data protection are covered by International Humanitarian Law and Human Rights Law at the international level (Franklin, Reference Franklin, Wagner, Kettemann and Vieth2019; Lubin, Reference Lubin, Kolb, Gaggioli and Kilibarda2020), inadequate enforcement mechanisms and profound social issues at the national level, such as a lack of digital literacy and limited Internet access, undermine their implementation (Shackelford, Reference Shackelford2019). This difficult adoption of international regulations complicates peacebuilding scenarios because governments regulate freedom of expression to impose an official truth, which sometimes limits the right of expression and association of the opposition sectors. Moreover, in peacebuilding scenarios, some voices, even the official ones, can become radicalized, creating new challenges to stability. In this context, governments can be tempted to prioritize security and stability over freedom of expression and a pluralist dialogue toward peacebuilding.

For example, there is no Internet detailed legal framework in Colombia that guarantees its citizens’ fundamental rights in cyberspace. Nevertheless, freedom of speech is viewed comprehensively by the Constitutional Court. It is also backed by Colombia’s membership of the Inter-American Human Rights System, which means that this right applies, not only offline, but also in the online world (Dejusticia, Fundación Karisma and Privacy International, Reference Dejusticia2017). However, the respect of those human rights in cyberspace is often challenged due to the use of a securitization narrative by the current governing party that was an opponent to the peace negotiations with the FARC rebels. The government perceives peacebuilding as a mere process of disarmament, demobilization, and reintegration of former combatants in order to restore stability. This limited view of the peacebuilding process also justifies the use of online state surveillance actions to guarantee national security, in which political leaders, former government officials, journalists, and humanrights activists are targeted because of their support of the peace agreement (Vyas, Reference Vyas2020). Without a doubt, the respect of human rights in Colombia, through cyberspace interactions, represents a new challenge that has been ignored by policymakers in the reconstruction of the social fabric in this transitional society.

Second, there is a tension in cyberspace on how to handle sensitive issues that could evolve into violent conflicts. In this complex scenario, Big Tech companies play a critical role because they are able to track and censor what people post and share. However, in the Global South, this tension is not a priority (Schia, Reference Schia2018). On the contrary, Big Tech companies are more concerned with access and digitalization than privacy rights. Many social media companies that operate in developing countries do not have clear policies regarding this issue. Instead, their roles in these societies have been linked to increasing disinformation, inciting violence, and decreasing trust in the media and democratic institutions (Bradshaw & Howard, Reference Bradshaw and Howard2019).

The case of South Africa provides an interesting perspective on the respect of human rights in cyberspace as part of a reconciliation process. Their constitution guarantees the right to freedom of opinion and expression. This topic is mainly addressed under the supervision of the South African Human Rights Commission (SAHRC), which was created by the South African Constitution and the Human Rights Commission Act of 1994. Its aim is linked to promoting human rights through a variety of actions about education and raising community awareness; making recommendations to the Parliament; reviewing legislation; and, most importantly, investigating alleged violations of fundamental rights and assisting those affected to secure redress (Sarkin, Reference Sarkin1998). Based on its mandate, this institution had provided significant recommendations in the legislation linked to topics data protection (SAHRC, 2012) and recent cybersecurity issues (SAHRC, 2017). Nevertheless, its main challenge is to address issues concerning hate speech and racism in cyberspace, particularly on social media platforms, in a quick and efficient way. This commission acknowledges the issue, and it has taken some steps to face this challenge recognizing the allegations of racism perpetrated on social media (SAHRC, 2016). Most importantly, it started a multistakeholder dialogue to reach a detailed social media charter, including human rights education at all academic levels, to fight racism in the digital sphere (SAHRC, 2019).

In conclusion, in order to address human rights issues in cyberspace, particularly in peacebuilding scenarios, there is a need for a new social contract that recognizes human rights as digital rights. Human rights are considered a crucial element of peacebuilding, which must include cyberspace activities. To provide an impact on the development of peacebuilding mechanisms, some human rights standards, values, and principles must be included. To accomplish that end, some actions concerning public policies regarding security and privacy ought to be addressed by governments without exceeding their power. Big Tech companies must provide stricter and more straightforward privacy protocols and conduct codes in layperson’s terms based on the local framework in which they operate. Moreover, civil society’s role, particularly that of users, must be present to delimitate the scope of the potential legal actions concerning topics linked to privacy rights, freedom of speech, misinformation, and disinformation. This inclusive approach would help to create a healthy environment for the exchange of ideas and information, enabling all members who coexist in a changing society to respect and resolve their differences, even in the context of intrastate armed conflict and peacebuilding scenarios.

3.2 Multistakeholder Cyber Peacebuilding

Multistakeholder governance has become a gold standard in Internet governance and regulations of human activities in cyberspace (Scholte, Reference Scholte2020). While not exempt from criticisms in terms of legitimacy and efficiency, the cooperation between public and private actors has become necessary to handle increasingly large amounts of data and regulate private algorithms and infrastructure, leading to a hybridization of governance (Chenou & Radu, Reference Chenou and Radu2019).

This hybridization of governance has also transformed the approach to cybersecurity. Cybersecurity, understood as a national security issue, has historically curtailed the space for multistakeholder governance (Dunn Cavelty, Reference Dunn Cavelty2013; Kuehn, Reference Kuehn, Radu, Chenou and Weber2014). However, recent developments in the production and governance of cybersecurity showcase different governance structures beyond the hierarchical state-led governance of cybersecurity (Kuerbis & Badiei, Reference Kuerbis and Badiei2017; Mueller, Reference Mueller2017; Shires, Reference Shires2018; Tanczer et al., Reference Tanczer, Brass and Carr2018). A multi-stakeholder governance of cybersecurity is emerging at the global, national, and local levels (Pernice, Reference Pernice2018). According to Pernice, the shared responsibility in the establishment of cybersecurity and cyber peace requires a:

The participation of different sectors in cybersecurity governance is even more important in postconflict contexts, where peacebuilding efforts also require the inclusion of multiple stakeholders (Brzoska et al., Reference Brzoska, Ehrhart and Narten2011; Narten, Reference Narten, Brzoska, Ehrhart and Narten2011). Beyond public authorities, three types of actors are of particular importance. First, the private sector plays an essential role in peacebuilding efforts, both during the negotiations and in the implementation of peace agreements (Rettberg, Reference Rettberg2007, Reference Rettberg2016; Miklian & Schouten, Reference Miklian and Schouten2019). Second, the media can promote peace and the prevention of incitement to violence (Howard, Reference Howard2002; Himelfarb & Chabalowski, Reference Himelfarb and Chabalowski2008). Finally, civil society fulfils different functions in peacebuilding, such as: the protection of citizens; the monitoring of human rights violations and the implementation of peace agreements; advocacy for peace and human rights; socialization to values of peace and democracy; intergroup social cohesion; facilitation of dialogue; and service delivery to create entry points for the other functions (Paffenholz, Reference Paffenholz2010).

Despite some common requirements and goals, multistakeholder cybersecurity governance and multistakeholder peacebuilding are rarely treated together in practice. For example, South Africa has been one of the pioneering countries and a model of multistakeholder peacebuilding with the establishment of an infrastructure for peace. The 1991 National Peace Accord created Regional and Local Peace Committees that were open to any relevant civil society organization, such as religious organizations, trade unions, business and industry representatives, and traditional authorities (Odendaal, Reference Odendaal2010). This multistakeholder infrastructure for peace became a reference for further processes (Preventive Action Working Group, 2015). In 1994, South Africa created the National Economic Development and Labour Council in order to allow for multistakeholder participation in the formulation of economic and social policies. However, multistakeholder participation in the governance of cyberspace is limited in South Africa (Mlonzi, Reference Mlonzi2017). For example, the National Cybersecurity Policy Framework was drafted under the leadership of the South African Department of Communications between 2009 and 2012, but was later transferred to the Ministry of State Security (Global Partners Digital, 2013). As the responsibility of a civilian Ministry, cybersecurity fell under the category of economic and social policy and was thus, open to multistakeholder participation. However, the leadership of the Ministry of State Security limited the scope of cybersecurity and undermined the participation of diverse stakeholders.

In Colombia, multistakeholder participation became institutionalized in economic and social policies through the Consejo Nacional de Política Económica y Social (National Council of Economic and Social Policy). There is a strong participation of diverse stakeholders in the formulation of Internet governance policies organized around the Mesa Colombiana de Gobernanza de Internet (Colombian Internet Governance Forum). Moreover, the recent peace accord acknowledges that “participation and dialogue between different sectors of society contribute to building trust and promoting a culture of tolerance, respect and coexistence” (República de Colombia, 2016, Introducción, translated by the authors). However, the issue of peacebuilding is hardly included in Internet governance debates that tend to reproduce global discussions. On the other hand, the governance of cyberspace is not among the priorities of peacebuilding efforts beyond the question of access (see the section below).

Multistakeholder cyber peacebuilding represents a step further in the implementation of multistakeholder participation. It requires a multistakeholder dialogue between actors involved in the regulation of cyberspace and the diverse sectors that share a responsibility in peacebuilding activities. The cases of South Africa and Colombia illustrate the necessary participation of social media platforms and search engines in peacebuilding efforts. As the corporate social responsibility of digital platforms in campaigns and elections is being discussed in consolidated democracies, the role of digital platforms in postconflict societies to promote peace and limit incitement to violence must be put on the agenda. Likewise, the mass media’s responsibility in the promotion of a culture of peace is now shared with new media and social media (Stauffacher et al., Reference Stauffacher, Weekes, Gasser, Maclay and Best2011; Comninos, Reference Comninos2013). As noted by Majcin (Reference Majcin2018), modern peace agreements should include the regulation of social media content that may disrupt the peace and promote the resurgence of violence. These rules could even be institutionalized in the form of special commissions to review content on social media and take action when viral publications undermine peacebuilding.

In sum, multistakeholder governance of cyber peacebuilding entails not only the adoption of national cybersecurity policies that allow for the participation and representation of all stakeholders in postconflict societies it also requires the adoption of multistakeholder mechanisms directly aimed at the promotion of peace and the prevention of violence in cyberspace with the participation of the private sector, digital platforms, academia, and civil society organizations.

3.3 Redefining Stability in Cyberspace

To understand the role of stability in cyberspace, we adopt a nuanced definition of stabilization by drawing upon conflict resolution literature to explain how the tensions generated in cyberspace can affect the dynamics and the conclusion of intrastate conflicts and the development of peacebuilding activities.

There are many approaches to the concept of stability to address armed conflicts. They include issues related to statebuilding (Hoddie & Hartzell Reference Hoddie and Hartzell2005), international interventions (Belloni & Moro, Reference Belloni and Moro2019), and negotiated peace settlements (Hartzell et al., Reference Hartzell, Hoddie and Rothchild2001), among other approaches. From the UN Security Council’s vision, stability refers to a desired state of affairs, almost as a synonym of “peace” (Kerttunen & Tikk, Reference Kerttunen, Tikk, Tikk and Kerttunen2020). Additionally, this concept has a robust state-centric approach (Carter, Reference Carter2013). To analyze cyberspace’s effect in the ending of intrastate conflicts and peacebuilding scenarios, the dynamic definition proposed by Mielke, Mutschler, and Meininghaus (Reference Mielke, Mutschler and Meininghaus2020) is more useful. They argue that stability is an open-ended and transformative process which accepts changes in social dynamics to keep its forces in equilibrium by constant reconcilement of interests. In a nutshell, the state’s role is crucial to address normative rules, but nonstate actors also play a critical role in achieving long-term stability.

Considering that cyberspace is a very dynamic place, stabilization efforts can lead to the transition from intrastate conflicts toward the restoration of the social fabric through peacebuilding actions. This nuanced approach of stability is crucial to understand issues in conflict resolution scenarios, such as the role of spoilers in cyberspace.

Spoilers can be understood as “key individuals and parties to the armed conflict who use violence or other means to shape or destroy the peace process and in doing so jeopardize the peace efforts” (Nilsson & Söderberg, 2011, p. 624; see also Stedman, Reference Stedman1997). This definition serves to understand the impact of those actors in cyberspace that affect the termination of intrastate conflicts. Digital spoilers are those political actors with relevant influence upon users in cyberspace that exploit their influence to promote violence and spoiling behavior to affect the attempts to achieve peace. They differ from Internet trolls, defined as “unknown online users that create and claim intentionally upsetting statements to enhance strong emotional responses posting offensive or unkind things on the Internet using tactics of disinformation and propaganda” (Petykó, Reference Petykó and Warf2018). Digital spoilers are conflicting parties or leaders who use trolling activities, such as the promotion of disinformation and propaganda to affect the achievement of conflict resolution scenarios.

One example of digital spoilers can be found in Colombia, where the opponents of the peace agreement promoted strong and negatively charged hashtags on social media concerning the endorsement of the peace process with the FARC guerilla organization in October 2016 (Nigam et al., Reference Nigam, Dambanemuya, Joshi and Chawla2017). The promotion of these messages, among other factors, affected the perception of the peace negotiations, which was reflected in the rejection of the peace plebiscite by a small margin. The management of spoilers is a daunting task because influential social media platforms users can foment emotions and hostile attitudes against the peacebuilding process. However, these digital spoilers can be tackled when they violate internal regulations of social media platforms (BBC News Mundo, 2019), which highlights the relevance of multistakeholder Internet governance at the national level.

Another relevant example can be found in South Africa, in which political figures use the rhetoric of hate speech toward different communities in order to gain political support (Akhalbey, Reference Akhalbey2019; Meyer, Reference Meyer2019). The SAHRC has, in the past, analyzed and sanctioned some cases concerning the use of social media to promote hate speech (Geldenhuys and Kelly-Louw, Reference Geldenhuys and Kelly-Louw2020). However, it seems that its mandate does not cover those digital spoilers who express their thoughts in an offensive and disturbing way, pushing the limits of the right to freedom of speech. Their social media statements address critical issues that the peacebuilding process did not solve, such as land reform or race relations, suggesting unpeaceful actions to solve those issues. Additionally, to address the damage that these digital spoilers could make in cyberspace, social media platforms have a key role to play in order to tackle hurtful messages. In this particular case, it seems that there is a misconnection between the conception of the legal rights of freedom of expression provided by the SAHRC and the rules established by social media platforms (Nkanjeni, Reference Nkanjeni2019), which represents a new institutional challenge to address.

In sum, within the framework of cyberspace, stability must be analyzed dynamically. The handling of information plays a critical role because it reflects an age-old tension concerning the relationship between citizens and governments. In that sense, Big Tech companies have become referees and players in a complicated situation. On the one hand, they need to guarantee information and data protection to ensure their legitimacy. On the other hand, they must also respect governmental authority, whose interests are linked to employing surveillance, gathering data, and performing intelligence through controlled information. Amid intrastate armed conflicts and peacebuilding scenarios, the scope of government surveillance could be enhanced, intensifying asymmetric responses. On the other hand, there are more real threats concerning political motivations to spoil conflict resolution scenarios than the risk of cyberspace’s misuse of information beyond the cybersecurity framework. Against this background, the concept of digital spoilers is useful to analyze the behavior of actors whose role could substantially affect the dynamics of stability and conflict resolution efforts. This dynamic approach of stability could lead to the fertile ground to develop cyber peacebuilding actions.

3.4 Inclusion and Human-Centered Cybersecurity

Universal Internet access is an enabling condition for cyber peace. It was identified as the first of the five principles for cyber peace by the ITU (International Telecommunication Union, 2011). According to the ITU, providing access to telecommunication technologies is part of the responsibilities of states, which was later translated into the (debated) idea of Internet access as a human right (Tully, Reference Tully2014). However, the relationship between Internet access and cyber peacebuilding is not direct. Access to the Internet is a necessary, though insufficient, condition to building peace that spans offline and online spaces.

Contrary to the late twentieth century’s techno-optimistic visions, the “old” concept of the digital divide remains relevant today (van Dijk, Reference van Dijk2020). While early accounts of the digital divide focused on physical access and the divide among countries, contemporary analysis of the digital divide insists on the quality of access and the importance of the gap between Internet access within the same country. This dimension is of utmost importance for cyber peacebuilding (Wilson & Wilson, Reference Wilson and Wilson2009). Those communities that do not have access to the Internet are generally communities that have been historically marginalized (Tewathia et al., Reference Tewathia, Kamath and Ilavarasan2020). The digital divide also presents a gender dimension that undermines women’s participation in peacebuilding (Njeru, Reference Njeru2009). Moreover, since telecommunication infrastructures are targets and battlegrounds during conflicts, violence-affected regions are likely to suffer from inadequate or unstable connectivity (Onuoha, Reference Onuoha2013; Adeleke, Reference Adeleke2020). Furthermore, the national digital divide certainly undermines states’ capacities and presence on peripheral territories and, subsequently, their legitimacy (Krampe, Reference Krampe2016). This lack of presence and the complicated access to increasingly digitized public services reinforces the perceived abandonment by the states among marginalized communities.

Both South Africa and Colombia have reached significant rates of access at the national level as a result of economic development and ambitious policies. While just over 50 percent of the world population had access to the Internet at the end of 2019 (International Telecommunication Union, 2020), access rates in South Africa were around 65 percent (DANE, 2020; STATSSA, 2020). However, national digital divides are still important in both countries. For example, over 74 percent of the Gauteng province around Johannesburg and Pretoria benefit from Internet access, compared to just over 46 percent in the poorer province Limpopo, that also has the smallest white South African population in the country (Media Monitoring et al., 2019, p. 12). In Colombia, less than 10 percent of the inhabitants in 700 out of the 1,123 municipalities have Internet access (Quintero & Solano, Reference Quintero and Solano2020). These municipalities are located in geographically remote areas that are also the most affected by the internal conflict.

The bridging of the digital divide is related primarily to the telecommunication infrastructure. Another key element is the use of Internet access by individuals and grassroots organizations to participate in the process of peacebuilding through early warnings, grassroots reporting and monitoring, and data collection “from below.” Internet access is necessary to engage in political activities, including peacebuilding (Puig Larrauri & Kahl, Reference Puig Larrauri and Kahl2013; Shandler et al., Reference Shandler, Gross and Canetti2019).

While access is a necessary feature to build the conditions for civil society to participate, it is not sufficient to secure meaningful participation. Another crucial condition for cyber peacebuilding is the construction of a cyberspace that is safe for everyone. A broad and emancipatory definition of cybersecurity goes beyond the preservation and defense of critical national infrastructure. It focuses on the general population, both users and nonusers, to build a postconflict cyberspace that is safe for everyone, including former fighters, victims, women, and marginalized communities. However, cybersecurity policies tend to be framed as a response to conflict. For example, research shows that cybersecurity capacity is greater in countries engaged in civil war. However, this capacity seems to aim to crack down on domestic dissent rather than provide secure cyberspace at the national level (Calderaro & Craig, Reference Calderaro and Craig2020). Even in postconflict contexts, the original state-centered and militarized approach tends to prevail, despite the evolving conditions. As we have seen, the South African National Cybersecurity Policy Framework was first drafted by the Department of Communications. It was later transferred to the Ministry of State Security and finally adopted in 2015 (State Security Agency, 2015). While it briefly mentions “hate speech” and “fundamental rights of South African citizens” (State Security Agency, 2015, pp. 5, 14), the bulk of the document focuses on national security and on the fight against cybercrime. In the same vein, Colombia adopted a Digital Security policy in 2016 that was drafted during the negotiations between the government and the FARC guerrilla organization (CONPES, 2016). However, the document does not mention the postconflict context. It is largely inspired by the OECD discussions on the management of digital risks and thus, focuses on the necessary conditions for the development of trust in Colombian digital markets. On the other hand, the peace accord only mentions ICTs as a way to access public information and public services such as health and education, without acknowledging their role in the peacebuilding process (República de Colombia, 2016).

Contrary to these examples, the institutionalization of cyber peacebuilding should rely on more comprehensive cybersecurity policies that do not reproduce the patterns of great cyber powers to focus on peacebuilding needs in postconflict societies, such as digital literacy and the regulation of hate speech.

2.1 Information Security Overview

The stakes in our national information security debate are high. Information security refers to the hybrid scientific and legal inquiry into defending against all possible third-party attackers and the legal consequences that arise when they cannot. The purpose of information security is to develop and provide technological solutions to prevent the potential for cyberattacks and to minimize the interstate insecurity caused by information technologies (Libicki, Reference Libicki2009, pp. 12–13). Information security technologies have a crucial impact on AI’s role in cyber peace, and therefore, it is necessary to have a proper understanding of what these concepts mean and how they may accelerate or decelerate concerns for a path toward a sustainable and secure cyber peace.

Information security is a capricious concept with varying definitions in the legal and policy realms, but it has a more concrete meaning in computer science and technological realms (Reuter, Reference Reuter2020, pp. 17–18). In a technological sense, the cyber world of computerized networks where information technologies are relevant have three layers: (1) a physical layer of infrastructure (including integrated circuits, processors, storage devices, and optical fibers); (2) a software logic layer (including computer programs and stored information that is subject to processing); and (3) a data layer, for which a machine contains and creates information (Tabansky, Reference Tabansky2011, p. 77). In order to analyze the relevance of information technology, particularly AI, and its role in cyber peace, it is necessary to understand how these concepts relate to technology characteristics. While conflicts among nations can be carried out in different domains, such as land, sea, air, and space, conflict with the use of information technology infrastructure has the following peculiar characteristics for security implications: (1) many actors can be involved; (2) the identity of the security threat may be unknown due to the challenge of attribution; (3) international proliferation; and (4) its dual-use nature that can be exploited in a variety of ways (Reuter, Reference Reuter2020, pp. 12–13). These characteristics are accounted for in the various defensive and offensive uses of information technology, as subsequently shown.

2.2 Defensive Information Security Measures

Defensive protection measures allow for proactive ways to detect and obtain information regarding cyberattacks or intrusion (Chesney, Reference Chesney2020, p. 3). Defending against cyberattackers entails the use of software tools that obfuscate or obscure cyberattackers’ efforts (Andress & Winterfeld, Reference Andress and Winterfeld2011, p. 113). A major goal of defensive cyber protection is to prevent critical infrastructure damage which would generate large spillover effects in the wider economy. The defensive cyber protection approach seeks to: (i) minimize unauthorized access, disruption, manipulation, and damage to computers and (ii) mitigate the harm when such malicious activity occurs to computers. In so doing, information security seeks to preserve the confidentiality, integrity, and availability of information (Tabansky, Reference Tabansky2011, p. 81).

Approaches fall into two general categories: proactive measures (also known as preventative techniques, which can block efforts to reach a vulnerable system via firewalls, access controls, and cryptographic protection) and deterrence measures (that increases the effort needed by an adversary, and includes many types of security controls) (Ledner et al., Reference Ledner, Werner, Martini, Czosseck and Geers2009, pp. 6–7, 9–10). In either approach, the goal is to prevent unauthorized access to a computer system by the use of technological methods to identify an unauthorized intrusion, locate the source of the problem, assess the damage, prevent the spread of the damage, and reconstruct damaged data and computers (Reuter, Reference Reuter2020, pp. 22, 280–283). Deterrence, mitigation, and preventative strikes with the use of information technology include application security, attack detection and prevention, authorization and access control, authentication and identification, logging, data backup, network security, and secure mobile gateways.

2.3 Offensive Information Security Measures

While defensive measures and technology can deter and mitigate the consequences of unauthorized access of computers and networks, limiting unauthorized access may not achieve cyber policy goals. Offensive measures, which are considered lawful but unauthorized, refer to penetrating or interfering with another system and can include mechanisms that allow for impersonation of trusted users and faster attacks with more effective consequences (Dixon & Eagan, Reference Dixon and Eagan2019). Such offensive measures are one of many ways that nations can utilize cyber power to destroy or disable an adversary’s infrastructure (Voo et al., Reference Voo, Hemani, Jones, DeSombre, Cassidy and Schwarzenbach2020). Nations seek to achieve cybersecurity in order to bend the other side’s will or to manage the limiting the scope of the other side’s efforts, and can do so, via deliberate provocation or through escalation via offensive measures or cyberattacks (Jensen, Reference Jensen2009, pp. 1536–1538). A common mechanism for cyberattacks is a computer network attack, wherein actions are taken through the use of information technology and computer networks to disrupt, deny, degrade, or destroy information on computers and networks, and can electronically render useless systems and infrastructures (Andress & Winterfeld, Reference Andress and Winterfeld2011, pp. 110–113).

The increasing power of computers, proliferation of data, and advancements in software for AI capabilities presents many new applications of offensive measures. To demonstrate that AI is a rapidly growing field with potentially significant implications for cyber peace, several technological examples are provided to show the direct or indirect impact of such technological advancement on the need for shared governance of a global service AI corps.

Attack means and methods include malware, ransomware, social engineering, advanced persistent threats, spam, botnets, distributed denial of service, drive-by-exploits and exploit kits, identity theft, and side channel attacks. Such cyberattacks include the intrusion of the digital device with some sort of malware that initiates the communication between the attacking computing and the intruded device. The reasons for initiating such offensive measures include preventing authorized users from accessing a computer or information service (termed a denial-of-service attack) destroying computer-controlled machinery, or destroying or altering critical data and, in doing so, can affect artifacts connected to systems and networks (such as cyber-physical devices, including generators, radar systems, and physical control devices for airplanes, cars, and chemical manufacturing plants). Cyberattack mechanisms include the use of malware installation (sometimes combined with disruptive code and logic bombs), creation of botnets (that refer to a group of infected and controlled machines that send automated and senseless reports to a target computer), and installation of ransomware (that encrypts a device) (Reuter, Reference Reuter2020, pp. 16, 24–5, 113–14, 117, 140, 279–81). Malware refers to malicious software, which can attack, intrude, spy on, or manipulate computers. Botnets are made up of vast numbers of compromised computers that have been infected with malicious code and can be remotely controlled through Internet-based commands. Ransomware refers to malicious software that is installed on a computer, network, or service for extortion purposes, by encrypting the victim’s data or systems and making them unreadable such that the victim has to submit a monetary payment for decrypting files or regaining access.

2.4 Information Security Linkage to Artificial Intelligence

Technological development, particularly in the rapidly developing information technology realm, plays a crucial role in questions regarding cyber peace. Information technology is becoming omnipresent in the cases of resilience and of managing cyber conflicts. As the interdisciplinary field of cyber peace links more with technology, it is crucial to consider the ways that information technology assists and supports peace processes, as well as be cognizant of ways it can be a detriment.

Ever since information technology has created, moved, and processed data, the security of the data encountered challenges with policy and conflict resolution. In recent years, as advancements in information technology have increased connectivity, collaboration, and intelligence, these issues have become even more important. Information technology concerns information sharing and deterrence and implicates security concerns. As such, information technology security involves the preservation of confidentiality, integrity, availability, authenticity, accountability, and reliability. Relatedly, information technology can manipulate and anonymize data, and this feature can be used for a cyberattack (Gisel & Olejnik, Reference Gisel and Olejnik2008, pp. 14–17). The implication of this capability is attribution challenges. Attribution refers to the allocation of a cyberattack to a certain attacker toward providing real-world evidence for unveiling the identity of the attacker. AI makes it easier to identify or attribute a cyberattacker since it analyzes significantly higher number of attack indicators and discovers patterns (Payne, Reference Payne2018).

AI is poised to revolutionize cyber technological use in cyber peace, by providing faster, more precise, and more disruptive and anomalous capabilities (Stevens, Reference Stevens2020, pp. 1, 3, 4). AI can analyze data and trends to identify potential cyberattacks and provide offensive countermeasures to such attacks (Padrón & Ojeda-Castro, Reference Padrón and Ojeda-Castro2017, p. 4208). Moreover, AI presents the most powerful defensive capability in cybersecurity (Haney, Reference Haney2020, p. 3). While AI presents new technological capabilities to cyber conflict, it raises new considerations of what it might mean for human control, or lack thereof, and how it may help or hinder risks (Burton & Soare, Reference Burton and Soare2019, pp. 3–4). AI capabilities can undermine data integrity and present stealthy attacks that cause trust in organizations to falter and lead to systemic failures (Congressional Research Service, 2020, Summary). Nations could use AI to penetrate another nation’s computers or networks for the purposes of causing damage or disruption through manipulation and change (Taddeo & Floridi, Reference Taddeo and Floridi2018, pp. 1–2).

From an offensive standpoint, AI presents new considerations for cyber conflict, such as new manipulation or change capabilities that can allow for expert compromise of computer systems with minimal detection (Burton & Soare, Reference Burton and Soare2019, pp. 9–10). Adversarial AI impacts cyber conflict in three ways, including impersonation of trusted users, blending in the background by disguise and spreading itself in the digital environment, and faster attacks with more effective consequences. These capabilities provide motivation for the “defend forward” strategy of a preemptive instead of a reactive response to cyberattacks (Kosseff, Reference Kosseff2019, p. 3).

Additionally, AI makes deterrence possible since its algorithms can identify and neutralize the source without necessarily identifying the actor behind it, which makes it easier to thwart attacks. AI capabilities allow for going to the forefront of the cause or the conflict to analyze data and trends to identify potential attacks and provide countermeasures to such attacks.