Are cyber capabilities escalatory? This is one of the most debated and important questions in cyber operations.
If cyber capabilities, and more broadly, their use in operations and campaigns, will not meaningfully increase the nature or intensity of a conflict, states will not be willing to risk war even after suffering substantial cyber harms, as argued by a group of “doubters.”
But if they are escalatory, as a group of “worriers” fears, then the world will stumble into even more crises and wars, intentionally or unintentionally caused by operations in and through cyberspace.
Unfortunately, too much of this debate, like many others in the relatively new field of cyber operations, focuses on the two extremes: Will they be escalatory or not? Such binary propositions do a disservice to the strengths and nuances of both sides.
Simply put, doubters are more focused on the characteristics of offensive cyber capabilities and their historical use, in which cyber capabilities often de-escalated geopolitical crises. In contrast, the strongest arguments of the worriers are more based on structural characteristics of cyberspace and how the future may look far more dangerous than history suggests.
Control theory is an effective way to understand complex systems tossed about by such competing factors. It helps shift the debate from either/or explanations to understanding under what conditions the fears of the worriers or the placations of the doubters are more likely to predominate.
This article, adapted from a chapter in a research handbook, summarizes some concepts of control theory, especially negative and positive feedback, then analyzes how the dynamics cited by worriers and doubters might amplify or dampen conflict. The article concludes with an analysis and proposes steps for further research.
Understanding Amplifiers and Dampeners
Both doubters and worriers have some part of the correct answer, but it is hard to know which is most likely to be correct over time in a chaotic international environment. Under what conditions will the world see the happy, continued absence of major cyber escalation, in which the factors cited by doubters overwhelm those of the worriers? Alternatively, which conditions will lead to escalation, when the factors cited by the worriers overwhelm those of the doubters?
Control theory, which can allow an examination of how these dynamics of each side might interact, offers an effective path towards answering these questions. This theory is designed for problems like escalation, which concern the regulation of feedback — often competing, often reinforcing — within a given system.
Amplifiers provide positive feedback, magnifying the impact of the initial signal. When driving a car with poor tires on an icy road, a tiny input can generate wildly different outputs as the car slides out of control. In international politics, positive feedback is what leads to non-linear, disproportionate outcomes, turning what might have been a manageable event into a national security crisis, no longer under the control of decision-makers.
By contrast, dampeners provide negative feedback, which, despite its name, is usually a good thing in regulating the effects of new input. A stable car, with new tires and advanced safety features, dampens erratic behavior, ensuring that even the most novice drivers are prevented from steering into unsafe conditions. Balances of power between states are one of the better-known geopolitical examples, as “restraint and stability arise as ambition checks ambition and self-interest counteracts self-interest.”
Table 1 below summarizes many amplifiers and dampeners cited in the literature on cyber escalation.
Yay: Dampeners Leading to Negative Feedback
Doubters cite a rich literature that accurately assesses why cyber has not yet escalated into conventional war, based on characteristics of cyber capabilities which limit their impact and their historical use by states. These arguments can be broadly categorized into three areas: the strategic, geopolitical behaviors of states; the operational behaviors of states in cyberspace; and certain characteristics of cyberspace and cyber capabilities.
For example, a mix of deterrence and tacit bargaining has put an upper limit on a rival’s willingness to conduct cyber operations above a certain threshold and help control the escalation of cyber conflict. They may fear retaliation for operations that turn deadly and have opportunities to learn each other’s (and their own) boundaries.
Cyber operations additionally can signal accommodation or “provide a non-kinetic option for leaders who feel pressure to act in a crisis” without using force. Doubters note that cyber conflict may escalate because it bears more similarity to an intelligence contest than to the use of military force. Cyber may also be a better tool for political manipulation or subversion “in situations in which armed conflict is expressly being avoided.”
There are also a set of technical or operational factors that can limit the escalatory potential of cyber operations. The most impressive effects usually require extensive preparation and organizational capacity, and cyber operations are usually reversible, non-lethal, and with unpredictable effects. Effective cyber defense is possible, even against advanced cyber threat actors.
Boo: Amplifiers Leading to Positive Feedback
Worriers, more concerned about the likelihood of cyber escalation, can acknowledge the arguments of the doubters but lend more weight to a different set of arguments.
For example, because “the potential for significant international conflict between great powers is increasing,” while there is decreased global governance to handle those crises, rivals may no longer feel bound by thresholds determined in more peaceful times. Policymakers may rely on self-help and strike back in cyberspace, as neither meaningful international help nor condemnation is likely.
Moreover, dozens of cyber commands have been created across the world, which should justify themselves, in part, by conducting offensive operations against rivals. In turn, they may feel justified in expanding their own cyber command and operations, intensifying cyber competition. New commands and with more personnel have a clear parallel to warfare, where a country might escalate by creating a specialized command or committing more troops, just not with “boots on the ground” as such, but with offensive presence in cyberspace.
This is just one of the many ways cyber operations lead themselves to mistakes and miscalculations, likely more so than traditional intelligence or military operations. Cyberspace is not visible in any conventional sense, is relatively recent in origin, and is still often unfamiliar to senior military officers, diplomats, and senior decision-makers. Since most states classify their operations, what may seem like a shock event may actually be a proportional response to an operation only known by a privileged, cleared few.
This novelty likely magnifies the impact of uncertainty and emotions, which can act as a dampener if an adversary fears provoking a kinetic response from a rival — this is deterrence at work. But in a crisis when a participant’s blood is up, it will be hard to calibrate such signals so delicately. An attack meant to signal strength and resolve, might not cause fear but anger, and incite a status challenge or a desire to inflict punishment for punishment’s sake.
Even if one side chooses to deescalate or explain an attack that unexpectedly cascaded, with few ways to directly communicate between rivals, it may be difficult to convey such messages.
While doubters correctly note that cyber defense is possible, this overstates the practical difficulties. Since the earliest internet, some of the most damaging campaigns even against well-defended and -resourced organizations were conducted by poorly resourced teenagers. Examples include the Solar Sunrise incident of 1998 which prompted the U.S. Department of Defense to create the first cyber command; mafiaboy’s denial-of-service attacks against major e-commerce sites; the Mirai botnet that disrupted most of the internet in the northeast United States; and the Scattered Spider/Lapsus$ ransomware campaigns that successfully compromised Microsoft and disrupted major casinos.
Because of common-mode vulnerabilities (which means that many computers all share the same, Internet-reachable weaknesses), large-scale cascading failures and major internet-wide vulnerabilities are common occurrences. The Internet was disrupted at-scale by the Morris Worm, Melissa, ILOVEYOU, NIMDA, SQL Slammer, and Blaster attacks. Large-scale exploitation and disruptive attacks such as Conficker, Mirai, WannaCry, NotPetya, and SolarWinds routinely affect not just a single organization but thousands across the Internet, not to mention the thousands of ransomware attacks happening annually. Every year or two, major vulnerabilities like Heartbleed, ETERNALBLUE and Log4shell are discovered, forcing defenders around the globe into emergency mode to find and patch them.
Failures to deal with these structural disadvantages are not simply “poor management.” Few organizations, the “security one percent,” “have the personnel, processes, technology, and support to implement somewhat robust digital security programs.”
Assessment: Will Dampeners Continue to Dampen Amplifiers?
Cyberspace is too complex, too tightly coupled and highly interconnected, and too ever-changing for anyone — generals, academics, or technologists — to assess confidently whether dampeners will keep a lid on escalation, or amplifiers will spin the system out of control.
At best, we can assess how they have balanced in the past: a constant intensification of conflict within cyberspace (driven by amplifiers) but not yet any escalation out of it (driven by dampeners). But what if the future does not resemble the past?
Cyber capabilities may not have, thus far, escalated outside of cyberspace because, in the post-Cold War era, major cyber powers have generally not settled their differences through interstate war. Escalation may accordingly be more likely as international governance mechanisms become weaker (reducing the historical impact of dampeners) at the same time as there are more frequent and intense geopolitical crises (increasing the impact of amplifiers).
Moreover, Russia’s full-scale invasion of Ukraine shows that some dampeners are more situational than suggested by historical cases. States do not always want to limit cyber operations below the threshold of armed conflict or deploy them as non-lethal moves in an intelligence game. Sometimes, they just want to hurt.
There is good news. Increased global focus and investment in cybersecurity might favor dampeners. A more-secure cyberspace, including the system-wide improvements in the U.S. National Cybersecurity Strategy, might harden cyberspace enough so that minor attacks and weak threat actors are no longer effective. Investments in resilience could make it harder for any adversary to create widespread, cascading effects.
Artificial intelligence and other technological advances might also dampen escalation by producing more secure software, automatically finding and fixing software vulnerabilities, spotting attacks quickly, or by shifting security tasks from overworked human defenders. But will AI’s dampening effects outweigh the amplifying effects of threat actors using it for offense? Again, existing frameworks can help, but there may be too many variables that are too tightly coupled and highly interconnected to assess with much confidence.
Next Steps and Conclusions
Further research on feedback lag and gain might considerably improve the ability of researchers and practitioners to answer these questions with confidence.
Feedback lag refers to the time that elapses from when a signal is received until the system noticeably responds. The longer the lag in a feedback loop (such as from difficulties of detection, attribution, and decision-making), the harder it is to know if a given signal is having any escalatory or de-escalatory impact. Defenders might be surprised to be attacked by a rival reacting to events which took place long before and the defenders did not consider as escalatory at the time.
Feedback gain is likely even more important as it measures the ratio of feedback to stimulus for a system as a whole. If the loop gain is low, the system favors stability — conflicts in such a dampened system would be unlikely to escalate. If high, the system favors amplifiers and instability — cyber crises would therefore be far more likely to spin out of the control of policymakers.
The most important policy question around cyber escalation, then, might just be whether cyberspace as a system is more likely to be characterized by amplifiers or dampeners? Longer lags and larger gains are more likely to drive cyber conflict into full-blown war.
One way to balance the arguments of doubters and worriers is that historically, conflict in cyberspace demonstrated positive feedback (high loop gain, helping drive more intense cyber conflict over time), while geopolitical conflict over that time has seen negative feedback (low loop gain, helping prevent conflict escalating out of cyberspace).
For some time, it will pay to be humble about whether escalatory or de-escalatory pressures will ultimately prevail. There is little way to know if the doubters or the worriers will be proven right. The best we can do is to assess under which conditions the amplifiers or dampeners will overcome the other. There is hope in borrowing from other areas of research, like control theory, which can illuminate the tensions between competing dynamics in complex systems.
The age of cyber conflict remains about as old as the first Top Gun movie — the information age will last for decades and centuries more. Over that time, changes in technological use and geopolitics will continue to reform the dynamics of cyber operations, demanding adaptable theories to match, which can help ensure cyber conflict does not take on a life of its own, escalating out of the control of policymakers.
Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs. He was a plankholder of the first joint cyber command in 1998 and the White House’s Office of the National Cyber Director in 2022.
Virpratap Vikram Singh is a research fellow for the Cyber Power and Future Conflict program at the International Institute for Strategic Studies. Prior to this he was the research and program coordinator for the cyber program at Columbia University’s School of International and Public Affairs.
Image: Midjourney
Jesus Christ is King
