The United Kingdom faces up to 120,000 cyber-attacks a day, equating to 44 million over the year. Cyberwarfare is also considered by a majority of American defence officials as the most serious threat facing the United States (US), even above terrorism, which ranks second. Cyber-intelligence[i], by which we mean the use of web-based technologies for intelligence purposes, has the potential to impose significant economic, political and security costs on the targeted states. It has been estimated that governments and consumers lose $125 billion annually to cyber-attacks, but these costs are often hard to assess.
Unlike traditional espionage situations, cyber-intelligence operations (CIO) are difficult to attribute to the responsible party, are not clearly defined in international law, and lack a clear endgame.
Designing a diplomatic response to such an activity, let alone a targeted or effective one, is therefore a difficult task. When a diplomat is accused of breaching the Vienna Convention on Diplomatic Relations by engaging in conventional intelligence operations, s/he is generally declared persona non grata and expelled from the country. This situation is hardly applicable to CIOs as the nature of the acts, the identity of the perpetrators, the legal framework, and the conditions of success against them are more difficult to discern.
In a joint paper to be published in the forthcoming volume on “Secret Diplomacy: Concepts, Contexts and Cases”, Ashley Coward and I argue that diplomatic responses to cyber-intelligence operations embrace a spectrum of positions, from the informal to the formal (see Fig 1). At the lower end of the spectrum is an informal-indirect response. This is akin to no response at all, such as a refusal to comment or acknowledge the incident or the decision to allow media speculation and public comments about the incident to go unchecked. Moving along the spectrum is an informal-direct response, which might entail state officials signalling their displeasure with a particular cyber-intelligence operation. This type of response might take the form of retaliation in kind accompanied by a range of comments denying responsibility for the retaliatory CIO: flat denials, reciprocal claims of being a CIO victim itself or shifting blame to non-state actors.
Further along the spectrum is the formal-indirect response. This includes internal government reports, the passing of domestic law and official government statements calling for dialogue on cyber-intelligence operations with other parties. At the upper end of the spectrum is the formal-direct response, which would likely involve a comprehensive and vigorous governmental approach. This might include official accusations against a particular state or individuals, raising the issue of CIO directly with foreign counterparts, high-level meetings, sanctions or possibly a targeted policy shift in concurrent aid or trade negotiations.
Which of these four types of response a state decides to pursue is influenced by three pragmatic considerations: the degree of exposure of the incident in the public sphere, the nature of the relationship between parties, and concerns regarding the constraints the response might place on future actions.
More specifically, we argue that public vocalisation about cyber-intelligence operations encourages movement up the Diplomatic Response Spectrum (DRS), but that movement is moderated by the value of the relationship between the states involved and consideration of the constraints that might be placed on future actions. The more valuable the relationship and the greater the perceived constraints on future action, the less likely states are to formalise their response to CIO (see Fig 2).
The viability of the DRS framework was tested empirically in two case studies: the Stuxnet virus allegedly deployed by the US against Iran’s Natanz nuclear facility and the alleged Chinese cyber-espionage against the US (see Fig 3 & 4). The two cases cover the most common and important forms of cyber-intelligence operations, sabotage and espionage, and offer a good level of variance with respect to the three challenges for diplomatic responses discussed above: attribution, legal framework and conditions for success.
The two case studies confirmed that more formal diplomatic responses were prompted by increases in public vocalisation. Response formalisation on behalf of the victim of CIO also appeared to exert particular pressure on the alleged attacker to move up the response spectrum itself. What this suggests is that the efficacy of relying solely on a policy of denial is somewhat diminished in the face of public vocalisation. While such a policy prevents legal culpability and should essentially allow a state to ignore accusations of cyber transgressions, it does not prevent the media and public sector from inflicting reputational repercussions on states. The case studies also confirmed that movement along the response spectrum is moderated by the relationship between the states involved. The risk of antagonising a valuable relationship due to attribution problems serves as a barrier to response escalation. The case studies also moderately confirmed that consideration of future action restrains response formalisation, more so in the case of cyber-espionage.
[i] As a term of reference, we prefer to use “cyber-intelligence” instead of “cyberwarfare” due to the more neutral connotation of the former.