Anthony Craig is a PhD candidate at Cardiff University in the Department of Politics and International Relations. You can follow him @Tony91C
There is a dire need for systematic, academic analyses on the adoption of cyber capabilities in the international system. Investigating this issue is important for both policymakers and academics because of the potential effects of cyber capabilities on international stability. The spread of cyber weapons could theoretically lead to a greater likelihood of cyber conflict or a reconfiguration of the global distribution of power, so an understanding of the proliferation of cyber capabilities is critical.
There has not been much empirical analysis on this topic, perhaps due to perceptions that data collection is difficult in cybersecurity, or that it requires a level of technical understanding above that of most political scientists. In a recent Net Politics post, Melissa Griffith points out that cybersecurity research suffers from a lack of data while at the same time suggesting that quantitative research is mostly unfeasible anyway.
Quantitative research is possible. My work involves creating a dataset on national cyber capabilities for countries observed between 2000 and 2017, which I use to assess the causes and consequences of cyber capability build-ups. I define cyber capabilities as the resources and assets available to a state that it can draw on or use to resist or project influence through cyberspace. The dataset assesses these from two perspectives: latent and active cyber capabilities. Latent cyber capabilities are the broad societal-based resources such as computer science knowledge and IT industry that governments can draw on to achieve their strategic interests in cyberspace. Active cyber capabilities refer to the operational capabilities that governments directly control and can deploy in computer network operations.
Although governments are understandably secretive about some aspects of their capabilities, there are several observable and therefore measurable aspects to cyber build-ups. For instance, there is plenty of information on the creation of computer incident response teams, military cyber units, or national cyber strategies. Moreover, governments may in fact want to display their ability to operate in cyberspace to create a deterrent effect.
One example of an observable development in cyber capability is the creation of military computer network operations (CNO) units, which I define as government entities located within a state’s military structure that are tasked to engage in operations involving computer networks. An obvious example would be U.S. Cyber Command created in 2010. Using this variable, the first thing that can confirmed by the data is the rapid acquisition of cyber capabilities. Figure 1 shows the increase in military CNO units from 2000 to 2017 among the ninety-five countries listed as victims in the Council on Foreign Relations’ cyber operation tracker. The number of these units has risen from just five in 2000 to sixty-three in 2017. When compared to previous military innovations such as nuclear weapons, battleships, or aircraft carriers, the rate at which military cyber capabilities have been adopted is notably high.
So what factors may be driving this process? Traditional international relations theory asserts that military build-ups are a response to external security threats. Applying this to cyberspace, countries that have experienced cyber threats should therefore be more likely to develop military cyber capabilities.
To explore this issue, I examine the relationship between two categorical variables: (1) whether a country created a military CNO unit in a given year, and (2) whether that country experienced a cyber incident against it in any of the previous three years. The table below shows how the data (1235 total observations from ninety-five countries over twelve years) are distributed among four possible combinations of events.
A CNO unit was created in 32 of the 1041 cases (3.1 percent) in which a country had not been attacked. However, a CNO unit was also created in 19 of the 194 cases (9.8 percent) in which a country had been attacked. In other words, countries that have suffered a cyber-attack are more likely to create a CNO unit compared with countries that have not suffered a cyber-attack (The chi2 test gives a p-value of 0.000 suggesting the relationship is statistically significant).
The results demonstrate a correlation between cyber threats and the development of military cyber capabilities. A cyber incident provides clear evidence to the state of its vulnerability, thus motivating it to develop the operational capacity to defend against and respond to future aggression. Nevertheless, there are evidently more factors involved in this process that are yet to be uncovered, given that most CNO units are created in the absence of cyberattacks.
If cyber threats are driving the proliferation of cyber capabilities, more consideration should be given to their effects in fuelling a cyber arms race and to the associated risks of escalation in cyber conflict. Yet the threat model is only one potential explanation for cyber capability proliferation. Factors relating to technological capacity, offensive motivations, international norms, or domestic politics may also play a role. Quantitative, as well as qualitative research, can be very helpful in developing theories about how the cyber domain operates. Although the challenges to data collection in this area cannot be denied, it would be unfortunate if researchers did not try.