Atlantic Council

In the Atlantic Council report "Achieving International Cyber Stability," Council Distinguished Senior Fellow Franklin D. Kramer analyzes the issues of cyber instability and emphasizes the roles of resiliency, cooperation, and transparency in achieving international cyber stability.

The most disruptive potential cyber security concern is the capacity of information technology to generate or escalate geopolitical conflicts into open or uncontained hostilities through attacks on operational networks. Undermining critical capabilities such as the military or the electric power grid would be highly destabilizing and potentially escalatory, generating a perceived need to move a confrontation toward conflict or to escalate a contained conflict into a broader arena.

International cyber stability can, however, be achieved by generating a three-legged stool of resilience, cooperation and transparency. For the United States, achieving these ends will require a three-part strategy of internal action to reduce vulnerabilities focused on key operational networks; collaborative activities with close allies and partners; and transparent interaction for the creation of norms, provision of assistance, and dialogue with others, including potential adversaries, to reduce risk.

The value of cyber stability is three-fold. First, reducing vulnerabilities reduces the risk of adversary attack, since such an attack will be less able to achieve its objectives. Equally, to the extent an attack is nonetheless undertaken, the harm will be reduced. Second, by generating cooperation, it increases the prospect of successful defense. Moreover, it also creates an international geopolitical environment which can shape attitudes and thereby further reduce the likelihood of an attack in the first place. Third, by increasing transparency, it may create international norms of behavior both with respect to possible partners and potential adversaries. For the first group, it offers the prospect of information and assistance. For the potential adversaries it may create shared learning possibly leading to two conclusions: first, that there may be useful areas of collaboration—even though there is not universal agreement; and, second, that there may be good reasons to limit cyber use in order to avoid inadvertent generation of conflict and/or escalation.

In establishing cyber stability, priorities are necessary since a desire to protect everything equally is not practically implementable from either a resource or a political standpoint. Despite the fact that the Department of Homeland Security has identified eighteen critical infrastructures, not all such infrastructures equally underpin United States security or the economy. Most clearly, the military and other national security agencies need to be able to operate in a confrontation. Likewise, no activities in the United States can take place without electric power. Telecommunications and financial systems are similarly crucial. Focusing on these four key infrastructures would allow resources and tailored solutions to be generated and prioritized.