Winning and losing in cyberspace

摘要

This paper examines cyber conflict using a lens of `winning' or `losing', or alternatively the role of `victory' or `triumph' compared to that of `defeat', to draw broader conclusions about the dynamics of cyber power. To do so, the paper analyses writing on the general topic of winning over the years, then dives into the two most critical key case studies: the 2007 attacks on Estonia, and the 2008-2015 conflict between the United States and Iran. It addresses the most relevant factors for these cases, including a summary of the participants in the conflict and which side `won' or `lost' and why. After these case studies, the paper will address larger questions of winning and losing and the implications for our understanding of cyber power. One of the factors that most distinguishes this research from previous work on cyber power is that winning is defined not only by actions on the network, but in terms of longer-term national security outcomes. For example, Estonia certainly lost tactically in 2007, as it was offline because of the Russian-encouraged denial-of-service attack. Regretfully, most analyses of the conflict do not explore any further, which is unfortunate, as while the Estonians lost the battle, they won the war. The Estonians refused to be coerced and are now renowned for their cyber security excellence, while NATO was warned of the dangers of cyber conflict, even building a new NATO cyber centre of excellence in Tallinn. Russia was thereafter known as a cyber bully. When expressed in terms of longer-term national security outcomes, it is clear they won both operationally and strategically. Because this larger, non-technical view is often ignored in analyses of cyber conflict, this paper makes the case that the United States and nations that follow its model misunderstand the dynamics of cyber power and cyber conflict. Too much emphasis is placed on the success or failure of offensive and defensive capabilities, rather than on better or worse long-term national security outcomes. The paper concludes with a short view of what winning might mean in more strategic national security terms, and recommendations for the mechanics of national security policy-making.