Cyberspace

The book that first described the concept of cyberspace and is credited with its naming.

Cyberspace is a concept used to describe the widespread interconnected digital technology and is used to express the online world as a world "apart" or distinct from everyday reality. The term entered popular culture from science fiction, with it first being used by American-Canadian author William Gibson in 1982 in a short story published in Omni magazine, before being used to describe a central concept in the author's novel Neuromancer. In the novel, Gibson described cyberspace as the creation of a computer network in a world filled with artificially intelligent beings.

The term has since been used by technology strategists; security professionals; government, military, and industrial leaders; and entrepreneurs to describe the domain of the global technology environment. In this use case, the term is often defined as standing for the global network of interdependent information technology infrastructures. Further, cyberspace has been defined as a global domain within the infrastructure environment consisting of an interdependent network of information systems infrastructures including the internet, telecommunication networks, computer systems, and embedded processors and controllers. Similarly, it can refer to the complex environment that results from the interaction of people, software, and services on the internet.

Common understanding of the connected infrastructure of cyberspace.

In one sense, cyberspace is considered analogous to the internet, but it could be more correct to say that cyberspace occurs when the internet is used it creates cyberspace or allows cyberspace to exist. Which means, with the prolific use of computers and smartphones to access the internet, in a practical and theoretical sense, cyberspace continues to grow. Perhaps a good example of cyberspace is online gaming communities. These communities, playing together, create their own cyberspace worlds that exist only in the digital realm and not in the physical world. This is something that can be done from a remote location, but would have previously needed to have thousands of people collected in a single space to play.

One of the challenges in defining cyberspace is making present computer networks look more like a Gibsonian cyberspace integrating the intuitive geometry of 3D virtual reality, but with the more general, but cognitively confusing, infinite dimensionality of hypertext nets. As a description of what exists, the word "cyberspace" is used in a variety of significations, which can emphasize one or more meanings and can be used as a synonym for virtual reality, for the World-Wide Web hypermedia network, or for the internet as a whole.

The term cyberspace started to become a de facto synonym for the internet, and later the World Wide Web, during the 1990s. Author Bruce Sterling, who popularized this meaning, credited John Perry Barlow as the first to refer to cyberspace as the "present-day nexus of computer and telecommunication networks." However, none of these definitions quite capture the intrinsic aspect of the concept: that of a shared medium through which one can exert control over one's environment. Control can apply as well to the objects in cyberspace, as to the objects in real world.

However, the metaphor of cyberspace, as the connection between networked devices, as more than the internet, the internet's infrastructure, the World-Wide Web, and the interaction between users and devices, has been useful in helping a generation of thought leaders to reason through new military strategies around the world, led in part by the US Department of Defense. The use of cyberspace as a metaphor has some limits, especially when the metaphor can become confused with physical infrastructure.

Although cyberspace is a virtual environment, it exists, in part, in a physical space, involving a large computer network composed of computer subnetworks that employ TCP/IP protocol to aid in communication and data exchange activities. It is also an interactive environment, necessitating a broad range of participants, which in turn means any system with a significant user base or a well-designed interface could be thought of as cyberspace.

These physical systems further include information system infrastructures, such as the internet, telecommunication networks, computer systems, and embedded processors and controllers. And as it relies on the internet, much of this infrastructure is under the sea on the large and complex network of cables and satellites that transfer the data and information and connect the disparate sections of the internet. And it includes satellites for various uses, included for the Global Positioning System (GPS), weather monitoring, and enabling radio and television communications.

The "space" in cyberspace is better understood as an abstract, mathematical meaning of space more than the term physical space. Cyberspace does not have the duality of positive and negative volume. In a physical space, for example, a room has the negative volume of usable space delineated by positive volume of walls. Internet users, however, cannot enter the screen and explore the unknown parts of the Net as an extension of the space they are in. But, spatial meaning can be attributed to the relationship between different pages, considering the unturned pages to be "out there."

The concept of cyberspace therefore refers not to the content being presented to the surfer, but rather to the possibility of surfing among different sites, with feedback loops between the user and the rest of the system creating the potential to always encounter something unknown or unexpected.

Increasingly, personal privacy and national security in the 21st century depend on protecting sets of systems that did not exist until late in the 20th century, being the electronic web of information sharing known as cyberspace. Electronic computing and communication pose some of the more complex challenges engineering has faced, ranging from protecting the confidentiality and integrity of transmitted information, and deterring identity or data theft.

This can be increasingly important as networks of electronic information flow are embedded in almost every aspect of modern life, including controlling traffic lights to routing airplanes, radio and TV signals, cell phones, and other forms of communication all rely on these networks. And this is not limited to civilian life, but includes military, financial, and emergency services. Utility systems providing electricity, gas, and water can be crippled by these disruptions, and any attacks on these networks would potentially have a disastrous consequences for individuals and larger society.

Despite the danger posed in the breach or compromise of any of these systems, research and development for security systems has progressed little beyond strategy akin to plugging a hole in a dike, or cobbling together software patches when vulnerabilities are discovered. Historically, the approach to computer protection has been what is called "perimeter defense," which is implemented by placing routers and firewalls at entry points of sub-networks to block access from outside attacks.

Cybersecurity experts know the perimeter defense does not work, as all defenses can eventually be penetrated or bypassed. And even without such breaches, systems can be compromised, such as crashing a server by flooding a website with bogus requests. One possible approach to computer protection is to engineer more secure software. This could be done through better or more secure programming languages or by writing more security protections into programs. Technology also seems to be required to detect vulnerable features of software before it is installed, rather than waiting for an attack. Another challenge is securing the data flow through various routes on the internet, to stop information from being diverted, monitored, or alerted.

Once problems are detected, technologies for taking countermeasures and for repair and recovery must be in place as well. As well, part of this process could include new forensics for finding and catching criminals committing cybercrime or cyberterrorism. Although the best way for cybersecurity to succeed is an understanding that the safety requires an understanding of the whole system, rather than protecting individual parts.

Cyberspace is best understood as a global domain within the internet environment, which consists of the interdependent network of information technology infrastructures. This has become a place where human relationships and communities have developed in new ways. And it has seen the development of new models of commerce. Some have seen this and argued that it provides a universal ground for communication to help bring the world together, while others point out that people will continue to associate narrowly with those of similar interests and economic and social status.

Despite the globality of cyberspace, the majority of the infrastructure is owned and maintained by private companies. Countries and local governments play a limited role in the development of infrastructure, such as granting licenses to companies installing cables or taking steps to regulate, monitor, and set standards for all kinds of cyber infrastructure. For example, New Zealand passed legislation in 1996 to protect cables and pipelines, in part regulating fishing and anchoring activity, as well as establishing a cable protection zone.

Another example is the 2018 European Union General Data Protection Regulation (GDPR), which— among other provisions—limits what companies can do with personal data stored in data centers. There are two main international agreements that govern cyber infrastructure. For satellites, this includes the 1967 Outer Space Treaty, which was drafted at the height of the Cold War and holds that outer space belongs to all and should be used for peaceful purposes and kept free of weapons of mass destruction. And in 1982, the UN Convention of the Law of the Sea (UNCLOS) provided regulation on the use of submarine cables, including the right to lay cables in international waters.

Similar to this, there are a few standards-setting organizations, which have a limited reach that is often not legally binding. One of the most notable of these is the Internet Corporation for the Assignment of Names and Number (ICANN). A nonprofit established in 1998, and originally tied to the US Department of Commerce, ICANN has operated independently since late 2016 and provides internet protocol (IP) addresses and gives domain names to those addresses.

As cyber insecurity, or threats to cyberspace and the associated institutions, has become a growing global problem, states and related stakeholders have sought to increase stability for cyberspace. As a result, a new ecosystem of "cyber norm" processes has emerged. This has included various stakeholders and organizations, including the United Nations, expert commissions, industry coalitions, working to identify or operationalize various normative standards of behavior for states and stakeholders in cyberspace.

Proposed laws or norms for cyberspace, or a Digital Geneva Convention.

For example, in October 29, 2019, the University of Pennsylvania's Perry World House and the Carnegie Endowment for International Peace convened a workshop on cyber norms with participants from various stakeholders, such as governments, international organizations, nongovernmental entities, industry, and think tanks. Participants assessed various cyber norm processes and offered key takeaways, including four weaknesses that constrain the effectiveness of these frameworks:

• Inherent characteristics of the cyber domain, especially its relatively low barrier to entry to develop and use cyber capabilities, create serious multi-stakeholder cooperation problems, as state, corporations, proxy actors, and others would need to adhere to norms that may not be in their best individual interest.
• A lack of transparency about state behavior, which creates an inability to measure norm adherence to differentiate "aspirational norms" from actual "norms" and, within the latter category to assess the breadth and depth of conformance by relevant actors.
• A dearth of great power cooperation to address this global public policy challenge, especially as geopolitics moves from identifying norms to internalizing them within relevant state and other stakeholder communities.
• A lack of clear incentives for internalizing norms—that is, articulating concrete benefits for adopting and internalizing one or more cyber norms or the costs that may follow a failure to do so.

The same workshop offered four recommendations to possibly address these issues:

• Focused research on specific cyber norms to measure their alignment with actual behavior in cyberspace and identification of potential gaps between them and among existing accords.
• A shared global database of cyber processes that can improve transparency on what each process does, who participates, and how its work is received in other processes (that is, what sort of cross-pollination occurs versus triggering competing or conflicting norm proposals).
• Research efforts to identify a menu of incentives to promote norm adoption and implementation, including a list of potential consequences that can follow cases of nonconformance.
• More multi stakeholder engagement with great powers on exercising their power responsibly to improve the identification and operation of cyber norms for states and stakeholder groups.

The cyberspace domain has offered a new vector for attacks and warfare, one without geographical boundaries and out of reach of traditional norms such as the Geneva convention. Referred to as cyber warfare, the use of cyberspace as a domain for warfare has changed how enemies are reassessed and how challenges are met, and allows for policies to be enacted that match the growth of the cyber domain.

Cyberspace is often conceptualized as the fifth domain of warfare.

However, there is no clear or universal definition of what cyber warfare is, with subtle differences in the word's connotation often reflecting emphases on an offensive versus a more conventional defensive positioning. Or as some have suggested, does the term reflect a select type of warfare? Can it be extended to digital weapons, or limited to actions taken on a computer or related network? Does it extend to ever more intelligent and autonomous weapon systems? Often definitions emphasize the difference between a cyber attack from cyber warfare, with the idea of a "war" implying a wider scope and longevity, while an attack can be understood as a single event, often with a "war" encapsulating a series of attacks.

Not surprisingly, articulating the nature of and doctrine for operations in cyberspace has been difficult. This is in part due to the underlying physical and logical elements that are increasingly conceived, funded, and built by technology companies, not governments, and in foreign nations, reflecting commercial, not national interests. Despite having been drivers of the creation of the internet and facilitators of its use, many consider Western governments to have since exited the race of developing cyberspace. And to some degree, formulating cyberspace as an operational domain for the defense industry has been seen as an effort to reclaim lost ground.

Cyberspace was first referred to as a military domain alongside the land, air, maritime, and space domains in the United States as early as the 2004 National Security Strategy. There have since been several descriptions used to try and explain cyberspace as a military domain. However, in 2011, with the unveiling of the US Department of Defense's new strategy to protect military computer networks from hackers, and effectively designating cyberspace as an operational domain for the United States Forces, Deputy Defense Secretary William Lynn said the Pentagon wanted to avoid militarizing cyberspace, but aimed to secure strategic networks with the threat of retaliation, as well as by mounting a more robust defense.

William Lynn further declared cyberspace operations as the "employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace. Following this early stance, which was a more defensive stance, changed in 2017 with the approval of the US Cyber Command (USCYBERCOM) as a Functional Unified Combatant Command with a worldwide area of responsibility that included directing DoD information networks, security, operations, and defense. In declaring cyberspace as an operational domain, and forming the US Cyber Command and Cyber Mission Force, the DoD implemented and evolved through multiple command and control structures for cyberspace operations derived from traditional military doctrine, in order to achieve unity of effort across both global cyberspace domain with military operations in the physical domains.

Patch for the United States Cyber Command.

In the military context, cyberspace presents a different operational environment than the physical domains, and even the application of traditional military command and control constructs to the cyberspace domain has led to complications. One such difficulty has been the organizational efficiency in the relationship between the NSA and US Cyber Command. Both organizations are responsible for the cyber domain, with the relationship, which was intended to be temporary, initially developed to help Cyber Command benefit from NSA's expertise, capabilities, and experience, to help Cyber Command reach full operational capability. However, the dual hat command relationship has continued to exist, which has complicated and hampered the capabilities of both organizations in reference to their capabilities and activities in cyberspace.

Components of US Cyber Command.

The US Cyber Command has further been hampered by acquisition regulations, such that the organization can only purchase items that big contractors have figured out how to sell. This means, functionally, the US Cyber Command cannot go to a technology company with a solution for a specific software or cyberspace problem, because the startup would not necessarily go through the federal qualification process, which can take a year and a half. This has created barriers to private-sector collaboration, which hampers Cyber Command interaction between Cyber Command and private-sector IT experts. There are also cultural differences between the private sector and Pentagon officials who view cyberspace as a war-fighting domain, which further hampers cooperation. This is especially important when considered that most of the infrastructure of cyberspace is created and maintained by private-sector companies.

Command and control is defined as the direction of activities in accordance with the will of a commander. In this, there are specific ideas, such as intelligence, fires, movement and maneuver, and protection and sustainment. In this structure, intelligence refers to the integrated, evaluated, analyzed, and interpreted information about an enemy or operational environment; fires refers to the use of weapons or systems to effect changes in the state of a target; movement and maneuver refers to the combination of movement and fires to achieve an advantageous position; while protection and sustainment refers to one's own force and assuring continuity of operations. The JP 3-12 (2013) explains how these functions apply to cyberspace operations:

• Command and control—a commander's control over forces tasked with carrying out cyberspace operations
• Intelligence—intelligence that is pertinent to the conduct of cyberspace operations as well as any intelligence that can be conducted via cyberspace operations
• Fires—the use of "cyberspace capabilities" to manipulate adversary cyberspace targets through redirection, military deception, systems conditioning, or more
• Movement and maneuver—the movement of data through physical and logical infrastructure and the navigation of network links and nodes, often in conjunction with the application of fires
• Protection—protection of physical and logical infrastructure, and the application of defensive capabilities and operational security (sometimes equivalent to information security measures)
• Sustainment—maintaining capabilities through equipment acquisition, training, capability upgrades, and planning for operational continuity

Example of a command and control module for cyberspace.

These operational functions, and the preceding fundamentals and tasks associated with them, can be combined to produce an APIT (advanced persistent threat) operation line model, based on the line of operation concept put forth in the US military doctrine, which links tactical milestones of an operation to the strategic objectives of the operation. As APT operations are, like any operation, a human-driven process carried out to fulfill human objectives, situational awareness is required at all decision points.

The situational awareness dimension should be included in a description of the APIT's line of operation, because vulnerabilities inherent to this dimension can be exploited by defenders to deceive adversaries, degrade their capabilities over the short and long term, disrupt operations and strategic agendas, deny strategic advantage, and, potentially, even destroy information assets or manipulate planning processes in a disadvantageous way that can result in strategic failure.

Advanced persistent threat (APT) is acknowledged as the most sophisticated and potent class of security threat. APT refers to knowledgeable human attackers that are an organized and sophisticated group that are often motivated to achieve their objectives against a targeted organization over a prolonged period. Strategically-motivated APTs or S-APTs are distinct in that they draw their objectives from the broader strategic agenda of third parties such as criminal syndicates, nation-states, and rival corporations.

In 2016, the NATO Warsaw Summit brought together state and government heads of NATO countries, with representatives from non-NATO nations including Montenegro, Ukraine, Georgia, and Russia. This was the first NATO summit to recognize cyberspace as a "domain of operations." This summit further reaffirmed commitments such as strengthening cyber defense capabilities and the applicability of international law in cyberspace. The recognition of cyberspace as a domain alongside the domains of air, land, sea, and space is intended to include broader deterrence and defense, integration into operational planning and Alliance operations and missions more effective in terms of NATO's cyber defense and better management of resources, skills, and capabilities.

This was seen as a significant step to equating cyberspace with other domains when talking about defense, and the inclusion of cyberspace in any defensive strategies. The use, in NATO's documents referring to the definition of cyberspace as a domain, of the concept and word "deterrence" is further seen as significant, as it is seen as a step towards the acceptance of offensive cyber capabilities as part of the collective defense. However, linking deterrence to cyber defense has been seen as difficult, as deterrence is usually achieved by enemies being afraid of the offensive capabilities of a nation in a domain, but many nations are not afraid of the offensive cyber capabilities of most other countries. Some believe there exists a "deterrence by denial" in cyberspace, but this concept has not been sufficiently demonstrated.

Accordingly to the summit, the acceptance of cyberspace as a domain meant NATO allies have a commitment to enhancing the cyber defenses of their national networks and infrastructures, including improving their capability to respond to cyberattacks, including hybrid contexts, and for those capabilities to be continuously adapting and adaptive.

With the announcement of NATO's inclusion of cyberspace as a strategic domain, there have been different approaches to optimally secure and defend cyberspace, and further, to include cyberspace as a domain of operations within the larger context of all strategic domains. Part of the efforts of defining national strategies has been due to the new and emerging nature of cyberspace, and that many nations expect cyberspace to play a more central role in future conflict. This is especially as some nations find cyberspace as a cost-effective way of overcoming relative material weakness, and therefore cyberspace and related operations offer a way of reducing a rival country's advantages. Aggressive operations in cyberspace, especially those aimed at disrupting communications infrastructure, would put a rival nation on the back foot and likely force them to make otherwise difficult strategic decisions.

For example, in Canada, between 2010 and 2020, the country released two cyber security strategies, a defense policy, and updated laws, and created new organizations intended to illustrate the Canadian government's approach to cyberspace. Canada has demonstrated a primarily domestic focus in its approach, which emphasizes efforts to improve security and country cybercrime. In this program, there is an acknowledgement that the emphasis is challenged by the majority of cyber threats originating from outside the country, while the reach of cyberspace allows criminals and hostile states to hide behind political barriers while exploiting possible victims in Canada.

Meanwhile, in the United Kingdom, there is an emphasis on combining cyberspace operations with traditional warfighting in traditional domains. The country tends to view the cyberspace domain as both a threat and an opportunity. British Army doctrine, for instance, notes that threats are increasing as both the United Kingdom's capabilities and the capabilities of other actors, whether hostile or not, continue to grow and become more reliant on sophisticated information services, although this has also increased the possible threats in the domain. At the same time, efforts to merge cyber and kinetic operations create new opportunities to debilitate adversary systems, achieve tactical surprise, and control the scope and pace of conflict.

While for the US and CYBERCOM, the strategy remains to achieve and maintain superiority in cyberspace while directing, synchronizing, and coordinating cyberspace planning and operations to defend and advance national interests with domestic and foreign partners. And part of this is the unification of cyberspace operations; secure networks, platforms, and data; and an expansion of the military options available to national leaders and operational commanders.

Primary strategy targets for the Department of Defense's operations in cyberspace.

At the same time, the US military and CYBERCOM pursue an operational script, which has been in use since the Gulf War, to use technological advantages to fight and win quickly. This includes blinding strikes against intelligence and command and control centers intended to leave enemies unable to organize a coherent defense. Including information attacks in cyberspace to further bewilder and confuse enemies, especially if those attacks can achieve similar or same effects as traditional weapon systems and kinetics attacks at a lower overall cost. And cyberspace operations have proven naturally suited to this approach. This becomes increasingly important as more adversaries use cyberspace as an operational domain against the United States, and as more weapons systems rely on elaborate software and complex supply chains, these systems can be sabotaged through cyberspace operations.

Chinese military doctrine emphasizes the importance of controlling information in the early stages of any conflict and focuses on what it takes to win under "informatized conditions." In the 2001 edition of the Science of Military Strategy, an influential publication by the People's Liberation Army, a statement was published describing the use of cyberspace for precision strikes at the outset of war in order to paralyze enemy information systems and infrastructure. Updates to the policy have included strategies focused on the effective suppression and destruction of enemy's information systems and information protection capability. The policy includes China's goal to seize and control battlefield initiative, paralyzing and destroying the enemy's operational system, in order to shock the enemy's will for war.

The splinternet suggests a scenario where portions of the internet are fragmented into geographically and politically controlled zones.

In order to solve some of the logistic concerns in the development of cyberspace as a military domain, and in one of the largest projects in cyberspace, the Chinese "splinternet" is an attempt to develop an alternative cyberspace closed off to those who do not participate in this. And in the development of this separate cyberspace, China has worked to invite developing countries into the splinternet. The splinternet is a cyberspace that works to be separate and ideologically distinct, and not just due to its closed nature, compared to the open cyberspace most people are used to.

Further, as part of the splinternet strategy, China is not interested in improving the existing internet in an interoperable way or open way, or helping the internet in its resilience to cyber-attacks, but continues to engage in creating a completely different digital architecture, complete with its own ideological governance and values which are incompatible with the wider open cyberspace.

One technology China has turned to in order to develop the splinternet is blockchain. Blockchain is generally considered attractive as it is intended to be a peer-to-peer system with no intermediaries or central power. But the plan for China has been to subvert that by owning the blockchain and using government agents to operate each node in the blockchain. This gives the Chinese government the capability to monitor every communication in perpetuity. And any country signing up to China's splinternet (which the Chinese government incentivizes by offering to build the necessary infrastructure for the country signing up to the splinternet) would be also exposed to the same level of state control. This would also herald a new cold-war style split.

Another manifestation of China's potential for surveillance, and specifically fiscal surveillance, is through the country's new digital currency, a state-backed digital yuan controlled by the People's Bank of China.

Similar to China's strategy, Russia has moved towards integrating cyberspace operations into conventional offensives. However, either due to strategy or capabilities, these initiatives have seen mixed results in activities by the Russian military in Georgia and Ukraine. For Russian strategists, cyberspace operations are intended to disorient and demoralize adversaries before conflict begins and is intended to be used to help neutralize enemy command and control systems.

As more interest in cyberspace from militaries has increased and evolved across states, and cyber attacks attributed to advanced persistent threats have become commonplace, there have been some developments in military approaches to cyberspace. These developments, in part, accentuate the need for governments to thoroughly consider the risk of civilian harm that may result as a byproduct of cyber operations.

As in all industries, the application of machine learning has accelerated as governments and technology companies have sought the benefits of artificial intelligence and the efficiencies of scale and automation. One such development, in response to a 2016 challenge from the US Department of Defense, was developed by ForAllSecure which introduced a system called Mayhem. This system demonstrated it was possible for a computer to find, test, and patch vulnerabilities in real time, and since every major cybersecurity vendor stresses the importance of artificial intelligence in their products. This further means the technology has become a necessary element of any defensive cyber solution. And, while governments may hesitate before making the leap to fully autonomous AI systems for offensive operations until the technology has been proven capable, but will continue to use human operators, especially as any cyber operation has the possibility of causing global impacts.

As more devices are being connected to the internet, it increases the attack surface of cyberspace, extending it doorbells, thermostats, refrigerators, televisions, and security cameras, among other devices. The risk of civilian harm can often be managed by targeting specific IoT devices, but the opposite is also true as cyber operations that target vulnerable devices indiscriminately could attack these IoT services and cause civilian harm. It also become imperative that nations evaluate the significant risks associated with conducting cyber operations involving IoT devices, as it can be difficult to discern the impact they may have on medical facilities, critical infrastructure, educational institutions, and other sensitive networks.

There have been two events of advanced persistent threats—the 2020 SolarWinds supply chain compromise and the Microsoft Exchange Server compromise in 2021. Both events were conducted outside of the context of armed conflict, but they highlight a trend where cyber operations are conducted below that threshold, and therefore outside of the scope of the protections that international humanitarian law (IHL) affords to civilians. In both attacks, it was assessed that nation-state cyber actors worked to compromise these systems. The SolarWinds attack was believed to be conducted to monitor the company's networks. While in the Microsoft Exchange attack, it was believed to be conducted in order to gain privileged access to Microsoft email servers worldwide.

Comparing the two events sees a willingness on the part of some to shift towards indiscriminate cyber operations. And while, in both attacks, the original attempt may have been espionage, it has become clear that both operations resulted in harm to thousands of civilian institutions, including local businesses, schools, medical facilities, and critical infrastructure owners forced to take systems offline and remediate malicious code across a network.

The tactical limits of cyberspace operations should give any nation developing war plans based on the assumption of rapid and effective information attacks pause. The strategic limits, as explored below, especially of infrastructure attacks should cause careful thinking in the event of developing a cyberspace operations strategy. However, as is often the case with new domains and strategic leaders, it is expected that some leaders may fall victim to the wish that cyber operations will deliver the oft promised bloodless victory, despite this wish or dream putting such a leader into a set of tricky strategic dilemmas.

The first strategic limit involves intra-war escalation. Despite cyberspace operations facing limits against hardened military targets, political leaders may still be expected to overreact to news that information systems are under assault. This situation would offer nightmare scenarios of losing command and control, and ultimately the conflict, and could encourage risky decisions rather than testing the resiliency of those information systems against an opponent. This reaction could preemptively escalate conflict, with the simplest strategy to avoid escalation being to engage in conflict conservatively. In cyberspace operations, this would mean eschewing operations against critical targets and generally erring on the side of caution rather than taking the risk of an escalating attack. Although, at the same time, this type of approach to cyberspace operations increases the likelihood of a protracted war.

Disrupting communications of an enemy makes tactical sense, as those units, if unable to communicate, will find it increasingly difficult to coordinate efforts. Unreliable command and control ultimately undermines battlefield effectiveness, leaving deployed forces vulnerable to defeat. Cyberspace operations offer the possibility of cyber attacks and electronic warfare to induce this type of operational sclerosis. However, if the goal of a conflict is to force the enemy to negotiate favorable terms, using these capabilities can complicate the strategy. Ideally, cyber capabilities would be capable of dividing an enemy's hierarchy and insulate willing peacemakers to negotiate with while focusing military pressure on those unwilling to negotiate. But in dividing the enemy, a leader may find it hard to locate a reliable negotiating partner with the proper and necessary authority to compel armed forces to stand down in light of a negotiation. In turn, this division, especially along fault lines in a rivals leadership group, could create atomized national institutions, which could only guarantee temporary at best and geographically limited peace deals which, often, would only be held up while specific commanders hold sway.

As with any emerging technology, there is a certain allure to cyberspace operations and the possibility of a rapid victory, either through the technology itself or as a force multiplier. The possibility of winning a conflict at low cost offers the ability to secure national interests with minimal risk. This could be through the use of offensive cyber operations, coupled with kinetic strikes, meant to stun a target and allow for attackers to deploy reinforcements or main forces under the confusion. And in this scenario, the attacking nation controls the pace of the conflict and can set the terms for ending said conflict. Meanwhile, the targeted nation may struggle to muster a meaningful response and face the dilemma of either accepting bad terms or fighting at a disadvantage, which could, depending on the deployment of cyber operations and kinetic forces, range in severity.

This further brings up an issue for the victor, who having such an advantage over the defeated nation, may find it impossible to provide credible assurances that it will not cheat on the terms of the peace settlement for a more comprehensive victory later on; this could be especially true if the victor nation is especially larger than the losing nation, and the possibility of a comprehensive victory is not out of scope for the capabilities of the victory nation. This further increases the difficulty of assuaging the losing nation. Furthermore, recent scholarship suggests these conditions have already been proven, in the difficulty of great powers to convince and coerce smaller rivals in peacetime.

Strategy is perhaps best understood as the theory of victory. A strategy attempts to communicate how military violence will help a state achieve political goals, and how to use that violence to compel enemies to back down. Cyber operations have been shown to be useful for strategic purposes, especially in the cases where they can enable physical violence and reduce the overall cost of that violence to the attacker, while further coercing the target to settle sooner.

Grand strategy, in contrast, deals with security. It attempts to describe how foreign policy instruments can help the state achieve durable national security. In doing so, a grand strategy will deal with the questions of world politics, the underlying sources of national power, and the utility of military and non-military tools. Victory in war is not the same as security in peacetime.

In some cases, good strategy and necessary wartime decisions can undermine the long-term grand strategy. For example, increasing a nation's debt in pursuit of victory may leave the victor in a difficult position that other rival nations could seek to exploit. The introduction of new technology may also have an unexpected effect on the balance of power and any postwar economy. Suppose, for example, that one nation uses cyberspace operations energetically in a future conflict and can employ new and powerful tools against hard targets. In this case, if the tool in question is malware targeted at enemy forces, the collateral damage could be the same malware infecting civilian computers far beyond the battlefield. This could, in turn, reduce postwar confidence in the regional and international economic order—especially in a scenario that would see firms and consumers retreat from online commerce and communication.