Research Questions How should the Air Force integrate kinetic and nonkinetic (cyber) operations? How should escalation options and risks be treated?
The chances are growing that the United States will find itself in a crisis in cyberspace, with the escalation of tensions associated with a major cyberattack, suspicions that one has taken place, or fears that it might do so soon. The genesis for this work was the broader issue of how the Air Force should integrate kinetic and nonkinetic operations. Central to this process was careful consideration of how escalation options and risks should be treated, which, in turn, demanded a broader consideration across the entire crisis-management spectrum. Such crises can be managed by taking steps to reduce the incentives for other states to step into crisis, by controlling the narrative, understanding the stability parameters of the crises, and trying to manage escalation if conflicts arise from crises.
Key Findings Cybercrises Can Be Managed with Multiple Strategies Parties can reduce incentives for other states to get involved should a crisis arise. Parties can control narratives. Decisionmakers should ensure that they understand the parameters of the crisis. Each party is responsible for managing escalation should conflict arise.
Recommendations The Air Force should find ways of conveying to others that its missions can be carried out in the face of a full-fledged cyberattack. The Air Force needs to watch carefully the messages and signals it sends out about its operations, both explicit and implicit. Air Force operations should support rather than contradict the United States' master narrative about cybercrises. The Air Force should clearly differentiate between cyberwar operations that can be subsumed under kinetic operations and those that cannot. Air Force planners need a precise understanding of how their potential adversaries would perceive the escalatory aspect of potential offensive operations. The Air Force should develop itself as an independent source of expertise on cyberwar.
Table of Contents Chapter One
Introduction
Chapter Two
Avoiding Crises by Creating Norms
Chapter Three
Narratives, Dialogue, and Signals
Chapter Four
Escalation Management
Chapter Five
Implications for Strategic Stability
Chapter Six
Can Cybercrises Be Managed?
Appendix A
Distributed Denial-of-Service Attacks
Appendix B
Overt, Obvious, and Covert Cyberattacks and Responses
Appendix C
Can Good Cyberdefenses Discourage Attacks?
Research conducted by RAND Project AIR FORCE Force Modernization and Employment Program
The research reported here was sponsored by the United States Air Force and conducted by RAND Project AIR FORCE.
This report is part of the RAND Corporation monograph series. RAND monographs present major research findings that address the challenges facing the public and private sectors. All RAND monographs undergo rigorous peer review to ensure high standards for research quality and objectivity.
Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.
The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.