Table of Contents


No one has died directly from a cyber attack—yet. Nevertheless, in just a few years cyberwarfare has become a major global concern. Since 2013, cyber operations have topped the U.S. intelligence community’s assessment of worldwide threats. This worry is widely shared—and yet the specific qualities of cyber threats, and what constitutes appropriate responses, are still hard to characterize.

Cyber anxiety proliferates globally because so many actors and actions can cause harm through cyber means, and the scope and scale of their potential harmful effects are so varied. Criminals routinely break into networks to steal financial assets and valuable intellectual property. The NotPetya cyber attack in 2017, attributed to Russia, shut down production lines, such as those of the pharmaceutical manufacturer Merck, and rendered entire ports inoperable when it hit the shipping company Maersk.1 North Korea has pioneered the use of cyber for large-scale robbery, attempting to steal an estimated $1.1 billion from financial institutions around the globe over the past few years.2 China has conducted cyber espionage to steal intellectual property, including designs of advanced U.S. military equipment and commercial nuclear reactors, as well as the personal information of over 21 million current and former federal government employees.3

George Perkovich
Perkovich works primarily on nuclear strategy and nonproliferation issues; cyberconflict; and new approaches to international public-private management of strategic technologies.
More >

Cyber operations have subverted elections and sown chaos, cognitive confusion, and violence in France, India, Ukraine, and the United States, to name a few targets. Russia’s invasion of Georgia in 2008 and irregular military operations in Ukraine in 2014 relied heavily on cyber. The United States and Israel mounted the Stuxnet cyber attack to physically damage uranium enrichment centrifuges in Iran. Amid these trends, Western powers, including Canada, France, Germany, Israel, the UK, and the United States, increasingly broadcast their development of offensive cyber capabilities.4 Others, such as China, India, and Russia, are more quietly creating dedicated military cyber forces.5

Yet, the worst fears of a “cyber Pearl Harbor” have yet to materialize. Instead of rapid escalation to cyberwarfare, there has been a steady degeneration to a state of near-constant cyber contestation among major powers in the gray zone between war and peace. In the absence of civilizing rules of the road, the tenuous boundaries of cyber contestation that have emerged could break down. Once they do, all bets are off.

Wyatt Hoffman
Wyatt Hoffman was a senior research analyst with the Nuclear Policy Program and the Cyber Policy Initiative at the Carnegie Endowment for International Peace.

This uncertain state of affairs harkens back to earlier periods when technological disruption threatened global stability. In 1907, as telegraphy and radio transformed the world, Andrew Carnegie noted hopefully,

Since the civilized world is now united by electric bonds into one body in constant and instant communication, it is largely interdependent and rapidly becoming more so. War now involves the interests of all, and therefore one nation has no longer a right to break peace without reference to others. Nations hereafter should be asked to remember this and not to resort to war, but to settle their disputes peacefully.6

Of course, the First World War erupted seven years later, illustrating the need for institutions and leadership to control the risks that new technologies may add to international affairs. The conflict began in 1914 with an act of gray zone violence, when a Serbian militant with ambiguous ties to state security organs assassinated Archduke Franz Ferdinand. The rapid escalation that ensued continues to alarm students of human behavior and politics. Technology—in the form of railways—played a part in the catastrophic escalation by speeding it and making it harder to reverse.

A century later, notwithstanding lots of gray zone competition, states thus far have not used growing cyber arsenals in ways that could cascade into collective self-harm à la 1914. Of the 272 documented cyber operations between states between 2000 and 2016, only a few were highly destructive.7 Thus far, the vast majority of malicious cyber activity has constituted espionage, theft, vandalism, and other nonlethal threats. States have good reasons to exercise restraint—but how long will this restraint suffice in the face of growing cyber confrontation?

What is the need for cyber peacemaking, and how might it be pursued? Before all else, it is vital to distinguish those threats that could rise to the destructiveness of war from those that will be more persistent and will require civilizing forms of preventive or palliative action different from those associated with peacemaking. Then the more particular challenges of cyber conflict and peacemaking can be addressed.

The Cyber Frontier

The cyber peacemaker’s first task is to develop norms that distinguish acceptable behavior from unacceptable and exert moral and political pressure to isolate those that transgress them. Criminals, mercenaries, and states possess the means and motivations to steal from, vandalize, spy on, and otherwise disrupt individuals, societies, and governments through cyberspace. With so many actors of such wide reach, it will take a long time to civilize this space. The civilizing project requires concepts, actors, and instruments that are analogous to law and order and standards of hygiene and public health within well-ordered societies. The pace will be uneven, as some governments are less enthusiastic than others to take this up.

Many national, international, and private sector institutions are now working to foster norms of responsible behavior for states’ (and others’) cyber activities.8 Notably, the United Nations’ Group of Governmental Experts (GGE) process brings together expert representatives from key states to explore international norms and rules and cooperative measures to reduce the risk of cyber conflict. Other efforts include the recent Paris Call for Trust and Security in Cyberspace, which brought together sixty-five states and hundreds of private corporations and nongovernmental organizations to endorse a set of normative principles.9 Valuable as they are, these efforts primarily seek voluntary, legally nonbinding adherence to high-level principles in peacetime. The process of moving from norms to codified and enforceable rules and laws is only beginning. A widespread perception remains that cyberspace is still a wild frontier.

The frontier metaphor suggests another facet of the civilizing project: preventing, defending against, and managing viral threats to the cyber health of the population. This is akin to a public health challenge. Illicit actors gain access to computers, networks, and data through vulnerabilities created accidentally or purposefully in hardware and software, and from poor cyber hygiene by owners and operators. Information and communication technologies (ICTs) need to be more resistant to hacking, and networks and society must become more resilient to withstand hacking that cannot be prevented.

The “public health challenge” is made more complicated by the fact that much of the internet and related ICTs are owned and operated by nongovernmental actors—businesses and individuals. The burden of managing cyberspace falls largely to the private sector, especially in technologically advanced Western countries.

Producers, sellers, operators, and regulators of ICTs must be educated and motivated to do all that can reasonably be done to ensure their security and resilience against malicious activity. Moreover, the sheer number and variety of producers and users of relevant technologies continues to grow with the Internet of Things. As sellers and buyers naturally seek to reduce costs and maximize profits, the urgency of the prevention imperative is not met by necessary action. Robert Hannigan, the innovative director of the United Kingdom’s intelligence organization GCHQ from 2014 to 2017, and creator of the National Cyber Security Centre in 2016, concludes:

The market does not easily correct because there is no immediate cost for the consumer or manufacturer from poor security. . . . Governments can not only encourage behavioral change, but have the regulatory levers to accelerate it. . . . Without regulatory force, manufacturers seem likely to resist the extra costs.10

Of course, private actors worry that governmental rules and regulations will be inflexible, impractical, and expensive to implement. A balance may need to be found between imposing regulations and a market-oriented approach. For example, holding providers of vulnerable ICT goods and services liable for the flaws that leave their users open to attack would strengthen incentives to make products more secure. Insurance providers will also play a role, pegging coverage and premiums to customers’ cyber risk management practices.11 Similarly, other commercial actors such as large private and sovereign-wealth-fund investors and credit-rating firms can create financial incentives to improve the security practices of technology providers and users.

The inculcation and enforcement of norms and rules, and the increased proportions of secure products and hygiene-minded users, will reduce threats of cyber theft, vandalism, harassment, and disinformation. This in turn will begin to change the cost/payoff ratio that today motivates states to opportunistically exploit and attack each other’s ICTs rather than cooperate with one another. In this safer and more secure environment, two other requisites of cyber peace become more achievable: the establishment of taboos around the most dangerous, destabilizing actions, and the implementation of deterrence and laws of armed conflict to reinforce restraint and impose severe costs on those who would violate it.

Cyber Contestation: The Good, the Bad, and the Ugly

States increasingly project and parry power through cyberspace. The good news is that thus far they have not tried to do the worst that can be done with cyber weapons. The challenge is to preserve restraints, even as states continue to pursue two lines of action that could cause accidental or purposeful escalation to major conflict: cyber espionage and cyber-infused confrontation in the gray zone between war and peace.

Technical and political factors entice states to use cyber operations to challenge each other. The interconnectedness and widespread vulnerabilities of ICTs make it relatively easy and affordable for states to penetrate each other’s systems and those of private entities. At the very least, this is done to gather intelligence—a standard operating procedure of governments since time immemorial. Each capable state assumes or knows that others are doing it, so acts in kind. Defenders then persistently engage with intruders.12

Yet, with cyber espionage it is far more difficult for the defender to assess that the purpose of an intrusion is merely espionage and not a full-scale attack. The difference may be a few lines of code in a weaponized payload, and the final step of delivering or activating that payload can be taken in an instant. This ambiguity is potentially very dangerous.

U.S. Defense Cyberspace Operators, assigned to U.S. Cyber Command and members of the Ministry of Defense of Montenegro, pose for a photo during Cyber Defensive Cooperation at Podgorica, Montenegro, Sept. 28, 2018. (Photo by Spc. Craig Jensen)

Beyond intelligence gathering, most cyber contestation now occurs in a gray zone between peace and war. It is worth noting that the use of cyber operations in this space may sometimes actually reduce real-world bloodshed. Cyber operations expand the range of options for states to signal resolve, apply pressure, and counter others’ activities before resorting to armed force. For example, the use of Stuxnet to disrupt and damage Iranian nuclear centrifuges likely forestalled an airstrike against Iran’s nuclear program. The implantation of foreign code in a competitor state’s electricity infrastructure could be a less menacing form of deterrence than the threat of missile attacks against the same targets. Competition in cyberspace can act as a “pressure valve” that inhibits war, adding new means for adversaries to signal resolve and the potential to raise costs short of causing bloodshed.

The major danger here, however, is that gray zone contestation can escalate. “The truth is,” intelligence expert Robert Hannigan writes, “that aggressive nation states behave online much as they do in the physical world, with the same degree of recklessness and disregard for collateral damage or unintended consequences.”13 States such as Iran, North Korea, and Russia—not to mention criminals and terrorists—do not have hugely valuable tech companies and global financial institutions that they must protect from cyber attack. These states already censor and control information exchange and debate online. This means that, compared with technologically advanced and democratic states—and in different ways China—these states have little to lose in a conflictual cyberspace. Moreover, several of these cyber-aggressive states have effective conventional, covert, and, ultimately, nuclear forces that can deter their adversaries from responding too harshly to their cyber operations. They thus find it relatively easy to undermine the military and economic power and political cohesion of their adversaries. However, even these more cyber-reckless states thus far have not been able to successfully use cyber threats to compel adversaries, including the United States, to concede to their demands.

Those more open states that do benefit enormously from the cyber-based economy and open online information exchange have the most to lose. For them, as Hannigan puts it, “‘hitting back’ is rarely a feasible response, despite the salience of this headline in political terms. . . . It is hard to find targets that are both high enough profile to have impact, but low enough in impact not to breach what is lawful and ethically acceptable.”14 To be sure, the United States and Israel have used cyber means to coerce others, most visibly in the Stuxnet attack on Iran. More broadly, China, Russia, and other states perceive the internet and many of the world-dominant tech companies as vehicles of invasive U.S. hegemony. But, to the strategists of the United States and its allies, the restraint Hannigan describes is troublingly real. Even more troubling has been the inability to use cyber power to compel Russia, Iran, North Korea, China, and perhaps others to change the behaviors that continue to threaten or rankle the more law-abiding states.

The persistence of gray zone contestation—in cyber, information operations, economics, and diplomacy—and the risks of escalation that hostile cyber operations could cause, point to the necessity of pacifying the relations between currently adversarial states. This is at once obvious and often neglected. Whether the coercive instruments are nuclear, cyber, Russia’s so-called little green men, Iran’s Revolutionary Guards, the U.S. Navy SEALs, or international sanctions, what’s most important are the interests and politics driving the contests between, for example, the North Atlantic Treaty Organization and Russia; the United States and China; North Korea and its neighbors and the United States; and Iran and its Gulf, Israeli, and U.S. adversaries. These adversaries who are confronting each other most actively in cyberspace have not yet mutually conveyed and recognized boundaries of tolerable cyber activity or the designation of off-limit targets and effects.

The central peacemaking challenge in cyberspace, therefore, is the same as it is in other domains: to stabilize, if not positively transform, the relationships between states that otherwise may move to war. Meanwhile, in the interval between now and when peace can be made, contestants and the rest of the world have a great interest in preventing escalatory warfare that can leave everyone much worse off. States will continue to probe, spy on, and potentially attack each other, but they must be restrained from taking actions that threaten the stable and secure civilian use of cyberspace.

There is some cause for optimism. For reasons that are not yet entirely clear, states, thus far, have eschewed the riskiest, most aggressive, and destabilizing cyber activities. Decisionmakers are inhibited by uncertainty as to whether a cyber weapon will reach the target and have the desired effect—a single patch in the target system could foil even the most elaborate operation. Large-scale cyber attacks also carry significant risks of collateral damage or unintended effects. They might harm the attacker’s own (or friendly) systems by spreading uncontrollably across the internet, as NotPetya did in 2017. Among NotPetya’s many victims worldwide was, apparently, Russia’s own state-owned oil company, Rosneft.15 States might also see their cyber weapons reverse engineered and reused by malicious actors. The possibility for the target to detect and attribute the attack and retaliate via cyber or other means gives further pause to states. Of course, a single miscalculated cyber attack might cross some unseen red line and trigger an aggressive response. One massively destructive or disruptive attack could change the picture entirely, as the assassination of an archduke did in 1914.

French President Emmanuel Macron delivers a speech at the opening session of the Paris Peace Forum, an event that is a part of the commemoration ceremonies to mark the centenary of the 1918 Armistice. On Sunday, November 11, 2018, in Paris, France. (Photo by Artur Widak/NurPhoto via Getty Images)

To begin to establish upper boundaries on aggressive cyber behavior, the UN GGE produced, in 2015, a set of voluntary norms and affirmed the applicability of international law and the UN Charter—and by extension the laws of armed conflict (LOAC)—to cyber activities.16 But China, Cuba, and Russia later opposed inclusion of a specific reference to LOAC. This disagreement contributed to the collapse of the process in 2017. China argues that affirming the applicability of LOAC would legitimate military responses to malicious cyber activity and further militarize cyberspace. Paradoxically, of course, China and Russia, along with other states, have developed military cyber commands. Moreover, if one wishes to argue that the LOAC should not be applied because no one should use cyber means in warfare, it would be difficult to argue that if someone did use cyber weapons their application should not have to conform to the LOAC.

The absence of shared rules of engagement for gray zone competition and clear boundaries between it and outright cyberwarfare fosters instability. The focus should be on preventing actions with systemically destabilizing consequences—that is, operations whose effects threaten the physical or psychological functioning of one or more globally important states and/or economies. Four major categories of such extreme behavior are most important.

First, cyber operations with targets and/or effects that threaten critical societal functions and services should be eschewed. Financial systems are the most obvious such target because undermining the integrity of financial data and transactions can threaten the operation of the global economy.17 Health, energy, and water infrastructures are similarly vital at the national level, and attacks on them would be most likely to cause escalatory conflict.

Second, and more broadly, cyber attacks with nondiscriminatory effects, such as self-propagating worms that harm any system they infect, are especially anathema to international civilization and peace. The wider the extent of harm, the greater the pressure on targeted states (or businesses) to retaliate with equal or greater impact. The norms promulgated by the UN Group of Governmental Experts reflect these two priorities for strategic restraint; all states should be expected to abide by them, and to suffer consequences for violating them.

Third, targeting extremely sensitive functions such as nuclear weapon command and control systems could trigger hugely destabilizing and destructive action-reaction dynamics.

Finally, adversarial states and the broader international community have clear interests in doing everything possible to prevent vulnerabilities and malware from proliferating. Offensive cyber weapons can be reverse-engineered and reused by hostile actors, as in the case of the Wiper malware used against and subsequently copied by Iran.18 The global WannaCry and NotPetya attacks were enabled by an exploit developed by the U.S. National Security Agency and leaked by the Shadow Broker hacking group, showing how careless safeguarding of cyber tools can lead to equally damaging proliferation.19

Mobilizing Cyber Peace Entrepreneurs

If the objectives sketched above are suitable priorities for peacemaking in cyberspace, how to achieve them? We began by suggesting that nascent norms and rules for civilizing behavior in this domain will have to be strengthened, along with public health-like measures for improving cyber hygiene, security, and resiliency. This will strengthen the hand of the cyber peacemakers. As cyber aggression becomes more clearly anathema and technically difficult and costly to conduct, states and private sector leaders will have more leverage for imposing costs on hostile states that would transgress strategic boundaries.

To temper cyber aggression, states will use the same tools and strategies that shape state behavior in other domains—tools such as diplomatic warnings, economic sanctions, law enforcement and diplomacy, and commercial regulation. Hard-power tools both in the conventional military and cyber spheres will also be needed to deter or defeat aggressive actors.20

More specifically, states must prepare and communicate their readiness to exercise these tools to impose costs on those who would violate the boundaries described above. The goal is to narrow the ground in the gray area between war and peace by restricting the most dangerous forms of cyber conflict and widening the safe space of peaceful commerce and information communication. Because this field of contestation is relatively new and difficult to perceive, states and key commercial actors must constantly and carefully assess whether and how various tactics and tools work—including unintended effects.

In all of this, there are three major, somewhat unique challenges:

  1. Cyber-related technology will continue to evolve. Even if security is more commonly and effectively designed into products, old vulnerabilities will persist, and new ones will be created. Hostile actors will continue to seek ways to adapt their weapons to get around defenses.
  2. Commercial actors will remain of paramount importance. Most of the machines, networks, and software that comprise cyberspace are built, owned, and operated by commercial actors and individual citizens. Changing their behavior poses distinct challenges.
  3. It is far from clear what those states most concerned by Russian, Chinese, North Korean, and Iranian cyber behavior can do and what risks they should be prepared to take to deal with threats emanating from these countries. Iran, North Korea, and Russia are already being sanctioned, economically isolated, and politically challenged for a range of behaviors. The likely costs, in treasure and lives, of war with those countries exceed the costs their hostile cyber actions impose on their opponents. China’s economic importance and power pose a different set of limits. Broadly speaking, clear victories or a transformed cyberspace are unlikely.

In the ideal world of the United Nations Charter, contesting states—influenced by the Security Council—would resolve these most threatening disputes peacefully. In a second-best world, as suggested above, major powers (including adversaries) would negotiate rules or codes of conduct that would prohibit or at least heavily penalize the most destabilizing forms of cyber action. As necessary, the diplomatically engaged states would encourage and facilitate participation of indispensable commercial technology providers and operators, and vice versa. Leading global companies have launched initiatives to shape norms for states and corporations alike, including Microsoft’s proposal for a Digital Geneva Convention proscribing certain offensive cyber activities, and its Cybersecurity Tech Accord committing tech companies to “oppose cyberattacks on innocent citizens and enterprises from anywhere.”21

Unfortunately, of course, neither this ideal nor second-best world is around the corner. When states are unwilling or unable to make peace—or, short of peace, to explicitly stabilize their contestations—and commercial actors are key actors, nonstate peace entrepreneurs must step to the fore. These entrepreneurs—from think tanks, activist organizations, universities, transnational businesses—can offer non-national, nonprofit perspectives that often are necessary to identify the accommodations that all actors will need to make in order to minimally satisfy competing interests. This kind of conflict resolution or public-private cooperation can bridge differences in situations where the narrowly vested interests of competing governments or businesses often make it difficult to directly negotiate compromises on their preferred positions. This type of third-party mediation is acutely necessary in the cyber domain, where contests are not simply bilateral and between governments but are multilateral, if not global and involve commercial and private interests as well as those of governments.

In the Europe of 1914, conflict escalated so quickly in large part due to the absence of institutions and empowered neutral facilitators that could channel and limit the underlying contestation between the antagonists. Such facilitators and institutions could have exchanged information, perceptions, and declarations of core interests within and between governments as they rushed reactively into war.22 Today, as intergovernmental institutions are being attacked or disused, and information and communication technologies are made and used by businesses and citizens so extensively, cyber peacemaking is too important to be left to governments. Governments will ultimately determine whether peace is made, and conflict is avoided or contained, but others may need to set the stage and write the script for them.


1 Kim S. Nash, Sara Castellanos, and Adam Janofsky, “One Year After NotPetya Cyberattack, Firms Wrestle With Recovery Costs,” Wall Street Journal, June 27, 2019,

2 “APT38: Un-usual Suspects,”FireEye,2018,

3 U.S. Department of Justice, “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage” May 19, 2014,; Dustin Volz and Robert McMillan, “For Millions of Hacked Federal Employees, New Fears of Identity Theft,” Wall Street Journal June 22, 2018,

4 See, for instance, François Delerue, Alix Desforges, and Aude Géry, “A Close Look at France’s New Military Cyber Strategy,” War on the Rocks,April 23, 2019,; David Bond, “Britain Preparing to Launch New Cyber Warfare Unit,” Financial Times, September 21, 2018,; “German Military Can Use ‘Offensive Measures’ Against Cyber Attacks: Minister,” Reuters, April 5, 2017,; and Alex Grigsby, “Canada’s Military Gets More Cyber, and the Headaches That Come With It,” Net Politics, June 22, 2017,

5 See, for instance, Stephen Blank, “Cyber War and Information War a la Russe,” in Understanding Cyber Conflict: 14 Analogies,edited by George Perkovich and Ariel E. Levite (Washington DC: Georgetown University Press, 2017); “India in Final Stages of Setting Up Defence Cyber Agency,” Economic Times, January 15, 2019,; and Chris Bing, “How China’s Cyber Command Is Being Built to Supersede Its U.S. Military Counterpart,” Cyberscoop, June 22, 2017,

6 Proceedings of the National Arbitration and Peace Congress, New York, April 14th to 17th, 1907 (New York, NY: National Arbitration and Peace Congress, 1907), 52,

7 Brandon Valeriano and Benjamin Jensen, “The Myth of the Cyber Offense: The Case for Restraint,” CATO Institute, Policy Analysis Number 862, January 15, 2019,

8 For an overview of such initiatives see “Cyber Norms Index,” Carnegie Endowment for International Peace,

9 “Paris Call for Trust and Security in Cyberspace,” French Ministry of Foreign Affairs, November 12, 2018.

10 Robert Hannigan, “Organising a Government for Cyber: The Creation of the UK’s National Cyber Security Centre,” Royal United Services Institute, Occasional Paper, February 2019, 23-24.

11 Ariel E. Levite, Scott Kannry, and Wyatt Hoffman, “Addressing the Private Sector Cybersecurity Predicament: The Indispensable Role of Insurance,” Carnegie Endowment for International Peace, November 7, 2018.

12 Michael P. Fischerkeller and Richard J. Harknett, “Persistent Engagement and Tacit Bargaining: A Path Toward Constructing Norms in Cyberspace,” Lawfare, November 9, 2018,

13 Hannigan, “Organising a Government for Cyber,” 30.

14 Ibid.

15 Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018,

16 “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security,” United Nations General Assembly, A/70/174, July 22, 2015,

17 Tim Maurer, Ariel E. Levite, and George Perkovich, “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie Endowment for International Peace, 2017,

18 Kim Zetter, “The NSA Acknowledges What We All Feared: Iran Learns From US Cyberattacks,” Wired, February 20, 2015,

19 Charles Cooper, “WannaCry: Lessons Learned 1 Year Later,” Symantec, May 15, 2018.

20 James N. Miller and Neal A. Pollard, “Persistent Engagement, Agreed Competition and Deterrence in Cyberspace,” Lawfare, April 30, 2019,

21 “A Digital Geneva Convention to Protect Cyberspace,” Microsoft,; “Cybersecurity Tech Accord,”

22 Christopher Clark, The Sleepwalkers: How Europe Went to War in 1914 (New York, NY: HarperCollins, 2012); for a specific analogy between potential cyber conflict and the First World War, see Francis J. Gavin, “Crisis Instability and Preemption: The 1914 Railroad Analogy,” in Understanding Cyber Conflict: 14 Analogies,edited by George Perkovich and Ariel E. Levite (Washington DC: Georgetown University Press, 2017).