All content in this area was uploaded by Ryan Maness on Aug 09, 2018
The Dynamics of Cyber Dispute Mediation and Resolution
Brandon Valeriano
Marine Corps University
Ryan C. Maness
Naval Postgraduate School
Introduction
The challenges that cyber actions pose to the international system have become a Tier
1 level threat for many states, and therefore they pose clear threats to domestic and
international stability (GCHQ 2016). No one is immune to the potential disasters that can
emanate from digital space. From the Stuxnet case of the United States and Israel leveraging
cyber tools to hamper Iran’s ability to produce nuclear weapons (Lindsay 2013) to Russia’s
attempt to influence the United States presidential election of 2016 (Inkster 2016, Valeriano
et al. 2018: Chapter 6), cyber conflict events are prevalent and increasing. The missing link
is just what can be done to solve or stabilize these challenges? The securitization of the
domain has become inevitable (Hansen and Nissenbaum 2009), yet we should question the
foundations of the threat and seek pathways towards mitigation.
In a year-end review of cyber events during 2017, the Council on Foreign Relations
highlighted the Trump Administration’s challenge to cyber diplomacy practices (Fidler 2017).
The closure of the Office of Coordinator of Cyber Issues in the State Department, the
departure of Christopher Painter as the lead negotiation contact, and the lack of emphasis on
diplomacy and resolution in the Cyber Security Executive Order of 2017 all highlight
challenges to solving cyber disputes with mediation and negotiation. In response, the House
of Representatives offered the Cyber Diplomacy Act of 2017 to provide order and guidance
for cyber diplomacy actions absent direction from the executive branch (Tillerson 2017). All
these moves highlight the critical need for consideration and elevation of diplomatic issues in
cyberspace.
Diplomacy on cyber security issues can take two forms: crafting agreements and
promoting consultations that seek to alleviate concerns regarding cyber conflict or mediation
efforts during ongoing cyber disputes. While examinations of the institutional agreements at
the center of cyber security events have received more and more attention in the cyber
security discourse, understanding how diplomacy and mediation could constrain escalation
and conflict in cyberspace is a relatively unstudied topic.1
This chapter considers whether mediation might facilitate crisis management in the
context of ongoing cyber disputes. Our task is first to review cyber conflict and consider the
potential impact of mediation and diplomacy on cyber security. Diverging from conventional
wisdom, we propose that cyber incidents, as stand-alone events, serve as either a signal to the
opposition about the dangers of escalation or methods of information management between
adversaries. These factors paradoxically constrain escalation and attempts at domination. If
cyber signals themselves, apart from traditional forms of diplomacy, are useful covert tools to
manage escalation, mediation may have less of a role to play in crises involving contestation
in the cyber domain. Finally, we take the analysis a bit further and offer empirical evidence
that mediation efforts during cyber security events have yet to have an observable impact
toward the mitigation of cyber challenges between rival states.
The critical question of how to stop the process of cyber dispute escalation is too
important to leave to gross speculation absent of evidence. The conflict resolution dynamics
of this question have gone without investigation for too long. We start the process of
articulating an emerging research program on accounting for cyber mediation events
theoretically and empirically in this chapter.
1 To be clear, we are putting legal remedies in a separate theoretical box than diplomatic efforts.
The Process of Cyber Conflict
Speculation is rampant that the cyber security domain will be dominated by constant
conflict and escalation (Kello 2013, Buchanan 2017). Pundit after pundit suggests that the
future will be coloured by raging computer conflicts across the globe (Clarke and Knake
2010), painting cyber conflict as system transforming.
While it is undoubtedly true that cyber conflicts have increased through time
(Valeriano and Maness 2014), it is also likely these conflicts are just more noticeable now
than in the past because of better digital forensics and general interest. The conflicts we do
witness display a remarkably low level of severity overall (Valeriano and Maness 2015) and
remain free of the evident death that marks most conflicts (Rid 2013). The stability observed in
the internet, where commerce, access to information, and many modern conveniences
continue, despite its many security flaws, suggests we have failed to conceptualize the course
of digital conflict accurately.
There have only been five to six cyber conflicts where actual physical damage was
witnessed: two attacks in Ukraine including the Black Energy hack of 2015-2016; the Sony
hack; Stuxnet; and likely two attacks on Aramco networks by Iran, one in late 2017
(Choudhury and Gamble 2018). While escalation does happen during cyber disputes
(Valeriano et al. 2018), the escalation that we witness tends to display tit-for-tat minor
escalation moves rather than dramatic conflict spirals. This flies in the face of predictions by
Kello (2013) and Buchanan (2016) of conflict spirals and security dilemmas dominating the
domain. Furthermore, where escalation does occur when a cyber incident is involved, it is
usually part of a larger campaign that involves conventional foreign policy tactics, including
diplomatic overtures, economic punishments, or military threats and displays.
The critical question, however, is why have cyber conflicts been relatively restrained
to this point? We have posited before that restraint is observed because of fears of blowback,
controls over cyber tools at the government level, fear of failure, and more recently, that the
effectiveness of cyber weapons is suspect and leaders are loath to use untested weapons
(Valeriano and Maness 2015). One unmentioned consideration is the influence of mediation
and diplomacy on the propensity for states to engage in cyber disputes. Failing to consider the
diplomatic context of cyber disputes would certainly leave out a major potential explanation
for the limitation and mitigation of cyber conflict.
Cyber Diplomacy and Mediation
Stopping cyber conflict as well as preventing its spread and escalation represent
critical challenges to the international system even if prophecies of cyber doom are grossly
exaggerated (Lawson 2013). The process of building international capacity to deal with cyber
issues has been slow, marked mainly by the failure of the United Nations Group of
Governmental Experts (GGE) to truly engage cyber conflict. Awareness of the need to establish
foundations for communication and sharing intelligence on cyber weapons is high; the
problem is that each state has its own goals. Western states mainly want to protect the free
flow of information along the ideals of democratic societies while autocratic states are
focused on maintaining control of their digital sovereignty. Totalitarian states such as North
Korea are barely creating a pathway towards engaging digital society; meanwhile, access is
expanding all throughout Asia, and Africa is seeing a boom through mobile phone
engagement.
Just how diplomacy and mediation will influence the course of future cyber conflict is
unknown and difficult given the various considerations of each state. It is surprising that the
field of cyber security has generally avoided covering such a critical issue through rigorous
scholarship. An edited volume in 2002 offers a consideration of how digital communications
might alter the course of international affairs but fails to engage in the actual practice of
diplomacy between states during ongoing cyber disputes (Potter 2002). We hope to begin that
process here.
Cyber diplomacy and mediation are clearly different than cyber norms, a prolific area
of study in cyber security (Valeriano and Maness 2015, Ch. 8, Finnemore and Hollis 2016).
The general idea is that a system of norms is being built in cyber security, but we are still at
the entrepreneur stage where innovators will make rules and norms that others might follow.
So far there has been a norm of avoiding the destruction of critical systems and minimizing
harm to life. There is also a slight degree of acceptance that harming domestic systems is off
limits. While Russia did seek to influence the US election of 2016 and even penetrated some
voting systems, they did not alter or manipulate the rolls (Samuels 2018).
Diplomacy can be a pathway towards the mitigation and resolution of ongoing
disputes between states and non-state actors alike. Without the critical step of offering a
venue to express disagreements, construct bilateral and multilateral agreements, and raise
issues of concern or criminality, we have little hope of solving some challenges inherent in
the cyber domain, one in which the norms and rules about proper behavior by actors are still
evolving and require diplomatic solutions rather than escalatory threats.
The challenges in the cyber domain are clear and pressing. The basic result in
cyberspace is that states as entities can never ensure their complete security in the digital
domain. Accepting this fact demands the engagement of states when rivals enter a dispute in
the digital domain. This should be backed with codified international agreements via the
United Nations and other international institutions once best practices can be established by
the majority of countries. The only other option would be self-isolation like North Korea.
Participating in international institutions will create forums for dispute mediation and
resolution that can be normalized and even codified as international law. Such forums would
also allow for the resolution of disputes on access and storing of data. This is an issue that is
becoming a critical problem as the location of information becomes a concern—the “cloud”
has a physicality to it in that data originating from all over the world must be stored
somewhere and subject to local rules. Mediation, along with legal processes such as
arbitration and adjudication, will serve a key role as actors manage conflicts of interests and
common pool resource problems in cyberspace.
While multilateral diplomatic initiatives are likely to prove essential to the
establishment of clear rules and norms, mediators have different, and potentially diminutive,
roles to play in the management of international crises that are contested in the cyber domain.
Our theory of how dispute mediation interacts with cyber security challenges is a bit
unconventional. Based on the inductive research of Valeriano et al. (2018), we posit that
most cyber tactics are weak coercive tools and more useful as ambiguous signals to actually
constrain escalation. Cyber strategies as a standalone foreign policy tool between rival states
are non-escalatory and could even serve as a means to manage adversarial relations.
Valeriano et al. (2018) also find that other foreign policy actions, including positive
inducements, when combined with certain cyber incidents, can in certain combinations
compel states to change their foreign policy. When cyber incidents are
standalone, they are more often than not low-level, disruptive-type ambiguous signals that
express subtle displeasure with the target’s current foreign policy actions or policies. These
actions are usually rather benign and do not lead to escalatory responses in either the cyber or the
conventional domains. In this sense, mediation should not be expected to play much of a role
in limiting escalation in the cyber domain of international crises because the contestation in
the cyber domain is itself a form of escalation management.
Given the covert nature of cyber-attacks, engagement by outside parties tasked with
monitoring hostile acts and holding the actors to account also can result in accusations that
may lead to negative reactions by the accused culprit of the cyber event. Even if the accusation
is valid, the accused initiator likely will deny responsibility and push back against the
accusations, especially from a third party that has inserted itself into a dispute, which
decreases the probability of constructive engagement with the mediation initiative. When a
state is accused of wrongdoing without adequate evidence, that state may even respond in a
manner considered escalatory by the targets of the cyber-attack. This can raise the possibility
of misperceptions that could escalate further into security-dilemma dynamics and eventual
crises between the states involved (Jervis 1976, Buchanan 2016).
Many cyber events are either clandestine espionage attempts where the initiator’s
ultimate goal is to never get caught; or disruptive cyber campaigns where the goal is to make
the daily lives of a government or population more difficult, and the plausible deniability
dynamic is still present for the accused malicious actor. No state accused of cyber
malfeasance has ever come forward and admitted responsibility when initially accused.
Technical attribution is difficult if the initiator is good at covering its tracks, which nation-
states are. Russia’s official government position, despite all the evidence presented by the
U.S. intelligence community (ODNI Report 2017), is that it was not involved in the 2016
election meddling and that it might have been patriotic hackers defending Russian interests.
Given that plausible deniability has thus far dominated in this domain, mediation and other
diplomatic initiatives that attempt to set the record straight have a high potential to backfire
when utilized in covert cyber events.
We therefore posit that cyber conflict will continue after mediation and not slow or
cease as a result of third-party involvement. Moreover, we argue that mediation will not only
struggle to limit future cyber events, but it will also struggle to limit escalation into other
domains. Cyber activities are typically accompanied by other, conventional tactics and have
an impact on broader escalation dynamics (Valeriano et al. 2018). An overwhelming majority
of cyber events are combined with a variety of actions in the diplomatic, economic, and
military domains. Struggles of mediation in managing the cyber domain will also be
manifested in the continuation of contestation in the other domains. Moreover, if cyber
incidents are an alternative to military escalation, then effective diplomacy that limits cyber-
attacks could actually push the contestation into other domains including armed violence.
Exploration of the Empirical Record
To take a first cut at uncovering the dynamics of mediation and its influence on
international crises that are contested in the cyber domain, we utilize three datasets: the
International Crisis Behavior (ICB) Dataset, Version 12 (Brecher et al. 2017); the Integrated
Crisis Early Warning System (ICEWS) database (Boschee et al. 2015); and the Dyadic Cyber
Incident and Dispute (DCID) Dataset, Version 1.1 (Maness et al. 2017). The ICB dataset
covers the period of 1918-2015 and has data on 476 international crises spanning the time
period. The data cover the sources, processes, and outcomes of all military-security crises
involving states, including a suite of mediation variables for crisis events (Brecher et al.
2017). We combine the system-level ICB data with the DCID data, described below, which is
at the dyadic actor level. Our analysis covers the years 2000-2015 and the unit of analysis is
dyadic cyber incidents captured from DCID.2
The ICB data includes variables such as crisis setting, great power activity,
international organization involvement, system level polarity, and crisis outcome, the trigger
of the crisis, responses by adversaries, and outcome satisfaction, among others. For this
analysis we are only interested in the occurrence of mediation as coded in the ICB data.
Mediation during a crisis must contain these attributes for it to be coded as occurring or
present: 1) intervention by a third party in a new or ongoing negotiation process; 2) mediation
is either offered by the mediator and accepted or requested and accepted by the mediator; 3)
the mediator is not a direct party to the crisis; 4) all disputing parties must agree to the mediator’s
involvement; 5) the mediation results are non-binding; 6) the mediator does not have
decision-making powers; 7) mediation is a non-violent form of intervention; and 8) the
mediator’s presence is voluntary (Brecher et al. 2017: 1-59).
2 Since the cyber incident data in DCID only covers 2000-2014, any cyber incident beginning in 2015 was
independently searched for and attributed for the purposes of this study. There were two crises that began in
2015 that also have observable cyber incidents: the Korean Land Mine Crisis and the Turkey-Russia Jet
incident. Events during these crises were added and verified. Six total dyadic cyber events were added to this
study for a total of 198 events.
Our dependent variables for the following first-cut analyses are derived from the
DCID, ICB, and ICEWS data. The DCID is a collection of all government-initiated or
sanctioned cyber incidents between rival states covering the years 2000-2015 (Maness et
al.).3 Variables include method type (vandalism, DDoS, virus, etc.), strategic objective
(disrupt, espionage, degrade), and severity levels, among others. For the purposes of the
analysis below, we create new variables that use information from DCID based on
information in ICB. The first cyber-derived outcome variable records the presence or absence
of more cyber incidents between actors after mediation has ended or after a cyber incident
(when mediation did not occur) within a three-month timeframe.
The second dependent variable measures an improvement in relations between the
rivals in the DCID data. It is derived from the events dataset ICEWS (Boschee et al. 2015),
which contains data for the years 1995-2015 and includes events ranging from diplomatic
meetings to military action including initiations and targets from both state and non-state
actors (Boschee et al., 2015). Variables are coded as either negative or positive based on
whether they are a positive, olive branch-extending foreign policy action or a negative, more
threatening one. Coded variables in this dataset can include diplomatic negotiations, which
include high level meetings between state diplomats as well as telephone conversations
between leaders, economic reduction of trade, where bilateral deals are altered or terminated,
and military usage, which includes all use of conventional military force by one state against
another.
As we are searching for the positive after-effects of mediation in cyber events, we use
the ICEWS data to code positive diplomatic actions between the dyadic pairs of states
included in the DCID. Only two variables derived from ICEWS and Schrodt’s (2012)
Conflict Mediation Event Observations Event and Actor (CAMEO) interval conflict-
cooperation scale are included in the newly constructed binary variable that measures
positive diplomatic actions post-mediation: negotiation, which records if “negotiations,
bargaining, or discussions are involved in the meetings or consultations in question” (Schrodt
2012: 18); and coordination, comprising the actions of “initiate, resume, improve, or expand
diplomatic, non-material cooperation or exchange not otherwise specified” (Schrodt 2012:
31). Both dependent variables are binary.
With the two outcome variables so defined, do the cyber events that occurred in crises
that experienced mediation look similar to cyber events that did not? We use a crosstabulation
(crosstabs) method with Pearson residuals and chi-squared analyses. As all of the variables
explained above are categorical, either nominal or ordinal, this is an appropriate method to
explore the data. Crosstab analyses measure interaction between two or more
categorical variables to see if there are differences in what would be expected based on
median values and the actual observed values derived from the datasets.4
3 For a detailed description of all variables in the DCID, see
https://docs.wixstatic.com/ugd/4b99a4_4c7971ea7791464a8ac551fff85fb1f1.pdf
4 The amount of difference between the expected and observed values results in a Pearson residual score, which
covers the amount of standard deviations from the median expected values of the variables. The more distance
between expected and observed values, the higher the Pearson residual score. The chi-squared score is a sum of
all the Pearson residual scores squared, and the higher these values, the more evidence for significant interaction
between two variables.
More advanced statistical techniques were not used because there are not enough
cases with cyber events for a useful sample. This means that we cannot establish causality
between mediation and the outcomes, due to our small sample size and limited ability to
control for confounding variables. As we flesh out the data with non-rival interactions in
future analysis, there will be more leverage to utilize advanced methods. The exploration here
can set a baseline of expectations regarding mediation in cyber disputes. Future studies will
dive deeper into non-random selection effects as well as flesh out specific case studies. We
now turn to the data analysis of cyber mediation’s impact on crisis responses and outcomes.
In the 198 cyber dispute observations, we witness only 21 attempts at mediation
during a cyber engagement.5 The patterns observed in Table 1 indicate that when mediation is
present during a cyber incident, cyber interactions are even more likely to be a part of the
dyadic relationship in the future. Mediation does not appear to reduce the willingness of
actors to engage in cyber conflict. The comparison of outcomes where mediation is present
has a Pearson residual z-score above the 90 percent confidence level. Remembering that
cyber tactics could paradoxically have a stabilizing effect between adversaries by allowing
grievances to be addressed without escalating to more kinetic and dangerous foreign policy
tactics, the correlation observed here does not necessarily imply that mediation is
counterproductive in managing crises with an element of cyber contestation. We also do not
know from this analysis if mediation might help improve the relations among crisis actors in
other domains.
<Insert Table 1 Here>
Going further to examine if mediation after cyber incidents is more broadly associated
with improved relations when compared to the incidents that were not followed by mediation,
Table 2 displays the relationship between mediation and positive diplomatic relations
between states that have engaged in cyber conflict. As the table indicates, mediation has a
negative association with amicable diplomatic action. The comparison of diplomatic
outcomes where mediation is present has a Pearson residual z-score above the 90 percent
confidence level. Moreover, only 1 in 18 mediated cases experienced positive diplomatic
engagement after a cyber incident. Combined with the exploratory analysis above in which
more cyber incidents tend to follow mediation, we see that mediation faces stark challenges
in both reducing cyber incidents and improving relations following cyber incidents.
<Insert Table 2 Here>
Restraining the Coming Cyber Armageddon?
A key limitation to our analysis is that we do not have data on specific cyber
mediation events. Instead, we focus on ongoing mediation efforts in the context of crises with
cyber events, whether the mediation touched on security threats in the cyber domain or not.
We also do not have data on mediation outside of the temporal bounds of the ICB crises. In
the future, it would be important to code mediation attempts, diplomatic exchanges, and
diplomacy efforts specifically focused on cyber security issues. At this point these events are
rare with the United States and China conducting the most significant meetings in the context
of ongoing bilateral animosity.
5 There are no instances in the data in which the dyadic rivals requested mediation from an outside party but did
not receive it, which is not too surprising. There are only three cyber incidents where mediation is offered during
a known cyber incident but not accepted by the actors in the dyad. These three instances happened during
Russia’s non-linear conflicts with Georgia in 2008 and Ukraine in 2014-2015, where Russia sees mediation by
outside parties in its exclusive sphere of influence as hostile and is most likely the actor that rejected these
outside diplomatic overtures.
Otherwise, most diplomatic exchanges regarding cyber security are conducted
between allies seeking to share information regarding ongoing espionage efforts. The other
significant arena is international institutions and legal agreements. Recently, ASEAN has
moved to cover cyber security concerns while the United Nations Group of Governmental
Experts (GGE) effort has largely sputtered. In the future, we need a greater accounting and
consideration for the practice of cyber mediation and diplomacy.
We propose three clear paths to the resolution of cyber disputes between states. The
main avenue would be through negotiation and consultation, likely in both bilateral and
multilateral arenas. Through this path, states would be open about their disagreements and
clear about how the issue can be resolved.
This of course would demand subverting the national interest at times for the
community interest, so it could be difficult to establish. The democratic order should be
united and push for a multilevel approach where the rights of states, businesses, and
individuals are considered in the future governance of international cyberspace. These
countries will experience pushback from authoritarian countries led by China and Russia,
who are proponents of cyber sovereignty.6 Democratic countries should find common ground
with authoritarian ones on a bilateral basis, and then push for the multi-stakeholder approach
in international venues such as the Group of 20 (G20) and UN.
The second path is through norms as constraining options. Behavior at the system
level that constructs basic patterns and shared expectations would provide a pathway towards
commonly understood methods of interaction at the international level. Under this path, a
pattern of avoiding cyber doom is agreed upon but not outright stated, let alone enforced.
While fragile, a normative system of shared standards of behaviour seems to be the best
possible route towards maintaining a fragile cyber peace.
The final path towards resolving cyber disputes is through escalation and domination.
This is the least likely path but is the most destructive. Often the most destructive path tends
to dominate strategic theory because it is thought to be easy to establish reliable paths
towards victory. The problem with this path is that cyber options have limited coercive value
if analysed from the strategic level (Valeriano et al. 2018). If these tools generally prove to be
more of a nuisance, then there is little reason to utilize them for aggressive purposes.
We are generally hopeful about our cyber future because the path of aggression has
been limited for the last thirty years of digital engagement (Valeriano and Maness 2015);
taboos against destruction and death through digital avenues have emerged and promoted a
stable system of cyber peace. The best path forward is to construct an international system
where multilateral agreement dictates shared expectations of behavior. Diplomatic initiatives
by the major cyber actors in the system, where norms and expected modes of behavior are not
only assumed, but enforced, are key and crucial to a relatively safe, prosperous, and resilient
cyberspace. There is too much at stake to do otherwise.
Conclusion
Based on our understanding of contestation in the cyber domain and our
understanding of mediation, we have posited that mediation may struggle to reduce states’
reliance on cyber incidents during international crises and also struggle to help produce
positive engagements after cyber incidents have occurred. In an exploratory analysis, the data
confirm these limitations of international mediation. There is some stability to our current
cyber system that is enabled by the mutual vulnerability of all states to digital violations
except the most remote of nations. Mediation is ill suited to reduce cyber incidents or reduce
the potential for cyber incidents to spill over into other forms of contestation.
6 These countries would push for more state control over the internet within domestic borders where content is
censored and the free exchange of ideas is discouraged.
The investigation of the data here only scratches the surface. We know little about the
process of negotiation and mediation during cyber disputes. How do states balance their
interests with their mutual vulnerability in the domain? Just how aware or controlling is the
state of their cyber tools? Just about anyone can make a zero-day exploit and seek to harm a
target, but the massive amount of effort and support needed to really target an opposing
country is still held in the hands of the few with the capacity. The field has also focused a bit
too much on the issue of public-private partnerships to control cyber conflict and rather
should seek to establish multilateral institutions that can deal with the coming digital conflict.
While collaboration between private industry and government is important in protecting a
state, to truly protect the system we need strong institutions.
Even though we do expect cyber conflicts to proliferate in the future, we do not
expect these conflicts to be escalatory to the point of spillover events into the military
domain, diffuse to the surrounding region, or lead to massive death. Instead these tools are
better leveraged against weak individuals not supported by state institutions, and this is the
true danger of cyber conflict. If there is going to be a role for mediation and resolution of
cyber conflicts, the human rights element of the question needs to be addressed. How do we
protect the most vulnerable and at risk? Accepting the danger to the individual is a key first
step in truly trying to tackle the problem of cyber weapons.
Table 1: Crosstabs of Cyber Mediation and the Presence of More Cyber Incidents After
Mediation, Either Crisis Actor or Adversary

Cyber Mediation?                         More Cyber Incidents?
                                         No        Yes
No                      Count            104       73
                        Expected Count   100.1     76.9
                        z-score          0.4       -0.4
Offered, Not Accepted   Count            3         0
                        Expected Count   1.7       1.3
                        z-score          1.0       -1.1
Yes                     Count            5         13
                        Expected Count   10.2      7.8
                        z-score          -1.6*     1.9*
Total                   Count            112       86

Pearson Chi-squared: 8.72**
***p<.01, **p<.05, *p<.10
N=198

Table 2: Crosstabs of Cyber Mediation and Positive Diplomatic Action after Incident

Cyber Mediation?                         Positive Diplomacy?
                                         No        Yes
No                      Count            122       55
                        Expected Count   126.9     50.1
                        z-score          -0.4      0.7
Offered, Not Accepted   Count            3         0
                        Expected Count   2.2       0.8
                        z-score          0.6       -0.9
Yes                     Count            17        1
                        Expected Count   12.9      5.1
                        z-score          1.1       -1.8*
Total                   Count            142       56

Pearson Chi-squared: 6.45**
***p<.01, **p<.05, *p<.10
N=198
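
Added example (not part of the original chapter): the expected counts, Pearson residuals (the tables' z-scores) and chi-squared values in Tables 1 and 2 can be recomputed from the observed counts alone, taking each expected count as row total times column total divided by N. The function names and the flag for expected counts below 5, a common rule of thumb for when the chi-squared approximation is weak, are assumptions of this sketch.

```python
import math

# Observed counts copied from Tables 1 and 2 of the chapter.
# Rows: mediation = No / Offered, Not Accepted / Yes; columns: outcome = No / Yes.
ROWS = ("No", "Offered, Not Accepted", "Yes")
TABLE_1 = [[104, 73], [3, 0], [5, 13]]   # more cyber incidents afterwards?
TABLE_2 = [[122, 55], [3, 0], [17, 1]]   # positive diplomatic action afterwards?


def chi2_sf_even_df(x, df):
    """Upper-tail probability of a chi-squared variate (closed form, even df only)."""
    if df <= 0 or df % 2:
        raise ValueError("this closed form needs a positive, even df")
    half = x / 2.0
    terms = (half ** k / math.factorial(k) for k in range(df // 2))
    return math.exp(-half) * sum(terms)


def crosstab(observed):
    """Expected counts, Pearson residuals, chi-squared, df and p for a crosstab."""
    row_totals = [sum(row) for row in observed]
    col_totals = [sum(col) for col in zip(*observed)]
    if 0 in row_totals or 0 in col_totals:
        raise ValueError("an empty row or column makes expected counts zero")
    n = sum(row_totals)
    # Expected count under independence of the row and column variables.
    expected = [[rt * ct / n for ct in col_totals] for rt in row_totals]
    # Pearson residual: (observed - expected) / sqrt(expected).
    residuals = [[(o - e) / math.sqrt(e) for o, e in zip(o_row, e_row)]
                 for o_row, e_row in zip(observed, expected)]
    # Chi-squared is the sum of the squared Pearson residuals.
    chi2 = sum(r * r for row in residuals for r in row)
    df = (len(row_totals) - 1) * (len(col_totals) - 1)
    return {"n": n, "expected": expected, "residuals": residuals,
            "chi2": chi2, "df": df, "p": chi2_sf_even_df(chi2, df)}


def sparse_cells(result, threshold=5.0):
    """(row, col) indexes of cells whose expected count is below the threshold."""
    return [(i, j)
            for i, row in enumerate(result["expected"])
            for j, e in enumerate(row) if e < threshold]


def report(title, observed):
    """Print one table in the layout used by the chapter."""
    res = crosstab(observed)
    print(title)
    for name, o_row, e_row, z_row in zip(ROWS, observed, res["expected"],
                                         res["residuals"]):
        print(f"  {name:<22} count={o_row} "
              f"expected={[round(e, 1) for e in e_row]} "
              f"z={[round(z, 1) for z in z_row]}")
    print(f"  chi2={res['chi2']:.2f} df={res['df']} p={res['p']:.4f} N={res['n']}")
    print(f"  cells with expected count < 5: {sparse_cells(res)}")


if __name__ == "__main__":
    report("Table 1: more cyber incidents after mediation", TABLE_1)
    report("Table 2: positive diplomatic action after incident", TABLE_2)
```

Both tables have two degrees of freedom, so the closed-form tail probability applies, and in each table the two flagged cells are the "Offered, Not Accepted" row.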