Article contents
Sound the alarm! Updating beliefs and degradative cyber operations
Published online by Cambridge University Press: 20 March 2019
Abstract
To date, cyber security research is built on observational studies involving macro-level attributes as causal factors that account for state behaviour in cyberspace. While this tradition resulted in significant findings, it abstracts the importance of individual decision-makers. Specifically, these studies have yet to provide an account as to why states fail to integrate available information resulting in suboptimal judgements such as the misattribution of cyber operations. Using a series of vignette experiments, the study demonstrates that cognitive heuristics and motivated reasoning play a crucial role in the formation of judgements vis-à-vis cyberspace. While this phenomenon is frequently studied relative to the physical domain, it remains relatively unexplored in the context of cyberspace. Consequently, this study extends the existing literature by highlighting the importance of micro-level attributes in interstate cyber interactions.
- Type
- Research Article
- Information
- Copyright
- Copyright © British International Studies Association 2019
References
1 Borghard, Erica D. and Lonergan, Shawn W., ‘The logic of coercion in cyberspace’, Security Studies, 26:3 (2017), pp. 452–81CrossRefGoogle Scholar.
2 Valeriano, Brandon and Maness, Ryan, ‘The dynamics of cyber conflict between rival antagonists, 2001–11’, Journal of Peace Research, 51:3 (2014), pp. 347–60CrossRefGoogle Scholar.
3 The Stability-Instability Paradox is thought to occur with respect to the use of cyber operations by state actors.
4 Liff, Adam P., ‘Cyberwar: a new absolute weapon? The proliferation of cyberwarfare capabilities and interstate war’, Journal of Strategic Studies, 35:3 (2012), pp. 422–6CrossRefGoogle Scholar; Lindsay, Jon and Gartzke, Erik, ‘Coercion through cyberspace: the stability-instability paradox revisited’, in Greenhill, Kelly and Krause, Peter (eds), The Power to Hurt: Coercion in the Modern World (New York: Oxford University Press, 2018), p. 184Google Scholar; Valeriano, Brandon and Maness, Ryan, Cyber War Versus Cyber Realities: Cyber Conflict in the International System (New York: Oxford University Press, 2015), pp. 45–77CrossRefGoogle Scholar.
5 There are increasing arguments that call for its use in conjunction with other foreign policy instruments. This, however, is not in scope for this study.
6 Maness, Ryan and Valeriano, Brandon, ‘The impact of cyber conflict on international interactions’, Armed Forces & Society, 42:2 (2016), p. 305CrossRefGoogle Scholar.
7 Hansel, Mischa, ‘Cyber-attacks and psychological IR perspectives: Explaining misperceptions and escalation risks’, Journal of International Relations and Development, 21:4 (2016), p. 534Google Scholar.
8 Borghard and Lonergan, ‘The logic of coercion in cyberspace’; Slayton, Rebecca, ‘What is the cyber offense-defense balance? Conceptions, causes, and assessment’, International Security, 41:3 (2017), pp. 72–109CrossRefGoogle Scholar.
9 The experiment was registered via EGAP prior to execution and analysis. Details are available at: {http://egap.org/content/sound-alarm-bias-and-consequences-cyber-risk}.
10 McDermott, Rose, Cowden, Jonathan, and Koopman, Cheryl, ‘Framing, uncertainty, and hostile communications in a crisis experiment’, International Society of Political Psychology, 23:1 (2002), pp. 50–3Google Scholar.
11 It is useful to note though that some of these may overlap with one another to achieve a desired tactical or strategic objective.
12 Valeriano, Brandon, Jensen, Benjamin, and Maness, Ryan, Cyber Strategy: The Evolving Character of Power and Coercion (New York: Oxford University Press, 2018), pp. 22–52Google Scholar.
13 Buchanan, Ben, The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations (London: Hurst & Company, 2017), pp. 5–6Google Scholar.
14 Council on Foreign Relations, ‘Cyber Operations Tracker’, available at: {https://www.cfr.org/interactive/cyber-operations} accessed 28 November 2018; Valeriano and Maness, ‘The dynamics of cyber conflict between rival antagonists, 2001–11’.
15 Moving forward, all references to ‘cyber operations’ or ‘operations’ refer to ‘degradative cyber operations’.
16 Borghard and Lonergan, ‘The logic of coercion in cyberspace’, p. 474; Lindsay and Gartzke, ‘Coercion through cyberspace’, p. 173; Slayton, ‘What is the cyber offense-defense balance?’, pp. 87–91.
17 United States of America, ‘National Cyber Security Strategy of the United States of America’, available at: {https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf} accessed 28 November 2018.
18 Elisabeth Bumiller and Thom Shanker, ‘Panetta warns of dire threat of cyberattack on U.S.’, The New York Times, available at: {https://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html} accessed 28 November 2018.
19 Cyber Security Agency of Singapore, ‘Singapore Cybersecurity Strategy’, available at: {https://www.csa.gov.sg/~/media/csa/documents/publications/singaporecybersecuritystrategy.pdf} accessed 28 November 2018.
20 Elena L. Aben, ‘ASEAN to form cybersecurity group’, Manila Bulletin, available at: {http://www.pressreader.com/philippines/manila-bulletin/20160528/281547995138115} accessed 28 November 2018.
21 Gomez, Miguel Alberto and Dai, Candice Tran, ‘Challenges and opportunities for cyber norms in ASEAN’, Journal of Cyber Policy, 3:2 (2018), pp. 217–35Google Scholar.
22 Martin Libicki, ‘Cyberdeterrence and Cyberwar’, RAND Corporation, available at: {https://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf} accessed 29 November 2018.
23 Perrow, Charles, Normal Accidents: Living with High Risk Technologies (New Jersey: Princeton University Press, 1984), pp. 62–100Google Scholar.
24 Cavelty, Myriam Dunn, ‘From cyber-bombs to political fallout: Threat representations with an impact in the cyber-security discourse’, International Studies Review, 15:1 (2013), pp. 114–15Google Scholar.
25 Saltzman, Ilai, ‘Cyber posturing and the offense-defense balance’, Contemporary Security Policy, 34:1 (2013), pp. 40–63CrossRefGoogle Scholar.
26 Healey, Jason, ‘Winning and losing in cyberspace’, in Pissanidis, Nikolaos, Rõigas, Henry, and Veenendaal, Matthijs (eds), 8th International Conference on Cyber Conflict (Tallinn: IEEE, 2016), pp. 37–49Google Scholar; Iasiello, Emilio, ‘Cyber attack: a dull tool to shape foreign policy’, in Podins, Karlis, Stinissen, Jan, and Maybaum, Markus (eds), 5th International Conference on Cyber Conflict (Tallinn: IEEE, 2013), pp. 451–70Google Scholar; Maness and Valeriano, ‘The impact of cyber conflict on international interactions’, pp. 301–23.
27 Valeriano, Jensen, and Maness, Cyber Strategy, pp. 22–52.
28 Furthermore, the extent with which cyber operations contributed to its success is also in doubt. This reflects the growing trend of considering cyber operations as one component of a larger strategic campaign.
29 Pytlak, Allison and Mitchell, George, ‘Power, rivalry, and cyber conflict: an empirical analysis’, in Friis, Karsten and Ringsmore, Jens (eds), Conflict in Cyber Space: Theoretical, Strategic and Legal Perspectives (London: Routledge, 2016), pp. 65–82Google Scholar; Slayton, ‘What is the cyber offense-defense balance?’, pp. 72–109.
30 Joseph Nye, ‘Cyber Power’, Belfer Center for Science and International Affairs, available at: {https://www.belfercenter.org/sites/default/files/legacy/files/cyber-power.pdf} accessed 29 November 2018.
31 Slayton, ‘What is the cyber offense-defense balance?’, pp. 72–109.
32 Liff, ‘Cyberwar’, pp. 409–21.
33 Valeriano and Maness, Cyber War Versus Cyber Realities, pp. 45–77.
34 Nadiya Kostyuk and Yuri Zhukov, ‘Invisible digital front: Can cyber attacks shape battlefield events?’, Journal of Conflict Resolution (2017).
35 Buchanan, The Cybersecurity Dilemma, p. 20.
36 Gartzke, Erik and Lindsay, Jon, ‘Thermonuclear cyberwar’, Journal of Cybersecurity, 3:1 (2017), p. 45Google Scholar.
37 Jacquelyn Schneider, ‘Cyber and Crisis Escalation: Insights from Wargaming’, US Naval War College, available at: {https://pacs.einaudi.cornell.edu/sites/pacs/files/Schneider.Cyber%20and%20Crisis%20Escalation%20Insights%20from%20Wargaming%20Schneider%20for%20Cornell.10-12-17.pdf} accessed 29 November 2018.
38 Clarke, Richard and Knake, Robert, Cyber War (New York: Harper-Collins, 2010), pp. 30–1Google Scholar.
39 Jarvis, Lee, MacDonald, Stuart, and Whiting, Andrew, ‘Unpacking cyberterrorism discourse: Specificity, status, and scale in news media constructions of threat’, European Journal of International Security, 2:1 (2017), pp. 64–87CrossRefGoogle Scholar.
40 Justin McCarthy, ‘Americans cite cyberterrorism among top three threats to U.S.’, Gallup, available at: {https://news.gallup.com/poll/189161/americans-cite-cyberterrorism-among-top-three-threats.aspx} accessed 29 November 2018.
41 NATO Cyber Defence Centre of Excellence, ‘Cyber Security Strategy Documents’, available at: {https://ccdcoe.org/cyber-security-strategy-documents.html} accessed 29 November 2018.
42 This is not to say, however, that a uniform perception of threat exists amongst these states.
43 Belief in the occurrence of a low-probability, high-damaging event that occurs at a given point in time; Camerer, Colin and Kunreuther, Howard, ‘Decision-processes for low probability events – policy implications’, Journal of Policy Analysis and Management, 8:4 (1989), p. 565CrossRefGoogle Scholar.
44 Reinhardt, Gina, ‘Imagining worse than reality: Comparing beliefs and intentions between disaster evacuees and survey respondents’, Journal of Risk Research, 20:2 (2017), pp. 169–94CrossRefGoogle Scholar.
45 Camerer and Kunreuther, ‘Decision-processes for low probability events’, pp. 565–92; Gigerenzer, Gerd, ‘Out of the frying pan into the fire: Behavioral reactions to terrorist attacks’, Risk Analysis, 26:2 (2006), pp. 347–51CrossRefGoogle ScholarPubMed; Viscusi, Kip and Zeckhauser, Richard, ‘Recollection bias and its underpinnings: Lessons from terrorism risk assessments’, Risk Analysis, 37:5 (2017), pp. 969–81CrossRefGoogle ScholarPubMed.
46 Valeriano and Maness, Cyber War Versus Cyber Realities, pp. 45–77.
47 Buchanan, The Cybersecurity Dilemma, pp. 75–100; Gartzke and Lindsay, ‘Thermonuclear cyberwar’, pp. 44–5.
48 Valeriano and Maness, ‘The dynamics of cyber conflict between rival antagonists, 2001–11’, pp. 347–60.
49 Whyte, Chris, ‘Ending cyber coercion: Computer network attack, exploitation and the case of North Korea’, Comparative Strategy, 35:2 (2016), pp. 93–102CrossRefGoogle Scholar.
50 Chong, Dennis, ‘Degree of rationality in politics’, in Huddy, Leonie and Sears, David (eds), The Oxford Handbook of Political Psychology (New York: Oxford University Press, 2013), pp. 96–129Google Scholar.
51 Herrmann, Richard, Voss, James, Schooler, Tonya, and Ciarrochi, Joseph, ‘Images in International Relations: an experimental test of cognitive schemata’, International Studies Quarterly, 41:3 (1997), pp. 402–33CrossRefGoogle Scholar; Holmes, Marcus, ‘Believing this and alieving that: Theorizing affect and intuitions in international politics’, International Studies Quarterly, 59:4 (2015), pp. 706–20Google Scholar; Jervis, Robert, Perception and Misperception in International Politics (New Jersey: Princeton University Press, 1976), pp. 13–31Google Scholar; Jervis, Robert, ‘Understanding beliefs and threat inflation’, in Thrall, Trevor and Cramer, Jane (eds), American Foreign Policy and the Politics of Fear (New York: Routledge, 2009), pp. 16–39Google Scholar; Mercer, Jonathan, ‘Emotional beliefs’, International Organization, 64:1 (2010), pp. 1–31CrossRefGoogle Scholar; Roach, Steven, ‘Affective values in international relations: Theorizing emotional actions and the value of resilience’, Politics, 36:4 (2016), pp. 400–12CrossRefGoogle Scholar; Sasley, Brent, ‘Affective attachments and foreign policy: Israel and the 1993 Oslo Accords’, European Journal of International Relations, 16:4 (2010), pp. 687–709CrossRefGoogle Scholar.
52 Jervis, Perception and Misperception in International Politics, pp. 13–31.
53 Bar-Joseph, Uri and Kruglanski, Arie, ‘Intelligence failure and need for cognitive closure: On the psychology of the Yom Kippur surprise’, Political Psychology, 24:1 (2003), pp. 75–99CrossRefGoogle Scholar.
54 Lodge, Milton and Taber, Charles, ‘Three steps towards a theory of motivated political reasoning’, in Lupia, Arthur, McCubbins, Matthew, and Popkin, Samuel (eds), Elements of Reason: Cognition, Choice, and the Bounds of Rationality (New York: Cambridge University Press, 2000), pp. 183–213CrossRefGoogle Scholar; Taber, Charles, Lodge, Milton, and Glathar, Jill, ‘The motivate construction of political judgements’, in Kuklinski, James (ed.), Citizens and Politics: Perspectives from Political Psychology (New York: Cambridge University Press, 2001), pp. 198–226CrossRefGoogle Scholar.
55 Mercer, ‘Emotional beliefs’, p. 9.
56 Boulding, Kenneth, ‘National images and international systems’, Journal of Conflict Resolution, 3:2 (1959), pp. 121–2CrossRefGoogle Scholar.
57 Both capabilities and cultural likeness may be significant to state interactions in cyberspace but are beyond the scope of this study.
58 Holsti, Ole, ‘The belief system and national images: a case study’, Journal of Conflict Resolution, 6:3 (1962), p. 247CrossRefGoogle Scholar; Holsti, Ole, ‘Cognitive dynamics and images of the enemy’, Journal of International Affairs, 21:1 (1967), p. 17Google Scholar.
59 Dreyer, David, ‘Issue conflict accumulation and the dynamics of strategic rivalry’, International Studies Quarterly, 54:3 (2010), pp. 779–95CrossRefGoogle Scholar.
60 Only a general idea of a previous event is retained in memory, which could result in mis-contextualisation when used in the future.
61 Blum, Scott, Silver, Roxane, and Poulin, Michael, ‘Perceiving risk in a dangerous world: Associations between life experiences and risk perceptions’, Social Cognition, 32:3 (2014), pp. 299–300CrossRefGoogle Scholar; Dreyer, ‘Issue conflict accumulation’, pp. 784–6.
62 Maness and Valeriano, ‘The impact of cyber conflict on international interactions’, p. 305.
63 Rid, Thomas and Buchanan, Ben, ‘Attributing cyber attacks’, Journal of Strategic Studies, 38:1 (2015), p. 25CrossRefGoogle Scholar.
64 Kruglanski, Arie and Webster, Donna, ‘Motivated closing of the mind: Seizing and freezing’, Psychological Review, 103:2 (1996), pp. 68–111CrossRefGoogle ScholarPubMed.
65 Lerner, Jennifer and Tetlock, Philip, ‘Accounting for the effects of accountability’, Psychological Bulletin, 125:2 (1999), pp. 255–75CrossRefGoogle ScholarPubMed.
66 Chong, ‘Degree of rationality in politics’, pp. 96–129.
67 Other aspects such as personality and leadership style may also severely impact the extent to which information is processed but these are not currently in scope; Bar-Joseph and Kruglanski, ‘Intelligence failure and need for cognitive closure’, p. 81.
68 While significant to the study of bias, the freezing effect is not tested explicitly in these experiments.
69 Rid and Buchanan, ‘Attributing cyber attacks’, p. 5.
70 Hansen, Lene and Nissenbaum, Helen, ‘Digital disaster, cyber security, and the Copenhagen School’, International Studies Quarterly, 53:4 (2009), pp. 1155–75CrossRefGoogle Scholar.
71 Slayton, ‘What is the cyber offense-defense balance?’, pp. 72–109.
72 Bar-Joseph and Kruglanski, ‘Intelligence failure and need for cognitive closure’, pp. 75–99.
73 Lau, Richard and Redlawsk, David, ‘Advantages and disadvantages of cognitive heuristics in political decision making’, American Journal of Political Science, 45:4 (2001), pp. 951–71CrossRefGoogle Scholar.
74 Factors such as task-specific instructions, length, and response format have been shown to influence the extent to which base rates are ignored.
75 Krosnick, Jon, Li, Fan, and Lehman, Darrin, ‘Conversational conventions, order of information acquisition, and the effect of base rates and individuating information on social judgments’, Journal of Personality and Social Psychology, 59:6 (1990), pp. 1140–52CrossRefGoogle Scholar.
76 The scenario is loosely based on the ongoing dispute between China and several Southeast Asian states.
77 When terms are italicised, these refer to specific variables being studied.
78 See Appendix.
79 Although it has been shown that the response format can influence the emergence of bias, this is not the primary concern of this study and is consequently not tested.
80 Mintz, Alex, Redd, Steven, and Vedlitz, Arnold, ‘Can we generalize from student experiments to the real world in political science, military affairs, and international relations?’, Journal of Conflict Resolution, 50:5 (2006), pp. 757–76CrossRefGoogle Scholar.
81 In light of the difficulty of acquiring political elites for these experiments, this serves as a viable proxy for the purpose of this study.
82 Aldrich, John and Lupia, Arthur, ‘Experiments and game theory's value to political science’, in Druckman, James, Green, Donald, Kuklinski, James, and Lupia, Arthur (eds), Cambridge Handbook of Experimental Political Science (New York: Cambridge University Press, 2011), pp. 89–101CrossRefGoogle Scholar.
83 Casler, Krista, Bickel, Lydia, and Hackett, Elizabeth, ‘Separate but equal? A comparison of participants and data gathered via Amazon's MTurk, social media, and face-to-face behavioral testing’, Computers in Human Behavior, 29:6 (2013), pp. 2156–60CrossRefGoogle Scholar; Gomez, Miguel Alberto and Villar, Eula Bianca, ‘Fear, uncertainty, and dread: Cognitive heuristics and cyber threats’, Politics and Governance, 6:2 (2018), pp. 61–72CrossRefGoogle Scholar.
84 Casler, Bickel, and Hackett, ‘Separate but equal’, pp. 2156–60; Crump, Matthew, McDonnell, John, and Gureckis, Todd, ‘Evaluating Amazon's Mechanical Turk as a tool for experimental behavioral research’, Plos One, 8:3 (2013), p. e57410CrossRefGoogle Scholar; Peer, Eyal, Brandimarte, Laura, Samat, Sonam, and Acquisti, Alessandro, ‘Beyond the Turk: Alternative platforms for crowdsourcing behavioral research’, Journal of Experimental Social Psychology, 70 (2017), pp. 153–63CrossRefGoogle Scholar.
85 Prolific allows researchers to screen participants based on predefined criteria. There is, however, no guarantee that individuals were truthful when they provided the required background information.
86 Mintz, Redd, and Vedlitz, ‘Can we generalize …?’, pp. 757–76.
87 Hafner-Burton, Emilie, Hughes, Alex, and Victor, David, ‘The cognitive revolution and the political psychology of elite decision making’, Perspectives on Politics, 11:2 (2013), pp. 368–86CrossRefGoogle Scholar.
88 McDermott, Rose, Political Psychology in International Relations (Michigan: University of Michigan Press, 2004), pp. 24–9CrossRefGoogle Scholar.
89 Hafner-Burton, Hughes, and Victor, ‘The cognitive revolution’, pp. 370–3.
90 Aronson, Elliot and Carlsmith, Merrill, Methods of Research in Social Psychology (New York: McGraw-Hill, 1990), pp. 42–9Google Scholar.
91 This is not statistically different from the first experiment.
92 Since the vignette presented the base rate for states, in general, as the source of cyber operations; a perfectly Bayesian actor should indicate a value even lower than 14.3 per cent.
93 Simon, Herbert, ‘Invariants of human behavior’, Annual Review of Psychology, 41:1 (1990), pp 1–20CrossRefGoogle ScholarPubMed.
94 Bjork, Robert and Whitten, William, ‘Recency-sensitive retrieval processes in long-term free recall’, Cognitive Psychology, 6:2 (1974), pp. 173–89CrossRefGoogle Scholar.
95 Miller, George, ‘The magical number seven, plus or minus two: Some limits on our capacity for processing information’, Psychological Review, 63:2 (1956), p. 81CrossRefGoogle ScholarPubMed.
96 Pennycook, Gordon, Trippas, Dries, Handley, Simon, and Thompson, Valerie, ‘Base rates: Both neglect and intuitive’, Journal of Experimental Psychology-Learning Memory and Cognition, 40:2 (2014), pp. 544–54CrossRefGoogle ScholarPubMed.
97 Rid and Buchanan, ‘Attributing cyber attacks’, pp. 4–37.
98 Gartzke and Lindsay, ‘Thermonuclear cyberwar’, pp. 37–48; Maness and Valeriano, ‘The impact of cyber conflict on international interactions’, pp. 301–23.
99 Kim Zetter, ‘Inside the cunning, unprecendented hack of Ukraine's power grid’, Wired Magazine, available at: {https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/} accessed 29 November 2018.
100 Hafner-Burton, Hughes, and Victor, ‘The cognitive revolution’, pp. 368–86; Mintz, Redd, and Vedlitz, ‘Can we generalize …’, pp. 757–76.
101 Borghard and Lonergan, ‘The logic of coercion in cyberspace’, pp. 464–6; Fearon, James, ‘Rationalist explanations for war’, International Organization, 49:3 (1995), pp. 379–414CrossRefGoogle Scholar.
102 Borghard and Lonergan, ‘The logic of coercion in cyberspace’, pp. 456–9; Buchanan, The Cybersecurity Dilemma, pp. 48–9.
103 Gartzke and Lindsay, ‘Thermonuclear cyberwar’, p. 45.
104 Galinsky, Adam, Gruenfeld, Deborah, and Magee, Joe, ‘From power to action’, Journal of Personality and Social Psychology, 85:3 (2003), p. 453CrossRefGoogle Scholar; Galinsky, Adam, Magee, Joe, Inesi, Ena, and Gruenfeld, Deborah, ‘Power and perspectives not taken’, Psychological Science, 17:12 (2006), pp. 1068–74CrossRefGoogle Scholar.
105 This would have required the experiment to be re-registered and for additional funding sought.
106 Experiments 1 and 2 were also tested to include Region but no significant results were found.
107 Rid and Buchanan, ‘Attributing cyber attacks’, pp. 4–37.
- 19
- Cited by