It’s Hard to Find a Black Cat in a Dark Room, Especially If It Isn’t There: RAND on the Search for Cyber Coercion

What is cyber coercion and how have states used cyber operations to coerce others? These are the questions addressed in the RAND think tank’s recent report “Fighting Shadows in the Dark. Understanding and Countering Coercion in Cyberspace”. The authors discuss cyber operations conducted by four states — Russia, China, Iran and North Korea — and try to determine whether those activities amounted to cyber coercion.

Starting with the study findings, we will highlight the following points. Cyber operations intended to coerce are a small subset of overall cyber operations globally. Espionage remains the predominant purpose of states’ cyber operations. Despite that, the authors think that states like Russia and North Korea appear to be more likely to have used cyber operations as a coercive tool than China and Iran. The authors also find that, contrary to what coercion theory would predict, states do not make distinct threats with unambiguous demands for changes in behaviour often. Instead, they deny responsibility, hiding behind proxies. Despite the low probability of success, the authors anticipate states will continue to use and may, in fact, come to employ cyber operations more often in the future to coerce. To prepare for this outcome, the United States and its allies need to work now to develop methods to discern cyber coercion as it emerges and strategies to deter and counter it in the future.

Even though the report has certain scientific value, the authors have left quite a lot of space for criticism. First, we need to examine several serious methodological issues. Second, setting aside the fact that the study was sponsored by the United States Department of Defence and its affiliated entities, the authors specifically mention that they only used data from open sources. Indeed, the evidence is mostly taken from reports published by companies such as Mandiant and its eventual buyer FireEye, whose leadership has certain connections both with the Department of Defence and with the U.S. intelligence community. So the evidence of countries’ involvement in cyber operations cannot be seen as objective. Finally, it is lamentable that the ways suggested by the authors for solving problems are strikingly one-sided and do not contain the slightest hint of any possible affirmative action.


The authors attempt to base their methodology for defining coercion in cyberspace on, among other things, Arms and Influence, the seminal work by the American economist Thomas Schelling. They claim that Schelling described two forms of coercion: active coercion (compellence) and passive coercion (deterrence). In their words, the former involves the active use of force in some form to compel action by another. In contrast, the latter involves the threatened use of force to either motivate action or refrain from a particular activity. Schelling himself says the following:

“… partly deterrence has been a euphemism for the broader concept of coercion, as ‘defence’ has replaced words like ‘war’ and ‘military’ in our official terminology. It is a restrictive euphemism if it keeps us from recognizing that there is a real difference between deterrence and what, in Chapter 2, I had to call ‘compellence,’ that is, a real difference between inducing inaction and making somebody perform.” [1]

“… brute force succeeds when it is used, whereas the power to hurt is most successful when held in reserve. It is the threat of damage, or of more damage to come, that can make someone yield or comply. It is latent violence that can influence someone’s choice — violence that can still be withheld or inflicted … The threat of pain tries to structure someone’s motives, while brute force tries to overcome his strength. Unhappily, the power to hurt is often communicated by some performance of it. Whether it is sheer terroristic violence to induce an irrational response, or cool premeditated violence to persuade somebody of your intent and willingness to repeat, it is not the pain and damage itself but its influence on somebody’s behaviour that matters. It is the expectation of more violence that gets the wanted behaviour, if the power to hurt can get it at all.” [2]

It is obvious that Schelling draws a clear line between deterrence and coercion and, more importantly, points out that coercion implies limited use of force: force plays a secondary part, while the central condition is threatening damage.

Further, while describing the logic of coercion, the authors quote several scholarly works that repeat the key points made by Schelling. In one of them, coercion is summarized with the phrase “if you do not do X, I will do Y.” [3] Another work states that a coercive action or threat “demands clarity in the expected result … [and to] be accompanied by some signal of urgency.” [4] These appear to be true and ought to have been taken as the basis. Yet the authors of the report choose another path: they declare that the observed practice differs from the theory of cyber coercion (which, it should be noted, was inferred from practice) and claim that demands and threats expressed as part of such coercion are sometimes ambiguous, as identification of the threatening party can be. But what remains of coercion if its defining characteristics are removed? Large-scale cyber-attacks are not just a show of force but achievement of specific objectives, so they have nothing to do with coercion.

The above seems to challenge the accuracy of the question asked at the beginning of the paper under review: “What is cyber coercion?” Let us first consider what coercion is. It appears to be primarily a form of policy aimed at maintaining or changing the existing order of distribution of power and wealth in the global community [5]. From this standpoint, the essence of coercion is to change the political behaviour of other actors in the global political arena with the possibility of a limited demonstration of force that does not escalate into full-scale warfare. To some extent, the essence of coercive policy is described in the Art of War by Chinese General Sun Tzu: “Therefore the skilful leader subdues the enemy’s troops without any fighting; he captures their cities without laying siege to them; he overthrows their kingdom without lengthy operations in the field.” Even so, coercive violence is also possible: discussing this, Schelling cites an example from the history of the Wild West: raids on some Indian settlements were intended to break the resistance of and subjugate all tribes. But here the Indians were clear about the source of the threat, the possible consequences of resistance and the demands that were put forward, as well as the ways out — either to submit or to retreat.

If we base our discussion on the above premise that coercion is a form of policy, a more appropriate question arises: can cyber-means be used to implement a coercion policy and, if so, how effectively? Based on the definition of coercion, its implementation generally requires A to demand that B change its policy in a specific way — with a demonstration of force that can be used to its full extent if the demand is not satisfied. In individual cases, demands, threats or demonstration of force can be implicit. Still, it is evident that the victimized party needs to be aware of such risks and understand them correctly. This imposes certain conditions on the means used for implementing a coercion policy.

The ICT environment has a number of properties making it an attractive medium for influence. First of all, it offers anonymity and action across borders, which complicates attribution, i.e., identification of the source of influence. The “plausible deniability” of involvement in cyber-attacks is one of their most significant benefits as a military-political tool. Experience shows that cyber-attacks can be used to project and demonstrate power. Still, the party that uses them for coercive purposes has to assume responsibility or reveal its involvement in some other way. According to some statistics, numerous cyber-attacks are carried out against the Russian public infrastructure every day (2.4 billion hostile actions were detected in 2017, rising to 4 billion in 2018). Recognizing a demonstration of force or a demand to change one’s policy within such a torrent of events appears impossible. Using the possibility of a cyber-attack as a threat also seems ineffective because it allows the potential adversary to prepare for the attack and to fend it off.

Public Policy

The authors of the report claim that, as the development of more connected and interconnected information systems and networks proceeds, the potential for actors to use cyber operations to exert influence and impact the economic, political, and social wellbeing of other states is increasing. When examining possible episodes of cyber coercion, however, the authors confine themselves to just four key global political actors identified by the U.S. Government: Russia, China, Iran and North Korea. For each country, open-source research was conducted to develop an overview of their capabilities, published doctrine on cyber operations, as well as available data on government-affiliated cyber operations groups.

The authors’ research into doctrines and documents disclosing states’ positions concerning operations in cyberspace is incomplete, inconsistent and sometimes merely erroneous. For example, when quoting strategic planning documents of the Russian Federation, the authors state that “[a]lthough Russia sees its adversaries conducting such [information] operations against it, these writings indicate how Russia thinks about the potential role for cyber operations in its operations as well.” Here it would suffice to consult the Russian Federation Armed Forces’ Information Space Activities Concept, which reads: “Cyberspace conflict settlement shall be carried out in the first place by means of negotiation, conciliation, addressing to the U.N. Security Council or regional agencies or agreements, or by other peaceful means.” The authors also quote Chinese experts, who point out a whole range of disadvantages of network deterrence and coercion operations, above all the fact that the ambiguous nature of cyber operations may reduce their efficacy [6]. Successful deterrence and coercion results from effective signalling — the adversary must first be aware of the source and motivation for the influence for it to take actions expected by the attackers. The authors conclude that China “is taking a more circumspect approach to using cyber operations for coercive purposes, focusing largely on stealing data or silencing critics of the regime. China may, however, seek to expand its use of cyber operations to coerce in the future.” It is an entirely groundless conclusion, especially considering all the disadvantages the Chinese experts have pointed out.

As for the specific cyber capabilities of each state, the work done by RAND is not based on concrete facts. For example, as corroboration of the claims of Russia’s involvement in cyber-attacks on Montenegro in 2018, they refer to an article stating that: “Three international I.T. security companies say the emails [containing malware] came from APT28, also known as Fancy Bear, which U.S. intelligence services say is connected to the Russian military intelligence service, GRU.” China’s involvement in cyber-attacks on South Korean networks and systems, as well as other episodes of cyber influence, are proven similarly. A case from 2017 is mentioned, when the U.S. Department of Justice brought cyber-espionage charges against three employees of the Chinese company Boyusec. Even though federal prosecutors deliberately avoided the question of whether Boyusec was affiliated or connected with the Chinese government, private sector representatives noted that they assumed that Boyusec had been working for the Ministry of State Security of China. Myths are born from repetition and persistent emphasis on facts long disproven. For instance, Russia is alleged to have carried out cyber-attacks on Estonian government agencies in 2008, even though this allegation has long been refuted: an independent investigation confirmed that the operation was, in fact, the work of activists with no government affiliation.

The RAND report relies on a biased selection of evidence provided by entities associated with the United States intelligence community, and it gives the impression of stretching facts to create a negative image of Russia, China, Iran and North Korea as malicious actors in cyberspace. Meanwhile, it is the current U.S. strategic planning documents that articulate a clear vision of a threat to freedom and democracy and set the goal of ensuring peace using force. This implies identifying adversaries and exerting influence using all available means. Coercion policy has already become the norm in the United States. Take, for example, this summer, when The New York Times published a piece claiming that the U.S. secret services have carried out offensive operations against the Russian electricity grid and power plants. The purpose of that publication is still unclear: was it a leak and, if so, was it intended? Or was it disinformation? U.S. President Donald Trump accused journalists of treason, and representatives of the U.S. National Security Council said there were no risks to national security. If we take the lead from RAND, however, and look at the broader context, we see that, against the backdrop of tension between Russia and the U.S., this publication was a clear signal of coercive policy.

Establishing peace through force does not provide a mutually acceptable mechanism for reducing tensions in the ICT sphere. And though, as the authors themselves note, not all of the cases examined in the report are explicit acts of cyber coercion, it is necessary to develop the means to detect early signs of cyber coercion and to craft deterrence and resilience strategies. It is assumed to be enough to respond successfully to cyber coercion. The authors see no ways of solving the problem other than developing strategies to counter this phenomenon (it may be assumed that those will include all available means, including “public attribution”).

In conclusion, the authors repeat the message that cyber operations may not be accompanied by clear signalling of a threat or expected behaviour, let alone means that can be used for coercion. It is also challenging to determine what exactly cyber operations carried out against another country are aimed at. Maybe the argument would benefit from Occam’s methodological principle: “entities should not be multiplied without necessity.” Indeed, just as the authors state, ICT tools are widely used by many states to accomplish military and political objectives. Yet, if an action is not aimed at changing the political behaviour of another country and if there is no direct threat or use of force (which would be a violation of the United Nations Charter, by the way), should we speak of so-called coercion or is it just regular cyber activity, which is now commonplace? A vivid example of a coercive policy that is mentioned, but not discussed by the authors, is the cyber-attack on Iranian nuclear programme facilities in 2010. First, specific countries demanded that Iran wind down its nuclear programme. Second, there was talk of a possible strike if the conditions were not fulfilled. As we know, Iran did not change its policy, and the cyber-attack that followed was not an act of coercion or a limited demonstration of force but fulfilled particular tasks: Iran’s nuclear programme was slowed down considerably.

What we need is not strategies against cyber coercion, which RAND experts call for, but international frameworks for precluding conflicts in cyberspace. One such framework could be built up from the norms, rules and principles of responsible behaviour in the ICT environment formulated by the international community through the United Nations Group of Governmental Experts.

From our partner RIAC

1. Thomas C. Schelling, Arms and Influence, New Haven, Conn.: Yale University Press, 1966, pp. 174–175.

2. Ibid., p. 3.

3. Erica D. Borghard and Shawn W. Lonergan, “The Logic of Coercion in Cyberspace”, Security Studies, Vol. 26, No. 3, 2017, pp. 433–34.

4. Christopher Whyte, “Ending Cyber Coercion: Computer Network Attack, Exploitation and the Case of North Korea”, Comparative Strategy, Vol. 35, No. 2, 2016.

5. For a definition of policy, see Kokoshin A.A. Global politics: theory, methodology, applied analysis [Mirovaya politika: teoria, metodologia, prikladnoy analiz]. Komkniga, 2005. ISBN 5484000874 (in Russian).

6. Shou Xiaosong, ed., The Science of Military Strategy [战略学], Beijing, China: Military Science Press, 2013, p. 194.

Pavel Karasev
Research Fellow, MSU Institute of Information Security Issues