Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition
Read more
Main Logo Expert commentary on tech and security

David Edelman examines deterrence, law, and norms to restrain cyber conflict

Emily Otto 3 December 2024
Share On:
A deep dive into strategic and legal frameworks, ‘Rethinking Cyber Warfare’ assesses whether states can truly control cyber warfare and limit digital threats to security
Main Top Image
Image created using DALL-E 2 and Chat GPT-4o

As people, organisations, and states become more digitally interconnected, governments are increasingly pursuing strategic goals in the cyber domain. State actors online have targeted the confidentiality, integrity, availability, and safety of sensitive information, critical infrastructure, or institutional trust. In his ‘Rethinking Cyber Warfare: The International Relations of Digital Disruption’ David Edelman asks, ‘Are we any closer, today, to the confidence that these tools [cyberattacks] will not be used to bring life to a halt, infrastructure to a meltdown, or militaries to an early surrender? (pg. 2)’.

Based on two decades of experience working to address the security problem posed by cyberspace, Edelman examines the mechanisms of restraint through their ability to limit state cyberattacks. He does this through the lenses of international law, strategic studies, and normative theory. Edelman challenges the notion that ‘There is nothing new under the sun in warfare (Preface)’ in an interdisciplinary analysis of cyberattacks within the context of international relations. ‘Rethinking Cyber Warfare’ offers academics, practitioners, and policymakers a comprehensive analysis of the effectiveness of traditional tools of restraint in tackling a modern security threat. 

The book is divided into three parts, each dedicated to a traditional mechanism of restraint: deterrence, international law, and humanitarian considerations. In each section, Edelman explains first how cyberspace’s unique features make it harder to use that tool and, second, explores the impact of structured competition on cyberattacks. Structured competition is a way of managing rivalry between nations by establishing rules or norms to prevent conflict and maintain stability. It allows countries to compete in areas like economy or technology while avoiding actions that could escalate into open hostility (pg. 6).

Edelman’s investigation of deterrence reveals that a lack of clear rules and norms for cyberwarfare has led states to resort to broader power structures – conventional military power, economic sanctions, or diplomatic pressure – rather than isolated actions or policies to discourage cyberattacks. However, even these traditional instruments fail because there are no agreed-upon norms and mutual understanding. The author concludes that deterrence is unlikely to be an effective tool to curtail cyberattacks (pg. 125).

His examination of international law comes to a similar conclusion. Laws that dictate how states can engage in war or armed conflict are not very effective as a means of restraint, especially those covered by ‘jus ad bellum,’ the set of principles or criteria in international law that determine whether going to war is legally and morally justifiable. Edelman argues that cyberattacks complicate the application of the law because they rarely meet a clear threshold to justify using force in self-defence. 

States have adapted to this ambiguity by sharpening their response capabilities and strategies. For example, he highlights the United States’ ‘defend forward’ policy, arguing that it blurs the distinction between defensive and pre-emptive actions, pushing legal boundaries to accommodate more assertive acts of self-defence (pg. 230). Consequently, he claims, legal frameworks like jus ad bellum will likely not deliver the level of restraint achieved in the conventional and nuclear environment (pg. 236).

The last major section studies a normative restraint regime: humanitarian prohibitions, specific restrictions to protect civilians and minimise suffering during conflicts. These include bans on indiscriminate attacks, adherence to proportionality, and safeguards for essential services.

Edelman argues that restraint through humanitarian prohibitions might be the most effective way to curtail cyberattacks (pg. 241).  This approach can sidestep multiple issues that undermine the use of more explicit restraint mechanisms like arms control, which faces challenges in carrying out ‘weapons’ inspections. He argues that prohibitive norms can align with states’ motivations by providing clear guidelines that help maintain international stability and protect civilian infrastructure, which is in the interest of all states. While not a perfect solution, norms are the most flexible and well-suited mechanism for addressing cyberattacks. They depend on collective agreement and mutual interest rather than rigid enforcement, allowing them to adapt to states’ diverse interests and capabilities. This insight underpins Edelman’s suggestion that prohibitive norms are the most promising avenue for achieving a measure of restraint (pg. 290-291).

Applying existing solutions to new issues

Academia is in the early stages of understanding the nature and dynamics of cyberspace as a security concern for states. As a result, scholars are compelled to take calculated risks in their assumptions when engaging in academic inquiry. Edelman characterises cyberattacks as a coercive capability – a tool to force someone to act through threats or violence – a premise that is widely contested. Many scholars argue that cyberattacks are not coercive but exploitative. Exploitation can degrade strategic power in diplomatic, informational, military, or economic spheres through cumulative impact. For example, China’s intellectual property theft has caused substantial financial losses, hurting US companies’ competitiveness. This unauthorised acquisition of sensitive technologies has also bolstered Chinese military capabilities and eroded trust in the global trade regime. It would have been interesting for Edelman to explore how altering cyberattacks’ assumed utility from coercion to exploitation might impact his analysis and subsequent conclusions. 

Edelman effectively uses analysis of traditional restraint mechanisms, such as deterrence, international law, and humanitarian protections, in a new arena. This provides a valuable contribution to the debate on applying old tools to a novel problem. However, in his conclusion regarding the development of shared expectations of restraint, he overlooks the realist perspective. 

This school of thought argues that hard power, which includes deterrence, coercion, and legal frameworks, often reinforces constructivist normative regimes that underpin humanitarian prohibitions. The reinforcement of normative regimes is usually executed by a hegemonic state with unmatched hard power that can strengthen norms and pressure weaker states to accept them. Conversely, the constructivist school of thought argues that international relations are shaped by ideas, norms, and social interactions rather than just material power or self-interest. According to realists, constructivist norms only emerge when powerful states’ interests align with those proposed norms. It would have added depth if the author had considered this perspective and explored the role or requirement of a hegemon on the restraint effectiveness of prohibitive norms.

Edelman sets out to assist academics and practitioners in reflecting on their shared understanding of cyberattacks, but the language feels overly academic, potentially inaccessible to half the target audience. This limits the book’s potential reach, especially among practitioners who would benefit from its insights. A more inclusive style could have widened its impact. That said, the depth of analysis and the richness of the ideas presented are impressive, showcasing the author’s expertise and dedication to pursuing new knowledge on a significant national security problem. 

A must-read

Overall, David Edelman’s ‘Rethinking Cyber Warfare’ offers a valuable contribution to discussions on managing cyberattack security challenges. The book’s strength lies in its comprehensive analysis of traditional restraint mechanisms 

and their suitability for curtailing cyberattacks. Although Edelman’s writing style may be challenging for those outside academia, the book’s insights and analysis illuminate our understanding of cyberattacks’ unique characteristics. Furthermore, Edelman’s effort to comprehend why these mechanisms falter and determine the most effective solution is crucial for scholars, policymakers, and practitioners. ‘Rethinking Cyber Warfare’ is a must-read for anyone seeking to understand the complexities of applying old tools to a new problem, develop a cyberwarfare governance regime, or broaden their understanding of state competition in the digital domain.

avatar
Emily Otto

Related

Featured image
Book Binder
What does critical cybersecurity look like?
Noran Fouad 14 November 2024
Read more arrow
Featured image
Book Binder
The story behind the uncovering of the Pegasus spyware scandal
Stella Blumfelde / Kamil Bojarski / James Shires / Max Smeets 24 October 2024
Read more arrow
Featured image
Book Binder
Offensive cyber operations in the test of time
Daniel Moore 7 November 2023
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.