Governing cyber crises: policy lessons from a comparative analysis

Abstract

In cyberspace, the notion of crisis is multifaceted. The complexity of cyber crises pertains to the diversity of actors, activities, targets, and effects involved, creating governance challenges. For example, information campaigns on the Internet have created a crisis of trust in political discourse and authority in many democratic societies. A recent ransomware attack by a criminal actor brought the entire nation of Costa Rica to a standstill. Incidents such as the state-sponsored SolarWinds and Microsoft Exchange hack have put pressure on the demarcation line between cyber espionage and disruptive cyber operations. Strategic shifts to more proactive and continuous operations as a method of addressing cyber conflict short of war raise questions about key concepts like sovereignty and breed concerns about crisis escalation. State-sponsored malware is increasingly being found in critical infrastructure and electoral systems. The current armed conflict in Ukraine, which has seen an unprecedented involvement of cyber hacktivist groups and private actors, brings to the fore new difficulties of cyber crisis management for both the belligerents and third states. These ongoing developments in the threat landscape continually shift the goal posts on acceptable state behavior in cyberspace. Despite important strides in cyber policy development by some governments, many strategies are still in the early stages of maturity and provide little guidance for the diversity of cyber crises that can unfold. Moreover, there is much variance in national, regional, and multilateral approaches to what is sometimes called a cyber “wild west” in the international realm, yet these divergences remain understudied. Additionally, states do not always abide by their own policies or the ones agreed internationally, both in their practice of offensive cyber operations and in addressing