The chances are growing that the United States will find itself in a cybercrisis—the escalation of tensions associated with a major cyberattack, suspicions that one has taken place, or fears that it might do so soon. Bycrisis, we mean an event or events that force a state to take action in a relatively short period or face the fraught consequences of inaction. Typically, because of fear that failure to act leads to war or a great loss of standing, states believe they must quickly decide whether to act.¹ When we use the termcyberattack, we refer to what...

Norms, we¹ now argue, can be an important component in modulating cybercrises, given some realism about what norms can or cannot do.

Those norms that call on states to separate themselves from freelance hackers and organized-crime elements not only make the ecosystem of cyberspace more trustworthy; they also limit the number and power of rogue actors that might otherwise go fishing in troubled waters. Those norms that require the victims of cyberattacks to exercise caution assigning responsibility to other states or in modulating how they respond can help spread oil on those troubled waters. Adroitly applying the laws of war...

The writer Tom Wolfe used to argue that modern art had “become completely literary: the paintings and other works exist only to illustrate the text.”¹ Using this insight, he argued that a modern art museum that, like classical art museums, had large paintings and small explanations of them should instead have large explanations with small paintings in order to illustrate the point. So, too, with narratives about cyberwar. What happened may pale compared with what people say happened. Perhaps more than any other form of combat, cyberwar is storytelling—not inappropriately for a form of conflict that means to alter...

Once a crisis has blossomed into conflict, crisis management becomes escalation management. The success of escalation management depends on the fact that both sides would prefer less disruption and violence rather than more of it—but not necessarily before they make their point to one another. At the very least, both sides share an interest in keeping control over what breaks out rather than ceding control to fate, the passions of warriors, the intrigues of factions, or third parties.

Admittedly, escalation in cyberspace remains a speculative topic. Few government officials have declared their red lines. The cyber equivalent of Herman...

Cyberwar is said to present stability problems similar to those associated with nuclear weapons. Not for nothing did a summer 2010 cover story in theEconomistpicture cyberwar as the digital equivalent of the nuclear bomb, a threat to civilization that necessitated international negotiations and arms control. But does cyberwar threaten strategic stability? Although the matter is still not settled,¹ this chapter argues that the factors that make nuclear instability an issue do not apply in cyberspace, or at least not in the same way.

If the definition ofstrategic stabilityis widened to include all possible sources of inadvertent...

Crises are usually best avoided or resolved with speed. Cybercrises are no exception. Perhaps there are times when a lesson needs to be forced on others. Perhaps, someone else wants a crisis for reasons having nothing to do with what any other state (or at least the United States) did, and a response of some sort is, alas, unavoidable. But, often, there are choices that can be made.

Cybercrises are not an inevitable feature of cyberspace per se. Because it is nearly impossible to disarm cyberattackers, and because cyberdefense is rarely utilized to its fullest (e.g., by disconnecting networks), states...