What is cyber coercion, and how have states used cyber operations to coerce others? Based on unclassified, open-source material, the authors of this report explore how four states — Russia, China, Iran, and North Korea — have used cyber operations, and whether that use constitutes cyber coercion.
States like Russia and North Korea appear to be more likely to have used cyber operations as a coercive tool than China and Iran. The authors also find that, contrary to what coercion theory would predict, states often do not make distinct threats with unambiguous demands for changes in behavior. Rather, states use cyber operations to try to coerce their neighbors while denying responsibility, often hiding behind proxies and without issuing clear demands. Despite the low probability of success, the authors anticipate that states will continue to use cyber operations to coerce and may, in fact, come to employ them more often in the future. To prepare for this outcome, the United States and its allies need to work now to develop methods to discern cyber coercion as it emerges and strategies to counter it in the future.
Cyber operations intended to coerce are a small subset of overall cyber operations globally
- Espionage remains the predominant purpose of states’ cyber operations.
- Russian cyber operations appear to have had some coercive intent in Ukraine and Montenegro.
- Chinese cyber operations show a continued focus on espionage, but potentially with some coercive intent as a secondary objective.
- Iranian cyber operations appear more focused on retaliating against regional neighbors and the West, rather than serving a direct coercive purpose.
- North Korea has routinely engaged in coercive acts in the physical world and sees cyber operations as another means to coerce others.
- The assessment of these cases indicates that the threat, the threat actor, and the desired change in behavior are often unclear or ambiguous, though this ambiguity does not appear to prevent countries from pursuing these coercive campaigns.
- The United States and its partners need to develop a richer understanding of how cyber coercion might emerge, build systems to provide warning of impending operations, and craft strategies to deter and respond to cyber coercion.