This summer I attended a Zoom workshop (what else) with some renowned cyber-scholars from all around the world and we discussed cyber escalation dynamics. Do cyber-attacks escalate in the sense, that they increase in quantity or quality? Do they escalate into the physical domain, resulting in conventional attacks? There are still many unknowns. Some people like Herbert Lin argue, that cyber-attacks are akin to sub crisis maneuvering meaning they are just a harassment tactic short of war. Brandon Valeriano et Al. argue that cyber-attacks are an offramp for de-escalation, once the conventional threshold has been reached. I am testing some of those assumptions in my recent working paper on cyber escalation.
I analyze the cyber-conflict interaction between Iran and USA, both potent cyber-powers that are also engaged in conventional attacks without being involved in an armed conflict. We collected data on roughly 60 conflict interactions over the last two years and coded them in terms of conflict intensity. We find evidence that supports the offramp thesis for the USA. Additionally, there seems to be a „Las Vegas effect“: what happens in cyber-space, stays in cyber-space, meaning cyber-attacks are rarely answered with conventional retaliation. If you are interested, you can read the full paper here.