The ever-increasing dependence on information and communication technologies (ICTs) in all aspects of society raises many challenges for national crisis management agencies. These agencies need to prepare not only for new cyberthreats and cyber vulnerabilities, but also for the fact that the aftermath of a cyber incident affecting critical infrastructure has its own challenges. On the one hand, the practical disruptions caused by an isolated incident can be hard to predict and control and, on the other hand, the consequences and perceptions of an incident whose cause is not yet determined can be equally hard to manage. Uncertainty around the cause of the incident and remedial actions being taken often lead to public speculation and political pressure to respond in ways that could create political tensions, and possibly conflict, between countries.
This policy paper is the result of a nine-month research project on cyber-incident management that was jointly conducted by SIPRI and the Swedish Civil Contingencies Agency (MSB). It explores what national crisis management authorities can do to improve their cyber-incident prevention, detection and response strategies, and how they can better deal with the larger societal and potentially political aftermath. It investigates why and how cyber incidents may lead to escalatory scenarios and how these scenarios can be avoided and contained using various de-escalatory approaches. It comprises an introduction providing the background and inspiration for this report (section I); four sections that explore the dynamics of escalation and de-escalation from conceptual (section II), analytical (sections III–IV) and empirical (section V) standpoints; and two sections that present the main findings and recommendations (sections VI–VII).
I. Introduction
II. Analytic framework: The concepts of escalation and de-escalation and the actors involved
III. Escalation threats in the aftermath of a cyber incident
IV. Escalation vulnerabilities in the aftermath of a cyber incident
V. Lessons from past cyber incidents and country studies
VI. General conclusions and recommendations
VII. Targeted recommendations for cyber-incident management in Sweden