The independent resource on global security

Cyber-incident Management: Identifying and Dealing with the Risk of Escalation

Cover_Cyber-incident Management: Identifying and Dealing with the Risk of Escalation
Publisher: SIPRI
SIPRI, Stockholm:
September, 2020

The ever-increasing dependence on information and communication technologies (ICTs) in all aspects of society raises many challenges for national crisis management agencies. These agencies need to prepare not only for new cyberthreats and cyber vulnerabilities, but also for the fact that the aftermath of a cyber incident affecting critical infrastructure has its own challenges. On the one hand, the practical disruptions caused by an isolated incident can be hard to predict and control and, on the other hand, the consequences and perceptions of an incident whose cause is not yet determined can be equally hard to manage. Uncertainty around the cause of the incident and remedial actions being taken often lead to public speculation and political pressure to respond in ways that could create political tensions, and possibly conflict, between countries.

This policy paper is the result of a nine-month research project that was jointly conducted by SIPRI and the Swedish Civil Contingencies Agency (MSB) on cyber-incident management. It explores what national crisis management authorities can do to improve their cyber-incident prevention, detection and response strategies and also how they can do better to deal with the larger societal and potentially political aftermath. It investigates why and how cyber incidents may lead to escalatory scenarios and how these scenarios can be avoided and contained using various de-escalatory approaches. It comprises an introduction providing background and the inspiration of this report (section I); four sections that explore the dynamics of escalation and de-escalation from conceptual (section II), analytical (sections III–IV) and empirical (section V) standpoints; and two sections that present the main findings and recommendations (sections VI–VII).


I. Introduction

II. Analytic framework: The concepts of escalation and de-escalation and the actors involved

III. Escalation threats in the aftermath of a cyber incident

IV. Escalation vulnerabilities in the aftermath of a cyber incident

V. Lessons from past cyber incidents and country studies

VI. General conclusions and recommendations

VII. Targeted recommendations for cyber-incident management in Sweden


Fei Su is a Researcher in the SIPRI China and Asia Security Programme.
Dr Vincent Boulanin is Director of the Governance of Artificial Intelligence Programme at SIPRI.
Johan Turell is a Senior Analyst and Research Coordinator at the Department for Cybersecurity and Secure Communications at the Swedish Civil Contingencies Agency, in Stockholm. His responsibilities span several areas and issues, with a focus on the strategic implications of emerging technologies (such as 5G telecommunications), EU cybersecurity policy, national cyber capabilities development, and research and development funding. He has a particular interest in breaking down the walls of the cybersecurity silo and connecting the subject with the rest of the world.