Winner of the 2024 Bernard Brodie Prize

Bernard Brodie lecturing, by Walter Sanders for Life Magazine, September 1946

Contemporary Security Policy awards the Bernard Brodie Prize annually to the author(s) of an outstanding article published in the journal the previous year. The award is named after Dr. Bernard Brodie (1918-1978), author of The Absolute Weapon (1946), Strategy in the Missile Age (1958), and War and Strategy (1973). Brodie’s ideas remain at the center of security debates to this day. One of the first analysts to cross between official and academic environments, he pioneered the very model of civilian expertise that Contemporary Security Policy represents. Contemporary Security Policy is honored to acknowledge the permission of Brodie’s son, Dr. Bruce R. Brodie, to use his father’s name.

The winner of the 2024 Bernard Brodie Prize is:

This article was selected by a jury consisting of five members of the Editorial Board. The jury selected the winner from a shortlist put together by the Editors. This shortlist also included:

The previous winners of Bernard Brodie Prize are:

  • Kjølv Egeland, “A theory of nuclear disarmament: Cases, analogies, and the role of the non-proliferation regime”, January 2022.
  • Eleanor Gordon and Katrina Lee-Koo, “Addressing the security needs of adolescent girls in protracted crises: Inclusive, responsive, and effective?”, January 2021;
  • Elvira Rosert and Frank Sauer, “How (not) to stop the killer robots: A comparative analysis of humanitarian disarmament campaign strategies”, January 2021;
  • Jeffrey Berejikian and Zachary Zwald, “Why language matters: Shaping public risk tolerance during deterrence crises”, October 2020;
  • Tracey German, “Harnessing protest potential: Russian strategic culture and the colored revolutions”, October 2020;
  • Jo Jakobsen and Tor G. Jakobsen, “Tripwires and free-riders: Do forward-deployed U.S. troops reduce the willingness of host-country citizens to fight for their country?”, April 2019;
  • David H. Ucko and Thomas A. Marks, “Violence in context: Mapping the strategies and operational art of irregular warfare”, April 2018;
  • Betcy Jose, “Not completely the new normal: How Human Rights Watch tried to suppress the targeted killing norm”, August 2017;
  • Martin Senn and Jodok Troy, “The transformation of targeted killing and international order”, August 2017;
  • Trine Flockhart, “The coming multi-order world”, April 2016;
  • John Mitton, “Selling Schelling Short: Reputations and American Coercive Diplomacy after Syria”, December 2015;
  • Wyn Bowen and Matthew Moran, “Iran’s Nuclear Program: A Case Study in Hedging”, April 2014;
  • Nick Ritchie, “Valuing and Devaluing Nuclear Weapons”, April 2013;
  • Patrick M. Morgan, “The State of Deterrence in International Politics Today”, April 2012;
  • Sebastian Mayer, “Embedded Politics, Growing Informalization? How Nato and the EU Transform Provision of External Security”, August 2011;
  • Jeffrey Knopf, “The Fourth Wave in Deterrence Research”, April 2010;
  • Diane E. Davis, “Non-State Armed Actors, New Imagined Communities, and Shifting Patterns of Sovereignty and Insecurity in the Modern World”, August 2009.

Saving Face in the Cyberspace: Responses to Public Cyber Intrusions in the Gulf

How do states “save face” following a cyber intrusion directed at them? A new article identifies how Gulf states employ diverse rhetorical strategies—beyond attribution—to narrate cyber intrusions and keep cyber conflict contained.

In July 2017, nearly two months after Qatar had suffered a public cyber intrusion, the Qatari Ministry of Interior (MOI) revealed evidence concerning the intrusion. Rather than only providing technical details about the intrusion, the MOI broadcasted a dramatic video with intense music, thrilling graphics, and a spy-style vibe to reveal the intrusion step-by-step. In addition to delegitimizing cyber intrusions as acts of terrorism, the video emphasizes the Qatari remarkable success in containing the intrusion and detecting its source despite the intrusion’s sophistication.

This Qatari press conference was not unique. When cyber intrusions become public, states do not only engage in technical strategies to deal with the intrusion and identify the initiator, but also manage their public relations – they publish messages, hold press conferences, brief reporters, and rhetorically try to manage the crisis.

However, these performative and symbolic strategies are often left unnoticed in existing research on cyber discourse. Of course, many studies zoom in on the strategy of attribution, but as we see, much more is going on following a public cyber intrusion.

In this article, we explore the rhetorical strategies used by governments in the Gulf in response to a public cyber intrusion they suffered. We do so via an original discourse analysis of official statements and state-sponsored media reports in five cyber intrusions that differ in their targets and methods: Saudi Arabia’s response to cyber intrusion against its oil company Aramco (“Shamoon” 2012), Saudi Arabia’s response to a “hack-and-leak” intrusion (2015), Saudi Arabia’s response to intrusions using “Shamoon 2.0” malware (2017), Qatar’s response to a “hack-and-fake” intrusion (2017), and Bahrain’s response to multiple hacking operations (2019).

Responding to Public Cyber Intrusions

When a cyber intrusion becomes public knowledge, targeted states must find ways to address and explain the resulting social costs. The need to “save face” in these situations arises from the undesirable implications for the identity and image of the state in front of both domestic and international audiences. We suggest that states employ rhetorical strategies to “save face” – to protect their public image in front of domestic, regional, or international audiences.

To better understand these strategies, we propose a typology of “face-saving” strategies that can be categorized into three broad groups: diminishing strategies, self-complimenting strategies, and accusing strategies.

Diminishing strategies involve minimizing the effect of the intrusion, normalizing it, or debunking false information. Minimizing means that states try to reduce the magnitude of the intrusion. Normalizing means that states frame the intrusion as a common occurrence in global politics, highlighting that other countries also experience cyber intrusions. Debunking means that states try to dispute the authenticity of leaked information and provide evidence to counter false claims. These strategies serve to diminish the impact and prevent further dissemination of damaging information.

Self-complimenting strategies are used to enhance the positive perception of the targeted state. States employ bolstering rhetoric to emphasize their successes, international connections, and positive values. Reasserting control is a rhetorical move that showcases measures taken to ensure future protection, often involving investigations, new cyber institutions, and regulations. Correcting is a rhetoric that aims to replace leaked or fabricated information with a more positive narrative by providing an alternative and beneficial account.

Accusing strategies involve exposing the intrusion, condemning the perpetrators, and attributing the attack to specific actors. By adopting these strategies, states shift blame and position themselves as victims.

Findings

When thinking about the public response of states to public cyber intrusions, existing literature primarily discusses the risks of retaliation or escalation as well as attribution. However, as this article shows, states engage in multiple “face-saving” strategies to manage their image and legitimize their restraint. Attribution is only one rhetorical option out of many.

The results of our systematic discourse analysis suggest that different contextual factors shape the specific strategies used. In cyber intrusions that involve leaking or faking information involve, unique strategies of debunking or correcting were used.

Regarding attribution, the cases involving Saudi Arabia – a regional power – did not include public attribution. In contrast, Bahrain and Qatar – smaller powers – did attribute the intrusions but did so only after such attribution was made by American media. These suggestive contextual factors might be used in future research on the rhetoric of cyber responses in other areas.

Understanding these face-saving strategies is crucial for two reasons. First, it provides insights into the restraint and limited nature of cyber conflicts. Existing research focuses on operational aspects and restraint shown by targeted states, but the public narrative and strategic narration of these events are often overlooked. By adopting face-saving strategies, targeted states aim to reduce pressure to retaliate or escalate and justify why such actions are unnecessary. Second, this study contributes to constructivist scholarship by expanding the repertoire of strategies used by states to cope with embarrassment. By focusing on the Gulf countries, we highlight the agency of states in the Global South to interpret cyber intrusions in front of different audiences.

Yehonatan Abramson and Gil Baram are the authors of “Saving Face in the Cyberspace: Responses to Public Cyber Intrusions in the Gulf” in Contemporary Security Policy, which is available here.

The cyber-domain as a narrative battlefield

How do the main actors in cyberspace make sense of its fragmented governance, and how does that translate to their broader strategic narratives? André Barrinha and Rebecca Turner study strategic narratives in their new article in order to find out.

In an era of increasing digital connectivity, the governance of cyberspace has become a critical global concern. Multilateral efforts to navigate the complexities of cyber governance are well underway, with two cyber initiatives currently ongoing at the United Nations (UN).

At the forefront is the Open-ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security overseen by the UN General Assembly’s (UNGA) First Committee. The OEWG is responsible for negotiating norms related to international cybersecurity and responsible state behaviour in cyberspace. The second more recent group is the Ad Hoc Committee (AHC) on cybercrime, overseen by UNGA’s Third Committee. The AHC was created with the intention to create a new treaty specifically addressing cybercrime. These two groups are operating in parallel because of the assumption that international cybersecurity and cybercrime should be addressed separately, as two distinct cyber regimes under the same complex.

International cybersecurity is understood to be divided along three main groups: the liberals, also known as the gatekeepers of cyberspace and custodians of the internet’s core principles, including the UK, US, EU and other likeminded states; the sovereigntists, led by Russia and China, who are inspired by a much more state-centric and territorialised approach to cyberspace regulation; and finally, the non-aligned or swing states, including Brazil, India and South Africa, who oscillate between the former two groups depending on the policy issue.

In our article, we explore the narrative battlefields of the OEWG and AHC using strategic narratives as our starting point. By examining the approaches of key actors from each of the groups – the EU as a representative of the liberals, Russia as an advocate for the sovereigntists and India as a swing state – we aim to uncover their storytelling techniques and the associated implications for the multilateral governance of cyberspace.

As we conclude, the existence of two different forums does not seem to impact the consistency of each actor’s strategic narratives. Rather, there is a strong continuum across the two forums, as described below.

The EU: a force for good

For the EU, both forums serve as opportunities to reinforce its position as a global force for good, committed to responsible leadership and democratic values. Central to the EU’s narrative is the defence of the rules-based order and the founding principles of the internet, which emphasise its global, open, free, stable, and secure nature. In championing these values, the EU establishes itself as an advocate for maintaining the status quo. The EU’s commitment to being a status quo actor is likely motivated by concerns about “Westlessness” – the perception that the world, and cyberspace, is gradually becoming less Western-centric and less aligned with liberal ideals. The EU’s force for good identity narrative and rules-based order system narrative directly facilitates its policy narratives around cooperation, development, and capacity-building.

Russia: the norm-entrepreneur

Russia’s strategic narratives in the OEWG and AHC revolved around four main themes: Russophobia, anti-Westernism, sovereignty and multilateralism. These narrative elements were consistently present in both forums, indicating that Russia’s establishment of the AHC was driven less by a belief in the institutional separation of crime and international cybersecurity as distinct cyber regimes, and more by a desire to counter existing legal and diplomatic structures that Moscow perceives as leaning towards liberal ideals. Through these strategic narratives, Russia aims to position itself at the forefront of cyber diplomacy as a norm-entrepreneur, shape future policy decisions to its advantage, and influence the global discourse on cyberspace governance.

India: the multi-aligner

India is still in the process of formulating a comprehensive strategic approach to cyberspace that aligns with its national interests and aspirations. This ongoing process helps to explain why India adopts a position of multi-alignment in the cyber domain, seeking to maintain connections with both ‘Liberals’ and ‘Sovereigntists’. Consequently, India’s strategic narratives in the cyber realm appear more ambiguous in comparison to the EU and Russia. India articulates narratives around sovereignty, technological autonomy, multilateralism, democracy, and its status as a developing nation. But, while these narratives are present in both the OEWG and AHC, they often lack coherence and occasionally conflict with one another. For instance, the struggle between upholding human rights and asserting stringent sovereign controls exemplifies India’s discursive frictions on fundamental cyber issues.

Narratives matter

Given the relatively nascent stage of the cyber domain and the conflicting views and priorities of the three groups under analysis, the way cyber issues are discursively approached offers intriguing insights into the state of cyber diplomacy. As the AHC moves towards a draft convention on cyber-crime and the OEWG into the second year of its second iteration, the world remains significantly divided on what should and should not be allowed to happen in cyberspace. Understanding the narratives underpinning those divergences is crucial if we are to move towards a safe and stable cyberspace.

As we conclude in the article, for all the specificities and technicalities associated with cybercrime or with the potential application of international humanitarian law to cyberspace, there are over-arching narratives told by the active actors in this domain that need to be taken into consideration. Ultimately, the successful implementation of any agreement or norm will rely on the incorporation of those positive steps within those actors’ strategic narratives of cyberspace.

André Barrinha and Rebecca Turner are the authors of  “Strategic narratives and the multilateral governance of cyberspace: The cases of European Union, Russia, and India” in Contemporary Security Policy, which is available here.

The Paradox and Perils of Authoritarian Support for Multilateral Cyber Governance

Support for international organizations remains a foreign policy mainstay for most democratic states. In a new article, Mark Raymond and Justin Sherman explain why the situation is more complicated with respect to cyber governance. They find that major authoritarian states are championing their own distinct variant of authoritarian multilateralism, while many democratic states have embraced a contemporary form of multilateralism that incorporates substantial elements of multistakeholder governance. The divergence on how to accomplish cyber governance is rooted in a difference over what multilateralism means and the appropriate way to practice it, with deep implications for the broader trajectory of rule-based global order. The widespread adoption of authoritarian multilateralism would amount to CRISPR gene editing the liberal DNA out of the post-1945 order, leaving the form but not the vital substance of liberal multilateralism.

Varieties of Multilateralism 

International Relations scholarship recognizes multilateralism as one of the pillars of the contemporary rule-based global order. Language invoking multilateralism as an idea, and as a practice instrumental to maintaining global security, also features prominently in leaders’ public foreign policy statements. President Biden’s preferred formulation, “rules-based order,” is a close cognate of multilateralism, at least to the ears of listeners in democratic states, who largely accept the notions that the rule of law entails the equal application of rules to actors regardless of power differentials, and that rules should be authored by those subject to them.

However, we think there are good reasons to suspect not only that authoritarian states have different views of how multilateralism should be practiced, but also that democratic states are experiencing ‘dri’ over time in their understandings of what multilateralism entails. We identify and describe two distinct variants of multilateralism: liberal and authoritarian.

The liberal variant is the familiar one, rooted in notions of equality before the law and representation in rule-making processes. In contrast, authoritarian multilateralism is rooted in notions of great power privilege, akin to hierarchical notions of great power management more commonly associated with nineteenth-century world politics. It also differs from liberal multilateralism in the underlying purpose it accords to global governance arrangements. Liberal multilateralism emphasizes transparency and participation, and the realization of human rights as a key goal of global governance arrangements more generally; authoritarian multilateralism is more opaque and statist, and privileges state sovereignty over the welfare of individuals.

Authoritarian Multilateralism in Cyber Governance 

There is broad agreement that China and Russia are the main players in a substantial international coalition seeking to nudge cyber governance arrangements toward multilateralism and away from private and multistakeholder governance modalities. Our analysis goes further by drawing atention to the specific means that they are using in service of this goal: (1) exploiting established procedures to subvert established liberal multilateral governance arrangements; and (2) parallel order-building efforts that employ or create new governance arrangements that lack the distinctive hallmarks of liberal multilateralism.

Russia first sought a multilateral arms control treaty for cyberspace at the United Nations in 1998, leading to the Group of Governmental Experts (GGE) process that continued until 2021. Russia and China supplemented this flagship UN process with increasing involvement in private and multistakeholder Internet and cyber governance arrangements, especially for establishing technical standards.

Landmark GGE reports in 2013 and 2015 and deteriorating relations with the United States and other Western states led China and Russia to shi their UN strategy. They criticized the GGE as fundamentally undemocratic because it included only a select group of states, calling for the establishment of an Open-Ended Working Group (OEWG). Crucially, the OEWG expanded participation to tilt the composition in favor of authoritarian states, and it shied the terms of reference to include negotiation of international agreements rather than the study oriented GGE mandate. Although the first OEWG became more inclusive of non-state actors over time due to democracies’ efforts, the initial design was more akin to authoritarian rather than liberal multilateralism.

Outside the UN, China and Russia also seek to advance authoritarian multilateralism by way of increased engagement with technical standard-seng processes for digital technologies and in bilateral infrastructure diplomacy. However, the parallel order-building strategy is most evident in long-standing efforts by the Shanghai Cooperation Organization, which stands out as an explicitly illiberal international organization substantially less transparent than IGOs created with strong involvement from the world’s major democracies. Most recently, China has announced that it intends to transition its World Internet Conference into a new multilateral organization specifically for cyber governance. Such a step would substantially elevate parallel order-building efforts in the cyber regime complex.

Implications for Rule-Based Global Order 

Cyber governance is not only vitally important, it is also an especially stark contrast between two different visions of what multilateralism means and how it should be practiced. The authoritarian variant illustrated here is opaque, insulated from participation by non-state actors, and aims at creating an international order that excises core aspects of the post-1945 order rooted in democracy and human rights as core values. The liberal variant, in contrast, has evolved over time to be more inclusive of nonstate actors than its initial form, such that multilateralism as practiced by democratic states now incorporates elements of multistakeholder governance.

Which of these variants predominates in global governance is thus a consequential question for policymakers, and for the trajectory of the rule-based global order. It also poses foreign policy challenges for democratic states. If China moves ahead with a multilateral international organization for cyber governance, democracies will face a choice: should they join such an organization, hoping to influence its decisions? If so, they will need to operate in a fundamentally different procedural context than most major international organizations. If they stay out, it will provide greater freedom of action for Russia, China and other authoritarian states to shape the future of cyber governance in ways that may have significant global effects over time.

Mark Raymond and Justin Sherman are the authors of “Authoritarian Multilateralism in the Global Cyber Regime Complex,” Contemporary Security Policy, which is available here

 

Call for the 2025 Special Issue

CSP CoverContemporary Security Policy is seeking proposals for a special issue to be published in January 2025 (volume 46(1)). The special issue should address a topic within the aims and scope of the journal. CSP has an impact factor of 5.900, which ranks the journal #3 out of 96 in the category International Relations.

One of the oldest peer reviewed journals in international conflict and security, CSP promotes theoretically-based research on policy problems of armed conflict, intervention and conflict resolution. Since it first appeared in 1980, CSP has established its unique place as a meeting ground for research at the nexus of theory and policy. Topics of interest include:

  • War and armed conflict
  • Peacekeeping
  • Conflict resolution
  • Arms control and disarmament
  • Defense policy
  • Strategic culture
  • International institutions

CSP is committed to a broad range of intellectual perspectives. Articles promote new analytical approaches, iconoclastic interpretations and previously overlooked perspectives. Its pages encourage novel contributions and outlooks, not particular methodologies or policy goals. Its geographical scope is worldwide and includes security challenges in Europe, Africa, the Middle-East and Asia. Authors are encouraged to examine established priorities in innovative ways and to apply traditional methods to new problems.

Special Issue Information

Special issue proposals should contain (in one PDF document):

  • A short discussion of the rationale and contribution of the special issue (3 pages max). Please also state why the topic falls within the aims and scope of the journal and why the proposal would be of interest to a large audience.
  • Contact details, institutional affiliation, one paragraph biography of the special issue co-editors, and three recent publications of each of the co-editors. Feel free to include a link to the personal website of the co-editors. Do not submit full CVs.
  • A list of confirmed articles and authors. Please include for each article (a) the title; (b) 150 word abstract; (c) a very short statement how the article contributes to the special issue and why it needs to be included; (d) a one paragraph author biography; and (e) three recent publications of the author(s).
  • The current state of the special issue. Please describe the background (e.g. previous workshops and conferences) and the timeframe towards the submission deadline.

The special issue will consist of a substantive introduction and 6-7 articles. The introduction should stand on itself. It should serve as a state-of-the-art article and be a reference point for all the other articles in the special issue. It is recommended that special issue proposals include 9-10 articles. All articles will be sent by the journal for peer-review on an individual basis. It is unlikely that all articles will eventually make the cut.

Most articles in CSP are around 9,000-10,000 words (including notes and references). However, manuscripts up to 12,000 words are accepted, for example when they include multiple case studies or use mixed methods. Total word limits will be discussed in case of acceptance.

Please submit your application (one PDF file) to csp@nullmaastrichtuniversity.nlThe deadline for the special issue proposal is 18 November 2023. The decision will be announced soon afterwards. The decision by the editors is final. All articles will have to be submitted by 16 February 2024. The full special issue should go into production in October 2024.

U.S. Alliance Credibility after the 2021 Afghanistan Withdrawal

In late 2021, numerous commentators feared that America’s dramatic troop withdrawal from Afghanistan would hurt its credibility as a great-power security patron among onlookers in key allied and adversarial countries. A new article by D.G. Kim, Joshua Byun, and Jiyoung Ko shows why such fears are likely overblown. 

The Joe Biden administration’s highly publicized military pullout from Afghanistan in August 2021 evoked widespread fears that the credibility of U.S. security commitments around the world would be ineluctably damaged. “[E]very enemy will draw the lesson that the United States is a feckless power,” one commentator wrote in the New York Times, “[a]nd every ally—Taiwan, Ukraine, the Baltic States, Israel, Japan—will draw the lesson that it is on its own in the face of its enemies.” 

Such arguments were hugely popular and intuitive, but we found them puzzling for several reasons. To begin with, Afghanistan was not a formal ally of the United States by the time of the 2021 troop withdrawal, since the legal framework for security cooperation between the two countries had been terminated with the signing of the Doha Agreement by the Donald J. Trump administration and the Taliban in February 2020. Would onlookers in countries that are formal treaty allies of the United States—as well as those among the adversaries that confront such allies—really jump to the conclusion that U.S. behavior toward such “informal” security partners is likely to be replicated in their own neighborhood? 

Moreover, while many Americans apparently feared that their country’s reputation as a great-power ally in vital regions will be fatally undermined if it fails to defend any individual security partner, recent works drawing on qualitative case studies suggested that foreign audiences do not necessarily evaluate U.S. credibility in such terms. Indeed, such works seemed to hint at the possibility that allied and adversarial audiences might draw the opposite inference under certain conditions. If these onlookers understand U.S. military capabilities and attention as finite resources that must be competitively allocated across different regions, the American decision to abandon a security partner in one region might not necessarily hurt the perceived trustworthiness of its security commitments in another; in fact, such decisions might help improve widespread perceptions of U.S. credibility. 

To test these competing intuitions, we deployed parallel survey experiments in the United States, South Korea, and China—the latter two respectively representing a key ally and adversary for the United States in the strategically vital region of East Asia—approximately five months following the dramatic Afghanistan withdrawal. The idea was to randomly treat ordinary members of the public in each country with a vivid reminder about the U.S. decision to abandon its decades-long military commitment to Afghanistan, including the fact that “the Taliban took control of Afghanistan amidst the ensuing chaos.” 

 After assigning the treatment, we would ask our U.S. respondents to give us their best guess about the level of confidence people in South Korea and China would have in America’s support for its South Korean ally should a militarized conflict arise between the two East Asian powers. We would then compare the American guesses with actual perceptions reported by the publics of these two states when asked about how credible they would deem U.S. military support for South Korea in the same hypothetical clash. 

Our findings were unequivocal. While Americans who were reminded of the Afghanistan pullout tended to become more pessimistic that key audiences in East Asia will view the U.S. security commitment to South Korea as credible, their pessimism was not corroborated by foreign views. Neither the South Korean nor Chinese respondents significantly revised their confidence in America’s regional alliance commitment when presented with the Afghanistan withdrawal reminder. 

More importantly, the results suggested that appropriate diplomatic messaging can help strengthen the credibility of U.S. security commitments among foreign publics in the wake of events like the Afghanistan pullout. When given a short additional message that the United States might henceforth be able to further prioritize East Asia when allocating military resources abroad, the South Korean and Chinese respondents who had been reminded of the Afghanistan withdrawal became significantly more confident that the United States would follow through on its commitment to defend South Korea in the event of a local military conflict. The upshot was that the impact of the Afghanistan withdrawal reminder is channeled through the information observers have about their local strategic context, such that its implications for perceptions of American credibility could be diametrically opposed to those feared by U.S. analysts. 

These findings offer clear takeaways for how to think about U.S. alliance credibility in the wake of decisions like the Afghanistan withdrawal. Policymakers, for one, should be more willing to consider extricating the United States from costly military commitments in strategically peripheral areas without fearing the loss of a “reputation for resolve” and the widespread erosion of credibility in more important regions. Indeed, by foregrounding the potential for a favorable reallocation of strategic resources, they might be able to turn such events into an asset in the campaign to enhance the credibility of their country’s alliance commitments in key regions, rather than a liability. 

More broadly, concerned Americans should be mindful of research findings such as ours when observing doomsaying about their country’s broader credibility that typically follows decisions to retrench from—or not become more forcefully involved in—distant regions where the United States harbors only limited strategic interests and informal defense obligations. By and large, audiences among critical strategic interlocutors like South Korea and China do not distrust America’s willingness and ability to defend its alliance commitments in their own region just because it has failed to stand up for an informal protégé half a world away. They understand that the two are different places. 

D.G. Kim, Joshua Byun, and Jiyoung Ko are the authors of “Remember Kabul? Reputation, Strategic Contexts, and American Credibility after the Afghanistan Withdrawal”, Contemporary Security Policy, which is available here. 

Privatizing security and authoritarian adaptation in the Arab region since the 2010–2011 uprisings

In a new article, Engy Moussa studies the rise of private security companies in the Arab region since the 2010-2011 uprisings. She finds that this development offer new venues to enrich and strengthen the ruling elites.

Regardless of where you look in the Arab region, the uprisings didn’t lead to democratization. Instead, authoritarian systems prevailed through enhanced strategies of public security, political co-optation and social control. This ongoing authoritarian adaptation features considered input from private security actors amid intense security market diversification and considerable outsourcing of domestic security and guarding services.

Addressing ‘how privatizing security contributes to perpetuating authoritarian practices post-2010,’ my recent article argues that contemporary security privatization and outsourcing provide alternative agents and strategies for social control, while offering new venues to enrich and strengthen ruling elites. Supplementing the continuous dominance of repressive state security forces, privatizing and outsourcing security essentially support practices of authoritarian adaptation by cultivating networks of patronage; diversifying ruling elites’ bases of security; and curbing constant sources of unrest.

Ongoing security privatization across the region is multifaced, with notable variation among cases, particularly privatizing security in conflict zones versus under relatively stable regimes. Alongside the military facet of the private security industry (PSI), widespread in conflict zones as in Libya and Syria, the steady rise of private security, rather than military, companies (PSCs) across the region is remarkable. From an international perspective, the PSI development in the region, starting in the 1980s, follows the global move toward neo-liberal governance, which advocates replacing public provision of welfare and social security with notions of privately purchased security.

While predating the uprisings, the latter hastened PSCs’ growth in terms of profit-making, scope of activities, suppliers and clients, among other factors. On one level, the contemporary heightened resort to PSCs within the private sector responds to turbulent security environments shaped by post-uprisings developments. Immune to the general decline in domestic economies, PSI has thus steadily expanded to meet increasing demands from different social sectors, being simultaneously boosted by growing outsourcing of public security functions. As it continuously prospers, PSI opens wide venues for employment and business growth; thus, indirectly enhancing some authoritarian systems’ economic viability by helping to alleviate widespread economic hardships.

Amidst the patrimonial networks within the post-2010 security markets, PSCs’ status is noteworthy. While attracting many newcomers, and enabling old players to flourish, a close look at PSI’s structure and members suggests a considerable share of the industry belongs to already powerful actors: state personnel and institutions alongside established businessmen. Yet, the dominant position occupied within the expanding PSI by security personnel alongside different state institutions and business elite is not what makes Arab states distinct. Across cases, private security actors are well-connected with state actors, with PSCs commonly owned or run by ruling elite members or state institutionsand ex-security officers working as private guards.

Instead, it is the role these actors have played, before and after 2010, in perpetuating authoritarianism and preserving ruling elites’ security that raises concerns about their prevalence over the mounting provision of private security. In this light, including PSCs in networks of patronage and entrusting private security provision to business and security elites, who are loyal to and dependent on autocratic ruling elites, provide the latter with substantial influence over private security and diffuse the distinction between public and private security agents as the latter become closely linked to ruling elites and potentially implicated in authoritarian strategies and policies.

Beyond nurturing networks of patronage, outsourcing security mirrors the tense relationship between ruling elites and state security institutions. The uprisings’ early phase severely shook the mutual dependency between some Arab ruling elites and their coercive institutions. After all, the police forces’ retreat from the streets, as in Egypt and Tunisia, alongside the military leadership’s decision to abandon the presidents, gave substantive ground to the uprisings and marked a reshuffle of power relations among ruling elites. In this regard, state preference to employ PSCs, instead of police or armed forces, to fulfil certain public security functions, arguably implies a diversification of the ruling elites’ coercive allies and an attempt to decrease dependence on state forces.

With many PSCs closely linked to ruling elites, they exhibit great loyalty to them and consider the authoritarian system’s security and stability among their main priorities. Compared to a recurrently inefficient police force, internally fragmented and whose loyalty is considerably uncertain in some Arab states, PSCs arguably represent more secure and reliable agents for selected public security tasks. Moreover, PSCs’ competitive nature and private dynamics of operation offer an advantage with respect to their performance: being presumably more professional, effective and cost-efficient; while the need to regularly renew contracts with the state boosts their incentive to enhance performance and reassert loyalty to secure new contracts and remain strong in the market.

Ultimately, privatizing and outsourcing security in some Arab countries reflect broad transformations in governance where public and private sectors are continuously reconfigured. Outsourcing security is profoundly shaped by domestic politics, especially the impact of authoritarianism on state security forces and the damaged state-society relationship it produces. Particularly, mistrust in the state’s ability or willingness to provide protection alongside public fear from the state’s abusive and arbitrary power are central to examining PSCs expansion in the Arab region amid a lack of serious public debates on the repercussions of growing privatized violence.

Engy Moussa is Teaching Associate at the Department of Politics and International Studies at the University of Cambridge and James Buchanan Fellow at the Mercatus Center at George Mason University. She lectures on Middle East Politics and pursues a multi-disciplinary research agenda covering the politics and economics of authoritarian systems, critical security studies, and international relations. She is the author of “Privatizing security and authoritarian adaptation in the Arab region since the 2010–2011 uprisings”, Contemporary Security Policy, which can be accessed here.

Zero-day vulnerabilities are powerful cyber weapons: Use them or patch them?

The U.S. government faces a dilemma regarding zero-day vulnerabilities: it can either stockpile or disclose them. In a new article, Marcelo M. Leal and Paul Musgrave show that Americans overwhelmingly support the disclosure of information about zero-day vulnerabilities to vendors.

In 2017, the WannaCry and NotPetya malware exploited a vulnerability in the Windows operating system, causing widespread havoc. Ironically, the U.S. National Security Agency (NSA) had been aware of this vulnerability for about five years. Instead of disclosing the vulnerability to Microsoft, however, NSA held on to the knowledge—until the vulnerability was leaked in public forums.

This case illustrates a dilemma that the United States government faces when it discovers zero-day vulnerabilities. Zero-day vulnerabilites are software and hardware flaws that are unknown to computer vendors. As a result, they are enormously valuable to attackers since there is no defense against them. Intelligence agencies such as the NSA and CIA—as well as other governments and even some private firms—work hard to develop such zero-day exploits because of the advantages they afford the attackers.

Once a vulnerability is discovered, an agency can either disclose information about it to vendors so that it can be patched or withhold it so that it can add the vulnerability to its stockpile of cyber weapons. By withholding information, U.S. national security agencies can exploit zero days to penetrate the computer systems of its adversaries—yet doing so also leaves U.S. and allied entities vulnerable should an adversary independently discover these flaws and use them against the United States. By disclosing information to vendors, the U.S. government allows vendors to fix the vulnerability and secure their systems in a timely manner—but it also denies the use of such attack vectors against adversaries by U.S. national security agencies.

Debates about how and where to draw the line between disclosure and stockpiling are a staple of cyber policy discourse. This is less of a dilemma for the U.S. public. Results from a survey experiment we conducted in late 2021 show that it’s likely that respondents are squarely in favor of disclosing information to vendors, even when informed that withholding this information could save many Americans lives in a future conflict. Our results also demonstrate that the likelier it is that an adversary could use a given zero day, the more Americans favor disclosing the vulnerability to a vendor.

The Vulnerabilities Equities Process

Since 2010, the U.S. government has a policy in place to address this dilemma. The vulnerabilities equities process, or VEP, guides executive branch officials in their decision to disclose or to retain publicly unknown vulnerabilities. Official documents released to the public in recent years show that officials are believed to take several factors into consideration when they discover a zero-day vulnerability, like the consequences of an adversary exploitation and how quickly an exploit could be patched. Nonetheless, analysts have singled out two factors that are critical for decisionmakers: how long a vendor will remain unaware about the flaw (longevity of a zero day) and the likelihood that an adversary will independently discover it (its collision rate).

Those who think that vulnerabilities need to be patched to protect American interests from adversaries think the VEP is too weak. Those who think that a strong cyber offense is more important think that it is (or could become) too strong. Understanding how this debate will resolve requires researching many topics, such as the influence of different agencies and interest groups, but it also requires investigating public opinion. Even though cybersecurity is a technical field, and even though zero-day vulnerabilities are among the U.S. government’s most prized secrets, the public’s views on the issue could shape how politicians and officials craft policy—particularly if there’s another major incident involving zero-day flaws known to the U.S. government.

To explore how the American public thinks, we conducted a survey experiment testing whether different levels of longevity and collision rates influence respondents support for disclosing or withholding zero-day vulnerabilities. Respondents read a scenario that pitted retaining a vulnerability for use in a potential attack against Iran (saving many American servicemembers’ lives) against the possibility that it could be independently discovered by an adversary and used against the United States. We manipulated this collision rate to specify that there could be a high, low, or medium chance that an adversary could acquire the zero day. Separately, we also manipulated whether the vulnerability would be likely to exist for a few months, a year, or several years.

The results were unequivocal. We found that the longevity of a vulnerability does not make respondents more or less likely to support disclosure. On the other hand, collision rates do influence respondents’ evaluations. As the likelihood that an adversary could independently discover a vulnerability goes up, support for informing the vendor about the vulnerability also increases.

Policy implications

There may be a substantial disconnect between the preferences of the public and those of the U.S. government regarding zero-day disclosure policy. Even though U.S. officials hint that disclosure is the default option in the vulnerabilities equities process, recent studies show that this might not be true in practice. Some research also suggests that the interests of the intelligence and law enforcement agencies are more represented in the VEP than those of the public and technology firms, suggesting a bias toward stockpiling zero days.

This public-government disconnect could lead to policy changes. Previous leaks showing that U.S. intelligence agencies failed to disclose zero-day vulnerabilities to vendors have already led the federal government to disclose information about the vulnerabilities equities process several times. Congress has also reacted to these cases. In recent years, lawmakers have introduced two bills that aimed to codify the VEP and could make disclosure the default option by law. None, however, advanced in their legislature. Given our findings, it is possible that agency policies may be subject to correction should policy windows open for a long enough period.

Marcelo M. Leal and Paul Musgrave are the authors of “Backwards from zero: How the U.S. public evaluates the use of zero-day vulnerabilities in cybersecurity”, Contemporary Security Policy, which is available here

What drives states to join universal WMD treaties

Our understanding of WMD treaties is largely based on what we know about the nuclear Non-Proliferation Treaty (NPT). In a new article, Jan Karlas studies state participation in all 10 universal treaties. He finds that states ratify those treaties for a variety of reasons.

Currently, there are 10 universal treaties that were adopted since the end of the Second World War and regulate weapons of mass destruction (WMD). These treaties limit the possession or testing of nuclear weapons (nuclear weapons treaties), prohibit chemical and biological weapons (CBW treaties), and ban the deployment of WMD in Antarctica and outer space, and on the seabed (zonal treaties). Almost all of them came into being during the second half of the 20th century as a result of the convergence in the interests of the two nuclear superpowers, represented by the USA and the USSR, and the majority of the other states.

To be effective and legitimate, WMD treaties need be truly universal and involve ideally all sovereign states. However, they only hardly manage to reach this goal. Typically, a certain number of countries ratify a WMD treaty relatively quickly, others wait to ratify for a longer time, and some even do not become parties to it. For the example, the Biological Weapons Convention joined together more than 75% states only 31 years after its adoption, and at this moment, only 41% of states ratified the Seabed Treaty.

It is important to understand when states enter WMD treaties, and when they do so only with a considerable delay, or even stay outside a treaty. The neorealist theory of international relations would, in this regard, differentiate states on the basis of their security situations and capabilities. Those that face security threats and have the necessary capabilities to develop WMD should be more likely to keep their autonomy and postpone the ratification of WMD treaties. Those that are not confronted with security threats, or do not have the necessary capabilities, are more likely to join these treaties quickly. Several scholars used these ideas to explain the ratification of the most prominent WMD treaty, the Nuclear Non-Proliferation Treaty (NPT).

In my paper, I go beyond the NPT, seeking to explain what drives ratification decisions generally, in relation to all the categories of WMD treaties. I reconsider the costs and benefits from participation in the different categories of treaties, and formulate a new explanation for this participation. A statistical analysis that maps the ratification behaviour of 204 states during the years 1960-2022 confirms this explanation.

The findings of the paper show that there are four specific factors that determine propensity of states to commit to WMD treaties. First, the possession/pursuit of WMD delays participation in treaties that completely ban these weapons, or they testing (CBW treaties and the majority of nuclear weapons treaties). This finding has two non-trivial implications. The first of them is that by far not all states that live in insecure environments necessarily postpone the ratification of WMD treaties. At the same time, the majority of states that possess or pursue WMD do not immediately destroy them, or stop the effort to acquire them, once there is a new treaty that calls for it. They sometimes join such a treaty, but after a relatively long time.

Second, the attitudes of countries to the US-led, liberal hegemonic order influences their decisions on participation in nuclear weapons treaties. My findings show that when countries are satisfied with this order, they generally join nuclear weapons treaties quickly. This can be explained by the fact that the nuclear order, which most of these treaties support, is closely linked to the liberal hegemonic order. The preliminary data also shows that the countries that have critical views of the US-built order have been entering the recently adopted Treaty on the Prohibition of Nuclear Weapons, which, unlike other nuclear weapons treaties, challenges the hegemonic nuclear order, considerably more quickly than the states that are content with this order.

Third, economically developed states commit more quickly than less developed states to CBW treaties and zonal treaties. These treaties stipulate that states take necessary domestic legal and policy measures to regulate the use of biological and chemical materials, or set-up the basic rules for economic, scientific, and other activities taking place in Antarctica and outer space. The large biotechnological and chemical industries, and the resources needed for the exploration and exploitation of remote international spaces, increase the stakes that developed states have in the CBW and zonal treaties.

Fourth, the probability that a state will ratify any of the three categories of WMD treaties raises when a certain number of its regional peers joined it. When observing the positive ratification decisions of their peers, state representatives become more convinced that a given treaty represents a useful policy tool to strengthen national and international security. And they also react to the ratification decisions of their peers to act in line with the dominant preferences within their regional political community.

All these findings also imply that WMD treaties do not perform particularly well at identifying the states that comply with their provisions, simply because many countries join them with delays, or stay out of them, unless they have some benefits from participation. Due to this, these treaties do not work as ideal screening devices that would provide accurate information about states complying with the international rules on WMD. The lack of universal membership also limits their authority to provide legitimization to these rules.

Scholars suggested several ways that can ensure the widespread participation of states in WMD treaties and regimes. They argue that the most powerful states must act as leaders and provide incentives to smaller states, or that strong verification mechanisms must support treaties so that the participating states have information about the (non-)compliant behaviour. My paper identifies two additional important aspects. First, WMD treaties have a greater chance to reach a widespread membership if their functions provide substantial benefits to the different groups of states. Second, the existence of certain minimal numbers of states that support a WMD treaty in the individual world regions is another crucial precondition for its widespread ratification.

Jan Karlas is the author of “Explaining state participation in ten universal WMD treaties: A survival analysis of ratification decisions”, Contemporary Security Policy, which can be accessed here.

Promoting the “Rules-Based Order” through strategic narratives

In a new article, Rebecca Strating studies strategic narratives around the “Rules-Based Order” (RBO) in Asia-Specific. She studies three asymmetrical bilateral maritime disputes that involve the UK, India and Australia, and finds that RBO narratives constrained the behaviours of the states that adopt the term.

In November 2022 the United Kingdom’s Foreign Secretary James Cleverly announced that the UK would open negotiations with the Republic of Mauritius on the sovereignty of the Chagos Archipelago, a small group of atolls claimed by both states in the Indian Ocean.

This announcement indicated a reversal of UK policy. London had previously rejected Mauritian sovereignty claims and expressing its commitment to ceding sovereignty only when the Chagos islands were no longer required for its defence purposes. In 1966, the UK leased the biggest island – Diego Garcia – to the United States, where it set up its key military base in the Indian Ocean that was subsequently used in major US military operations. As the Indian Ocean is increasingly subject to strategic contestation, both the UK and US has viewed UK’s continuing sovereignty of Chagos Archipelago as important to countering the regional presence of the People’s Republic of China.

Given the strategic value of Diego Garcia to the UK and its relationship with the US, what explains the new government’s approach?

Mauritius and its supporters have engaged in a campaign based on strategic litigation and public diplomacy to put reputational pressure on the UK both domestically and internationally. This campaign has emphasised how the UK – by refusing to deal with the legacy of colonialisation in the Indian Ocean – was actively undermining the international ‘rules-based order’ (RBO) that it has sought to defend in its own strategic narratives.

This campaign has been long-running. In 2010, Mauritius initiated an arbitration under the United Nations Convention on the Law of the Sea (UNCLOS) protesting the UK’s declaration of a Marine Protected Area around Chagos islands. The UK initially responded by disputing the tribunal’s jurisdiction to hear the case. When the ruling largely fell in Mauritius’ favour, the UK interpreted its newly-defined legal responsibilities in a minimalist way.

In 2019, Mauritius asked the UN General Assembly to request an International Court of Justice (ICJ) advisory opinion on Chagos sovereignty in 2019, which UK narratives cast Mauritius as inappropriately ‘internationalising’ the bilateral dispute. The resultant ICJ advisory opinion rejected UK sovereignty over the Chagos Archipelago on the grounds that Mauritius’ decolonisation was not lawfully completed. The same year, the UN General Assembly voted in favour of strongly condemning British occupation of Chagos Islands, calling for complete decolonisation. In 2021, a Special Chamber in the Mauritius-Maldives maritime boundary dispute re-affirmed the ICJ’s advisory opinion as having legal effect.

Cumulatively, these legal rulings and the associated discourses around them has made it more difficult for the UK to defend its sovereign and maritime claims around the Chagos archipelago to an international audience, especially in light of its own RBO narratives.

This article uses the Chagos example as one case study to demonstrate how states can become ensnared in their own strategic narratives that are designed to compel emerging great powers to abide by existing norms and international law.

In the context of dramatic power shifts in Asia, regional allies and partners of the US such as the UK, Australia, Japan, and India, have adopted new ‘Indo-Pacific’ strategic narratives to stabilise, promote and defend their preferred vision of an RBO, one in which ostensibly all states – even global and authoritarian powers – comply with existing and commonly agreed upon standards of behaviour.

‘Indo-Pacific powers’ are particularly concerned about the revisionist intentions of China. Beijing’s maritime assertions in the South China Sea are the key example used to argue that China desires to ‘re-order the region’ by ‘bullying’ its smaller neighbours in maritime disputes and pursuing ‘unilateral changes to the status quo’ through coercive activities that violate or ignoring UNCLOS. Beijing’s rejection of the 2016 South China Sea Arbitral Tribunal ruling in the case initiated by Philippines – which found China’s ‘historic rights’ claim in the South China Sea inconsistent with international law – as a challenge to the prevailing RBO.

Yet, as these states encourage emerging powers to abide by the ‘rules’ in their strategic narratives, they can be held to the same standard in their own asymmetrical disputes. RBO narratives can promote greater state compliance with international law and norms, but this tends to be among states who adopt the narrative rather than its targets: emerging revisionist powers who violate, ignore, or seek to re-write international law.

The article compares the rhetoric and actions of three Indo-Pacific powers in asymmetrical bilateral maritime disputes: the Timor Sea United Nations Compulsory Conciliation between Australia and Timor-Leste, the Bay of Bengal Maritime Boundary Arbitration between India and Bangladesh, and the Chagos Island Marine Protected Area Arbitration between the UK and Mauritius.

In each case study, there is evidence that reputational concerns became as important – if not more so – than material considerations, although this played out in different ways across the case studies.

The bigger powers – Australia, India and the UK – came to interpret the disputes in the context of their overarching strategic interests and concerns about great power revisionism, particularly in maritime domains.

Ultimately, RBO narratives constrained the behaviours of the states that adopt the term. Adopters were compelled to take different approaches in their own maritime disputes with smaller powers to reduce the perceived inconsistencies between their RBO rhetoric and their actions. For states, this suggests that there are risks involved in invoking the RBO in their strategic narratives. In an increasingly contested region, reputation and credibility can play an important role in regional diplomacy as Indo-Pacific powers seek to persuade other states that the existing order is preferable to authoritarian alternatives. This produces positive affects for the legitimacy of international regimes such as UNCLOS even though it is not necessarily the intended outcome of Indo-Pacific states’ rhetorical strategies. The RBO, however, is less effective in changing the approaches of the primary disrupters, including authoritarian powers such as China and Russia.

Rebecca Strating is the author of “The rules-based order as rhetorical entrapment: Comparing maritime dispute resolution in the Indo-Pacific”, Contemporary Security Policy, which can be accessed here.