global politics, relationally

Making Progress with Data: Updating the Cyber Incident and Dispute Data


With Ryan Maness

We have recently released Cyber War versus Cyber Realities and our cyber conflict dataset has been out in the public for some time.  It has been encouraging to see scholars start to use the data, even more so to see it being used by governments in their evaluation of the cyber security threat. That being said, the data should come with a few notes of caution, especially during this time of concern and mistrust of data.  data world

The Warning

All data, at least good data, is a work in progress.  It should be continually updated and corrected as errors are pointed out, additions are made, and subtractions are warranted given evidence. No dataset should ever be considered fixed or constant, instead it should be seen as a work in progress.

It should also be clear that the interpretation of data comes with its own biases.  While data might be independent, the evaluation of data never is and will come loaded with our own perceived notions and ideals. We are looking forward to the day when someone takes our data and presents it in the complete opposite way that we do, focusing on the threats and retaliations rather than restraint.  To us, this is why data is fascinating.  Lots of different avenues can be pursued with evidence, the key is that evidence is at least used and not molded to fit expectations.

Improvements and Additions

Our next update of Dyadic Cyber Incidents and Disputes Dataset (DCID) will be version 1.5 and will have two key additions.  One will be a reworked severity variable and is discussed in greater detail below and two, the data will go from 2001-2015 for all states considered to be rivals, adding incidents from 2012-2015 to the dataset.

Version 2.0 will be something else entirely and we are currently seeking funding since this will be an ambitious update.  Version 2.0 will be a comprehensive update for all states in the system from 2000-2015 including information on cyber power and capabilities (cyber units, amounts spent), variables for objectives and success in cyber actions, and greater sourcing and links for further information, including narratives for each cyber dispute.

Fixing Severity

This leads up to the current issue at hand, fixing the severity measure.  Once we started publishing work using DCID, I found the variable we created was not really suited to our needs. Severity was coded between 1-5, with all incidents residing between 1-3 since no severe cyber actions had been witnessed yet.  While we want to leave the option of coding higher level incidents in the future, doing so left us with a measure that was basically between 1-3.  The new severity measure we propose is between 0-10 and gives us greater range and flexibility in using the measure.

It is listed below in full and we hope for and welcome suggestions as we seek to implement this new update (email if you do not wish to publicly comment.


Dyadic Cyber Incident and Dispute Dataset (DCID) 1.5

Updated Severity Scale

10-Massive death as a direct result of cyber incident

Example – NORAD hacked and missiles launched, Air traffic control systems manipulated, commercial airliner hacked and brought down

Notes – For this measure to be coded, a state must direct a cyber incident against another state’s or private organizations’ network where the system is manipulated and massive loss of life is a result (over 100 deaths).

9- Critical national infrastructure destruction as a result of cyber incident

Example – power grid hack, hydroelectric dams shut down, indirect death

Notes – For this measure to be coded, a state’s critical infrastructure must be breached and the network manipulated so that widespread functionality is disrupted for a period of time.

8-Critical national economic disruption as a result of cyber incident

Example – stock market price manipulation, critical e-commerce shut down for extended periods

Notes – For this measure to be coded, a sophisticated infiltration must be responsible for the manipulation of prices that affect stock market indexes and prices for extended periods of time. Another example would be a cyber incident being responsible for the slowing or shutting down commerce online.  This attack must be severe and critically threatening beyond compromising payment systems.

7-Minimal death as direct result of cyber incident

Example – Auto hacked, pacemaker hacked

Notes – Here a state-sponsored cyber incident would be responsible for the death of an individual or group of individuals of another state by either hacking into the automobile of the victim(s) and causing it to crash, or if the victims(s) is dependent on a pacemaker to live and this device is hacked, leading to that person’s death.

6-Single critical network widespread destruction

Example – (Aramco, DoD taken offline, Lockheed Martin database wiped out)

Notes – For this measure to be coded, a single network that is critical to national security must be breached and widespread destruction must be successful. Critical stored information is destroyed or unrecoverable or functionality of the network must be limited to non-existent for a period of time.

5-Single critical network and physical attempted destruction

Example – (Stuxnet, Flame, DoD secure network intrusion)

Notes – This measure entails the successful breach of a network where damage is done, however the breached network is left intact in terms of functionality and recoverable losses.

4-Widespread government, economic, military, or critical private sector theft of information

Example – (US OPM hack, DoD employee records stolen, IRS hack)

Notes – Phishing and intrusion espionage campaigns that successfully steal large troves of critical information, such as the OPM hack.

3-Stealing targeted critical information

Example – (Chinese targeted espionage, government-sanctioned cyber crime, Sony Hack)

Notes – This involves the use of intruding upon a secure network and stealing sensitive or secret information. The theft of Lockheed Martin’s F-35 jet plans or the U.S. Department of Defense’s strategy in the Far East are examples. Or if the target was critical to national security or the objective of the attack had national security implications.

2-Harrassment, propaganda, nuisance disruption

Example – (Propagandist messages in Ukraine, Vandalism, DDoS in Georgia, Bronze Soldier dispute)

Notes – Mainly vandalism or DDoS campaigns, this measure is coded when pockets of government or private networks are disrupted for periods of time and normal day to day online life is difficult, but recoverable.

1-Probing without kinetic cyber

Example – (US NSA dormant infiltrations)

Notes – Using cyber methods to breach networks but not utilize any malicious actions beyond that. Hacking a power grid but not shutting it down, planting surveillance technology within networks, and unsophisticated probing methods are examples of this severity level.

0-No cyber activity


Author: Brandon Valeriano

Brandon Valeriano is the Donald Bren Chair of Armed Politics at the Marine Corps University.