Spatiotemporal characteristics and drivers of global cyber conflicts

Abstract

In recent years, state-sponsored malicious cyber activities have emerged incessantly, which has resulted in an increasingly severe international cybersecurity landscape. To respond to this challenge, researchers have engaged in extensive inquiries. Regrettably, these studies seldom quantitatively analyse the characteristics and factors influencing cyber conflicts from a geopolitical perspective. In this context, on the basis of a dataset encompassing cyber conflict incidents, national internal attributes and bilateral relations, we employ methods such as social network analysis and statistical regression analysis to explore the evolutionary trends, network structure, connectivity patterns, and drivers behind cyber conflicts. The results indicate that, on the one hand, cyber conflicts among countries mirror the geopolitical dynamics of the physical world and exhibit characteristics of regionalism similar to traditional geopolitical competition. There are several obvious cyber conflict groups in cyberspace, such as the South Asian conflict group, which is composed of India, Afghanistan, and Pakistan. On the other hand, interstate cyber conflicts are influenced by domestic characteristics and foreign policies, with pronounced regional differences. For example, in areas such as the Middle East and Eastern Europe, where disputes and wars are frequent, confrontational military policies and strong technological innovation capabilities could exacerbate cyber conflicts within the region. In summary, we adopt a comprehensive and multidimensional approach with the aim to provide insights and references for related studies.

Introduction

Cyberspace not only reflects the real world but also fundamentally alters the competitive landscape of the physical world (Asal et al. 2016). Every country is invariably subjected to illicit cyber operations by foreign states or organizations in one way or another (Hunter et al. 2021), and no country is immune from cyber threats (Nejjari et al. 2021). In recent years, the number of state-sponsored cyberattacks has increased drastically. The number of cyberattacks related to cyber warfare or geopolitical conflicts rose from 19% in 2018 to 27% in 2019 (González-Manzano et al. 2022), and the number of attacks on critical infrastructure increased from 20% in 2019 to 40% in 2022 (Microsoft 2022). Moreover, state actors are initiating increasingly sophisticated cyberattacks, deployed independently or combined with kinetic military operations, to complement ground force conflicts, retaliate against other states’ policies and actions, and interfere in their elections (Gartzke 2013; Goel 2020; Kostyuk and Zhukov 2019). The deployment of cyberweapons in the Russia–Ukraine hybrid war marked the onset of a new era of conflict. Indeed, these cyber conflicts not only have a detrimental effect on bilateral relations and regional/global stability but also further amplify the power asymmetries of dominant countries (Microsoft 2022).

In response to the increasingly severe cybersecurity situation, governments and international organizations worldwide have been establishing national cybersecurity centres and formulating relevant policies and regulations to safeguard domestic cybersecurity (Kirichenko et al. 2018). The international community’s attention to cyber conflicts has also been steadily increasing. Cyberspace has evolved into a mature geopolitical entity and a new strategic research field (Limonier et al. 2021). Scholars have conducted extensive research on this subject, contributing to both theoretical and quantitative analyses of cyber conflicts. Theoretical studies explore various perspectives, including realism, liberalism, constructivism, and the theory of persistent engagement, whereas recent research further integrates insights from intelligence competition, subversion strategies, and security governance (Craig and Valeriano 2018; Dunn et al. 2024; Eriksson and Giacomello 2006; Fischerkeller and Harknett 2019). Quantitative studies focus predominantly on the perspective of cyberattacks and consider malicious software, spam emails, and DDoS attacks as research subjects (Asal et al. 2016; Garg et al. 2013; Goel and Nelson 2009; Levesque et al. 2016; Mezzour et al. 2015). However, the primary initiators of these malicious cyber activities are individuals or organizations, and they do not fully reflect the strategic actions of states in cyberspace. Second, researchers have proposed various potential factors that influence a country’s propensity to launch or suffer from cyberattacks, including economic capabilities, military power, corruption levels, regime types, geopolitical events, and social media sentiments (Chen et al. 2023; González-Manzano et al. 2022; Hunter et al. 2021; Kumar and Carley 2016b; Li et al. 2022; Mezzour et al. 2017). However, there is still debate over the relative importance of different factors. In addition, studies have utilized social network analysis to examine cyber conflicts from an international relations perspective (Baronchelli 2018; Kumar and Carley 2016a; Nejjari et al. 2021). However, comprehensive analyses that consider both a country’s internal characteristics and its external relationships are lacking.

Therefore, our current understanding of the factors and mechanisms that influence interstate cyber conflicts remains limited. This issue cannot be resolved solely from the perspectives of computer science or international relations but requires an interdisciplinary approach (Dunn et al. 2024). We need to investigate how national-level factors, such as technological strength and military power, relate to cyber conflicts and identify optimal predictors. We also need to comprehensively examine the competition and interactions among countries in military, diplomatic, and economic aspects within the global sociopolitical context. The more we understand about national cyber actors, the better we can predict their behaviours and mitigate damage (Nejjari et al. 2021).

To better understand the patterns, factors, and motivations behind cyber conflicts, we approach the study of interstate cyber conflicts from the perspective of both internal and external national factors and on the basis of existing theoretical studies and quantitative analyses. Specifically, we begin by conducting a qualitative analysis of the historical trends and overall structure of global cyber conflicts. We describe the relevance of conflicts in cyberspace and real space, explore the connectivity patterns of cyber conflict networks, and validate the regionalism of interstate cyber conflicts. Second, drawing on previous research, we collect national-level characteristics and use factor analysis to consolidate them into 10 factors, which serve as internal variables that drive states to engage in or suffer from cyber conflicts. We then employ negative binomial regression analysis to compare the impact of each factor on cyber conflicts. Finally, cyber conflicts involve dyadic states and essentially constitute a tangible relational network. Hence, we construct a cyber conflict network along with three foreign policy networks (economic, military, and diplomatic) and use the multiple regression quadratic assignment procedure (MRQAP) to examine how foreign policies affect the number of cyber conflicts between two countries.

In conclusion, our study is comprehensive and novel in the examination of cyber conflicts at the national level. We employ an integrative methodology that combines factor analysis and regression analysis, network modelling and MRQAP analysis to systematically analyse the evolution trends, connectivity patterns, and drivers of cyber conflicts from multiple perspectives, including network structure, national attributes, and international relations. We endeavour to unveil the factors and mechanisms that either foster or hinder cyber conflicts, with the aim of providing scientific foundations for preventing threats and devising policies in cyberspace. We hope that this study can offer a geographically oriented standpoint as an innovative paradigm for the field of cybersecurity research.

Literature review

Theoretical research on cyber conflict

As cyberspace has gradually become a crucial domain for national strategic competition, cyber conflict has emerged as a key topic of research in international relations. Scholars have attempted to incorporate international relations theories, such as realism, liberalism, and constructivism, into the analytical framework of cyber conflict and, on this basis, have given rise to theories more tailored to the characteristics of cyberspace, notably persistent engagement theory. Moreover, recent research has expanded the scope of cyber conflict studies by integrating insights from intelligence research, subversion strategies, and governance perspectives.

First, realism has long been the dominant paradigm in the field of international relations. Its core assumption is that states are the most important actors, and competition and conflict among states stem from the pursuit of core interests in power and security (Craig and Valeriano 2018). Realists view cyberspace as a new force multiplier and argue that cyber capabilities can be used to achieve strategic advantage, ensure power balance, and conduct deterrence (Eriksson and Giacomello 2014). However, the implementation of cyber deterrence faces numerous challenges. Owing to the virtual and covert nature of cyberattacks, as well as the asymmetry between offense and defence in cyberspace, traditional military deterrence theory is difficult to apply effectively in the cyber domain (Caton and Libicki 2011; Lupovici 2011; Mitchell and Pytlak 2020). As Liff (2012) noted, the frequent occurrence of low-level cyber conflicts among states reflects the stability–instability paradox, wherein states tend to maintain low-intensity, persistent cyber confrontations rather than one-time, large-scale attacks. This phenomenon occurs because states are unwilling to escalate cyber disputes into conventional or nuclear warfare, which undermines the effectiveness of cyber deterrence.

Second, unlike the state-centric perspective of realism, liberalism emphasizes the diversification of international actors, the importance of domestic political factors in determining state behaviour, and the role of international institutions in establishing rules of conduct for state actors (Duncan et al. 2008; Eriksson and Giacomello 2006). Specifically, liberals focus on the role of social ideas, interests, and institutions in shaping state preferences and influencing state behaviour (Moravcsik 1997). They consider both domestic society, such as political systems and culture, and the operation of international nonstate actors. They underscore the positive outcomes of interdependence and interconnectedness rather than the increasing vulnerability and insecurity that might ensue (Eriksson and Giacomello 2006; Reardon and Choucri 2012). This provides a perspective for understanding the multiple actors and complex interactions in cyberspace.

Social constructivism was explicitly introduced into the discipline of international relations in the late 1980s. The contribution of constructivism lies in its pragmatic meta-theoretical stance on material and social reality, as it emphasizes the dynamic interplay among social factors, such as norms, identities, interests, and institutions (Eriksson and Giacomello 2006). Constructivists argue that many structural practices in international politics are not driven solely by material interests but are rather based on socially constructed identities, worldviews, and ideas (Reardon and Choucri 2012). In the study of cyber conflict, constructivists contend that state interactions in cyberspace often reflect their political, cultural, and social contexts. For example, web defacement is viewed as an explicit attack on symbols–the online equivalent of flag burning. Moreover, rhetoric such as cyber warfare and cyber terrorism are not only linguistic expressions but also tools for shaping international public opinion and policy (Eriksson and Giacomello 2014).

The emerging persistent engagement theory offers a novel perspective for understanding cyber conflict. This theory posits that cyberspace is a distinctive strategic environment–a domain of exploitation–that differs from the conventional domain of conflict and the nuclear domain of coercion. Here, the combination of interconnectedness and persistent contact, along with the constantly evolving characteristics of cyberspace, further encourages operational persistence and persistent engagement to protect and exploit critical data and data flows (Fischerkeller and Harknett 2019). As a result, states can operate at low cost in cyberspace and gain limited unilateral benefits through persistent cyber operations without resorting to traditional warfare. This necessitates that in this virtual domain, states must strive to achieve dominance through relentless engagement and exploitation of adversaries’ cybersecurity vulnerabilities while seeking to protect their own networks, critical infrastructure, and national privileges as much as possible (Fischerkeller et al. 2022; Healey 2019). This theory challenges the approach of incorporating cyber conflict into traditional warfare or deterrence paradigms and prescribes a strategy that is closely aligned with the realities of cyberspace.

In addition to the above theories, the field of cyber conflict research has become increasingly diverse. An emerging perspective views cyber operations as an ongoing intelligence competition and emphasizes the covert nature of cyber actions and their role in shaping perceptions. This viewpoint suggests that cyber operations resemble traditional espionage activities, where states attempt to gain strategic advantages by gathering intelligence, weakening adversaries’ capabilities, and influencing public opinion (Baram 2023; Robert and Max 2020). Some scholars regard cyber conflict as a form of subversion and highlight the use of cyber operations to manipulate, erode, and overthrow adversaries’ political, economic, or security structures. This involves the exploitation of vulnerabilities in information systems to disrupt conventional power dynamics and influence target states without direct confrontation (Maschmeyer 2023a, b). However, the “subversive trilemma" of cyber actions (i.e., the trade-off among speed, intensity, and control) limits their effectiveness as a tool for subversion (Maschmeyer 2021). Moreover, beyond state-centric analyses, recent studies have explored the role of nonstate actors (such as private companies and hacker groups) in shaping the strategic landscape. The involvement of these actors complicates traditional state-centric analytical models (Robert and Max 2020) and creates the need for a broader framework. As a result, an interdisciplinary approach that integrates insights from political science, international relations, sociology, and computer science is needed to better understand and address these complexities (Dunn Cavelty et al. 2024; Stevens 2018).

In summary, realism, liberalism, constructivism, and persistent engagement theory offer different perspectives for understanding interstate cyber conflict. Realism emphasizes the struggle for state power and security issues, liberalism focuses on the impact of diverse actors and transnational relations, and constructivism elucidates the role of social factors in cyber conflict. The rise of persistent engagement theory provides a new explanatory framework for understanding the frequent, low-intensity cyber conflicts between states. Recent research has further enriched theoretical studies through intelligence competition, security governance, subversion theory, and multiactor perspectives. These different theories complement one another and collectively reveal the complex logic of state behaviour in cyberspace.

Quantitative analysis of cyber conflict

At the national level, cybersecurity behaviours are complex phenomena that are associated with social culture, economic issues, political motivations, military strategies, and other related factors. When these observable or monitorable characteristics are monitored, they can serve as early predictive indicators of abnormal activities, hostile actions, and other security vulnerabilities in cyberspace. Therefore, research on the factors influencing national cybersecurity behaviours has flourished in the past decade, and related studies can be categorized into the following two major areas. The first branch focuses on determining the factors that cause a country to become a primary instigator of cyberattacks or a haven for cybercrime and quantifying the relative importance and impact differences. The second branch focuses on studying cyber conflicts between two countries, with the aim to reveal the mutual influence between national cyber behaviour and geopolitics, military strategies, economic trade and other aspects from the perspective of interstate interactions. Below, a detailed exposition is provided for these two categories of research.

Factors influencing national cybersecurity

In the first branch of research, scholars have examined how national sociocultural backgrounds, economic development levels, political systems and other pertinent factors influence a state’s cybersecurity behaviour. As early as 2011, Gandhi et al. (2011) studied the nature of cyberattacks and the underlying motivations and categorized them into various types, such as political motives, economic interests, religious beliefs, and extremism. This research provided an overall understanding of cyberattack motivations and laid a foundation for subsequent investigations.

Later, Asal et al. (2016) examined politically motivated distributed denial-of-service (DDoS) attacks via logistic regression to analyse the relationships between multiple independent variables and DDoS attacks. The findings revealed that the frequency of DDoS attacks targeting a country increases with increasing male education levels, repression, and nonviolent activism. Mezzour et al. (2014, 2017) utilized multivariate regression to study the social and technical factors influencing a country’s susceptibility to cyberattacks. The results showed that Western Europe and North America suffer more attacks due to their abundant computational and monetary resources. Moreover, certain countries in Eastern Europe and Central America exhibit a particular allure for hosting attack computers because of their well-developed ICT infrastructure and severe corruption. From the perspective of network analysis, Kumar and Carley (2016a) constructed a national network of cyberattacks and conducted an analysis using the quadratic assignment problem (QAP) method between this network and other networks, such as the network of corruption index differences, GDP differences, and alliance/hostility. They reported that more severe corruption and greater internet bandwidth are advantageous for launching cyberattacks, whereas higher per capita GDP and better ICT infrastructure make a country more prone to victimization.

Additionally, Li et al. (2022) investigated the impact of national regime types on cyberattacks using Poisson time series regression analysis and discovered that authoritarian countries initiate more attacks, especially towards democratic countries. Similarly, Hunter et al. (2021) studied the relationships among regime type, military power, economic strength and cyberattacks. The findings showed that more powerful and authoritarian countries are most likely to launch cyberattacks, and the probability of strong entities attacking weak entities significantly increases as the power gap increases. Lutscher et al. (2020) employed a log-linear model to investigate the impact of the election period and the autocracy index on the number of DoS attacks. The results revealed that in authoritarian countries, the number of DoS attacks indeed increased during election periods. However, these attacks were primarily directed not at the countries themselves but at other nations hosting news websites related to those countries.

Finally, Chen et al. (2023) considered cybercrime as a social phenomenon and constructed a theoretical framework that integrated various factors, such as social, economic, political, and technological factors, to understand the factors affecting cybercrime. This study used a generalized linear model to identify the key factors and employed a structural equation model to estimate the direct and indirect effects of various factors. The results revealed causal relationships between cybercrime and diverse background factors, with technological factors playing an intermediary role between socioeconomic conditions and cybercrime. Furthermore, the findings demonstrated that the incorporation of a wide range of socioeconomic factors can particularly enhance the explanatory power of the model.

Interaction between cyber space and realistic space at the national level

The second research branch focuses on the relationship between national cyber activities and factors such as foreign policies, national sentiment, economic trade, and geopolitics from the perspective of national interactions or international relations. Such studies aim to uncover the mutual influence between cyberspace and the physical world.

First, Kumar and Carley (2016b) utilized social media data to capture interstate sentiment and quantitatively analysed the impacts of sentiment on cyberattacks. They reported that holding negative perceptions towards a country increases the probability of victimization, whereas conversely, holding positive perceptions decreases this likelihood. This phenomenon indicates that cyberattacks rise with intensifying bilateral tensions. Akoto (2021) employed a natural cubic spline to investigate the nonlinear dynamic impacts of national trade composition on state-sponsored cyberattacks. The results revealed that when a country engages in more interindustry trade, it is more likely to launch cyberattacks, whereas the opposite effect was observed for intra-industry trade. These effects are nonmonotonic, varying with the share of interindustry (or intra-industry) trade in total trade. Moreover, countries with high concentrations of high-tech industries are more prone to participating in cyber espionage activities.

The examination of cyberattacks from a geopolitical perspective is another important entry point in academic research. González-Manzano et al. (2022) built a set of linear regression models using 234 million geopolitical events to analyse the relationships between APT attacks and geopolitics for each country, explaining APT attacks through factors such as economy, strategy, and cyber warfare. Nejjari et al. (2021) modelled cyber events and geopolitical events as networks and calculated the similarity between the two graphs using the QAP method. Significant similarities were found in terms of graph isomorphism and structure, which indicates that countries with adversarial or conflictual relations are more likely to become perpetrators or victims of cyberattacks. Lee et al. (2021) utilized social network analysis to examine the relationships between the source and target countries of cyberterrorist attacks, with a focus on the network structures and clusters of Al-Qaeda and ISIS cyber terrorists. The results revealed that cyberterrorism was clustered by source country, exhibiting a certain form of regionalism. Moreover, cyberattacks differed distinctly across Western, African, Asian, and Middle Eastern countries and reflected various strategic approaches, such as centralized and decentralized approaches and regional and international approaches, which correspond to traditional terrorism.

Finally, in terms of the impact of national cyber activities on the physical world, Maness and Valeriano (2016) studied how cyberattacks influence a country’s foreign policies on the basis of the dyadic cyber incident and campaign data (DCID). They reported that only DDoS attacks affect the conflict–cooperation dynamics among countries. That is, the utilization of DDoS attacks as a foreign policy tool can lead to the deterioration of bilateral relations. In addition, on the basis of event data concerning cyber and kinetic operations during the Ukrainian armed conflict and the Syrian civil war, Kostyuk and Zhukov (2019) conducted a quantitative analysis of the relationship between cyberattacks and kinetic violence using vector autoregressive models. The findings showed that cyberattacks have a limited impact on violence in the physical world and fail to clearly alter battlefield behaviour.

Definition of concepts related to cybersecurity behaviour

In the above literature, researchers addressed several relevant concepts related to cybersecurity behaviour, such as cyberattacks, cybercrime, cyber conflicts and cyberterrorism. In this section, we attempt to elucidate and distinguish the meanings and differences of these different terms to prevent conceptual confusion and gain a more accurate understanding of the viewpoint and content of our study.

Cyberattacks typically refer to hostile actions initiated through computer networks, with the purpose of invading, interfering in or sabotaging target systems or stealing information. The perpetrators can be either state or nonstate actors. State-sponsored cyberattacks, on the other hand, denote computer-driven illegal, criminal, or destructive activities that can be legally attributed to a government or its affiliated institutions (Akoto 2021). Cybercrime encompasses a broad range of criminal activities and harmful behaviours involving computers, the internet, or other forms of information and communication technologies. It focuses on illegal online activities carried out by individuals or organizations to obtain economic benefits (Chen et al. 2023). Cyber conflict refers to cyber incidents in which state-sponsored threat actors carry out denial-of-service attacks, espionage, defacement, data destruction, sabotage, doxing and other cyber actions against another state (Hunter et al. 2022). Cyber warfare, as the most advanced and intricate form of cyberattack, is carried out against national interests and has the most severe consequences (Li and Liu 2021). Finally, cyberterrorism refers to the convergence of terrorism and cyberspace, characterized by computer-based attacks or threats, intended to intimidate or coerce governments or societies in pursuit of political, religious, or ideological goals (Lee et al. 2021).

Based on a comparison of the aforementioned concepts, we argue that cyberattacks emphasize invasive actions at the technical level, cyber conflicts stress the political attributes of competition for national sovereignty, cybercrime concerns mostly illicit activity driven by the pursuit of financial gain, and cyberterrorism is undertaken with a focus on the social impact. Given that this research is dedicated to exploring cyberspace adversarial behaviours at the national level, cyber conflict underscores the state as an actor and reflects the competition and confrontation between nations. Hence, compared with terms such as cyberattack and cybercrime, cyber conflict is a more appropriate term.

Method

Data

Cyber conflict incidents

The dyadic cyber incident and campaign data (DCID) (Maness et al. 2022b) constitute the only peer-reviewed dataset of cybersecurity conflict events that can be attributed solely to states. Each pair of countries involved in a cyber conflict consists of countries on opposite sides of the cyber incident, with an initiator state and a target state. In this context, the initiator must originate from a government, or there must be evidence indicating explicit government approval for the campaign. The target entity, on the other hand, must be government entities, national security agencies (e.g., power grids, defence contractors), major media organizations (e.g., 4th estate), or critical companies (e.g., banks, retail giants). The dataset covers more than 400 cyber conflict events involving more than 30 countries/regions from 2000–2020 and provides information on attributes such as initiator/target states, start/end dates, methods of incident, target types, critical infrastructure sectors, and severity levels.

National characteristic indicators

In geopolitical research, the importance of analysing multidimensional factors (e.g., geography, climate, politics, military, religion) is emphasized. TheGlobalEconomy (Valev 2024) provides over 500 indicators related to more than 200 countries/regions spanning from 1960 to the present. The data come from multiple official sources, such as the World Bank, the International Monetary Fund, the United Nations and the World Economic Forum, and cover a wide range of fields, including the economy, society, education, energy, healthcare and military. On the basis of this database and with reference to previous research, we select 54 indicators to describe national attributes. We then utilize factor analysis to construct 10 factors, namely, economic and trade capability (e.g., merchandise exports), technological strength (e.g., high-tech product trade), military power (e.g., military expenditure), war impacts (e.g., armed conflicts), economic freedom (e.g., monetary freedom), government governance level (e.g., control of corruption), technological innovation ability (e.g., research and development expenditure), network transmission capability (e.g., fixed broadband subscriptions), fragile state (e.g., refugees and displaced persons) and globalization level (e.g., economic globalization). These factors serve as explanatory variables for both initiating and suffering cyber conflicts at the national level. All the aforementioned factor variables are standardized for further analysis. Additionally, we use the variance inflation factor (VIF) to exclude variables with VIF > 10 before modelling to eliminate the influence of multicollinearity.

National foreign policies

Bilateral cyber conflicts embody state-to-state relations in specific practical activities. These malicious cyber actions do not occur in isolation but are inevitably influenced by a complex interplay of foreign political, economic, military, and diplomatic factors among countries to achieve deterrence or alter the balance of information with adversaries (Maness et al. 2022a). Therefore, on the basis of the variables related to diplomatic, economic and military foreign policies in the DCID dataset, specifically the CAMEO (conflict and mediation event observations) scores, we construct 3 types of international relations networks as explanatory variables and use MRQAP regression to investigate their impacts on the cyber conflict network. The CAMEO scores were modelled in the style of the Goldstein conflict–cooperation scale and updated using the ICEWS dataset and provide conflict or cooperation ratings for the dyadic countries involved in each cyber conflict event in terms of economics, military, and diplomacy, ranging from -10–10. A lower score indicates more conflictual bilateral relations, which leads to the adoption of more hostile measures in foreign policies. Conversely, a higher score suggests more relaxed relationships, with a greater inclination towards cooperative actions.

Model

Negative binomial regression

The dependent variable in this study is the annual number of cyber conflicts initiated or suffered by each country, which is count data (i.e., a simple accumulation of the occurrences of certain events within a fixed time interval or a spatial unit at a specific time point Britt et al. 2018). Its distribution is no longer a normal distribution, which violates the basic assumption of the traditional linear regression model. There are several common methods for analysing count data, each of which is derived from the Poisson probability function,

$$P(y=k)=\frac{{e}^{-\lambda }{\lambda }^{k}}{k!}$$

(1)

where k is a nonnegative integer representing the number of cyber conflicts and where λ is the expected number of conflicts occurring per year in each country, often expressed as

$$E(y)=\lambda ={e}^{(\beta X)}$$

(2)

where X is the vector of factors that affect cyber conflict and where β is the parameter vector.

A basic assumption of Poisson regression is that the mean equals the variance. However, real-world data rarely follow this specific pattern; instead, the variance of most data is greater than the mean, which is referred to as overdispersion in statistics (Qi et al. 2023). To address this problem, a random error term ϵ is introduced to capture individual heterogeneity or unobservable factors. The mean λ is expressed as follows:

$$\lambda ={e}^{(\beta X+\varepsilon )}$$

(3)

where e^ε follows a gamma distribution with a mean of 1 and a variance of α. At this point, the Poisson model can be extended to the negative binomial model, with similar parameter estimation and interpretation, hypothesis tests and goodness-of-fit tests as those in Poisson regression. The probability density function (Britt et al. 2018; Yirga et al. 2020) is shown in below equation:

$$P(y=k)=\frac{\Gamma ({\alpha }^{-1}+k)}{k!\Gamma ({\alpha }^{-1})}{\left(\frac{\lambda }{{\alpha }^{-1}+\lambda }\right)}^{k}{\left(\frac{{\alpha }^{-1}}{{\alpha }^{-1}+\lambda }\right)}^{{\alpha }^{-1}}$$

(4)

where Γ(⋅) denotes the gamma distribution.

MRQAP regression

Traditional multiple regression models are based on ordinary least squares (OLS), which assumes that the observed outcomes are statistically independent. However, in relational data, nodes are interconnected and interdependent, which contradicts the assumption of an independent and uniform distribution. The application of generic statistical methods would induce multicollinearity, leading to increased variance in parameter estimation and rendering inferences about variable importance meaningless (Nejjari et al. 2021; Yan et al. 2022). To address this issue, the multiple regression quadratic assignment procedure (MRQAP) takes the nonindependence of network data into account through a random permutation method to obtain accurate parameter estimates and significance tests.

Specifically, MRQAP is used to examine regression relationships between one relational matrix (i.e., the dependent variable) and multiple relational matrices (i.e., independent variables) and assess the impact and significance of the independent variable on the dependent variable. The calculation process is as follows (Bai et al. 2023). First, the independent variable matrix and the dependent variable matrix are converted into long vectors, and a standard multiple regression is performed. Then, the rows and corresponding columns in the dependent variable matrix are randomly permuted, and the regression coefficients between the permuted matrices are calculated. This process is repeated to obtain the distribution of regression coefficients. Finally, it is necessary to determine whether the regression coefficients fall within the acceptance region of the distribution and test their significance.

In this study, we hypothesize that foreign policy matrices affect the cyber conflict matrix. To test the validity of this hypothesis, we utilize the MRQAP method to study the factors influencing the global cyber conflict network. Specifically, we transform the cyber conflict network into a matrix, treating it as the dependent variable. Similarly, we convert the scores of foreign economic, military and diplomatic policies into matrices of the same size, which serve as the independent variables. Finally, we employ MRQAP to conduct a nonparametric test on the independent and dependent variables. The model is described by Equation (5)(Zhang et al. 2021):

$$Y={\beta }_{0}+{\beta }_{1}* {X}_{1}+{\beta }_{2}* {X}_{2}+\, +{\beta }_{n}* {X}_{n}+\mu$$

(5)

where n is the number of independent variables and where β represents the regression coefficients of the influencing factors. Y is the dependent variable matrix, and Y_ij denotes the number of cyber conflicts initiated by the i-th country against the j-th country. X is the independent variable matrix, which is a specific indicator of national external relations (i.e., the foreign economic, military and foreign policy score matrix). Y and X are both represented by m × m adjacency matrices, where m is the size of the matrix.

Results

Trends in the number of cyber conflict incidents from 2000–2020

Figure 1 presents the number of cyber conflict incidents in each country from 2000–2020, considering both the instigators and the victims. Figure 2 highlights important geopolitical events that occurred in the real world during the corresponding years. As shown in Fig. 1, the ability to conduct cyberattacks is currently concentrated mainly in the hands of a few major countries, such as the United States and Russia. These countries possess relatively strong offensive capabilities in cyberspace. In contrast, a wider range countries suffer cyberattacks; these include the aforementioned major countries and developed countries such as Japan, South Korea and Israel, as well as some weak and developing countries, such as Pakistan, Vietnam, Georgia and Ukraine.

Fig. 1: Changes in the number of cyber conflicts of various countries from 2000 to 2020.

a Shows the number of cyber conflicts launched by each country, while b shows the number of cyber conflicts encountered by each country. The x-axis represents the year, and the y-axis represents countries using ISO 3166 three-letter codes. The color intensity in the heatmaps corresponds to the count of cyber conflicts. The bar charts summarize the total number of cyber conflicts grouped by region.

Fig. 2: Comparison of physical conflicts and cyber conflicts.

The line chart depicts the number of cyber conflicts (y-axis) from 2000 to 2020 (x-axis). Arrows and corresponding text labels indicate the occurrence of major physical conflicts during this period.

Combining Figs. 1, 2, relatively few incidents of cyber conflicts occurred from 2000–2005, possibly because the related network technologies and cyberspace strategies were still in the nascent stages. After 2005, the number of cyber conflicts began to grow rapidly. Particularly in 2008, when the Russo–Georgia war broke out, the number of cyber conflicts sharply increased to 34, of which Russia initiated 9 incidents and suffered 9 incidents, involving a total of 18 cyber conflicts. The war introduced a new form of combat that integrated cyber warfare with other conventional military forces. This fusion of capabilities transformed the pattern of warfare in the information age and set the stage for the prevailing trend of incorporating cyberattacks into military operations. It has been widely regarded as a watershed in the history of modern warfare (Hollis 2011). During Crimea annexation in 2014, the number of cyber conflicts reached a peak of 49, of which Russia initiated 8 incidents and suffered 13 incidents, involving a total of 21 cyber conflicts. Multiple forces (e.g., Russia, Ukraine, the United States, and the United Kingdom) engaged in intense competition in the battlefield of cyberspace, which fully underscores the significance of cyberspace in the context of geopolitical struggles. After 2015, although the number of cyber conflicts slightly declined, it remained at a high level of approximately 40 incidents per year, reflecting the enduring nature of competition and confrontation in the realm of cyberspace among countries.

Global cyber conflict network and community division

Figure 3 illustrates the dyadic countries involved in cyber conflicts during the study period, along with the total number of corresponding conflict events. Fig. 4 represents the global network of cyber conflicts and the division of various communities. By combining the two figures, we find that the network of cyber conflicts closely resembles the international relations network in the real world.

Fig. 3: Number of cyber conflicts between dyadic countries.

Countries, identified by ISO 3166 three-letter country codes, are grouped according to their respective regions. Each color bar represents conflicts from one country to another, with the width of the bar indicating the number of conflicts.

Fig. 4: Community division of cyber conflicts among countries.

a–d Display the four distinct communities identified through network analysis. Nodes are labeled with country names using ISO 3166 three-letter codes. Edges represent cyber conflicts between countries, with arrows indicating the direction of these conflicts.

On the one hand, the United States, China, and Russia are the three most influential countries globally and are at the centre of the network of cyber conflicts. Specifically, the United States, as the global hegemon, is one of the most “plugged-in" states (Valeriano and Maness 2014). The targets of cyber conflicts initiated by the United States are spread worldwide, including but not limited to China, Russia, Iran, North Korea, and Syria. Comparatively, cyber conflicts involving Russia are concentrated primarily at the regional level. Owing to historical, geopolitical and territorial disputes, Russia chiefly targets Eastern European countries, such as Ukraine, Georgia, Estonia, and Lithuania.

On the other hand, the majority of cyber conflicts among countries are driven by regional tensions. There are several obvious cyber conflict communities, such as the conflict community comprising mainly former Soviet Union member states, such as Russia, Ukraine, and Georgia; the South Asian conflict community, which is composed of India, Afghanistan, and Pakistan; the conflict community formed by North Korea and South Korea; and the Middle Eastern conflict community, which consists of Iran, Iraq, Syria, and Israel. Over the years, there have been border disputes and geopolitical conflicts among these countries, which have also resulted in strained relations in cyberspace.

The impact of the internal attribute characteristics of a country on cyber conflicts

In this section, we combine factor analysis and negative binomial regression to quantitatively examine the impacts of national internal factors, such as the economy, technology, military and network infrastructure, on cyber conflicts across different countries and regions worldwide from the two perspectives of the initiators and the victims of cyber conflicts. The results of the regression analysis are shown in Fig. 5.

Fig. 5: Effects of predictor variables on cyber conflicts.

The coefficient values are represented as dots, and the bars represent 95% CIs.

Through a comparison of the experimental results, we find that cyber conflicts are closely correlated with economic and trade capabilities, military power, technological innovation ability, and national fragility. Globally, technological innovation ability is the foremost shared factor influencing both cyber conflict instigation (OR = 2.81, 95% CI = 1.88–4.26) and victimization (OR = 3.72, 95% CI = 2.66–5.29). There is a negative correlation between economic freedom and cyber conflicts, which means that countries with high levels of economic liberalization tend to have low motivation to initiate conflicts (OR = 0.22, 95% CI = 0.14–0.34) and a small probability of experiencing conflicts (OR = 0.44, 95% CI = 0.32–0.61). Furthermore, countries with strong economic and trade capabilities are more likely to launch cyber conflicts (OR = 2.82, 95% CI = 1.67–4.89), whereas countries with high state fragility are more prone to becoming targets of cyber conflicts (OR = 3.11, 95% CI = 2.04–4.82).

Further regional comparisons reveal geographical differences in the impact mechanisms of cyber conflicts. In East Asia and the Pacific, economic and trade capacity is the most crucial influencing factor for countries to initiate cyber conflicts (OR = 2.84, 95% CI = 1.38–6.22), and the number of cyber conflicts a country suffers is negatively correlated with economic freedom (OR = 0.27, 95% CI = 0.12–0.56). In North America and Western Europe, the main variable driving countries to initiate cyber conflicts is military power (OR = 4.31, 95% CI = 2.10–9.52). In the Middle East, Eastern Europe, Central Asia and South Asia, technological innovation ability has the greatest impact on conducting (OR = 6.35, 95% CI = 3.58–11.88) and suffering cyber conflicts (OR = 3.25, 95% CI = 1.92–5.66).

The impact of the external foreign policies of a country on cyber conflicts

In this section, we use MRQAP regression to explore the relationships between cyber conflicts and three types of foreign policies (i.e., economic, military, and diplomatic policies) in different regions. The R² values of the four regression models are 0.810, 0.697, 0.434, and 0.478, respectively, and the significance levels of the F tests are all less than 0.01, which indicates that the regression models are statistically significant. The standardized regression coefficients and p values for each independent variable are presented in Table 1.

Table 1 MRQAP regression results of factors influencing cyber conflicts.

The results demonstrate that the occurrence of cyber conflicts is closely tied to bilateral foreign policies, with distinct characteristics observed in the impact effects of different regional policies. There is a notable correlation between interstate cyber conflicts and national external economic, military, and diplomatic policies on a global scale. In particular, military policy is the primary influencing factor affecting global cyber conflicts, and the relaxation of this policy can effectively reduce such conflicts (coefficient = –0.92). Conversely, proactive economic policy between two countries is likely to escalate cyber conflicts (coefficient=0.52). In addition, there is a negative correlation between diplomatic policy and cyber conflicts (coefficient = –0.29), which indicates that a passive and negative diplomatic attitude is unfavourable for containing cyberspace confrontations, while an active and prudent strategy is more conducive to reducing cyber conflicts.

Finally, it is worth noting that the external foreign policy factors influencing cyber conflicts among various countries have distinctive regional characteristics. In East Asia and the Pacific, economic policy plays a pivotal role, as positive policy can exacerbate bilateral cyber conflicts (coefficient=1.71). In the Middle East, Eastern Europe, Central Asia and South Asia, military policy is the most important factor, and the moderation of this policy can help alleviate the intensification of cyber conflicts (coefficient=−0.85). In North America and Western Europe, diplomatic policy stands as the primary factor, with a significantly greater impact than military and economic policies (coefficient=-1.26).

Discussion

Interstate cyber conflicts reproduce geopolitical relations in the physical world

As shown in Fig. 1, since the beginning of this century, confrontational behaviours among countries in cyberspace have shown a markedly increasing trend, and the internet has increasingly become an important variable affecting international relations and geopolitics. Currently, cyberspace is viewed as the “fifth domain" with equal strategic status to land, sea, air and space, which is explicitly stated in the military doctrines of the world’s most powerful countries (Goel 2020).

In general, cyber threats do not emerge in a vacuum detached from the realities of politics, economics, and geopolitics; instead, they often constitute a manifestation or an extension of preexisting tensions and rivalries (Tran Dai and Gomez 2018). As a result, similar to traditional geopolitical competition, regionalism also plays a significant role in conflicts within the cyber world (Baronchelli 2018; Valeriano and Maness 2014). The majority of incidents occur between longstanding rivals and are often linked to regional disputes, where territorial issues commonly serve as the primary catalyst for cyber conflicts between the two sides in the region. In this context, the participants must demonstrate their authority and ability to resist adversaries, with cyber power playing an indispensable role in this process (Sheldon 2014). Russia is a typical representative in this regard, as it has conducted multiple cyberattacks against Ukraine, Georgia, and Estonia to maintain its influence in former Soviet states. In 2008, Russia launched a joint military and cyberattack against Georgia, conducting large-scale cyberattacks on the websites of Georgian television stations and news agencies (Guchua et al. 2022). Since the outbreak of conflict with Russia in 2014, Ukraine has been confronted with a series of cyberattacks. Over the past decade, Russia has carried out and continues to launch cyberattacks against strategic facilities, government websites, and infrastructure in Ukraine (Gibney et al. 2022; Guchua et al. 2022).

Certainly, cyber conflicts are not constrained by geographical boundaries. The virtually borderless nature of cyberspace has caused cyber conflicts to transcend regional disputes and enabled them to occur across vast geographical distances and thereby exacerbate existing geopolitical tensions (Ramadhan 2021).For example, the United States possesses vested military and economic interests in the Middle East. Hence, in addition to military actions, a variety of measures have been implemented in cyberspace to safeguard US benefits (Culbertson et al. 2022). In 2010, the United States employed Stuxnet, a computer worm virus, to target Iran’s nuclear facilities, which resulted in the disruption of Iran’s nuclear enrichment activities. This was the first known instance of a computer cyberattack that caused physical damage across international borders (Lindsay 2013). Similarly, for historical and practical reasons, there has been a long-term core conflict between the United States and North Korea, and cyber confrontations between them have emerged from time to time. In November 2014, Sony Pictures Entertainment, one of the “Big Five" major American film studios (commonly known as Sony Pictures or SPE and formerly known as Columbia Pictures Entertainment Wikipedia 2024), was attacked by hackers and suffered the complete paralysis of its telephone, email, and computer systems. The United States attributed this cyberattack to North Korea, claiming it to be the mastermind behind the incident. However, North Korea denied any involvement in this attack (Haggard and Lindsay 2015; Kim 2022).

Interstate cyber conflicts are jointly influenced by internal characteristics and foreign policies with regional differences

As shown in Fig. 5 and Table 1, internal attribute characteristics, such as economic ability, military power, and innovation ability, as well as external foreign policies, such as economic policy, military policy, and diplomatic policy, are important factors that influence a country’s engagement in cyber conflicts. These factors play different roles in different regions. By integrating the two perspectives, we aim to both highlight the characteristics of each region and identify some commonalities, thus achieving a comprehensive understanding of the intricate issue of cyber conflicts.

In East Asia and the Pacific, strong economic and trade capabilities and proactive economic policy jointly drive frequent cyber conflicts. In other words, the factors promoting cyber conflicts in this region are associated primarily with the economy. Taking a realistic view, this region is recognized as a global economic growth hotspot, and countries attach great importance to economic construction. Development has become the foremost national policy orientation in this region (UN 2014). For example, Japan, South Korea, Singapore and other countries have made remarkable achievements in economic construction and become exemplars of development in the region. The active economic policies and the increase in bilateral trade have propelled regional economic integration, promoted national trade and financial cooperation, and formed complex collaborative relationships in industrial chains (Ishikawa 2021; UN 2014). However, this situation also increases the opportunities for economic competition among countries in the region and inevitably leads to friction, disputes, protectionism and other conflicts of economic interest during the development process (Deacon 2022; Zhao 2019). Some countries may adopt cyber means to gain economic competitive advantages, which leads to the collision of economic interests that transform into geopolitical confrontations in the realm of cyberspace and thereby increases the risk of bilateral cyber conflicts (Center for Strategic and International Studies 2024; Tran Dai and Gomez 2018).

In North America and Western Europe, strong military power is a key factor in leading countries to initiate cyberattacks, whereas positive diplomatic policy contributes to reducing the occurrence of cyber conflicts. As a hub for developed countries, this region presents massive military expenditures and holds a prominent position in terms of cyber capabilities on a global scale (The International Institute for Strategic Studies 2021). Among them, the United States, benefiting from its superpower status, has achieved global dominance over ideology and geopolitical agendas. It pursues an overt policy of cyber deterrence and tends to use cyber means to directly attack targets it perceives as representing potential threats (Pendino et al. 2022). Other Western countries, such as the United Kingdom, France, Canada, and other North Atlantic Treaty Organization (NATO) members, as allies of the United States, not only address increasingly complex cyber threats through the alliance framework but also serve as collaborative implementers of the United States’ cyber strategy (Tekir 2022). Therefore, owing to the solid alliance relationships among Western countries, despite certain conflicts and contradictions of interest, cyber confrontations in this region can be effectively reduced through active diplomatic policy.

In the Middle East, Eastern Europe, Central Asia and South Asia, adversarial military policy and robust technological innovation ability can exacerbate cyber conflicts. Countries in these regions have long-standing border disputes, territorial contentions, and religious issues, and wars and conflicts occur frequently, such as the Russia–Ukraine war, India–Pakistan confrontation, Arab–Israeli conflict, etc. In such an environment, tough military policy is regarded as an important means to deter opponents and contain conflicts (Lüthi 2020). In addition, the realistic dilemma of political turmoil has compelled countries in this region to consider cyberspace as a novel battlefield for obtaining strategic advantages (Netolická and Mareš, 2018). However, there are obvious gaps among countries, with significant disparities in scientific and technological innovation ability and uneven development in internet infrastructure construction. This has resulted in some countries having overwhelming advantages in the field of cyberspace security and led to high asymmetry in terms of cyber capabilities. Consequently, this can easily translate into potential threats causing cyber conflicts (Ott 2022). Consequently, we believe that the cyber conflicts in this region may stem from the confrontational nature of military policy at the national level, as well as the asymmetric capabilities in cyberspace, both of which drive the high incidence of cyber conflicts in the region.

Conclusion

In this work, we analyse the fundamental characteristics and changing trends of global cyber conflicts from 2000–2020 and reveal the influencing factors behind cyber conflicts among countries from the perspectives of national attributes and bilateral relationships. First, cyber conflicts are an extension of traditional geopolitical games. On the one hand, cyberspace has gradually become a critical new battleground for geopolitical competition. On the other hand, interstate cyber conflicts also reproduce the geopolitical relations of the physical world. Second, cyber conflicts are influenced by multiple factors within a country and are closely associated with various aspects, such as the national economy, technology, and military. There are also regional differences in the influencing mechanisms. Finally, cyber conflicts are highly correlated with three types of foreign policies (i.e., bilateral economic, military, and diplomatic policies), and the impact of each policy exhibits pronounced regional characteristics. In conclusion, our study offers very interesting insights that greatly enrich the realm of cybersecurity research.

However, this study also has certain limitations. There may be issues with the attribution of the DCID dataset. That is, a country must acknowledge its involvement in initiating a cyber conflict, or the evidence must demonstrate the participation of a state. Otherwise, the relevant cyber conflict events are not included in the dataset. Moreover, we investigated only the impact of foreign policy networks on cyber conflict networks. It would be beneficial to incorporate other types of networks, such as physical conflict networks and international alliance networks, to better understand the influence of bilateral relations on cyber conflicts. Finally, it is also possible to leverage national attributes and bilateral relationships to enhance the attribution and prediction of cyberattacks, which would be particularly valuable for the analysis and detection of cyber threat intelligence.