We Aren't Clashing into a Cyber Pearl Harbor; but Sleepwalking into a Cyber Sarajevo

Pearl Harbor. | By U.S. Navy (photo 80-G-16871), Naval Historical Center photo NH 86118

For years, security experts have warned of a "Cyber Pearl Harbor"—a deliberate, devastating digital strike that cripples a nation's infrastructure overnight. This scenario, while captivating in its clarity, fundamentally misunderstands the nature of cyber risk. Pearl Harbor was a calculated act of aggression, meticulously planned and intentionally executed. The real danger we face isn't such deliberate warfare, but rather a "Cyber Sarajevo": an unexpected black swan event where a minor cyber incident in the murky gray zone of digital espionage accidentally triggers a cascade of miscalculations, alliance obligations, and public pressure that spirals into a catastrophic conventional war nobody intended or wanted.

The assassination of Archduke Franz Ferdinand in 1914 wasn't supposed to usher in a generation of global warfare. It was a localized act of terrorism that, through a toxic combination of rigid alliance systems, diplomatic failures, and domestic political pressures, transformed into the Great War. Today, we're constructing an eerily similar powder keg in cyberspace. 

Alliances in the Digital Domain: Promise and Peril

As nations extend their mutual defense commitments into the digital domain, with NATO explicitly declaring that a cyberattack could trigger Article 5, and the United States making similar commitments to Pacific allies, we're creating conditions where a single cyber operation gone haywire could become our generation's shot heard 'round the world.

Consider the intricate reality of modern cyber alliances. When Australia suffered a massive cyber campaign in 2020, allegedly from Chinese state actors, it wasn't just an Australian problem. Under the Five Eyes intelligence alliance and ANZUS treaty, the incident immediately involved the United States, United Kingdom, Canada, and New Zealand. Similarly, when Estonia faced devastating cyberattacks in 2007, NATO had to grapple with whether this constituted an "armed attack" requiring collective response under Article 5, but failed to reach a conclusion due to differing views on aggressor attribution and legal definition.

The interconnectedness goes deeper than formal treaties. Modern critical infrastructure transcends borders in ways our traditional alliance frameworks haven't fully grasped. The North American power grid is a single, integrated system where a cyber intrusion in Canadian utilities directly threatens American cities. European energy pipelines are tightly connected, and an attack on one country’s pipelines can instantly cascade through others’. When Salt Typhoon targeted telecommunications infrastructure across the Pacific, it wasn't attacking individual nations but an entire ecosystem of allied communications.

The Twilight Zone: When Espionage Becomes Attack

Things aren’t always clear as black and white in cyber operations; photo: pixabay

The fundamental challenge is that adversarial operations in cyberspace are in perpetual twilight. Unlike conventional military domains where the difference between a reconnaissance flight and a bombing run is clear, cyber operations exist in an indistinguishable gray zone. The same techniques used for legitimate intelligence gathering, which every nation conducts and tacitly accepts, are identical to those used for pre-positioning attacks on critical infrastructure.

Take China's Volt Typhoon campaign, discovered embedded in American water treatment facilities, power grids, and transportation systems. These actors use "living-off-the-land" techniques, leveraging legitimate system tools to move undetected through networks. Are they conducting espionage, or are they planting digital time bombs, ready to detonate during a future Taiwan crisis? The terrifying truth is there’s no way of telling because they use the same tools, distinguished only by intent. And intent can change in microseconds.

This ambiguity becomes explosive when filtered through the lens of public opinion and domestic politics. Imagine a scenario: headlines scream that foreign hackers have penetrated the power grid serving the capital city, and cable news runs 24/7 coverage with ominous graphics of darkened cities. Social media erupts with panic and fury. Politicians denounce the intrusion and demand that the President retaliate, or even invoke mutual defense treaty obligations and call upon their allies to join forces.

But what actually could have happened? Perhaps it was routine espionage that went too far. Maybe it was a criminal group using state-developed tools. Possibly it was pre-positioning for future conflict, or it could have been a probe to test defenses with no immediate hostile intent. The concerning truth is, by the time we figure out the truth, the pressure for action may have already pushed us past the point of no return.

Public Pressure: The Escalation Engine

Because it is difficult to immediately verify the identity and motive behind cyber operations, the allegedly concerned parties tend to have vastly different opinions about basic facts. After the U.S. accused China of being the perpetrator, China's National Computer Virus Emergency Response Center shortly released a report claiming Volt Typhoon is a false flag operation of the U.S. and its allies, designed to hide the U.S.’s own hacking campaigns overseas.

These contrasting narratives also eerily mirror the propaganda campaigns in the lead-up to World War I, when the peoples of each power were convinced their adversaries were plotting against them: German newspapers warned of British encirclement, British papers detailed German militarism, Russian media described Austrian aggression. Each narrative had kernels of truth, making them believable to domestic audiences. Today's cyber attribution debates likely parallel this pattern, at the speed of light over the internet. Where our great-grandfathers had weeks to digest competing claims about naval buildups and troop movements, we have hours to process allegations about infrastructure infiltration and false flag operations.

If these events are any hint, then, in the event of a consequential cyber incident, each population will likely believe its own government's narrative, and the allegedly aggrieved party’s people will demand bolder action against perceived aggressors. The pressure for retaliation builds on both sides simultaneously, creating a bilateral escalation dynamic where both nations feel they're responding defensively and legitimately to the other's aggression.

Public opinion in cyber conflicts is uniquely volatile and dangerous. Unlike traditional military threats that governments can often manage behind closed doors, cyber intrusions become instant public spectacles, and this immediacy transforms these incidents from abstract security concerns into visceral public crises demanding immediate response.

The media ecosystem amplifies this volatility. Every discovered intrusion becomes "breaking news," often sensationalized before facts are clear. Attribution—already difficult in cyberspace—becomes impossible when the news cycle demands answers in hours, not the days and weeks proper investigation requires. Democratic governments, especially those facing elections, cannot ignore public pressure for gratifying, forceful responses, even when restraint might be wiser in the long run.

This dynamic creates a terrible paradox: the more democratic and transparent a society, the more vulnerable it becomes to cyber escalation. Authoritarian regimes can absorb cyber intrusions quietly, controlling information and managing responses deliberately. Democratic nations face immediate public scrutiny, opposition criticism, and allied pressure, forcing rapid decisions with incomplete information. Then, how do we go about solving this conundrum?

Guardrails for Cyber Peace: Norms, Drills, and Circuit Breakers

The path forward requires abandoning two comfortable illusions that have indeed served the world well during the 20th century: that deterrence will work to preserve peace between nations, and that global consensus through institutions such as the UN will help impose rules and maintain stability. After nearly two decades of continual negotiations, the UN has produced only a handful of similar-sounding discussion mechanisms and a set of voluntary, non-binding cyber norms, often ignored by major powers.

If we are to avoid stumbling into a Sarajevo moment in cyberspace, the world must move beyond platitudes and begin constructing tangible guardrails. Vague calls to protect “critical infrastructure” are no longer sufficient; they are invitations to ambiguity, not dissuasion or deterrence.

Arms control history offers a lesson on specificity: treaties on nuclear and chemical weapons succeeded not because nations suddenly found goodwill, but because they imposed precise, verifiable thresholds: for example, 25kg of highly enriched uranium (HEU) and 10kg of Schedule 1 chemicals, respectively. Even if these thresholds have been violated in many instances by rogue nations, they nevertheless succeeded in establishing an international taboo where the ones violating these rules publicly become, well, rogue nations.

In the same vein, rules and norms in cyberspace require similar levels of granularity to be taken seriously by governments. That means grounding norms in technical reality. Instead of abstract prohibitions, states should agree on bright-line rules that can be monitored and enforced: forbidding unauthorized crossings from corporate IT into operational technology (OT) systems that run power plants or pipelines; banning manipulation of industrial control protocols; and declaring weaponization of the OT software supply chain a hostile act. These are not theoretical principles but concrete actions that can be verified and held to a standard. A norm rooted in the technical fabric of cyberspace gives the international community clarity and legitimacy to respond when crossed.

But norms alone are insufficient. States that extend defense commitments into cyberspace must prepare for the fog of crisis. We propose that allies convene annual “Operation Sarajevo” tabletop exercises as part of routine military drills, to stress-test decision-making chains under the scenario most likely to spark escalation: an ambiguous cyber incident against an ally with incomplete intelligence and intense public outcry. These simulations should force leaders to navigate domestic pressure, assess adversary intent, and practice emergency communication channels. By rehearsing in peacetime, states can reduce the risk of catastrophic miscalculation.

Finally, alliances need systemic restraints: escalation circuit breakers to slow momentum when emotions run hottest. A mandatory 72-hour “cyber pause protocol” before invoking collective defense would prevent precipitous escalation. During this pause, pre-designated multinational investigation teams should deploy to establish facts, while leaders follow pre-agreed response menus ranging from sanctions to legal indictments. These measures do not signal weakness—they introduce deliberation precisely when rash decisions could spiral into war.

Implementation cannot rest on international consensus. Alliances—whether NATO, Five Eyes, ANZUS, or China and Russia within their blocs—must lead the charge without waiting for international rules or norms to arise. These coalitions already bind states through security commitments and shared intelligence, making them natural venues to operationalize norms, run joint “Operation Sarajevo” drills, and enforce pause protocols in crises.

In short, the path forward is threefold: build enforceable, technical norms; rehearse the political fog of cyber crisis; and embed systemic brakes into alliances. Without these pillars, the ambiguity of cyber incidents will remain a live fuse, one spark from a chain reaction no one intended but everyone will regret.

Sleepwalking into Cyber Sarajevo

History won’t forgive sleepwalkers who saw danger coming; photo: pixabay

History teaches us that wars often begin not with a deliberate charge, but with leaders stumbling forward like sleepwalkers trapped in uncertainty, pressured by public outrage, and blind to the unintended consequences of their choices. The July Crisis of 1914 was not a march to war; it was a series of missteps that turned a single assassination into a world conflagration.

Cyberspace today holds the same peril. Without clear thresholds, practiced communication protocols, and systemic restraints, governments risk sleepwalking into a cyber Sarajevo of our own making. The choice is stark: either we construct prohibitive, verifiable norms and crisis safeguards now, or we leave ourselves at the mercy of confusion, fear, and momentum when the next ambiguous incident strikes.

The question isn't whether we'll ever face a cyber crisis serious enough to entertain these scenarios—that's virtually certain given the thousands of intrusions occurring daily. The question is whether that crisis becomes our generation's sleepwalk into catastrophe, or whether we'll have built the institutions, norms, and safeguards to manage it without triggering the very war that the establishments of the post-World War era were supposed to make obsolete.

The clock is ticking. Every day without action is another day we gamble that the next cyber incident won't be the spark that lights the powder keg. History doesn't forgive those who see danger coming but fail to act. The time to wake up is now. We cannot afford to be the sleepwalkers of the digital age. 

 

The views expressed in this article are those of the author and do not represent those of any previous or current employers, the editorial body of SIPR, the Freeman Spogli Institute, or Stanford University.

 

Stanford International Policy Review
