The term gray zone, in the context of cyberspace, refers to a state of ambiguity and uncertainty in which cyber operations and malicious activities occur in ways that blur the line between normal behavior and acts of aggression or conflict, thereby fostering conditions conducive to maintaining plausible deniability (Schmitt, 2017; Wirtz, 2017). These conflicts are marked by ambiguity, attribution difficulties, and multiple actors. Although not amounting to armed conflict, gray zone actions may generate significant political, economic, and strategic consequences, blurring boundaries between cybersecurity and cyber defense.

The challenges posed by the gray zone on security governance have a direct impact on countries’ cyber statecraft. This issue becomes particularly relevant as states such as Brazil, Chile, and Costa Rica are currently debating their national policies and strategies on cybersecurity and cyber defense (see, for instance, Brazil, 2023; Costa Rica, 2023; Goldoni et al., 2023; Goldoni et al., 2024; Chile, 2025). Examining the case of the United States, widely regarded as one of the most advanced nations in these areas, may thus provide valuable insights into potential challenges and pathways available to other states.

The objective of this article is to examine how the fogginess of security governance of cyberspace, coupled with the expansion of security and defense actors beyond their formal mandates, may shape the perception of conflict in this domain. The research question guiding the paper is: How can states address the challenges posed by the security governance of cyberspace? To achieve the objective and to answer the question, the article will explore how the United States navigates governance challenges.

While the literature on gray zone conflicts in cyberspace has largely focused on ambiguity, attribution problems, and the diffusion of actors, this article suggests the existence of a gray security governance in cyberspace; that is the presence of a multiplicity of actors involved in the securitization of cyberspace who, at times, operate beyond their formal institutional responsibilities and, at other times, act in an uncoordinated manner. More specifically, gray security governance captures how institutional overlaps, fragmented mandates, and blurred conceptual as well as legal and normative frameworks of cybersecurity and cyber defense contribute to the perception of an environment characterized by uncertainty and persistent attribution challenges.

Given the scope of the article, it does not aim to theorize gray security governance. Instead, the term is employed as an analytical lens to account for gray zone phenomena in cyberspace. Gray security governance is treated primarily as an intervening analytical condition that shapes how gray zone conflicts may emerge, rather than as a direct causal driver or a purely dependent outcome.

Uncertainty in cyberspace is often presented as an intrinsic characteristic of the domain. However, this article argues that such uncertainty is also shaped by legal, institutional, and governance arrangements that evolve unevenly across states. In this sense, ambiguity in cyberspace should not be understood solely as a technological or ontological feature, but also as a product of how states design, interpret, and implement governance structures in this domain.

The article advances the existing gray zone literature in two ways: (i) It shifts the focus from gray zone activities as isolated strategic practices to the governance structures that condition and shape such practices in cyberspace. Beyond that, (ii) it highlights how security governance arrangements themselves may become gray not only because of deliberate strategic choices, but also due to the interaction between the fluid nature of cyberspace and the multiplicity of actors involved in its regulation, protection, and defense.

The use of the United States as an illustrative case does not aim at generalization in a strict empirical sense. Instead, it serves to demonstrate how a highly developed cyber governance structure can still exhibit governance ambiguity when multiple organisms with partially overlapping mandates operate within the same domain. The broader insight, therefore, is not tied to the specific institutional design of the United States, but to structural features of cyberspace that may similarly affect other states, although in different configurations.

Cyberspace is composed of three layers: the physical layer, which encompasses cables, satellites, and hardware; the syntactic layer, referring to software and communication between networks; and the human layer, which represents decision-makers and the cognitive dimension that shapes this domain (Rattray, 2009; Cornish, 2015). These layers help explain core peculiarities of cyberspace explored in this section: attribution difficulties, uncertainty, and the multiplicity of actors. Attribution remains one of the most challenging tasks in cyberspace, as aggressive acts can be carried out under the belief that anonymity will be preserved. Episodes such as the 2007 Estonian cyberattacks and Stuxnet in 2010 are still formally unattributed, despite the existence of indications regarding potential responsible actors (Guitton, 2012; McKenzie, 2017).

Uncertainty is equally central to understanding state action in the cyber domain (Kaminska, 2021). States are often cautious before responding to cyberattacks, aware of the risks associated with misattribution. According to Kaminska, uncertainty derives from the nature of cyberspace itself and the relative ease with which cyber capabilities can proliferate among diverse actors. This proliferation contributes to the diffusion of power in cyberspace, including to non-state actors, and increases the potential impact of cyber capabilities when deployed by a wide range of actors operating under different motivations and levels of accountability.

When considering the multiplicity of actors in cyberspace, this dynamic may also extend into national governance structures. In the United States, there is a considerable number of government agencies, such as the United States’ Cyber Command (USCYBERCOM), the National Security Agency (NSA), the Department of Homeland Security (DHS); the Cybersecurity and Infrastructure Security Agency (CISA); the Federal Bureau of Investigation (FBI); the National Cyber Investigative Joint Task Force (NCIJTF); the U.S. Secret Service; the Department of Justice’s Cybersecurity Unit; the Department of Defense’s Cyber Command; and the Department of Defense’s Cyber Crime Center, involved with cybersecurity and cyber defense related issues. On the one hand, the number of agencies involved in the country’s cyber governance structure reflects the strategic importance attributed to cyberspace. On the other hand, if not well-coordinated, such governance arrangements may generate duplicated efforts and overlapping operational spaces, which can blur institutional boundaries and operational responsibilities.

The ambiguity associated with these characteristics connects directly to the broader discussion of gray zone dynamics. While discussing this concept, Cormac and Aldrich (2018) highlight the role of plausible deniability, where actors may deny responsibility due to the absence of conclusive evidence. However, for the authors, covert actions in the gray zone are “less about plausible deniability and more about non-acknowledged intervention as performance” (Cormac and Aldrich, 2018, 493). Covert action may therefore be designed to signal capability, even without formal recognition. In the context of U.S. cyber governance, the overlap among CISA, USCYBERCOM, the NSA, and the FBI illustrates how the multiplicity of actors can complicate attribution processes and expand the range of operational responses available to state institutions operating within ambiguous institutional and normative environments.

Due to the intrinsic characteristics of cyberspace, the domain may provide particularly permissive conditions for gray zone activities. The ambiguity often associated with gray zone conflicts can create opportunities for state actors to pursue strategic objectives, avoid escalation into traditional armed conflict, operate under reduced expectations of immediate accountability, and signal capabilities through operational performance (Lindsay, 2013; Rid and Buchanan, 2015; Segal, 2016; Cormac and Aldrich, 2018).

Even states with traditional deterrence capabilities may operate in the gray zone to pursue strategic goals while attempting to avoid the political and strategic consequences typically associated with open conflict (Hoffman, 2016). Schadlow (2014) notes that the space between war and peace contains diverse competitions requiring state attention, while Brands (2016, 1) characterizes gray zone conflicts as coercive but engineered to remain “below the threshold of conventional military conflict and open interstate war.”

In the United States, the USCYBERCOM holds the responsibility to plan, coordinate, and execute large-scale cyber operations in response to cyber threats (United States, 2018). This institutional flexibility allows the Cyber Command to engage in defensive cyber operations, as well as in activities that may be interpreted as offensive or pre-emptive within gray zone dynamics, enabling the state to pursue strategic objectives without crossing the threshold of armed conflict. Acting below the threshold of war or armed conflict may involve activities or strategies that fall short of open military confrontation but still aim to shape strategic outcomes.

According to Brands (2016), although gray zone conflicts are not limited to a specific domain, cyberspace may offer particularly favorable conditions for this type of action. Among the factors that contribute to this dynamic are the difficulty in determining clear operational boundaries, challenges associated with accountability, and the persistent lack of clarity in international norms and regulatory frameworks governing cyber activities (Brown and Poellet, 2012; von Heintschel Heinegg, 2013).

The gray zone represents a state of ambiguity in which cyber operations and malicious activity occur without crossing the threshold of armed conflict. Security governance refers to the structures, processes, policies, and practices used by actors to coordinate and address national security and defense issues. Gray security governance can be understood as a form of governance marked by institutional and normative ambiguity, which may create permissive conditions in which actors operate beyond strictly defined traditional roles. This may occur when agencies operate within ambiguous boundaries between concepts such as cybersecurity and cyber defense.

It is acknowledged that there are many uses to the concept of Governance, such as bureaucratic control (Furtado Rodrigues and Pacheco Filho, 2025), public integrity (Oliveira et al., 2024); collaboration (Ansell and Gash, 2008), domestic concertation of actors, processes and decision-making in a domestic set (Goldoni et al., 2023) and so forth. According to Peters and Pierre (1998), governance increases governmental capacity through strategic inter-organizational coalitions with actors beyond the state. It is therefore necessary to observe how governance develops and to assess the influence of actors within a given structure. Yong and Wenhao (2012) add that governance reflects the various ways individuals and institutions manage common affairs. Thus, governance can be defined as a joint approach to addressing specific issues, involving public and private actors and civil society organizations.

For Krahmann (2003), security governance refers to the structures and processes that allow actors to coordinate mutual needs and interests via decision-making and implementation in the security area in the absence of a central authority. The concept of security governance was introduced in the field of International Relations at the end of the Cold War (Flemes and Radseck, 2009). The term reflects the fragmentation of the security agenda during a transitional period in which there was no longer a unified military threat, but an expansion of threats and risks arising from both state and non-state actors.

Similar to constructivist interpretations of anarchy, ambiguity in cyberspace governance can be understood as socially and institutionally produced rather than purely technologically determined. In this sense, governance arrangements in cyberspace may reflect not only technical constraints but also institutional design choices, organizational interactions, and evolving policy interpretations.

When considering the United States, it is possible to identify an established security governance structure operating in cyberspace. However, when comparing the definitions provided in U.S. documents for the concepts of “cybersecurity” and “cyberdefense” (see Table 1) with the observed activities of actors involved in these areas, governance may appear blurred in practice. The United States case is therefore used not as a universal model of cyber governance, but as an empirical illustration of how advanced institutional architectures can still operate within ambiguous legal and operational boundaries in cyberspace. In this context, gray zone dynamics may emerge not only from the intrinsic characteristics of cyberspace, but also from legal gaps, overlapping institutional mandates, and fragmented governance arrangements.

From the definitions of cybersecurity and cyberdefense (see Table 1), one can infer that, while the former is primarily defensive or preventive in nature, the latter entails a more active and assertive posture, since it emphasizes the proactive and, at times, offensive dimension of its capabilities.

One example of cyberspace’s security governance structures in the United States is the NCIJTF, led by the FBI. This task force coordinates, integrates, and shares information on cyber threat investigations (United States, 2021a; United States, 2021b; United States, 2021c; United States, 2021d; United States, 2021e). The FBI’s responsibilities in cyberspace include defending networks and information systems, holding malicious actors accountable, suggesting sanctions, and considering retaliation. The FBI’s United States (2022c) aims to impose risk and consequences on adversaries, asserting the agency’s ability to influence the behavior of criminals and nation-states targeting US networks. This offensive posture contrasts with Morgenthau’s (2003) concept of power. Although primarily an investigative and domestic intelligence agency, the FBI has expanded operational practices into areas traditionally associated with cyber defense, such as responding to cyberattacks. In doing so, its actions may extend beyond the country’s formal definition of cybersecurity and into activities that could be interpreted as cyber offense, which are traditionally associated with USCYBERCOM.

As its name indicates, the Cybersecurity and Infrastructure Security Agency (CISA) represents a security agency. Nonetheless, its activities may, in practice, extend beyond the US’s definition of Security (Table 1). CISA takes on responsibilities for promoting assistance, analyzing the impact, and identifying those responsible for cyberattacks, as well as coordinating responses to attacks that may have been carried out by external actors and/or other states (United States, 2023). Carrying out offensive measures against external actors has traditionally been associated with cyber defense organizations, such as USCYBERCOM.

But why is it that cybersecurity agencies in the United States continue to act beyond their traditional attributions? This, however, is not a simple question, and there are several possible explanations. One possibility is that, up until this moment, US agencies may have operated within ambiguous institutional and legal environments that reduce clear mechanisms of accountability. Another possible explanation could be the non-existence of internationally standardized and widely accepted terms for cybersecurity and defense, which may allow states to coordinate cyber operations with greater interpretive flexibility. A further explanation may lie in bureaucratic competition over authority, resources, and budgetary allocations among agencies.

The reason why we argue that there is gray security governance occurring in cyberspace is that, even though states have cyber-specific organizations to deal with cybersecurity and cyber defense – as illustrated by the U.S. examples – and although these structures may appear highly organized from an external perspective, it is still possible to observe that these organizations may not always be fully aligned or coordinated to respond according to their formally defined attributions. However, it is important to highlight that this dynamic may reflect both bureaucratic adaptation to a complex domain and, in some cases, the strategic advantages created by operating within ambiguous governance environments, rather than necessarily representing deliberate institutional design.

The lack of clarity in international norms, regulations, and legislation in cyberspace (Brown and Poellet, 2012; von Heintschel Heinegg, 2013) may create permissive conditions that make cyberspace an appealing environment for gray zone activities, which could lead to significant security and governance challenges. Rather than assuming a deterministic relationship, this article suggests that structural ambiguity in cyberspace and institutional ambiguity in governance arrangements interact in mutually reinforcing ways, creating permissive environments in which gray zone practices can develop without necessarily being predetermined.

Furthermore, the existing legal gap in cyberspace may contribute to sustaining conditions associated with gray security governance among the securitizing actors in this domain. In the U.S. examples, for instance, it is possible to observe that both security and defense agencies operate within spaces that may overlap with gray zone dynamics, a pattern that may also be observed in different forms in other countries. Due to the lack of legal clarity and international agreement regarding the roles of security and defense actors in cyberspace, and because of the persistent ambiguity surrounding this domain, mechanisms of accountability may be more difficult to operationalize, potentially reducing the likelihood of sanctions when agencies operate beyond their formal assignments.

Consequently, the very meaning of Security and Defense in cyberspace might become more fluid and context-dependent. Unlike traditional domains, where there are territorial and operational limitations, as well as clearer legislation defining the expected roles of security and defense agencies, these limits are still not fully consolidated in cyberspace, even though countries such as the U.S. have opted to recognize cyberspace as a domain of conflict alongside air, land, sea, and outer space. This legal gap, therefore, could create conditions in which state actors operate with greater interpretive flexibility, sometimes extending beyond their formally defined assignments. Thus, gray security governance in cyberspace conditions and shapes gray zone dynamics, rather than determines them.

These issues point to broader reflections surrounding the drivers of gray security governance in cyberspace. Such governance may reflect a lack of institutional adaptation to cyber-specific security challenges, but it may also stem from strategic convenience, bureaucratic inertia, or the fluid and evolving nature of cyberspace itself. Organizations originally conceived within an “analog” security environment may therefore struggle to respond effectively to a domain that transcends territorial boundaries and challenges traditional expressions of state power. In this sense, and echoing Wendt’s constructivist argument that anarchy is what states make of it, cybersecurity, cyber defense, and gray zone dynamics may likewise be shaped by how states define, interpret, and operationalize these concepts over time.

These insights highlight that gray security governance is not merely an analytical concern, but also a practical policy challenge. The following policy considerations are derived directly from the governance dynamics discussed throughout this article.

Firstly, clarifying the roles of security and defense organizations in cyberspace could strengthen accountability mechanisms and improve governance coordination. Beyond operational efficiency, clearer role definition may help reduce ambiguity generated by overlapping mandates and fragmented institutional authority, which, as illustrated in the U.S. case, can create conditions in which different actors interpret their responsibilities in partially conflicting ways. In this sense, role clarification should also be understood as a mechanism for reducing structurally produced governance ambiguity, thereby reducing the conditions under which gray security governance may persist.

Secondly, promoting interagency coordination mechanisms, both domestically and internationally, might improve information-sharing and operational coherence. Beyond improving response efficiency, stronger coordination may help reduce situations in which multiple organizations develop parallel or partially conflicting interpretations of authority, responsibility, and operational scope. In governance environments characterized by institutional overlap, coordination mechanisms may therefore function as stabilizing tools that help limit the emergence of operational ambiguity and reduce the likelihood of fragmented responses that contribute to gray security governance dynamics.

Finally, advancing international discussions on norms of responsible state behavior in cyberspace could contribute to cooperation among states facing shared threats and might help reduce opportunities for actors to operate within ambiguous governance environments. In this sense, norm development should not be understood only as a regulatory or diplomatic process, but also as a mechanism through which shared expectations of behavior can reduce interpretive uncertainty across jurisdictions. Over time, clearer normative environments may contribute to reducing structurally produced ambiguity in cyberspace governance, particularly in areas where legal frameworks and institutional mandates remain unevenly developed across states.