The cyber paranoia mentality continues, spreading through hyperbole and fear. While cyber conflict is a real problem and an issue of concern, exaggerated claims of insecurity are the order of the day in the cyber security community.
I refrain from suggesting this community is academic because very few real questions or hypotheses are investigated. Instead, outlandish statements are the norm, devoid of context, history, or any real analysis.
Mikko Hypponen, a leading cyber security expert who regularly keynotes technical conferences and advises governments on cybercrime, is a case in point. He recently tweeted, “Cyber arms don’t work as a deterrent like nuclear weapons – because nobody knows what cyber arms countries have.” And he declared at AusCERT last month that we are in the age of a cyber arms race, without any evidence beyond a few examples. Many others believe a cyber arms race is ongoing. A survey by internet security firm McAfee finds that “57 percent of global experts believe a cyber arms race is ongoing.”
While it is an open question whether cyber weapons work as a deterrent, the second part of the statement is not informed by historical and contemporary policy analysis scholars have conducted on nuclear questions. Ask ten North Korean nuclear scholars how many nuclear weapons North Korea has, and there will be a set that will say none, a set that will say one, and a set that will say 2-3 weak ones. There might even be a few outliers saying five, but the point is no one knows for sure. After all, the entire point of many nuclear programs is complete secrecy. How many nukes does Israel have? What about the United States? We know how many weapons the US is supposed to have according to various nuclear arms reduction treaties but how accurate is this number? Does it count weapons in development? If you believe deterrence worked during the Cold War, you also have to accept that this period of deterrence operated without perfect information and with the Soviets only having minimal capabilities when compared to the United States.
When thinking about cyberwar, it behooves us to remember the debate during the Cold War. Various American policy makers and candidates asserted that the Soviet Union had far surpassed the United States in nuclear weapons capabilities. They were all wrong. The United States was far ahead of the Soviet Union the entire time and all that talk was hyperbolic and contributed to country spending too much money producing and deploying nuclear weapons. Just as thousands of nuclear weapons were not necessary to provide suitable deterrent a modest investment in cyber capabilities would likely be sufficient to prevent a massive cyber attack.
Returning to the debate over cyber conflict, prognosticators are right to point out the danger in the future of cyber war, but how dangerous might this world be? Cyber capabilities are important, but the enemy is knowable and limited.
Deterrence exists on many levels in cyber conflict.
First, collateral damage is a key issue. No country is willing to commit a cyber catastrophe due to the public relations fallout and moral hazard involved. The fallout from David Sanger’s series of articles about the Stuxnet operation makes this point clear. The Obama administration was fearful of collateral damage and dismayed to find out that Stuxnet escaped the lab through a thumb drive and laptop (much the same way the virus came into Iran). Instead of applauding the effort as a successful strategy, Congress has instead threatened investigations of leaks in the administration.
Even during outright war, countries have refused to use cyber capabilities for fear of crossing the line towards non-combatants. While there have been minor incidents, including low level denial of service attacks and website defacements by the Russians during the 2008 conflict with Georgia, no one has crossed the threshold into anything worthy of the label “cyberwar.”
It is possible to control some civilian industrial machinery to the point where systems can overload and many can die in an industrial accident, but few countries would be willing to go this far. Cyber terrorists might not have the moral limitations as governments, but so far they have proven to be completely ineffective and unable to compete with the cyber resources of states.
There is also limited cyber conflict because of fears of retaliation. While the United States is weak in its ability to protect itself from the outside attacks, there is no internet kill switch in the event of a massive attack. The issue still remains that while the US can be hit hard by a cyber attack, the collective capabilities of the US would far overwhelm any attacker. The final reason there is cyber deterrence is because of cyber blowback in the form of replicative attacks. Attack someone with cyber capabilities and risk them learning your tactics, replicating them, and reproducing them right back against you. The new Cyber Catch-22 if you will.
There is a fear to be associated with cyber conflict, but that fear is not unlimited and the threats aligned against the US are not unknowable. We cannot perpetuate this myth of a vast and dirty world of cyber conflict that is ready to destroy the US or other states. Deterrence in the cyber world can work, at least for now, and that means that cyber institutions in response to the this problem should focus on maintaining basic defenses to the problem, avoiding hyperbole, replicating positive cyber norms, and spending money in a rational manner in proportion to the threat faced.
Brandon Valeriano is an assistant professor at the University of Illinois at Chicago (soon to be University of Glasgow) and can be reached at [email protected].