Changes in the fundamental dynamics of cyber conflict have been insignificant since Cuckoo’s Egg in 1986, the first cyber incident with national security implications. The constant change that many identify with cyber conflict only applies to the technology involved, stressed Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, not the strategic implications.
On November 15, 2013 a panel of cyber experts, featuring Mr. Richard Bejtlich, the chief security officer of MANDIANT, Dr. Greg Rattray, senior fellow in the Cyber Statecraft Initiative and chief executive officer of Delta Risk, and Mr. Jason Healey, director of the Cyber Statecraft Initiative addressed the past, present, and future of cyber conflict.
The discussion, moderated by Tom Gjelten of National Public Radio, highlighted the argument that although current cyber threats and incidents are considerable, the cyber domain hasn’t matured as rapidly as have other war fighting domains over the course of history.
A study of cyber conflict history reveals the value of using the term “cyber conflict” instead of “cyber war.” Cyber conflict covers a wider array of implications and options for decision-makers than cyber war, which prompts the consideration of only traditional kinetic responses. Mr. Bejtlich pointed out that in his consideration the current cyber espionage from China can be identified as a form of conflict—the goal of the activity is to gain competitive advantage which will allow the country to sustain its economic and military power.
The cyber domain has not matured as rapidly as the traditional military domains, emphasized Dr. Rattray. The claims that cyber is the next big decisive capability in war fighting have tended to be more exaggerated than the actual progression in the field indicates. However, as the past incidents such as Stuxnet or the Iranian attacks on financial systems suggest, the increased reliance of our societies on the Internet may advance the rate and scale of incidents. It is not the danger of a digital “Pearl Harbor” but of many digital guerilla wars that may categorize the future cyber conflict.
In current cyber conflicts, non-state actors take an offensive stance while the private sector remains on the defense. Dr. Rattray stressed that there is a need to leverage a broader set of resources to protect the United States. This new approach may include a cyber force trained and equipped separately from the military, which would be able to respond to cyber incidents, suggested Mr. Bejtlich.
A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, the first cyber conflict history, edited by Mr. Healey, highlights the overall lessons to be learned regarding cyber conflict. Mr. Healey concludes that “the more strategically significant the cyber conflict, the more similar it will be to the existing the conflict in air, land, and sea.” Strategic attacks do not happen at the speed of light, as the current narrative about cyber conflict in general suggests, they typically take place over a period of time. A change in mindset is needed to tackle current cyber challenges and will come from a shift in focus from the technical and tactical aspect of the cyber conflict to considering cyber conflicts as just another type of national security conflict.