Earlier this month, a senior Justice Department official referred to ransomware as a potential “cyber weapon of mass destruction.” When hackers subsequently disabled the Colonial Pipeline, causing fuel shortages and disruptions along the East Coast, it seemed to validate this warning. But it would be a mistake for the policy establishment to double down on an outdated view of cyber conflict rooted in Cold War analogies. To improve U.S. cyber security, policymakers should draw instead on more relevant strategic lessons from the study of terrorism and counter-terrorism.
The tendency to draw simple comparisons between cyber and nuclear attacks has been repeatedly critiqued, but the residue of this thinking lingers. Debates over how to deter or punish cyber attacks still frame them as infrequent and catastrophic. In practice, though, cyber security looks more like counter-terrorism than nuclear strategy — with frequent and repeated interactions between antagonists, a continual contest for information, and multi-party engagements amidst a sea of unaligned parties. Approaching cyber security with reference to counter-terrorism strategy would offer benefits to policymakers, particularly by highlighting the importance of ruthlessly prioritizing risk, winning the intelligence competition, privileging detection over reaction, and promoting strong private sector cooperation.