A chart showing cyberattacks by initiator and victim between 2001 and 2011. (Sam Pepple / Sample Cartography)
In mid-2010, thousands of centrifuges, enriching uranium at Iranian nuclear research facilities, spun out of control. The instruments were mysteriously reprogrammed to operate faster than normal, pushing them to the breaking point. Iranian computer systems, however, inexplicably reported that the centrifuges were operating normally. This incident, it was later revealed, was the work of the infamous Stuxnet computer worm, presumed to be the creation of the United States and Israel, and one of the most sophisticated cyberweapons to date. The infiltration was initially thought to have set back Iran’s suspected nuclear weapons program three to five years, although current estimates are in the range of two years to a few months.
Stuxnet was followed by the Flame virus: a new form of malware that infiltrated several networks in Iran and across the Middle East earlier this year. Flame copied text, recorded audio, and deleted files on the computers into which it hacked. Israel and the United States are again the suspected culprits but deny responsibility.
These two attacks generated substantial buzz in the media and among policymakers around the world. Their dramatic nature led some experts to argue that cyberwarfare will fundamentally change the future of international relations, forcing states to rethink their foreign policy. In a speech to the New York business community on October 11, 2012, U.S. Defense Secretary Leon Panetta expressed fear that a cyber version of Pearl Harbor might take the United States by surprise in the near future. He warned that the U.S. government, national power grids, transportation systems, and financial markets are all at risk and that cyberdefense should be at the top of the list of priorities for President Barack Obama’s second term.
The Stuxnet and Flame attacks, however, are not the danger signs that some have made them out to be. First of all, the viruses needed to be physically injected into Iranian networks, likely by U.S. or Israeli operatives, suggesting that the tactic still requires traditional intelligence and military operation methods. Second, Stuxnet derailed Iran’s nuclear program for only a short period, if at all. And Flame did nothing to slow Iran’s nuclear progression directly, because it seems to have been only a data-collection operation.
Some cyberattacks over the past decade have briefly affected state strategic plans, but none has resulted in death or lasting damage. For example, the 2007 cyberattacks on Estonia by Russia shut down networks and government websites and disrupted commerce for a few days, but things swiftly went back to normal. The majority of cyberattacks worldwide have been minor: easily corrected annoyances such as website defacements or basic data theft -- basically the least a state can do when challenged diplomatically.
Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of 124 active rivals -- defined as the most conflict-prone pairs of states in the system -- engaged in cyberconflict between 2001 and 2011. And there were only 95 total cyberattacks among these 20 rivals. The number of observed attacks pales in comparison to other ongoing threats: a state is 600 times more likely to be the target of a terrorist attack than a cyberattack. We used a severity score ranging from five, which is minimal damage, to one, where death occurs as a direct result of cyberwarfare. Of all 95 cyberattacks in our analysis, the highest score -- that of Stuxnet and Flame -- was only a three.
To be sure, states should defend themselves against cyberwarfare, but throwing vast amounts of money toward a low-level threat does not make sense. The Pentagon estimates it spent $2.6 to $3.2 billion on cybersecurity in fiscal year 2012. And it is likely that such spending will only increase. The U.S. Air Force alone anticipates spending $4.6 billion on cybersecurity in the next year. Even if the looming “fiscal cliff” guts the Defense Department’s budget, Panetta has made clear that cybersecurity will remain a top funding priority. At a New York conference on October 12, 2012, he described the United States as being in a “pre-9/11 moment” with regard to cyberwarfare and said that the “attackers are plotting,” in reference to the growing capabilities of Russia, China, and Iran.
Of the 20 ongoing interstate rivals in our study, China and the United States cybertargeted each other the most. According to our study, Beijing attacked U.S. assets 18 times and Washington returned fire twice. Two notable attacks were the 2011 Pentagon raid, which stole sensitive files from the Defense Department, and the 2001 theft of Lockheed Martin’s F-35 fighter-jet schematics. These attacks get only a moderate severity score because they targeted specific, nonessential state documents and were not intended to affect the general public. Over the same time span, India and Pakistan targeted each other 11 times (India five times, Pakistan six), as did North and South Korea, with North Korea being the aggressor ten times and South Korea launching one return attack. These ranged from minor incidents, such as Pakistan defacing an Indian government website, to more serious ones, such as North Korea stealing sensitive state documents from South Korea.