The Fog of Cyberwar

Why the Threat Doesn’t Live Up to the Hype

Israeli-Iranian tensions have risen in recent months, but despite all the talk, this conflict is not playing out in the cybersphere. There were only eight cyberattacks between these states from 2001 to 2011, four launched by Israel, four by Iran. Although Stuxnet and Flame were more severe, Iranian attempts to disrupt government websites have not been very sophisticated. And Israel’s near-insistence on an armed conventional attack proves that even the most sophisticated cyberattacks are not changing state behavior.

Cyberattacks are rare, and when they do occur, states are cautious in their use of force. As with conventional and nuclear conflict, some of the principles of deterrence and mutually assured destruction apply. Any aggressor in cyberspace faces the acute threat of blowback: having techniques replicated and repeated against the initiator. Once developed, a cyberweapon can easily be copied and used by a tech-savvy operative with access to a critical system such as the Defense Department’s network, which foreign-government hackers have had success infiltrating.

Far from making interstate cyberwarfare more common, the ease of launching an attack actually keeps the tactic in check. Most countries’ cyberdefenses are weak, and a state trying to exploit an adversary’s weakness may be similarly vulnerable, inviting easy retaliation. An unspoken but powerful international norm against civilian targets further limits the terms of cyberwarfare.

The United States and other responsible powers should restrain their use of the tactic in order to avoid escalation. Attacks such as Flame and Stuxnet are dangerous because they break down the standard of mutually beneficial restraint. These attacks caused little damage in the end, but they still may have encouraged other states to bulk up their own capabilities. The main danger is that one state will overuse the tactic and push other states to do the same.

There is also concern that some countries will overreact to the cyberthreat by clamping down on the freedoms that make the Internet an open and dynamic space. A paranoid government might be tempted to develop extreme defenses, such as a kill switch, that would allow it to shut down all incoming and outgoing cybertraffic. Such a drastic step would have a chilling effect on society, creating more problems than it would solve. This is yet another reason why international standards and communication are crucial.

Cooperation on the cyberwar threat originated in an unlikely place: Estonia. A tiny country with a population of just over one million, it has become a global leader in promoting cyberspace rules and norms that keep states, democratic and autocratic alike, in line. Estonia was thrust into the spotlight after the 2007 cyberattack by Russia and the widespread international condemnation of Russia that followed. Instead of lashing out against its attacker, the small state sought a world forum to discuss its case; since then, it has hosted the International Conference on Cyber Conflict four times. This conference is an offshoot of NATO and hosts countries such as the United States, Canada, the United Kingdom, France, Germany, and Italy.

The gatherings have successfully promoted the adoption of norms and modes of restrained behavior in cyberspace. Developments include the agreement that territorial sovereignty applies to a state’s cyberspace, and that cyberwarfare is covered by Article 51 of the UN Charter, which allows a state to take action in response to an attack. Along these same lines, cyberattacks are now being categorized on an intensity scale to help determine what a proper international response might be.

To be sure, cyberterrorism is still a danger. This is a development that will be more difficult to deter. However, fear of a lone cyberterrorist -- like the recent Bond villain in Skyfall who is capable of bringing a government to its knees -- is unfounded. To be effective, cyberwarfare requires substantial infrastructure, money, and ground operatives. Because these resources are hard to come by, most cyberattacks launched by rogue individuals are trivial or personal. For example, in 2011 the hacker group Anonymous attacked and shut down the PlayStation network in response to a lawsuit against programmers who modified the software. The network was down for weeks, but aside from creating some disgruntled gamers, the attack left no real damage.

In short, this seldom-used tactic will not change foreign policy calculations anytime soon. Cyberwarfare poses a threat only if it is grossly overused or mismanaged, or if it diverts resources toward a mythical fear and away from real threats.