Abstract
In this essay, the author argues that cyber war does not pose the existential threat to humanity that nuclear weapons do. Still, some experts have called for cyber arms control negotiations and formal treaties. Differences in cultural norms and verification difficulties make such treaties hard to negotiate. International talks and cooperation might, however, develop rough rules of the road—analogous to those developed for nuclear weapons early in the Cold War—that can limit cyber conflict. The most promising early areas for international cyber cooperation are probably not bilateral conflicts but problems posed by third parties such as criminals and terrorists. It is likely, the author contends, that major governments will eventually give higher priority to cooperation that works against the insecurity created by non-state actors with cyber weaponry. But the world is far from such a response at this stage of cyber development, just as the major powers did not begin such cooperation on nuclear weapons until the third decade of the nuclear era.
Gen. Martin E. Dempsey, chairman of the US Joint Chiefs of Staff, recently declared that cyber attacks had “escalated from an issue of moderate concern to one of the most serious threats to our national security. We now live in a world of weaponized bits and bytes, where an entire country can be disrupted by the click of a mouse.” 1 And while 20 nations now have military units dedicated to employing cyber in war, we may not be sure whether the hand on that mouse will be that of an official or a non-state actor.
“Cyber” is a prefix standing for computer- and electromagnetic spectrum-related activities, and the cyber domain includes not only the Internet of networked computers but also intranets, cellular technologies, fiber optic cables, and space-based communications. This domain is a complex man-made environment in which the barriers to entry are so low that non-state actors and small states can play significant roles. In The Future of Power, I describe the diffusion of power away from governments as one of the great shifts of this century, and cyberspace is a perfect example of the trend (Nye, 2011). The largest powers are unlikely to be able to dominate the cyber domain as they have others like sea, air, or space. Large countries may have greater cyber resources than non-state actors, but they also have greater vulnerabilities, and at this stage in the development of the technology, offense dominates defense in cyberspace.
Until recently, the issue of cyber security was largely the domain of computer experts. When the Internet was created 40 years ago, its users comprised a small community, a virtual village of people who knew each other, and they designed an open system with little attention to security. Since then, the commercial web has exploded from a mere 10 million users in the early 1990s to some three billion users today. This burgeoning user base has created growing interdependence, along with great opportunities and vulnerabilities that strategists do not yet fully comprehend. In a chronological comparison to the nuclear technology revolution, strategic studies of the cyber domain might be considered equivalent to those of nuclear 1960, but conceptually, our understanding of the cyber domain is more reasonably comparable to strategic assessments of nuclear arms circa 1950. Analysts of cyberspace are still not clear about the meaning of offense, defense, deterrence, escalation, norms, and arms control. At the same time, there is a danger of hyping the cyber threat. As Thomas Rid warns in his recent book, Cyber War Will Not Take Place, it is important not to exaggerate the dimensions of cyber attack (Rid, 2013).
The term “cyber attack” covers a wide variety of actions, ranging from simple probes, to defacing web sites, to denial of service, to espionage and destruction. Similarly, the term “cyber war” is used very loosely for a wide range of behaviors. In this, it reflects dictionary definitions of “war” that range from armed conflict to almost any hostile contention (including, for example, the metaphorical “war on drugs”). A more useful definition of cyber war equates it to hostile actions in cyberspace that have effects that amplify or are equivalent to major physical violence. If one treats hacktivism (i.e., individual and group use of the cyber realm to promote political and social protest) as mostly a disruptive nuisance at this stage, there are four major categories of cyber threats to national security, each with a different time horizon and with different solutions (at least in principle): Cyber war and economic espionage are largely associated with states; cyber crime and cyber terrorism are mostly associated with non-state actors. At present, the highest costs come from espionage and crime, but over the next decade or so, sabotage, war, and terrorism may become greater threats than they are today. Moreover, as alliances and tactics evolve among different actors, the categories may increasingly overlap.
Cyber and nuclear war
From what we can discern now, nuclear and cyber war would be enormously different experiences. Nuclear explosions are unambiguous and immediate; cyber intrusions can plant logic bombs in the infrastructure that may go unnoticed for long periods. Moreover, cyber destruction can be disaggregated, and small doses of destruction can be administered over time. Even more dramatic is the difference in destructiveness. Unlike nuclear hostilities, cyber war does not pose an existential threat to humanity. As Martin Libicki of the RAND Corporation once commented, destruction of cyber systems could return us to the economy of the 1990s—a huge loss of GDP—but a major nuclear war could return us to the Stone Age (Libicki, 2009, 2011). In that and other dimensions, cyber weaponry might be more appropriately compared with biological and chemical arms.
While there are many degrees of nuclear destruction, all are above a dramatic threshold or firebreak, and there has been a taboo against any nuclear weapons use for seven decades. In addition, although there is an overlap of civilian and military nuclear technology, nuclear technology originated in the war-fighting apparatus. Its civilian and military uses are more clearly different than in the cyber realm, where the web has burgeoned in the civilian sector. For example, the “dot mil” domain name represents only a small part of the Internet, and 90 percent of military telephone and Internet communications travel over civilian networks. Finally, because of low costs and easy commercial access to the web, the barriers to entry to cyberspace are much lower for non-state actors than is the case in the nuclear realm. While nuclear terrorism is a serious concern, the barriers for non-state actors gaining access to nuclear materials remain high—but renting a botnet to wreak destruction on the Internet is both easy and cheap. (At the same time, a sophisticated program like Stuxnet that destroyed Iranian nuclear centrifuges was difficult and costly.)
Cyber and nuclear learning
Despite these important technical and political differences between nuclear and cyber hostilities, there are some similarities in the learning experience that governments go through as they try to understand any transformative technology. Large groups and organizations often learn by crises and major events that serve as metaphors, organizing and dramatizing diverse sets of experiences. The Berlin crises and particularly the Cuban Missile Crisis of the early 1960s played such a role. Having come close to the precipice of war, both US President John F. Kennedy and Soviet Premier Nikita Khrushchev drew lessons about cooperation. It was shortly after the Cuban Missile Crisis that Kennedy gave his American University speech that laid the basis for the atmospheric test ban discussions. Of course, crises are not the only way to learn. Early steps in cooperation in the nuclear domain encouraged later steps, without requiring a change in the competitive nature of the overall relationship. These governmental steps were reinforced by informal “track-two” dialogues such as the Pugwash conferences.
Thus far, there have been no major crises in the cyber domain, though denial of service attacks in 2007 and 2008 on Estonia and Georgia and the Stuxnet malware attack on Iran give hints of what might come. In the area of industrial espionage, China has had few incentives to restrict its behavior because the benefits far exceed the costs. Spying is as old as human history and does not violate any explicit provisions of international law. Nevertheless, at times governments have established rules of the road for limiting espionage, and it is interesting to note that China and the United States discussed cyber issues at the California “shirt-sleeves” summit in 2013 as well as in their annual Strategic and Economic Dialogue and in informal track-two settings.
While US–Soviet political and ideological competition limited the countries’ cooperation in some areas, awareness of nuclear destructiveness led them to develop a crude code of conduct to guide the competition. These basic rules of prudence included no direct fighting, no nuclear use, and communication during crisis via the hotline between Washington and Moscow, as well as through the mechanisms set out in the Accidents Measures and Incidents at Sea agreements. Similarly, the two sides discovered a common interest in the issue of nonproliferation and began to cooperate in the mid 1960s, well before the bilateral arms control agreements about issues of arms race stability in the 1970s. Unlike the view that says nothing is settled in a deal until everything is settled, nuclear learning and agreements proceeded at different rates in different areas.
Cooperation in the cyber domain is likely to follow an analogous course. There are already some institutions that relate to the basic functioning of the Internet, and a normative framework for cyber crime has already been started in the Budapest Convention. But it is likely to take longer before the major powers reach agreement on contentious issues such as cyber intrusions for espionage and for preparing the battlefield. Nevertheless, the inability to envisage an overall agreement need not prevent progress on sub-issues. For example, Russia and the United States agreed this year to establish various cyber security links “to reduce the mutual danger we face from cyber threats” (White House, 2013).
Interdependence and deterrence
Early views of deterrence in the nuclear era were relatively simple and relied on massive retaliation to a nuclear attack. Retaliation remained at the core of deterrence throughout the Cold War, but as strategists confronted the usability dilemma and the problems of extended deterrence, their theories became more complex. Nuclear deterrence was supplemented by other measures, such as forward basing of conventional forces, declaratory policy, changes of alert levels, and force movements.
Many analysts argue that deterrence does not work in cyberspace because of the problem of attributing attacks to specific actors, but that assertion is too simple. Interstate deterrence through entanglement and denial (i.e., defensive measures) still exists, even when there is inadequate attribution. Even when the source of an attack can be successfully disguised under a “false flag,” governments may find themselves sufficiently entangled in symmetrically interdependent relationships that a major attack would be counterproductive. Unlike the single strand of military interdependence that linked the United States and the Soviet Union during the Cold War, the United States, China, and other countries are entangled in multiple networks. China, for example, would itself lose from a cyber attack that severely damaged the US economy, and vice versa.
In addition, an unknown attacker may be deterred by denial. If firewalls are strong, or the prospect of a self-enforcing response (an “electric fence”) seems possible, attack becomes less attractive. Offensive capabilities for immediate response to a cyber attack can create an active defense that serves as a deterrent, even when the identity of the attacker is not fully known. Futility can also help deter an unknown attacker if the target is well protected, or redundancy and resilience allow quick recovery. Moreover, attribution of the source of a cyber attack does not have to be perfect; to the extent that false flags are imperfect and rumors of the source of an attack are widely deemed credible (though not provable in a court of law), damage to an attacker’s reputation may threaten its “soft power” and thereby contribute to deterrence. Finally, a reputation for offensive capability and a declared policy that keeps open the potential means of retaliation can help to reinforce deterrence. Of course, non-state actors are harder to deter, and improved defenses such as preemption and human intelligence become important in such cases. But among states, nuclear deterrence was more complex than it first looked, and that is doubly true of deterrence in the cyber domain.
Negotiating rules of the road
Although the United States and the Soviet Union developed some tacit rules of the road about prudent behavior early on, direct negotiation and agreements concerning arms race stability and force structure took longer. Early efforts at comprehensive arms control (e.g., the Baruch Plan) were total nonstarters. And even the eventual SALT and START agreements were of limited value in controlling numbers of weapons and involved elaborate verification procedures that themselves sometimes became issues of contention. The first formal agreement was the Limited Test Ban Treaty, for which verification was easy; also, the treaty could be considered largely an environmental, rather than an arms control, measure. The second major agreement, the Nuclear Non-Proliferation Treaty of 1968, aimed at limiting the spread of nuclear weapons to third parties. Because they involved nature and third parties, both these agreements were perceived as positive-sum games from the point of view of the United States and the USSR.
In the cyber domain, the global nature of the Internet requires international cooperation. Some people call for cyber arms control negotiations and formal treaties, but differences in cultural norms and the difficulty of verification make such treaties hard to negotiate or implement. At the same time, it is not too early to explore international talks and cooperation to try to develop rough rules of the road that can limit conflict. The most promising early areas for international cooperation are probably not bilateral conflicts but problems posed by third parties such as criminals and terrorists.
Cultural differences present a difficulty in reaching broad agreements on regulating content on the Internet. Russia and China have sought a treaty for broad international oversight of the Internet and “information security,” banning deception or the embedding of malicious code or circuitry that could be activated in the event of war. But the United States has argued that arms control measures banning offense can damage defense against attacks and would be impossible to verify or enforce. Moreover, the United States has resisted agreements that could legitimize authoritarian governments’ censorship of the Internet. Nonetheless, it may be possible to identify behaviors like cyber crime that are illegal across cultural and economic systems. Trying to limit all intrusions would be impossible, but one could conceivably start with cyber crime and cyber terrorism involving non-state third parties; there, major states would seem to have a joint interest in limiting damage by agreeing to cooperate on forensics and controls. A UN Group of Governmental Experts has begun to make some progress on recommendations for norms, as well as on the applicability of international law and state responsibility.
An inexact but useful analogy
Historical analogies are always dangerous if taken too literally, and the differences between nuclear and cyber technologies are great. The cyber domain is new and dynamic, but so was nuclear technology at its inception. It may help to remember that nuclear learning was slow, halting, and incomplete. The intensity of the ideological and political competition in the US–Soviet relationship was much greater than that between the United States and Russia or the United States and China today. There were far fewer positive strands of interdependence in the relationship. Yet the intensity of the zero-sum game did not prevent the development of rules of the road and cooperative agreements that helped to preserve the concurrent positive-sum game.
That is the good news. The bad news is that cyber technology gives much more power to non-state actors than does nuclear technology, and the threats such actors pose are likely to increase. The transnational, multi-actor games of the cyber domain pose a new set of questions about the meaning of national security. Some of the most important security responses must be national and unilateral, focused on hygiene, redundancy, and resilience. It is likely, however, that major governments will gradually discover that cooperation against the insecurity created by non-state actors must be given higher priority. The world is a long way from such a response at this stage in the development of cyber technology. But such responses did not occur until we approached the third decade of the nuclear era.
Footnotes
Funding
This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.