Cyberwarfare's "Cuban Missile Crisis" Moment
BY David Eaves | Tuesday, March 12 2013
The United States and China seem poised to begin negotiations around the militarization of the Internet, and just in time — because the uncertainty surrounding what might be proportional response to an attack over the Internet, and a dearth of international agreement around what has already become a venue for hostilities, puts international relations in far more precarious a position than many might realize.
The recent publicity around cyberattacks on the United States — especially those blamed on China — have moved the issue of "cybersecurity" to the mainstream. It might not be immediately obvious why we should care — but we should.
Isn't this just a continuation of the games nations play? Same as it ever was? Maybe. But there is a real risk that increased connectivity of the world is changing the nature of the threat — with serious implications for peace and stability.
This would certainly not be the first time technology altered a balance of military power and destabilized global political orders everyone thought was robust. One reason the world plunged into global war in 1914 after a relatively minor terrorist attack — the assassination of Arch-Duke Ferdinand — was because the hot new technology of the day, the speedy railway, caused strategists to believe it would confer a decisive advantage on those who mobilized first. The advent of nuclear intercontinental ballistic missiles of the 1950s had a similar effect, with fears that a first strike "decapitation attack" against Moscow from Turkey, or against Washington from Cuba, could preempt a counter attack.
Cyber warfare may be evolving into a similarly destabilizing type of technology. Prior to the 21st century, cyber attacks were relatively localized affairs. People imagined the main threats of a cyber attack being with virtual thefts from banks, identify theft against individuals and even industrial piracy. Serious problems to be sure, but not end-of-the-world stuff. Even when targeted against the state, cyber attacks rarely pose an existential threat to a country. The loss of state secrets, the compromising of some officials could, cumulatively, be corrosive on a state's ability to defend itself or advance its interests, but it was unlikely even a combination of operations would shake a mature state to its core.
Two things have changed.
First, as cyberspace has grown its networked nature has altered the potential scale and reach of cyber-attacks. The ability to take a country's critical infrastructure offline, or worse, turn it against its owners, creates the possibility that it could pose an existential threat in the same way nuclear weapons did — but with complexity added because the country under attack won't be easily able to pinpoint the source of the threat. The threats of a cyber attack are becoming more significant.
Second, the potential impact of an attack are increasing in magnitude but the consequences have not become clear. Bruce Schneier — who is very much worth reading and will likely disagree with this piece — may be right that most cyber "attacks" are really just acts of espionage, but there is not a clear line between espionage and warfare. At some point the potential size and scale of the act moves it out of the former category and into the latter. Here, other forms of warfare there have evolved a set of norms, a sort of code of conduct, between states. However frightening, these codes of conduct — often a series of escalating maneuvers to show one is serious about protecting one's interests — are nonetheless stabilizing since it gives the whole system some predictability and thus stability.
And herein lies the problem. There is no accepted norm for how to deal with a cyber attack. Indeed there isn't even an accepted definition of what constitutes a cyber-attack. Consequently it may be getting harder and harder to predict a state's response to an attack. This could introduce an enormous amount of uncertainty into the international system — uncertainty that can make it easier to miscalculate a target's reaction to cyber attack with potentially deadly consequences.
This is the reason why the United States' own policy around cyberwarfare — to not deny it is responsible for Stuxnet while also claiming it will respond to a cyber attack on its interests in the same way it would respond to a traditional attack — is doubly depressing. In essence the United States is avoiding fostering any norms for the military use of this new technology, while at the same time rapidly expanding its apparent capacity to conduct offensive cyber-operations (almost certainly cheered on by various defence contractors looking for new enemies and new contracts). As a result, the current norm is, "cyberwarfare is a legitimate tool for the state to assert its powers beyond its border and if you can do it and you think no one has the power to stop you … do it."
This may offer the United States a modicum of protection against many actors (although not, apparently, against the Chinese). But it will be destabilizing for smaller countries — who lack the coercive means to create a deterrence — in the short term and for everyone in the long term as the messy (potentially very messy) process of figuring out what types of responses which cyberattacks generate roll out over the coming decades.
In other words, it's as if we've entered the Guns of August or Cuban Missile Crisis stage of cyberwarfare — a period where no one knows what act will generate a response, and so acts will keep escalating until a crisis demonstrates what the boundary will be. In August 1914 it turned out that suddenly a relatively minor act in the periphery of Europe was enough to trip the world into war. In 1962 arming a tropical island off the U.S. coast got us within inches of a nuclear catastrophe (although at least in this case, the crisis created new norms, such as the famous "hot-line" between Moscow and DC in 1963 and eventually the 1971 "Accidents Measures" Agreement which cause each country to alert the other about missile launches).
This might already be happening. In remarks prepared for a speech to The Asia Society in New York on Monday, White House National Security Adviser Tom Donilon said of the U.S.'s relationship with China:
We do not want our relationship to become defined by rivalry and confrontation. And I disagree with the premise put forward by some historians and theorists that a rising power and an established power are somehow destined for conflict. There is nothing preordained about such an outcome.
Later in his remarks, he added:
The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private sector property. But, specifically with respect to the issue of cyber-enabled theft, we seek three things from the Chinese side. First, we need a recognition of the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry and to our overall relations. Second, Beijing should take serious steps to investigate and put a stop to these activities. Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.
Tuesday morning, the Associated Press quoted China's Foreign Ministry spokesman, Hua Chunying, as agreeing to discuss cybersecurity with the United States.
"Cyberspace needs rules and cooperation, not wars. China is willing to have constructive dialogue and cooperation with the global community, including the United States," Hua is quoted as saying Tuesday.
Be forewarned, we need to find a way to enable the international system to develop the capacity to adapt to this new form of warfare. You don't need to fear a Pearl Harbor. All that is sometimes needed to send a world into war is the right bullet, fired at the person under the right circumstances. It's a frightening prospect.