WASHINGTON: Many a mother has warned roughhousing children that “it’s all fun and games until somebody loses an eye.” On Monday, four cybersecurity experts (two Americans and two Brits) agreed that the online attacks we’ve seen so far are all either espionage or sabotage: It doesn’t count as war until somebody dies.
We have not yet seen a real cyberwar, they agreed, and tossing the word around can misguide billion-dollar decisions and warp cybersecurity policy. Where they disagreed, however, was how likely we are to see a lethal cyberwar in the future.
“We’re going to look back at the days when no one had died from this stuff [as] the halcyon days, when all you had to worry about was credit card theft or somebody putting a picture of their butt on your website,” said Jason Healey, a former Air Force officer and White House cybersecurity aide now at the Atlantic Council, speaking yesterday at the Brookings Institution.
“We’re going to have ‘cyberwar’ when there’s dead people,” Healey told me afterward. “Of course we’re not at cyber war [today]. We’ve never had anyone that’s died from this and you can’t go around using terms like ‘war’.” But, he warned, as we rely more and more on networks to remote-control real, physical machines — from power generators to unmanned aircraft to, eventually, our cars and houses — the greater the risk of a cyber attack causing real, physical destruction and death.
The future’s not so dark, retorted the guest of honor at Brookings, Thomas Rid, whose new book is boldly titled Cyber War Will Not Take Place. Not only has no cyber attack to date risen to the level of lethal violence, the King’s College London scholar said, but online conflict seems increasingly to be replacing and displacing physical violence, not increasing it.
“Using cyber capabilities is not producing more violence,” Rid told the audience at Brookings. “In fact, it often takes violence and physical risk out of the question.”
Political movements that once might have resorted to acts of terrorism to get attention for their cause instead can organize a flash mob, use viral video, or deface highly trafficked websites. Spy agencies that once had to infiltrate human agents to insert a physical bug can now hack into enemy data from the safety of Langley or Fort Meade. Militaries that once had to drop bombs or launch missiles can now insert a program to make the target damage itself, as the US-Israeli Stuxnet virus did to Iranian centrifuges.
“We have to respect violence, we have to respect war,” Rid said, or we dishonor its victims. “Exfiltrating data, even crashing an entire company’s network… is different from hurting, killing, and injuring human beings, even a single one.”
“I think the experts agree there has been a fair amount of hype and hysteria in this space,” said Peter Singer, Brooking’s host and moderator at the event, when I asked him to sum up afterward. “If someone steals my jet fighter design or clogs my bank lobby for a few hours, I may not like it, but it doesn’t make it war.”
That said, Singer went on, “where I would disagree with Thomas [Rid] is the notion that it forever ‘will not take place.'” The military, business, and individuals are all becoming increasing dependent on computers and networks to get through the day. Malware that cuts this electronic lifeline can have severe, even violent consequences. “[Rid] describes Stuxnet as a one-off,” Singer said, “whereas I see it as the first of breed.”
While other observers find Stuxnet deeply disturbing, Rid held it up as an example of just how hard it is for a cyber attack to do physical damage. Stuxnet’s programmers needed a huge amount of intelligence about their target. It then took a great deal of expertise and effort to develop code that could exploit the weaknesses that the intelligence found. Finally, after all that work, the result was malware specifically tailored to damage one part of one Iranian facility, not a general purpose cyber weapon. By contrast, Rid noted, a cruise missile can destroy all sorts of targets and a dirt-cheap AK-47 can kill all sorts of people, whenever you want to.
With cyber attacks, added Healey, “It’s very easy to take a target down; it’s very hard to make it stay down.” Stuxnet was only a temporary, if significant, setback to the Iranian nuclear program. In a future conflict in, say, Syria, the US probably has cyber attack capabilities that can scramble enemy air defenses temporarily, he said, but “I don’t think we’re going to be able to keep the air defenses down, command down, power down, for more than a day or two for the most.” Those 24-48 hours, of course, would be enough to open a window of opportunity for conventional airstrikes.
So the military value of cyber attacks, at least for now, is to enable and supplement physical strikes, not to substitute for them. “You’re unlikely to get a, quote, ‘war’ that happens between two states purely in cyberspace,” said the fourth panelist, former British Ministry of Defense official Ian Wallace, when I called him after the Brookings event. “That doesn’t mean we don’t need to pay attention to cyber capabilities in relation to wars that are fought in cyberspace as well as other domains,” such as the land, air, sea, and space. “Just because cyber capabilities may be best classified as sabotage, subversion, espionage, that doesn’t mean that those instruments aren’t going to be useful in fighting a war.”
Cyber needs to considered alongside traditional military operations, Healey agreed, but “I’m doubtful it ever gets too fully integrated,” he told me. “It can be used more like special operations,” for clandestine strikes on specific, high-value targets, he said. With large-scale cyber attacks, however, “the effects are far too uncertain.”
It’s hard enough to ensure a physical bomb lands in the right place, even with precision guidance — ask the staff of the Chinese Embassy in Belgrade if you doubt it — and to determine afterwards whether the explosion destroyed, damaged, or just shook up the actual target. But at least commanders, their legal counsels and their political masters have decades of experience to draw on with physical attacks. Not so in cyberspace. Since cyber weapons attack networks, however, and networks are by definition interconnected in complex ways, it’s hard to predict how attacking one element will affect the whole system especially if the weapon is a computer virus that can self-replicate across the web. “You can’t be sure it’s going to cascade or not,” Healey told me.
Western militaries swore off biological and chemical weapons not only for ethical reasons but because their military effects were so difficult to control. (In one case in the eighties, for example, an Iraqi chemical attack on an Iranian position drifted back downhill onto the Iraqis). The same concerns may inhibit military use of cyber, at least in the West: “Non-western militaries — Iranians, Russians, Chinese — that don’t necessarily care about that stuff that much, they might make different decisions,” Healey said.
Healey doesn’t think much of some of the ethical and strategic choices the US has made, either. “I’m so against things like Stuxnet [and] how aggressive the NSA has been,” he said at Brookings. “We’ve got glass infrastructure and we shouldn’t be throwing stones.” Indeed, Healey argued that the military has grown too dominant in cybersecurity policy, which has been “militarized” in large part because of over-hyped fears of cyberwar.
Having the military play too large a role isn’t good for the military itself, either, added Wallace: “While we have defense secretaries and organizations like NATO focusing on defending the homeland, they’re arguably not focusing on how they fight.”
For example, Wallace told me, Senate Armed Services Committee hearings with Gen. Keith Alexander, the chief of Cyber Command and the National Security Agency, tend to be dominated by questions about protecting domestic infrastructure and privacy rights, not about the military’s own vulnerabilities. Likewise, NATO meetings about cybersecurity tend to fixate on how the alliance’s militaries can protect civilian networks, he said, “despite the fact that their own networks are not fully protected.”
US defenses on both military and civilian networks, Healey said, are “atrocious and wide-open.” But the military has gotten fixated on protecting US civilian networks and hacking foreign military ones, rather than getting its own house in order first. “When I first got involved in the business in 1998,” he recalled, “defense was the most important.” The Clinton-era thinking was that “we’re probably not going to win the next war with information warfare” — as the term was at the time — “but we could certainly lose it.”
Today, the Defense Department is still vulnerable, but “we’ve lost all that humility, we’ve lost all that focus on defense,” Healey lamented. “We’re a long ways into this debate with very, very little progress.”