CAMBRIDGE – Until recently, cyber security has primarily interested computer geeks and cloak-and-dagger types. The Internet’s creators, part of a small, enclosed community, were very comfortable with an open system in which security was not a primary concern. But, with some three billion or so users on the Web nowadays, that very openness has become a serious vulnerability; indeed, it is endangering the vast economic opportunities that the Internet has opened for the world.
A “cyber attack” can take any number of forms, including simple probes, defacement of Web sites, denial-of-service attacks, espionage, and destruction of data. And the term “cyber war,” though best defined as any hostile action in cyberspace that amplifies or is equivalent to major physical violence, remains equally protean, reflecting definitions of “war” that range from armed conflict to any concerted effort to solve a problem (for example, “war on poverty”).
Cyber war and cyber espionage are largely associated with states, while cyber crime and cyber terrorism are mostly associated with non-state actors. The highest costs currently stem from espionage and crime; but, over the next decade or so, cyber war and cyber terrorism may become greater threats than they are today. Moreover, as alliances and tactics evolve, the categories may increasingly overlap. Terrorists might buy malware from criminals, and governments might find it useful to hide behind both.
Some people argue that deterrence does not work in cyberspace, owing to the difficulties of attribution. But that is facile: inadequate attribution affects inter-state deterrence as well, yet it still operates. Even when the source of an attack can be successfully disguised under a “false flag,” governments may find themselves so enmeshed in symmetrically interdependent relationships that a major attack would be counterproductive. China, for example, would lose from an attack that severely damaged the American economy, and vice versa.
An unknown attacker may also be deterred by cyber-security measures. If firewalls are strong, or redundancy and resilience allow quick recovery, or the prospect of a self-enforcing response (“an electric fence”) seems possible, an attack becomes less attractive.
While accurate attribution of the ultimate source of a cyber attack is sometimes difficult, the determination does not have to be airtight. To the extent that false flags are imperfect and rumors of the source of an attack are widely deemed credible (though not legally probative), reputational damage to an attacker’s soft power may contribute to deterrence.
Finally, a reputation for offensive capability and a declared policy that keeps open the means of retaliation can help to reinforce deterrence. Of course, non-state actors are harder to deter, so improved defenses such as pre-emption and human intelligence become important in such cases. But, among states, even nuclear deterrence was more complex than it first looked, and that is doubly true of deterrence in the cyber domain.
Given its global nature, the Internet requires a degree of international cooperation to be able to function. Some people call for the cyber equivalent of formal arms-control treaties. But differences in cultural norms and the difficulty of verification would make such treaties hard to negotiate or implement. At the same time, it is important to pursue international efforts to develop rules of the road that can limit conflict. The most promising areas for international cooperation today most likely concern problems posed for states by third parties such as criminals and terrorists.
Russia and China have sought a treaty establishing broad international oversight of the Internet and “information security,” which would prohibit deception and embedding malicious code or circuitry that could be activated in the event of war. But the US has argued that arms-control measures banning offensive capabilities could weaken defenses against attacks and would be impossible to verify or enforce.
Likewise, in terms of political values, the US has resisted agreements that could legitimize authoritarian governments’ censorship of the Internet – for example, by the “great firewall of China.” Moreover, cultural differences impede any broad agreements on regulating online content.
Nonetheless, it may be possible to identify behaviors like cyber crime that are illegal in many domestic jurisdictions. Trying to limit all intrusions would be impossible, but one could start with cyber crime and cyber terrorism involving non-state parties. Here, major states would have an interest in limiting damage by agreeing to cooperate on forensics and controls.
The transnational cyber domain poses new questions about the meaning of national security. Some of the most important responses must be national and unilateral, focused on hygiene, redundancy, and resilience. It is likely, however, that major governments will soon discover that the insecurity created by non-state cyber actors will require closer cooperation among governments.