
Cyberwarfare and Public Accountability

One of the reasons that American presidents go to war – not a good reason, mind you – is known as the “Rally Around the Flag” effect.  When America gets involved in an armed conflict, whether as defender or aggressor, the president becomes more popular and more highly-approved, and often the conflict itself is accompanied by a burst of legislation unrelated to the war.  There’s a lot of debate over precisely how strong the effect is and what drives it, but the existence of the effect itself is one of the best-known findings of political science.

This could be relevant for the decision to embrace cyberwarfare.  Today the NYT reveals that the Obama administration was deeply divided over the question of whether to use cyberweapons to attack the Syrian government.  The NYT reveals the deep discussion over the strategic benefits and risks – but one that does not appear there is the potential effect on American public opinion.  Cyberwarfare is still visible to affected foreign players (and possibly friendly/neutral ones too) and America is strategically accountable for its actions in this sphere, but it can be plausibly denied in a way that bombers and paratroopers can’t.  If Obama had decided to go forward with attacks on Syria, he would have had to deal with the fallout from Syria and Russia, but it likely would have remained secret until the next Edward Snowden leaked it.

If cyberwarfare is normalized, more acts of national aggression will take place out of the public eye.  As a positive question – a question of facts – public opinion is a significant constraint on executive action.  As a normative question, people differ a lot on whether this constraint is a good or bad thing.  Perhaps the people stop wise Presidents from taking the actions necessary to protect the country; perhaps the people’s reluctance to go to war stops foolhardy Presidents from making dangerous leaps into conflict.

The growth of cyberwarfare will be a neat and potentially worrying test of who is right.

Cyberwarfare and Deterrence

It is tempting to consider the dominant strategy of cyberwarfare as roughly analogous to that of mutually assured destruction.  After all, global supply chains are such that computers across the world will have parts of widely varied provenance.  American-written operating systems, Thai-fabricated microchips, Chinese-assembled circuit boards, pre-installed software of god-knows-what origin, and of course ubiquitous Internet access guaranteeing that every computer is exposed to a constant blast of malware from across the world.  The probability that there are logic bombs, back doors, and kill switches hidden in every bit of the modern computing world is…unknowable, but I’d be more surprised if that weren’t the case.  This is in addition to the formal “cyberwarfare” units incorporated in the militaries of at least 20 nations ranging from the US to Russia to France to North Korea (yes, really).  Presumably all of these nations could do extremely serious strategic-level damage to each other.  So they don’t, because of MAD.  Having thought it through, I think this is bunk. There are two major factors driving the game-theoretical problem here.
Problems of attribution: A strategic cyber attack doesn’t have a trivially obvious source the way that an ICBM does.  It’s fairly easy to completely obscure the source of an attack, and the proximate source doesn’t necessarily give the attacked any useful information as to the source.  For example, I personally suspect a large amount of the cyberespionage emanating out of China has approximately nothing to do with Chinese surveillance.  For example, the Israelis have a large and active intelligence operation targeting the United States and are well aware that the Pentagon is naturally looking to China first as a “cyber adversary”.  So…where should Mossad look to establish botnets for targeting the US?*
While the “mutual destruction” part of MAD seems possible, there is at least one key assumption for MAD that is missing here, the idea that agents will be able to identify and retaliate against hostile action.  But that actually isn’t the most severe problem for analogizing cyberwarfare to nuclear threats…just look back at the previous sentence.  Who is an “agent” here?
Proliferation Run Amok:  The most relevant difference from the MAD paradigm is that thousands of actors across the globe have access to weapons of mass destruction.  If that sounds alarmist, let me assure you – it sounds that way because it is alarming.  The United States military can wreak strategic, society-crippling damage on an adversary with computer viruses – so can a bunch of Russian teenagers huddled over laptops in a basement in Ekaterinburg.  It may sound ridiculous, but some combination of Russian intelligence and netizen Fifth Columnists have done just that to Estonia and Georgia.
Nation-states cannot hope to control their cyber-brigades.  In fact, they are to some degree vulnerable to them – China’s PSB would be helpless to exert prior restraint if some angry netizens took down Japan’s network backbone tomorrow.  They could find and punish, probably, but no prior restraint.  The computer revolution puts a weapon of mass destruction in the hands of every world citizen who cares to learn how to use it.**  Even if we grant world leaders the assumption of rationality, we are moving towards a world where foreign policy can be effectively held hostage by the most extreme elements that are able to recruit skilled hackers.  I don’t think deterrence can hold up under those assumptions.
So we have two compelling reasons why cyberwarfare should be impossible to deter, and can cause significant harm.  So the question of why it’s not happening becomes a key mystery, from a game-theoretical perspective.  Some hypotheses:
  • It happens all the time, on a sub rosa level.
  • Cybersecurity is substantially better than is widely believed.
  • Anyone sufficiently skilled is picked up by the “pros”.
  • Hacker communities are terrified of foreign retaliation.
  • Hacker communities are terrified of their national law enforcement.
  • Key strategic systems like power grids are sufficiently primitive to provide the protection of backwardness.
  • There is a secret détente between major powers.
  • The most potent weapons are too valuable to risk being deployed, caught, and reverse-engineered unless there is a truly pressing need.

Most of these fail due to the conditions of dispersion and anonymity, and I think the answer that clearly has the most explanatory power is that cyberwar is all around us.
*: Hint – it’s China.
**: Underappreciated, but this is kind of incredible.