Cybèle C. Greenberg
The battles in a global cyberwar are visible only through periodic glances in the rearview mirror: Indra, Colonial Pipeline, SolarWinds, WannaCry.
Such an episodic view obscures the fact that this jousting by nation-states, criminal networks and private actors is happening constantly — right now — without foreseeable end.
It’s hard to wrap our minds around that. It’s a departure from thousands of years of conventional warfare that leaves us wondering how exactly to categorize cyberattacks. Are they espionage? Sabotage? Acts of war? Some cyberattacks, like North Korea’s targeting of Sony Pictures, entail central involvement from states. Others, like ransomware, are simply criminal. But the spy and the hacker have a lot in common: They both trespass into others’ information.
During the Cold War, the United States, China and Russia sat on stockpiles of world-ending weapons. Now, these same countries routinely employ an array of offensive cyberweapons, though not quite to their full power grid-zapping, water system-clogging, society-crippling potential.
Indeed, despite its many consequences and dangers, there is no documented instance in which cyberwarfare has directly killed anyone (although it has come close).
As the post-Sept. 11 conflicts come to an abrupt end, we are now at an important crossroads when it comes to determining just how far we are willing to take cyberwar. One possible avenue points to perilous conflict escalation between great powers further enabled by digital technologies.
But an alternative perspective sees cyberwar as an opportunity to decrease global violence. Could such tactics shift war’s focus away from human casualties?
In other words, can nations settle for slugging it out online, rather than with guns and missiles?
Fighting digitally offers a unique opportunity: the continuation of politics by other means, without the physical invasion of a sovereign territory or the inevitable sacrifice of lives. Tempered by responsible use and appropriate controls, cyberwarfare is a safer and more flexible strategic alternative, one critical step between sanctions and bombs.
“The purpose of warfare is not to fight; it is to achieve a political objective,” said Nora Bensahel, a visiting professor of strategic studies at Johns Hopkins School of Advanced International Studies. “If you can achieve this objective without kinetic conflict, so much the better.”
Consider Nitro Zeus. In the late 2000s, as The Times reported, the U.S. government developed a detailed plan for cyberattacks that would disable sections of Iran’s air defenses, communications systems and power grid. The plan provided President Barack Obama with a nonlethal means to neutralize Iranian military assets in case negotiations to halt the country’s rogue nuclear enrichment program failed and Tehran sought to retaliate.
The Nitro Zeus contingency plan remained active until the fulfillment of terms in the nuclear deal signed in 2015, ready to offer phased escalation short of all-out war if diplomatic and economic pressures proved ineffective.
Since Nitro Zeus was ultimately shelved, it is difficult to assess the scope and likelihood of the collateral damage it could have caused. The integration of cyberweapons into a national security strategy points to a certain reluctance to default to the conventional — and more lethal — option. But whether it’s a drone strike or the hacking of a telecommunications network, a cyberattack will always have harmful repercussions for civilians and private enterprises.
Counterintuitively, however, cyberweapons can also increase geopolitical stability.
Cyberattacks have helped nations achieve nuclear nonproliferation in a way that, in the past, would have required physical force and increased risk to personnel, said Vipin Narang, a Massachusetts Institute of Technology professor who specializes in nuclear strategy.
In 2007, Israeli fighter jets equipped with 500-pound bombs struck a suspected nuclear reactor in Syria. The facility was destroyed and Israel was internationally criticized for violating another country’s sovereignty. Ten North Korean scientists reportedly may have been killed in the attack.
The U.S.-Israeli offensive cyber operation known as Stuxnet, which was launched around the same time, achieved a similar objective — impeding a rogue nation’s enrichment efforts — but from afar, with no human cost. The program destroyed nearly one-fifth of Iran’s operating centrifuges and may have slowed its nuclear program by up to two years. No one was reported to have been physically harmed or killed during the yearslong operation. It may have even deterred Israel from launching a conventional attack on Iran’s Natanz uranium enrichment site.
What does responsible use of cyberweapons look like going forward?
If cyberwar has the potential to channel conflict into a nonlethal form, now is the moment — before it is fully tested on the battlefield — to develop both treaties and unwritten customary laws governing its employment.
Leaders in the technology sector such as Brad Smith, the president of Microsoft, and William Leigher, a retired Navy rear admiral and former cyber strategist at Raytheon, have repeatedly called for the creation of a digital Geneva Convention that would mandate restraint in the exercise of cyberweapons and prevent the sabotaging of civilian infrastructure.
Informal norms are just as important as formal laws. In May, the United Nations released an advance copy of its report on responsible state behavior in cyberspace. It urged countries to crack down on cybercrime within their borders and report the discovery of digital vulnerabilities within networks.
When it comes to international deterrence, history shows us that U.S. leadership is key: Cold War-era multinational organizations such as the International Atomic Energy Agency were chartered at the behest of U.S. presidents, after all. The Biden administration should continue to champion restraint and caution in the context of cyberwarfare.
This means avoiding misattribution and curbing for-profit cybercrime. The cyber realm is still shrouded in secrecy. A mechanism to keep open lines of communications between the U.S. and its adversaries after an attack could limit false accusations and prevent events from spiraling out of control. Regarding ransomware, the Biden administration is right to encourage reporting, discourage compliance with perpetrators and provide financial assistance to victims.
The much feared cyber-Pearl Harbor that’s so much fodder for cable news? “Chances are, we will never see such an event,” said Dmitri Alperovitch, a co-founder of cybersecurity firm CrowdStrike and now chairman of the think tank Silverado Policy Accelerator. “But it’s death by a thousand cuts, where every week, every day, we get hit by a ransomware attack.”
With proper controls and some rules of the road, cyberwar between nations may not be all that bad. Instead of endangering lives, it could actually help save them.
That’s an important idea to keep in mind when news of the next big hack breaks.
No comments:
Post a Comment