Despite all the attention, cyberspace is far from secure. Why this is so reflects flawed technologies and conceptual weaknesses. The result is institutionalized stalemate. Two questions highlight shortcomings in the discussion of cybersecurity. The first is why, after more than two decades, we have not seen anything like a cyber Pearl Harbor or cyber catastrophe. The second is why, despite the increasing volume and quantity of recommendations and dire warnings, there has been so little progress. To begin, a quick summary of the status quo:
- The technologies that form cyberspace are inherently vulnerable, especially when aggregated into large networks of multiple devices and programs. This will not change anytime soon.
- Many technology users still neglect to take the most basic protective measures, and the widespread use of pirated software in some countries amplifies the costs of neglect.
- Governments see cyberspace as a largely unconstrained space for action, and a few governments actively support cyber criminals.
- Governance in this space is weak and no longer adequate for a more confrontational and conflictive international environment.
- Our most dangerous opponents in cyberspace are states, two of which – Russia and North Korea – use cybercrime as a tool of state power. We can dismiss the idea that terrorist or non-state actors will launch massive and damaging cyber attacks.
- State actors using cyber attacks for coercive purposes will manage escalation risk by staying below the threshold of activity that would justify a forceful response.
- The effect of “cyber attack” is exaggerated. There have been no deaths, little destruction, and the aggregate cost has been minimal. The actions of greatest concern have involved espionage, crime and political coercion – not attacks on critical infrastructure.
- Changing social attitudes toward risk skew perceptions of the perils of cyber attack.
- Powerful ideologies in the U.S. on the role of government complicate and slow the development of cybersecurity policy relative to other cyber powers.
Ideas from the 1990s that still shape cybersecurity policy are inadequate for a very different international security environment. They reflect the ideas and aspirations of a different time. This is a new terrain for conflict, and it has not been well-mapped, but just as medieval cartographers were hampered by their belief that the earth was flat, cybersecurity is hampered by inaccurate beliefs about opponents and risk.
The conceptual framework for cybersecurity is an aggregation of historical approaches and political concerns. It is largely tactical and reactive, and this ensures attackers have an advantage. Some of this reflects the newness of the technology – the old bromide that “technology changes too fast” is wrong since for security, it certainly doesn’t change fast enough. More importantly, how we think about cybersecurity is shaped by powerful ideologies and by outdated concepts of international relations, governance and technology. These distort our understanding of the problem and the nature of its solutions.
One reason for this is that we have miscalculated risk. The fear of non-state actors launching crippling cyber attacks against critical infrastructures is inaccurate. Our most dangerous opponents are other nation-states. They have the capabilities, the resources and the intent to use cyber capabilities to damage the U.S. and its allies. They are responsible – through commission or intentional inaction – for most of malicious cyber actions. These opponents do not seek “cyber catastrophe.” They have used espionage, coercion, and crime to advance their aims – most importantly, the dismantling of the world order created after 1945 and replacing it with something more favorable to their own interests – and damage us. A failure to recognize the centrality of state action for creating the dangerous cyber environment makes much of the discussion irrelevant.
The U.S. possesses powerful conventional and nuclear deterrent forces. Unsurprisingly, when our opponents decided to challenge American “hegemony,” they planned to circumvent these forces by adopting unconventional strategies and ensuring that their actions stayed below the level that could trigger the engagement of the U.S. military. In American military and intelligence parlance, this is not a Title 10 world, but a Title 50 one.
Cyber operations are ideal for achieving the strategic effect our opponents seek in this new environment. State opponents use cyber techniques in ways consistent with their national strategies and objectives. Cyber operations provide unparalleled access to targets, and the only constraint on attackers is the risk of retaliation, a risk they manage by staying below an implicit threshold – avoiding actions that would provoke a damaging American response. Almost all cyber attacks fall below this threshold, including crime, espionage and to date, politically coercive acts. By focusing our defenses on destructive cyber attacks against critical infrastructure, we have built a Maginot Line in cyberspace that our opponents easily circumvent.
A strong case can be made for mis-estimation of risk in cyberspace. A range of hypothetical threats with extreme consequences is placed in front of the public without considering the probability of occurrence. America’s attackers in cyberspace are nation-states, not terrorists, and their goals are not to carry out a cyber 9/11. The Chinese focus on espionage. The Russians use criminal groups who specialize in financial crime. Under Moscow’s 2010 military doctrine on disruptive information operations – part of what they call ‘New Generation Warfare” – the Russians want “cognitive effect” by manipulating opponent thinking and emotion.
Iran and North Korea use cyber actions against American companies that they want to punish, but their goal is political coercion, not destruction. None of these countries talk about death by 1000 cuts or attacking critical infrastructure to produce a cyber Pearl Harbor.
Perceptions of the risk from cyber attack are inappropriately shaped by the analogies of strategic bombing and nuclear war. Strategic bombing sought to destroy critical infrastructure using mass attacks to reduce an opponent’s ability to resist. We assume that current opponents will also target critical infrastructure, but the rationale for massive crippling attacks on critical infrastructure no longer exists. Strategic bombing was linked to a theory of how to achieve victory. Cyber attacks against critical infrastructure do not have the same underpinning that would make them attractive to those states capable of carrying them out.
While cyber attacks can produce effects similar to kinetic weapons, their intangible effects are more important. There is an informational and cognitive element involving the manipulation of information and decision-making that is more likely to produce strategic effect and place opponents at a disadvantage. This cognitive approach uses cyber tools to manipulate opponent thought processes, data and emotions to achieve strategic effect. It challenges conventional, kinetic-oriented strategies, but it is not a new concept, with the classics of strategy emphasizing the important of affecting opponent thinking and will as “the ultimate determinants in war.” The political and psychological effects of cyber technologies provide an ideal vehicle for creating psychological effect in both domestic audiences and foreign opponents, allowing opponents to manipulate how and when decisions are made.
Cyber operations provide a new way to use force, to coerce or to gain intelligence advantage, but the aspect of cyber as an instrument of national power that is often the least appreciated is its cognitive and informational capacity. Cyber is most useful in creating uncertainty among opponents. An astute opponent might only need to affect a limited penetration to create a high degree of uncertainty – recognizing that using an easily detectable penetration to create uncertainty and fear would hamper the ability to carry out more damaging penetrations, the target might move to a heightened state of defense as a result.
We keep trying to force cyber operations into the mold of tangible effect and 20th Century policy. The role of information has changed, but our strategies have not changed with it. The majority of cyber incidents involve espionage, crime, or coercion by state actors or their proxies. The primary targets in future cyber conflict will be data, algorithms and cognition – not critical infrastructures. Data manipulation and interfering with algorithms are both ways to affect directly decision-making and achieve cognitive effect, where the friction of war and politics is expanded to hobble opponents.
The error of the Maginot Line or any fixed defense is in constructing powerful obstacles to block an opponent’s expected line of attack only to find that opponents attacked elsewhere. As we focus on protecting critical infrastructure, our opponents found other ways to inflict harm. That this has happened repeatedly reflects the complexity of the terrain to be defended and the difficulty of agreeing to how to defend it when the discussion is shaped by outdated concepts regarding the role of states and the nature of international conflict.
If our perceptions of cybersecurity risks are skewed, and so are our defenses. Better cybersecurity requires reconceptualization. This is a new terrain for conflict, and it has not been well-mapped. But just as medieval cartographers were hampered by their belief that the earth was flat, cybersecurity analysis and policy are hampered by inaccurate beliefs about the role of government and technology, and the most likely and damaging lines of attack through cyberspace.
The pace at which we rethink our approaches to cybersecurity dictates the rate of improvement. German Nobel laureate Max Planck’s observation that “new ideas only succeed when their opponents eventually die” is too gloomy. In both markets and warfare, we have seen rapid adjustment to new technologies, but change is often forced upon us by external forces – bankruptcy, defeat or surprise.
There is no imminent crisis to force change in cybersecurity, but there are also few external constraints on moving in new directions. It would be better if change was not forced upon us, but that will require a painful reexamination of cherished beliefs.