The cyber arms race

A worrisome new arms race is accelerating—in cyberspace. This week, The Wall Street Journal broke an important story: the Pentagon has concluded computer sabotage from another nation could be considered an act of war, opening the door for the military to respond with conventional force. The decision is contained in a Defense Department strategy document, ...

Yoshikazu Tsuno/AFP/Getty Images
Yoshikazu Tsuno/AFP/Getty Images
Yoshikazu Tsuno/AFP/Getty Images

A worrisome new arms race is accelerating—in cyberspace.

A worrisome new arms race is accelerating—in cyberspace.

This week, The Wall Street Journal broke an important story: the Pentagon has concluded computer sabotage from another nation could be considered an act of war, opening the door for the military to respond with conventional force. The decision is contained in a Defense Department strategy document, portions of which will be declassified soon. The Journal said  military action against cyber attacks would come if the hackers disrupted industry or caused civilian casualties. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” a military official told the Journal.

Additional stories followed today in The New York Times and The Washington Post.

There is a hidden risk here. When U.S. military officials threaten retaliation for cyber attacks, it sounds logical and reassuring. After all, no one wants to be vulnerable to attack. But conflict in cyberspace offers some complexity that did not exist in the nuclear arms race.

First, what is called “attribution,” or figuring out who attacked. As David Clark and Susan Landau noted in a study published by the National Academy of Sciences, “Attribution is central to deterrence, the idea that one can dissuade attackers from acting through fear of some sort of retaliation. Retaliation requires knowing with full certainty who the attackers are.

In cyber conflict, it is not often possible to know who the attackers are. By some accounts, attacks have some from hackers operating under the umbrella of a government, but not directly controlled by it. If a group of hackers in China or Russia carried out an attack on a power grid in the United States, would we really launch a missile, risking escalation into a wider conflict? What if we were wrong?

In the nuclear arms race, we knew a lot about our adversaries, if not everything. We set up early warning systems that could track a missile trajectory. We knew where the enemy silos were located. We established “counterforce” targets that could hit those silos with great precision. The Times quoted a participant in the debates in the administration as saying, “Almost everything we learned about deterrence during the nuclear standoffs with the Soviets in the ‘60s, ‘70s and ‘80s doesn’t apply.” Exactly.

The United States has created a new Cyber Command, and much of its mission is defensive: to protect U.S. computer networks and build firewalls against attack. But there is also an offensive element, which is not being discussed as much in the open. General Keith B. Alexander, who heads the command, has published an article about the new command in the current issue of Strategic Studies Quarterly. Alexander does not use the word “offensive” once in the piece, but he hints at such a mission.

He writes:

We cannot afford to allow cyberspace to be a sanctuary where real and potential adversaries can marshal forces and capabilities to use against us and our allies. This is not a hypothetical danger; in conflict areas where US forces are engaged we have indeed seen the Internet used for recruiting, fundraising, operational training, and other activities directed against our service personnel and coalition partners. At Cyber Command much of our focus is on helping our troops in the field limit their vulnerabilities in and from cyberspace. This effort reflects the likelihood that, henceforth, all conflicts will have some cyber aspect, and our efforts to understand this development will be crucial to the future security of the United States.

One wonders if the offensive operations will go well beyond taking out a website. Was the Stuxnet worm which damaged the Iranian nuclear facility an example of U.S. offensive cyber operations? That worm was engineered to do damage to infrastructure—to basically destroy the Iranian nuclear enrichment machine.

Thus, ever so quietly, begins the cycle of an arms race. If we are engaging in offensive operations, then others will surely follow.

For argument’s sake, let’s take the new U.S. strategy that reserves the right to carry out military attacks on anyone who fools with our power grid or nuclear power plants. Let’s assume that Iran adopts exactly the same strategy. What would we think if Iran decided to attack the United States—with a missile down a smokestack—in retaliation for Stuxnet?

It may be too late to stop this arms race. Clearly, other nations are also building offensive cyber weapons. The threats are real, but deterrence is going to be very, very difficult.

The offensive cyber battlefield promises to be far more chaotic than in the nuclear arms race, with many smaller players and non-state actors, and the risks of retaliation against the United States might be quite high. We need good defenses, no question. But should we be fighting back with cyber warheads and real missiles? Are we ready for what could follow? Is there an alternative?

 

David E. Hoffman covered foreign affairs, national politics, economics, and served as an editor at the Washington Post for 27 years.

He was a White House correspondent during the Reagan years and the presidency of George H. W. Bush, and covered the State Department when James A. Baker III was secretary. He was bureau chief in Jerusalem at the time of the 1993 Oslo peace accords, and served six years as Moscow bureau chief, covering the tumultuous Yeltsin era. On returning to Washington in 2001, he became foreign editor and then, in 2005, assistant managing editor for foreign news. Twitter: @thedeadhandbook

More from Foreign Policy

The USS Nimitz and Japan Maritime Self-Defense Force and South Korean Navy warships sail in formation during a joint naval exercise off the South Korean coast.
The USS Nimitz and Japan Maritime Self-Defense Force and South Korean Navy warships sail in formation during a joint naval exercise off the South Korean coast.

America Is a Heartbeat Away From a War It Could Lose

Global war is neither a theoretical contingency nor the fever dream of hawks and militarists.

A protester waves a Palestinian flag in front of the U.S. Capitol in Washington, during a demonstration calling for a ceasefire in Gaza. People sit and walk on the grass lawn in front of the protester and barricades.
A protester waves a Palestinian flag in front of the U.S. Capitol in Washington, during a demonstration calling for a ceasefire in Gaza. People sit and walk on the grass lawn in front of the protester and barricades.

The West’s Incoherent Critique of Israel’s Gaza Strategy

The reality of fighting Hamas in Gaza makes this war terrible one way or another.

Biden dressed in a dark blue suit walks with his head down past a row of alternating U.S. and Israeli flags.
Biden dressed in a dark blue suit walks with his head down past a row of alternating U.S. and Israeli flags.

Biden Owns the Israel-Palestine Conflict Now

In tying Washington to Israel’s war in Gaza, the U.S. president now shares responsibility for the broader conflict’s fate.

U.S. President Joe Biden is seen in profile as he greets Chinese President Xi Jinping with a handshake. Xi, a 70-year-old man in a dark blue suit, smiles as he takes the hand of Biden, an 80-year-old man who also wears a dark blue suit.
U.S. President Joe Biden is seen in profile as he greets Chinese President Xi Jinping with a handshake. Xi, a 70-year-old man in a dark blue suit, smiles as he takes the hand of Biden, an 80-year-old man who also wears a dark blue suit.

Taiwan’s Room to Maneuver Shrinks as Biden and Xi Meet

As the latest crisis in the straits wraps up, Taipei is on the back foot.