The cyber arms race

A worrisome new arms race is accelerating—in cyberspace.

This week, The Wall Street Journal broke an important story: the Pentagon has concluded computer sabotage from another nation could be considered an act of war, opening the door for the military to respond with conventional force. The decision is contained in a Defense Department strategy document, portions of which will be declassified soon. The Journal said  military action against cyber attacks would come if the hackers disrupted industry or caused civilian casualties. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” a military official told the Journal.

Additional stories followed today in The New York Times and The Washington Post.

There is a hidden risk here. When U.S. military officials threaten retaliation for cyber attacks, it sounds logical and reassuring. After all, no one wants to be vulnerable to attack. But conflict in cyberspace offers some complexity that did not exist in the nuclear arms race.

First, what is called “attribution,” or figuring out who attacked. As David Clark and Susan Landau noted in a study published by the National Academy of Sciences, “Attribution is central to deterrence, the idea that one can dissuade attackers from acting through fear of some sort of retaliation. Retaliation requires knowing with full certainty who the attackers are.”

In cyber conflict, it is not often possible to know who the attackers are. By some accounts, attacks have some from hackers operating under the umbrella of a government, but not directly controlled by it. If a group of hackers in China or Russia carried out an attack on a power grid in the United States, would we really launch a missile, risking escalation into a wider conflict? What if we were wrong?

In the nuclear arms race, we knew a lot about our adversaries, if not everything. We set up early warning systems that could track a missile trajectory. We knew where the enemy silos were located. We established “counterforce” targets that could hit those silos with great precision. The Times quoted a participant in the debates in the administration as saying, “Almost everything we learned about deterrence during the nuclear standoffs with the Soviets in the ‘60s, ‘70s and ‘80s doesn’t apply.” Exactly.

The United States has created a new Cyber Command, and much of its mission is defensive: to protect U.S. computer networks and build firewalls against attack. But there is also an offensive element, which is not being discussed as much in the open. General Keith B. Alexander, who heads the command, has published an article about the new command in the current issue of Strategic Studies Quarterly. Alexander does not use the word “offensive” once in the piece, but he hints at such a mission.

He writes:

We cannot afford to allow cyberspace to be a sanctuary where real and potential adversaries can marshal forces and capabilities to use against us and our allies. This is not a hypothetical danger; in conflict areas where US forces are engaged we have indeed seen the Internet used for recruiting, fundraising, operational training, and other activities directed against our service personnel and coalition partners. At Cyber Command much of our focus is on helping our troops in the field limit their vulnerabilities in and from cyberspace. This effort reflects the likelihood that, henceforth, all conflicts will have some cyber aspect, and our efforts to understand this development will be crucial to the future security of the United States.

One wonders if the offensive operations will go well beyond taking out a website. Was the Stuxnet worm which damaged the Iranian nuclear facility an example of U.S. offensive cyber operations? That worm was engineered to do damage to infrastructure—to basically destroy the Iranian nuclear enrichment machine.

Thus, ever so quietly, begins the cycle of an arms race. If we are engaging in offensive operations, then others will surely follow.

For argument’s sake, let’s take the new U.S. strategy that reserves the right to carry out military attacks on anyone who fools with our power grid or nuclear power plants. Let’s assume that Iran adopts exactly the same strategy. What would we think if Iran decided to attack the United States—with a missile down a smokestack—in retaliation for Stuxnet?

It may be too late to stop this arms race. Clearly, other nations are also building offensive cyber weapons. The threats are real, but deterrence is going to be very, very difficult.

The offensive cyber battlefield promises to be far more chaotic than in the nuclear arms race, with many smaller players and non-state actors, and the risks of retaliation against the United States might be quite high. We need good defenses, no question. But should we be fighting back with cyber warheads and real missiles? Are we ready for what could follow? Is there an alternative?