GG2022 - All Quiet on the Cyber Front? The Twisted Logic of Cyber Security...
London - Cyberspace has lost its innocence – if it ever had one. Defense departments in Washington, London, Beijing or Moscow have drastically increased their role in cyberspace under the pretext of safeguarding national security. Yet, national deterrence strategies do not provide more safety – on the contrary. They increase the likelihood of attacks and conflict in both the physical and the cyber realm rather than diminish it.
“The attackers are plotting,” warns, for example, outgoing U.S. Defense Secretary Leon Panetta. Indeed, the Obama administration has continuously highlighted the dangers of a potential cyber attack over the last four years. It almost seems that we are only one click away from derailing subway trains, melting reactors and a blow out of the national power grids. Or as Panetta and other officials like to phrase it: a cyber-Pearl Harbor.
The dramatic rhetoric is self-serving. Armed forces, defense departments as well as intelligence, military and law enforcement agencies have stressed the role of cyber in national defense – and by reverse logic, their own role in cyberspace. The process is particularly transparent in the United States. But we observe similar developments in France, Germany, Russia, China or the United Kingdom where governments have predominantly adopted national deterrence strategies which threaten to impose physical retaliation in the face of large scale cyber intrusions. Yet, three externalities render such strategies ineffective, if not outright counterproductive.
First, national cyber strategies actually broaden the scope of state-to-state conflict. Governments have extended the jus ad bellum to incorporate instances of cyber attacks that allow for a physical response. But what kind of cyber attack justifies physical retaliation? The U.S. administration, for example, bases its determination on the notion of equivalence, as the State Department’s chief legal advisor Harold Koh explains:
“If the physical consequences of a cyberattack work the kind of physical damage that dropping a bomb or firing a missile would, that cyberattack should equally be considered a use of force.”
Yet, the physical damage caused by a missile is irrevocable and relatively easy to assess. But how do we assess the destruction brought forth by a temporary blackout of America’s Eastern shores or London? What happens if looters seize the opportunity and casualties arise as Americans try to protect their livelihood against fellow Americans? Absent any red lines (and amid public pressures following an incident), we may well assume judgments to be based on knee-jerk principles. A military official recently described his interpretation of equivalence: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks". True, the potential magnitude of “cybotage” incidents distinguishes them from traditional sabotage. But simply incorporating such incidents into current jus ad bellum norms actually broadens the specter of conventional conflict.
Second, deterrence depends on attributability. Yet, even when cyber attacks are detected, all too often the perpetrators remain hidden. In the decade after the World Trade Center attacks, the perpetrators have been brought to justice. Yet, we still don’t know who unleashed the Code Red and Nimda computer viruses in the summer and fall of 2001. Digital warriors are hard to find – and even harder to tie down. U.S. intelligence officials believe that Cutting Sword of Justice, the hacker group behind the Shamoon virus that destroyed data from 30,000 computers at Saudi Aramco, is tied to the Iranian regime while other analysts are far less convinced. Who then counts as a “proxy actor”? And how do we verify that criminals and hacktivists indeed operate under the order of a state before taking military action? Should the use of force really rely on a guessing game – no matter how elaborate it may be?
Third, armed forces portray their interest in cyberspace as purely defensive. Yet, the U.S. already “crossed the Rubicon”, as former CIA director Michael Hayden succinctly remarked, and employed cyber weapons offensively against Iran. As Stuxnet caused significant disruptions in the nuclear facility at Natanz, some officials have already questioned why cyber weapons are not used against Korea, China or Syria. Other states already follow and invest in offensive and defensive capabilities, making a cyber arms race increasingly likely.
Defense departments and military agencies justify their demands for an increased role under the pretext of enhancing cyber security. Yet, this logic is twisted. The militarization of cyberspace makes us less rather than more secure, as national deterrence strategies increase (rather than minimize) the likelihood of cyber and physical conflict. There is, however, an alternative route to cyber security based on technological advances and international cooperation.
Indeed, the advancement and increased use of strong encryption and “evasive routing”, argues John Arquilla, professor of defense analysis at the U.S. Naval Postgraduate School, provide more security in cyberspace than (empty) threats of retaliation. Such technologies are purely defensive in nature and aim to prevent attackers from finding victims and/or sensitive content. And the establishment of an international body would surely facilitate efforts to establish a catalogue of universally accepted norms, procedures and codes of conduct that help prevent “cyber conflicts” from spilling over to the physical sphere - collective action problems notwithstanding. Is this dual strategy an easy option? Definitely not. Despite being long and bumpy, however, this route seems more likely to effectively provide security in cyberspace - and beyond - than the current militarization based on deterrence.
Mark T. Fliegauf is a fellow of the GG2022 program and a doctoral candidate at the University of Cambridge where he focuses on international security and organizational dynamics. This column is part of a series from the GG2022 fellows.