Joseph S. Nye, a former assistant US secretary of defense, is a professor at Harvard University and author, most recently, of The Future of Power.
Project Syndicate, April 16 2012
CAMBRIDGE – Two years ago, a piece of faulty computer code infected Iran’s nuclear program and destroyed many of the centrifuges used to enrich uranium. Some observers declared this apparent sabotage to be the harbinger of a new form of warfare, and United States Secretary of Defence Leon Panetta has warned Americans of the danger of a ‘cyber Pearl Harbour’ attack on the US. But what do we really know about cyber conflict?
The cyber domain of computers and related electronic activities is a complex man-made environment, and human adversaries are purposeful and intelligent. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off by throwing a switch. It is far cheaper and quicker to move electrons across the globe than to move large ships long distances.
The costs of developing those vessels – multiple carrier taskforces and submarine fleets – create enormous barriers to entry, enabling US naval dominance. But the barriers to entry in the cyber domain are so low that non-state actors and small states can play a significant role at low cost.
In my book The Future of Power, I argue that the diffusion of power away from governments is one of this century’s great political shifts. Cyberspace is a perfect example. Large countries like the US, Russia, Britain, France, and China have greater capacity than other states and non-state actors to control the sea, air, or space, but it makes little sense to speak of dominance in cyberspace. If anything, dependence on complex cyber systems for support of military and economic activities creates new vulnerabilities in large states that can be exploited by non-state actors.
Four decades ago, the US Department of Defense created the Internet; today, by most accounts, the US remains the leading country in terms of its military and societal use. But greater dependence on networked computers and communication leaves the US more vulnerable to attack than many other countries, and cyberspace has become a major source of insecurity, because, at this stage of technological development, offence prevails over defence there.
The term ‘cyber attack’ covers a wide variety of actions, ranging from simple probes to defacing Web sites, denial of service, espionage, and destruction. Similarly, the term ‘cyber war’ is used loosely to cover a wide range of behaviors, reflecting dictionary definitions of war that range from armed conflict to any hostile contest (for example, ‘war between the sexes’ or ‘war on drugs’).
At the other extreme, some experts use a narrow definition of cyber war: a ‘bloodless war’ among states that consists solely of electronic conflict in cyberspace. But this avoids the important interconnections between the physical and virtual layers of cyberspace. As the Stuxnet virus that infected Iran’s nuclear program showed, software attacks can have very real physical effects.
A more useful definition of cyber war is hostile action in cyberspace whose effects amplify or are equivalent to major physical violence. In the physical world, governments have a near-monopoly on large-scale use of force, the defender has an intimate knowledge of the terrain, and attacks end because of attrition or exhaustion. Both resources and mobility are costly.
In the cyber world, by contrast, actors are diverse (and sometimes anonymous), physical distance is immaterial, and some forms of offence are cheap. Because the Internet was designed for ease of use rather than security, attackers currently have the advantage over defenders. Technological evolution, including efforts to ‘reengineer’ some systems for greater security, might eventually change that, but, for now, it remains the case. The larger party has limited ability to disarm or destroy the enemy, occupy territory, or use counterforce strategies effectively. Continue reading