The Militarisation of Cyber Security as a Source of Global Tension

29 Mar 2012

Over the last few years, cyber security has been catapulted from the confined realm of technical experts into the political limelight.

Cyber security is seen as one of the most pressing national security issues of our time. Due to sophisticated and highly publicized cyber-attacks such as Stuxnet, it is increasingly framed as a strategic issue. The diffuse nature of the threat, coupled with a heightened sense of vulnerability, has brought about a growing militarization of cyber security. This has resulted in too much attention on the low probability of a large-scale cyber-attack, a focus on the wrong policy solutions, and a detrimental atmosphere of insecurity and tension in the international system. Though cyber operations will be a significant component of future conflicts, the role of the military in cyber security will be limited and needs to be carefully defined.

The discovery of the industry-sabotaging Stuxnet computer worm, numerous tales of (Chinese) cyber espionage, the growing sophistication of cyber criminals, and the well-publicized activities of hacker collectives have combined to give the impression that cyber-attacks are becoming more frequent, more organized, more costly, and altogether more dangerous. As a result, a growing number of countries consider cyber security to be one of the top security issues of the future.

This is just the latest ‘surge’ of attention in the three- to four-decade-long history of cyber issues. The importance attached to cyber security in politics grew steadily in response to a continual parade of incidents such as computer viruses, data theft, and other penetrations of networked computer systems, which, combined with heightening media attention, created the feeling that the level of cyber insecurity was on the rise. As a result, the debate spread in two directions: upwards, from the expert level to executive decision-makers and politicians; and horizontally, advancing from mainly being an issue of relevance to the US to the top of the threat list of more and more countries.

The debate on ‘cyber security’ originated in the US in the 1970s, built momentum in the late 1980s, and spread to other countries in the late 1990s. Early on, US policy-makers politicized the issue. They presented cyber security as a matter that requires the attention of state actors because it cannot be solved by market forces. As concern increased, they securitized the issue: They represented it as a challenge requiring the urgent attention of the national security apparatus. In 2010, against the background of the Stuxnet incident, the tone and intensity of the debate changed even further: The latest trend is to frame cyber security as a strategic-military issue and to focus on counter-measures such as cyber offense and defense, or cyber deterrence.

Though this trend can easily be understood when considering the political (and psychological) effects of Stuxnet, it nonetheless invokes images of a supposed adversary even though there is no identifiable enemy, is too strongly focused on national security measures instead of economic and business solutions, and wrongly suggests that states can establish control over cyberspace. Not only does this create an unnecessary atmosphere of insecurity and tension in the international system, it is also based on a severe misperception of the nature and level of cyber risk and on the feasibility of different protection measures. While it is undisputed that the cyber dimension will play a substantial role in future conflicts of all grades and shades, threat-representations must remain well informed and well balanced at all times in order to rule out policy reactions with excessively high costs and uncertain benefits.

This chapter first describes the core elements of the cyber security debate that emerged over the past decades. These elements provide the stage and scenery for the more recent trend of increasing militarization of cyber security. Five factors responsible for this trend are described in section two. The effects of the discovery of Stuxnet as the culmination point of the cyber threat story are the focus of section three: Though the actual (physical) damage of Stuxnet remains limited, it had very real and irreversible political effects. The fourth section critically assesses the assumptions underlying the trend of militarization and their negative effects. The chapter concludes by arguing that military countermeasures will not be able to play a significant role in cyber security due to the nature of the information environment and the nature of the threat. Finally, it sketches the specific, though limited, role that military apparatuses can and should play in reducing the overall level of cyber insecurity nationally and internationally.

To read the full report, please visit the Strategic Trends Analysis website. 
