The Militarisation of Cyber Security as a Source of Global Tension (page 3)

22 Oct 2012

Cyber-security has become a strategic issue. But while offensive cyber operations are becoming a significant component of modern conflicts, Myriam Dunn Cavelty argues that the role of the military in cyber security will be limited and still needs to be carefully defined.

Flawed assumptions and detrimental effects

The militarisation of cyber security is first and foremost based on the belief in a massive threat of a large-scale cyber attack. There are two aspects to this perception: In the first subsection, it is shown how and why the past and current level of the threat is overrated. The second subsection places the future likelihood of cyber war into perspective. It shows that now and in the future, the probability of a large-scale attack is very low. The third subsection looks at an additional reason for how widespread the fear of cyber war has become: Most countries simply follow the threat perception and reasoning of the US, even though the strategic context and disparity in power positions warrant a different threat assessment. The fourth subsection finally criticises the widespread use of vocabulary that is full of military analogies. Such vocabulary insinuates a reality governed by the traditional logic of offense and defence – a reality that does not exist. Even worse, it is decoupled from the reality of the threat and the possibility for meaningful countermeasures and is complicit in solidifying the militarisation of cyber security.

An overrated threat

There is no denying that different political, economic, and military conflicts have had cyber(ed) components for a number of years now. Furthermore, criminal and espionage activities involving the use of computers happen every day. It is a fact that cyber incidents are continually causing minor and only occasionally major inconveniences: These may be in the form of lost intellectual property or other proprietary data, maintenance and repair, lost revenue, and increased security costs. Beyond the direct impact, badly handled cyber attacks have also damaged corporate (and government) reputations and have, theoretically at least, the potential to reduce public confidence in the security of Internet transactions and e-commerce if they become more frequent.

However, in the entire history of computer networks, there are no examples of cyber attacks that resulted in actual physical violence against persons (nobody has ever died from a cyber incident), and only very few had a substantial effect on property (Stuxnet being the most prominent). So far, cyber attacks have not caused serious long-term disruptions. They are risks that can be dealt with by individual entities using standard information security measures, and their overall costs remain low in comparison to other risk categories such as financial risks.

These facts tend to be almost completely disregarded in policy circles. There are several reasons why the threat is overrated. First, as combating cyber threats has become a highly politicised issue, official statements about the level of threat must also be seen in the context of competition for resources and influence between various bureaucratic entities. This is usually done by stating an urgent need for action and describing the overall threat as big and rising.

Second, psychological research has shown that risk perception, including the perception of experts, is highly dependent on intuition and emotions. Cyber risks, especially in their more extreme form, fit the risk profile of so-called ‘dread risks’, which are perceived as catastrophic, fatal, unknown, and basically uncontrollable. There is a propensity to be disproportionally afraid of these risks despite their low probability, which translates into pressure for regulatory action of all sorts and the willingness to bear high costs of uncertain benefit.

Third, the media distorts the threat perception even further. There is no hard data for the assumption that the level of cyber risks is actually rising – beyond the perception of impact and fear. Some IT security companies have recently warned against over-emphasising sophisticated attacks just because we hear more about them. In 2010, only about 3 per cent of all incidents were considered so sophisticated that they were impossible to stop. The vast majority of attackers go after low-hanging fruit, which are small to medium-sized enterprises with bad defences. These types of incidents tend to remain under the radar of the media and even law enforcement.

Cyber war remains unlikely

Since the potentially devastating effects of cyber attacks are so scary, the temptation is very high not only to think about worst-case scenarios, but also to give them a lot of (often too much) weight despite their very low probability. However, most experts agree that strategic cyber war remains highly unlikely in the foreseeable future, mainly due to the uncertain results such a war would bring, the lack of motivation on the part of the possible combatants, and their shared inability to defend against counterattacks. Indeed, it is hard to see how cyber attacks could ever become truly effective for military purposes: It is exceptionally difficult to take down multiple, specific targets and keep them down over time. The key difficulty is proper reconnaissance and targeting, as well as the need to deal with a variety of diverse systems and be ready for countermoves from your adversary.

Furthermore, nobody can be truly interested in allowing the unfettered proliferation and use of cyber war tools, least of all the countries with the offensive lead in this domain. Quite to the contrary, strong arguments can be made that the world’s big powers have an overall strategic interest in developing and accepting internationally agreed norms on cyber war, and in creating agreements that might pertain to the development, distribution, and deployment of cyber weapons or to their use (though the effectiveness of such norms must remain doubtful). The most obvious reason is that the countries that are currently openly discussing the use of cyber war tools are precisely the ones that are the most vulnerable to cyber warfare attacks due to their high dependency on information infrastructure. The features of the emerging information environment make it extremely unlikely that any but the most limited and tactically oriented instances of computer attacks could be contained. More likely, computer attacks could ‘blow back’ through the interdependencies that are such an essential feature of the environment. Even relatively harmless viruses and worms would cause considerable random disruption to businesses, governments, and consumers. This risk would most likely weigh much heavier than the uncertain benefits to be gained from cyber war activities.

Certainly, thinking about (and planning for) worst-case scenarios is a legitimate task of the national security apparatus. Also, it seems almost inevitable that until cyber war is proven to be ineffective or forbidden, states and non-state actors who have the ability to develop cyber weapons will try to do so, because they appear cost-effective, more stealthy, and less risky than other forms of armed conflict. However, cyber war should not receive too much attention at the expense of more plausible and possible cyber problems. Using too many resources for high-impact, low-probability events – and therefore having fewer resources for the low to middle impact and high probability events – does not make sense, neither politically, nor strategically and certainly not when applying a cost-benefit logic.

Europe is not the US

The cyber security discourse is American in origin and American in the making: At all times, the US government shaped both the threat perception and the envisaged countermeasures. Interestingly enough, there are almost no variations to be found in other countries’ cyber threat discussions – even though the strategic contexts differ fundamentally. Many of the assumptions at the heart of the cyber security debate are shaped by the fears of a military and political superpower. The US eyes the cyber capabilities of its traditional rivals, the rising power of China and the declining power of Russia, with particular suspicion. This follows a conventional strategic logic: The main question is whether the cyber dimension could suddenly tip the scales of power against the US or have a negative effect on its ability to project power anywhere and anytime. In addition, due to its exposure in world politics and its military engagements, the US is a prime target for asymmetric attack.

The surely correct assumption that modern societies and their armed forces depend on the smooth functioning of information and communication technology does not automatically mean that this dependence will be exploited – particularly not for the majority of states in Europe. The existence of the cyber realm seems to lead people to assume that because they have vulnerabilities, they will be exploited. But in security and defence matters, careful threat assessments need to be made. Such assessments require that the following question be carefully deliberated: ‘Who has an interest in attacking us and the capability to do so, and why would they?’ For many democratic states, particularly in Europe, the risk of outright war has moved far to the background and the tasks of their armies have been adapted to this. Fears of asymmetric attacks also rank low. The same logic applies to the cyber domain. The risk of a warlike cyber attack of severe proportions is minimal; there is no plausible scenario for it. Cyber crime and cyber espionage, both political and economic, are a different story: They are here now and will remain the biggest cyber risks in the future.

The limits of analogies

Even if the cyber threat were to be considered very high, the current trend conjures up wrong images. Analogies are very useful for relating non-familiar concepts or complex ideas with more simple and familiar ones. But when taken too far, or even taken for real, they begin to have detrimental effects. Military terms like ‘cyber weapons’, ‘cyber capabilities’, ‘cyber offence’, ‘cyber defence’, and ‘cyber deterrence’ suggest that cyberspace can and should be handled as an operational domain of warfare like land, sea, air, and outer space (cyberspace has in fact been officially recognised as a new domain in US military doctrine). Again, this assumption clashes with the reality of the threat and the possibilities for countermeasures.

First, calling offensive measures cyber weapons does not change the fact that hacker tools are not really like physical weapons. They are opportunistic and aimed at outsmarting the technical defences. As a result, their effect is usually not controllable in a military sense – they might deliver something useful or they might not. Also, even though code can be copied, the knowledge and preparation behind it cannot be easily proliferated. Each new weapon needs to be tailored to the system it is supposed to attack. Cyber weapons cannot be kept in a ‘silo’ for a long time, because at any time, the vulnerability in the system that it is targeted at could be patched and the weapon would be rendered useless.

Second, thinking in terms of attacks and defence creates a wrong image of immediacy of cause and effect. However, high-level cyber attacks against infrastructure targets will likely be the culmination of long-term, subtle, systematic intrusions. The preparatory phase could take place over several years. When – or rather if – an intrusion is detected, it is often impossible to determine whether it was an act of vandalism, computer crime, terrorism, foreign intelligence activity, or some form of strategic military attack. The only way to determine the source, nature, and scope of the incident is to investigate it. This again might take years, with highly uncertain results. The military notion of striking back is therefore useless in most cases.

Third, deterrence works if one party is able to successfully convey to another that it is both capable and willing to use a set of available (often military) instruments against the other side if the latter steps over the line. This requires an opponent that is clearly identifiable as an attacker and has to fear retaliation – which is not the case in cyber security because of the attribution problem. Attribution of blame on the basis of the cui bono logic is not sufficient proof for political action. Therefore, deterrence and retribution do not work in cyberspace and will not, unless its rules are changed in substantial ways, with highly uncertain benefits. Much of what is said in China and in the US about their own and the other’s cyber capabilities is (old) deterrence rhetoric – and must be understood as such. The White House’s new International Strategy for Cyberspace of 2011 states that the US reserves the right to retaliate to hostile acts in cyberspace with military force. This ‘hack us and we might bomb you’ statement is an old-fashioned declaratory policy that preserves the option of asymmetrical response as a means of deterrence, even though both sides actually know that following up on it is next to impossible.

Fourth, cyberspace is only in parts controlled or controllable by state actors. At least in the case of democracies, power in this domain is in the hands of private actors, especially the business sector. Much of the expertise and many of the resources required for taking better protective measures are located outside governments. The military – or any other state entity for that matter – does not own critical (information) infrastructures and has no direct access to them. Protecting them as a military mandate is impossible, and conceiving of cyberspace as an occupation zone is an illusion. Militaries cannot defend the cyberspace of their country – it is not a space where troops and tanks can be deployed, because the logic of national boundaries does not apply.
