Think Information. Think Security.
The magic of the digital medium is rendering us more powerful, but also more dependent on a secure and stable cyberspace.

Human beings have fought over land for millennia, beginning with the first agrarian communities. More recently, in the era of mass conscription and rapid industrialization, nation-states also have fought for people's collective thinking or for access to oil. In the 21st century, groups and institutions will increasingly struggle for control of cyberspace, the digital domain where most human activity is already managed - from music distribution to industrial manufacturing, the electricity grid and individual banking accounts. All this is at risk today.

Cyberspace is far more than the Internet. It is a digital medium in which it is possible to reflect or express all human activities, from communication and calculation, to decision making and implementation. It involves software; hardware, from chips to satellites; and people, from developers to end-users. It is threatened by cyber-warfare.

To paraphrase Carl von Clausewitz, cyber-warfare is a corruption of the digital medium that disrupts human activity in order to compel one's enemies to conform to one's will. As agents that produce or transmit information, humans are key assets in cyber-warfare. Some of the most dangerous cyber-weapons are the brains of skilled hackers.

How do cyber-weapons operate? Once their users find (or create ) flaws in software, hardware or users, they exploit them to corrupt the target. Though the first attempts at cyber-warfare took place as much as 30 years ago, the most resounding shots of this new age were fired when the Stuxnet worm disrupted the supervisory control system of the Natanz nuclear enrichment plant in Iran, between 2009 and 2010.

The issue of attribution (or lack thereof ) is one of the most critical elements in the emerging doctrine of cyber-warfare. Without clearly established attribution, suspected aggressors can claim "plausible deniability," as Russia did after the cyber-attacks against Estonia in 2007. Establishing attribution becomes even harder when a global cyber-infection seemingly impacts everyone. Being unable to convince your allies of the true identity of the aggressor considerably restricts your range of military options. More fundamentally, if you are unable to demonstrate your ability to identify a potential enemy, you will not be able to establish deterrence.

A secondary but nontrivial issue is the need to understand escalation thresholds. The emerging American doctrine on the destructive potential of cyber-attacks states that they can be treated as acts of war. But America may never "declare war" against near-peer cyber competitors if the latter also possess weapons, as they often do. Significant threats would be exchanged well before that. But at what moment during a major cyber-attack-induced blackout should the defender threaten war? After one day? One week? More?

This is complicated by the fact that a cyber-attack neither destroys nor kills - even as it degrades capabilities and instills debilitating uncertainty.

And yet an even worse scenario is possible: war triggered by a false alarm. The Cold War was full of technical errors that could accidentally have led to war. Similarly, at present, there are dozens of major electrical blackouts in the U.S. every year, and during a period of diplomatic tension, for example, decision makers could mistakenly think they are the result of Chinese cyber-attacks.

Furthermore, in general, weapons are of either an offensive or defensive nature. As noted by economic and foreign-affairs scholars Prof. Thomas Schelling and Prof. Robert Jervis, the spread of offensive weapons technologies in particular creates international instability and increases anxiety. This was the case in Europe just before World War I - and may also be the case with cyber-weapons, which by design are mostly first-strike weapons.

Traditionally, maintaining peace means being able to restore order by force. In the information realm of cyberspace, it requires being able to present a 360-degree understanding of the situation after an attack, starting with "whodunit." The response to a high-stakes cyber crisis could take the form of a criminal probe conducted in close cooperation with allies. The "suspected" states could be quarantined and "lined up," without their governments being accused of direct involvement at this stage. A nation that refuses to cooperate would then single itself out. And once the attribution is resolved, the defending state can leverage all means of power to respond - from cyber to economic, diplomatic or military.

This is not fiction anymore. The magic of the digital medium is rendering us more powerful, but also more dependent on a secure and stable cyberspace. This is not making the rest of our military capacities irrelevant. We still have formidable conventional and strategic forces. But in the age of nuclear weapons, we cannot afford for screens to go dark, for meaning to be corrupted and lost, and, finally, for fear and panic to be allowed to dominate. This would indeed be the computer's worst "fatal error" - that is, fatal for all of mankind.

Cross-posted from:

Leave a Reply.