Arms Race in Cyberspace?
Earlier this month, the Obama Administration unveiled its legislative proposal to enhance America’s cybersecurity, calling for better protection of systems running critical infrastructure like the electrical grid, financial systems and nuclear power plants. The White House also laid out an international cyberspace strategy for strengthening Internet security while helping ensure that citizens everywhere have the freedom to express themselves online. The Pentagon's Cyber Command has stated its intention to strike back at cyberattacks that threaten U.S. national security. And the Chinese, Russians, and other nations aren’t far behind with their own strategic plans for cyberspace.
Today, we find ourselves at an inflection point in the Internet’s short history. All modern armed conflict now invariably features a cyberspace component: consider the 2006 Israel-Hezbollah war; the 2007 “Web War I” denial-of-service attacks on Estonia; the 2008 Russian-Georgian war over South Ossetia; continuing hostilities in Iraq and Afghanistan; and internal clashes throughout the Middle East. Yesterday’s kinetic strikes on communications infrastructure, hacked computer networks, and geolocation-guided missile attacks have given way to sophisticated cyberattacks designed to shut down critical national infrastructures or to coerce or intimidate a government or civilian population. Consider, for example, the 2010 Stuxnet worm that successfully attacked and disrupted Iran’s nuclear facility in Natanz, which raised new questions about the Internet’s potential for becoming a new weapon of war.
Should we be worried about accelerating moves toward a militarization of cyberspace? Understandably, some observers express doubts about the threat posed by cyberwarfare: the term itself is ill defined, having been used to describe everything from computer-enabled surveillance to critical infrastructure attacks. Some cyberwar alarmists may even have other motives for needlessly ramping up fears, including desires to diminish Internet privacy, encourage Sino-American rivalry, or increase the value of private commercial interests in cybersecurity ventures.
Yet a troubling recent shift toward censorship, surveillance, sabotage, and—yes—militarization in cyberspace is unmistakable. The United States recently launched USCYBERCOM, a new combatant command charged with both defensive and offensive operations. China and others are responding in kind. Surveillance in the public and private sectors is now commonplace, Internet filtering is becoming more accepted worldwide, and a growing culture of cybercrime and state-sponsored espionage threatens industry, government and civil society alike. The ways and means of cyberwarfare remain distinct from those of other conflicts, but there exist no international rules of engagement for this largely ungoverned domain.
All of these trends have the potential for converging into a perfect storm that threatens traditional Internet values of openness, collaboration, innovation, limited governance and free exchange of ideas. As global competitors continue to develop their cyber capabilities and expand their national influence over the Internet, the world community can minimize negative consequences of international rivalries and preserve the best of the Internet’s core values by recalling three lessons learned from past arms races:
1. Strategic Advantages Are Fleeting. The United States was the first nation to develop nuclear weapons, and it retained this technical advantage for four short years. The U.S. is the dominant nation in assigning domain names, routing traffic, creating new Internet technologies, and developing protocols and standards. But Brazil, China, India, Russia, and other nations are actively seeking opportunities to play a stronger role in Internet governance. Their rapidly growing technical capabilities, manufacturing expertise and domestic user markets will make it difficult to disregard their views in issues relating to Internet governance. Acting collectively or alone, one or more of these regional powers could establish rival Internet systems, fostering a “technical Cold War” in which China, Europe and the United States develop technically different secure protocols that fit each society’s values, ethics and legal systems but do not “speak” to each other. The result would be a balkanized Internet with dramatically reduced network effects. Unless all stakeholder nations are permitted a degree of involvement in Internet governance, the global network’s continued interoperability could be at risk.
2. Don’t Get MAD. During the Cold War, the doctrine of MAD (mutually assured destruction) led to the end of direct warfare between the major powers. The possibility that any conventional conflict could become a nuclear war in which both attacker and defender were destroyed served as a powerful deterrent. In cyberspace, however, there exists no analogous “mutually assured disruption” deterrent. Cyberattacks are fundamentally asymmetric, networked and distributed events: protocols governing Internet traffic remain insecure, attackers can easily work across multiple international jurisdictions, the origin of packets can be disguised, and prosecutions frequently remain impractical even when relevant laws exist. Deterring an adversary is difficult when consequences cannot be delivered effectively. Even if it were possible to replicate a truly MAD state in today’s cyberspace, “mutually assured disruption” does not hold the same promise of a bipolar equilibrium between Cold War rivals. To arrive at effective solutions, nations must abandon the inadequate strategic posture of MAD military deterrence in favor of collaborative approaches to protecting the world's computer networks.
3.Talk Is Cheap(er). Between 1940 and 1996, the United States alone spent over $8.66 trillion (in current dollars) on an arms race that resulted in a net decline in the national security of both sides. The costs for preventing, defending against and repairing damage from cyberattacks on corporations alone have been estimated to exceed $1 trillion globally every year. Cyber arms control agreements may not be realistic in light of the current absence of shared understandings about the Internet’s core values. For example, China and Russia define cyberwar to include dissemination of information “harmful to the spiritual, moral and cultural spheres of other states” and argue for greater state surveillance capabilities. The United States, by contrast, focuses on cyberwar’s infliction of physical and economic damage and considers reduced anonymity on the Internet as damaging to its core values of privacy and free speech. To ensure that cyberwarfare becomes constrained and validated by politics, ethics, and the development of shared norms, values and objectives for cyberspace, responsible stakeholders must remain dedicated to the process of forming such shared understandings. Absent continued discussion, the debate can become unbalanced in favor of value-destroying military and technological responses to emerging threats.
The militarization of cyberspace is not a far-fetched fear. While warnings of “digital Pearl Harbors” might be overheated rhetoric, a very real geopolitical conflict has arisen among political rivals contending with a steadily rising tide of cybercrime, surveillance and Internet espionage. Nations tempted to manage this conflict in ways that mimic strategies and behaviors borrowed from past arms races will subvert the open architecture that makes possible the Internet’s flexibility, scalability, reliability, and adaptability. As the world community seeks to chart a responsible course toward a future that protects and preserves the Internet’s tremendous benefits to our modern networked world, it will discover that successful approaches will be characterized by the same features that best describe the Internet itself: innovative, collaborative, efficient, distributed, and interdependent.