It’s easy to forget what the Cold War was like. Generations of children thought that a silent, blinding flash of light would signal their annihilation. In this most important respect, our cyber-insecurities are nothing like the Cold War.
There are parallels between cybersecurity and the twentieth-century rivalry between the United States and Soviet Union. We have a military gunning to protect us. Our political class has only one frame of reference: geopolitics. And, like the cold war, this one won’t ever turn hot—unless we let our leaders use “cyber” as a pretense for dropping real bombs.
Let’s assess the risk of cyberattack, not by going saucer-eyed about vulnerabilities, of which there are many, but by focusing on threats: Who plans to attack global trade and finance or nation-states? And what do they stand to gain?
A minor power’s cyberattack on a major one would be a losing proposition. The upside is modest, strategically insignificant, damage to the victim. Cyber assets are easily restored and kinetic damage is hard to produce with computers. The downside is retaliation—disproportionate retaliation.
When you strike at a king, you must kill him. No small state is going to (literal) war against a major power using the internet.
What about non-state-sponsored cyberattacks? Any response would simply produce collateral damage and new enemies. We can’t use cyberwarfare to punish or dissuade these actors. Why develop the capability?
Happily, non-state actors can’t pull it off. The head of the National Security Agency, General Keith Alexander, said at an American Enterprise Institute event in July that al Qaeda doesn’t pose a cyberthreat.
The actors that are both sophisticated enough to produce serious cyberattacks and strategically positioned to use them are the industrialized world’s governments— our governments. The Stuxnet virus, which interrupted Iran’s weapons program for a time, is a rare example of a cyberattack that caused physical damage. It is widely credited to the United States and Israel. Cyberwar is something we’re doing to them. It’s not the other way around.
Successful though it was at exploiting interlocking and previously unknown vulnerabilities, Stuxnet and more recent successors may have propagated knowledge about attack techniques, making the world less safe for the time being. The U.S. government and other large powers may be hoarding vulnerabilities and cultivating new attacks rather than contributing to worldwide security by helping to close gaps in vulnerable technologies.
The true pro-security policies are quite a bit different than what we’ve seen—and less interesting. The world’s powers could be less cyber-bellicose. The bulk of the security gains to be had are achieved simply, and boringly, by patching software.
The threats that remain are serious, but nothing like the threat of war: graffiti-like denial-of-service attacks; corporate and governmental espionage; crime; and insider attacks, whether cultivated by competitors or just the product of disgruntlement.
American founder Elbridge Gerry called a standing army “the bane of liberty.” We needn’t have one on the internet.