The immediate and direct damage from a major cyberattack can range from zero to tens of billions of dollars (e.g., from a broad outage of electric power). Direct casualties would likely be few, and indirect casualties may have to be inferred from guessing what would have happened if, say, emergency 911 service had not been taken down. In this essay’s scenario, total damage would likely be less than $1 billion.
Indirect effects may be larger if a cyberattack causes a great loss of confidence — in the banking system, for example, which could trigger a recession. But it is a stretch to argue that even a cyberattack that stopped the banking system completely (much less the sort that merely prevented 24–7 access to a bank’s website) would damage customers’ confidence that their bank accounts would maintain their integrity. NASDAQ’s three‐hour shutdown on August 22, 2013, for example, did not spark a wave of selling.20 It would require data corruption (e.g., depositors’ accounts being zeroed out) rather than temporary disruption before an attack would likely cause depositors to question whether their deposits are safe.
Is corruption that easy to carry out, however? To put the question another way, what kind of technique would allow hackers to reduce a depositor’s account balance without allowing them to increase the balance of another depositor — such as themselves? If that transfer were possible, why don’t more such state‐sponsored hackers go into business for themselves?
So although one hesitates to say that a major cyberattack can never ever be as catastrophic as the 9/11 attacks (or natural events such as Hurricane Katrina or Superstorm Sandy for that matter), the world has been living with the threat from cyberspace for nearly a quarter century, and nothing remotely close to such destruction has taken place.
The ultimate damage, however, may well depend on the extent of the reaction from the United States. A major cyberattack on the United States could conceivably lead to restrictions on the use of the Internet, which could limit the development of e‐commerce or suppress innovation of leading information technology firms (just as export restrictions because of national security concerns harmed the leadership position of the U.S. satellite industry). Or a reaction could sharply reduce the amount of privacy that U.S. citizens (think they) enjoy on the Internet. Therein lies the key question. A minor cyberattack is more like a crime than a national security event. Should even a major cyberattack be considered a national security event, one capable of calling forth an enormous many‐tentacle national security creature as a response? After World War II, American politics exhibited a profound tendency to react more energetically to challenges that could be subsumed within the national security umbrella. Note the 1956 passage of the National Interstate and Defense Highways Act or the way in which Russia’s 1957 Sputnik launch intensified federal interest in local education (and led to the adoption of new math). That tendency waxes and wanes: President Carter’s attempt to persuade Congress to put the nation’s energy affairs in order by referring to the effort required as the “moral equivalent of war” fared less well.
Then came 9/11, which was immediately considered an act of war rather than an enormous crime. The United States reacted to the deaths of 3,000 and damage of roughly $100 billion by waging two wars, which killed more than 6,000 Americans, wounded tens of thousands more, and cost at least $1.5 trillion (depending on how postconflict costs are counted). In part, the disproportionate response reflects the failure to make the distinction between national security and personal security. The only way that jihadist terrorists could conceivably have threatened the sovereignty or the Constitution of the United States was to have sparked state‐ending sectarian violence between enraged opponents and defensive supporters — something that Iraq suffered in 2006–2007 and may possibly have restarted in 2013. There was no prospect of that in the United States. Rather, the government assumed responsibility for preventing the deaths of Americans from further attacks (reflecting a very high ratio of funds spent to lives saved). Clearly, vengeance was another impetus for action, but if one puts that all‐too‐human motive aside, one must, therefore, ask whether going to war twice in the Islamic world was the most cost‐effective way of preventing future incidents of large‐scale death (particularly once U.S. airlines finished installing hardened cabin doors, thereby making it nearly impossible to take over a plane and crash it into a building).21
Compared with terrorism involving conventional explosives, the ratio of death and destruction from cyberattacks is likely to be several orders of magnitude lower; in that respect, 9/11 was an outlier among terrorist attacks, with the March 11, 2004, Madrid attacks or the July 7, 2005, London attacks being more typical. It is by no means clear what the worst plausible disaster emanating from cyberspace might be (it is far clearer that it would not come from Iran, whose skills at cyberwarfare likely pale in comparison with China’s, much less Russia’s). Doomsayers argue that a coordinated attack on the national power grid that resulted in the loss of electric power for years would lead to widespread death from disease (absent refrigeration of medications) and starvation (the preelectrified farm sector was far less productive than today’s). But even if their characterization of the importance of electricity were not exaggerated (it is), killing electric power for that long requires that equipment with lengthy repair times (e.g., transformers, few of which are made here) be broken.
Can cyberattacks have physical effects? Stuxnet would suggest they can; but more than three years have elapsed since it was revealed, and there has yet to be a Stuxnet II. It seems more and more to have been an exceptional event. In essence, if the United States and Israel carried out the attack, then Iran, a country without a great depth of experience in running complex industrial operations, was up against two first‐rate cybersavvy countries. One can see what a tempting target Natanz was: crippling it could increase the security of both Israel and the United States. It is hard to think of many other targets anywhere in the world whose destruction would so clearly benefit the national security of a potential cyberattacker.
Stuxnet featured four zero‐day exploits: exploits that take advantage of vulnerabilities in software that the software provider has not patched, frequently because the software provider is unaware they exist (whereas the hackers are quite aware they exist). Four zero days is three more than even the most sophisticated cyberattacks have. Iran was getting nearly no help in operating and maintaining Natanz (against such hazards as cyberattacks, for instance). Natanz had no active Internet connection (and thus no obvious way to become infected), and no one had yet broken anything with a real‐world cyberattack.22 The Iranians could easily have ascribed the self‐destruction of their centrifuges to many causes other than a cyberattack (such as the fact that Iran was getting parts of questionable reliability from channels of questionable legality), thereby allowing the malware to do its job over and over. As it is, Stuxnet destroyed few if any centrifuges that were already on the floor and completely programmed when the malware appeared.23 It affected only those centrifuges that were being newly programmed (or perhaps reprogrammed) before entering (or perhaps reentering) their cascades. Today, the four zero‐day vulnerabilities have long been patched, the possibility that cyberattacks could destroy machinery has been established, and the notion that air gapping suffices to protect against all cyberattacks has been refuted — to that extent, the immune systems of machine‐control networks have been prepared for future attacks. The extrapolation from Stuxnet to the destruction of the North American grid remains a much longer leap.
If, therefore, the death count is zero, or at least low by terrorism standards, there will be few dramatic videos, and the popular cry for vengeance is likely to be muted. Some will direct their ire to the institutions whose fecklessness about cybersecurity allowed such an attack to happen. One would hope that some share of the policy community will frame the response question as this: what is the best way of preventing future attacks? If so, it is by no means clear that retaliation would come out on top, particularly if policymakers recognize that retaliation creates pressure for counterretaliation, as history suggests it might.
First, consider retaliation limited solely to cyberspace. Such retaliation could easily lead to a series of escalated cyberattacks on both sides.24 It is unclear who might cry uncle first. The United States — its economy as well as its society — is far more dependent on the unimpeded use of networks than Iran is. Indeed, Iran may well use the risk of hostile activity on the Internet as the clinching argument in its campaign to create a separate national (referred to as a “halal”) Internet — which might have little effect on the U.S. ability to insert malware into Iran’s electronic networks, but might have a substantial effect on the U.S. ability to insert uncomfortable memes into Iran’s social networks.
Conversely, the U.S. capacity for cyberwarfare is unmatched, and the dependence of other countries on U.S. companies for software, systems administration, and cybersecurity assistance is even greater. All told, the unknowns exceed the knowns in making any such predictions. Were the attackers from North Korea (which has essentially no connectivity to the outside world from its networks) or were they nonstate actors without infrastructure, then the ability of the United States to impress them using retaliatory cyberattacks would be considerably reduced.
However, the retaliation may catch the attention of the supposed attacker and not necessarily in a good way, particularly if the supposed attacker is not the real attacker. In some ways, the reaction cycle in response to a cyberattack may be more destabilizing than it is for a kinetic attack. Bear in mind that because combat in cyberspace is presumed to take place in nanoseconds, one can ask whether there are any circumstances in which there is no need for speed. Now, couple that with the current notion of “active defense” (admittedly a term made popular because there is little agreement about what it means). At one end are actions that can be deemed fairly legitimate: for example, honeypots to capture the actions of the attacker, files with misleading information to fool those who steal them, and use of tools of intelligence to anticipate what attackers do.
At the other end are far more questionable actions, notably attacks on the networks through which cyberattacks are commanded and controlled. We would like to believe that such cyberwarfare command‐and‐control networks can be clearly distinguished from afar from command‐and‐control networks for kinetic combat or from similar networks that operate civilian infrastructures. Similarly, we would like to believe that attribution is always correct and that what looks in the first few seconds like a cyberattack (rather than, say, a software glitch or penetration for the purposes of espionage) is, in fact, a cyberattack. But would both always be true? And if they may be false, how stabilizing would it be for the determination of such matters and thus the choice of response mechanisms — which would not necessarily write a conclusion to the confrontation — to be in the hands of an organization with a vested interest in the importance of cyberwarfare, whether offensively or defensively?