The Cyberskeptics

This page collects and links writing challenging the popular notion that cyber-doom is approaching. Concerns about cybercrime, cyberterrorism, and cyberwar have escalated dramatically in the United States. Billions of dollars are being thrown at these problems, and most of the discussion is alarmist in the extreme.

The articles and papers summarized and linked below provide some balance to the discussion. The authors generally support judicious efforts to secure technology and information systems against hacking, theft, and espionage but believe that the national security threat from cyberattacks has been greatly exaggerated.

General Cyberwarfare

• Brandon Valeriano and Benjamin Jensen, “The Myth of the Cyber Offense: The Case for Restraint,” Cato Institute Policy Analysis No. 862, January 15, 2019.

The authors use empirical analysis of cyber incidents to demonstrate that cyber is a relatively restrained domain with few aggressive attacks that seek a dramatic, decisive impact. A more offensively-oriented cyber posture, however, risks undermining norms around restraint.

• Joshua Rovner and Tyler Moore, “Does the Internet Need a Hegemon?” Journal of Global Security Studies, Vol. 2, Issue 3, 1 July 2017, Pages 184-203.

The authors argue that the internet, for all its fragility, is relatively resilient and therefore does not require the United States to play the role of cyber hegemon in providing global public goods in cyberspace.

• Erica D. Borghard & Shawn W. Lonergan, “The Logic of Coercion in Cyberspace”, Security Studies, Vol. 26, No. 3 (May 2017), pp. 452-481.

Demonstrates that “cyber power alone has limited effectiveness as a tool of coercion, although it has significant utility when coupled with other elements of national power.”

• Joseph S. Nye Jr., “Deterrence and Dissuasion in Cyberspace”, International Security, Vol. 41, Issue 3 (Winter 2016/17), pp. 44-71.

The author argues that problems of attribution don’t necessarily undermine deterrence in cyberspace.

• Erik Gartzke & Jon R. Lindsay, “Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace,” Security Studies, Vol.24, No. 2 (June 2015), pp. 316-348

The authors push back against the claim that cyberspace weakens deterrence and defense, showing how the strategy of deception in cyberspace leads covert attackers to exercise restraint, while defenders can employ deceptive concealment to confuse or ensnare aggressors.

• Jon R. Lindsay, “Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack,” Journal of Cybersecurity, Vol. 1, Issue 1 (September 2015), pp. 53-67.

The author explains that deterrence in the cyber domain results in many low-value anonymous cyberattacks but few high-value ones. Reliance on deception provides some advantages to the attacker but undermines offensive coercion and creates risks for ambitious intruders.

• Brandon Valeriano and Ryan C. Maness, Cyber War versus Cyber Realities: Cyber Conflict in the International System (Oxford University Press, 2015).

The authors use empirical analysis of cyber incidents to demonstrate that the threat of cyberwarfare has been inflated. States tend to use cyberspace in a limited, low-intensity fashion, usually within already-existing regional rivalries, that doesn’t produce long-term effects.

• Jon R. Lindsay, “The Impact of China on Cybersecurity: Fiction and Friction,” International Security, Vol. 39, No. 3 (Winter 2014/2015), pp. 7-47.

The U.S.-China cyber relationship is more stable than it appears because for every Chinese advantage, there are also weaknesses to be exploited through the strengths of American capabilities. Each country has incentives to moderate their actions in the cyber domain, which will likely keep the balance of power stable for the foreseeable future.

• Jon R. Lindsay, “Stuxnet and the Limits of Cyber Warfare”, Security Studies, Vol. 22, No. 3 (August 2013), pp. 365-404.

Through an empirical analysis of the Stuxnet attack, the author challenges claims that the internet gives militarily weaker actors asymmetric advantages, that offense is becoming easier as defense gets harder, and that deterrence is weak in cyberspace. Also see Jon R. Lindsay, “Stuxnet Debate Continues: How Should Cyberweapons Be Used?” WebProNews, July 12, 2012.

• Erik Gartzke, “The Myth of Cyberwar: Bringing War on the Internet Back Down to Earth,” International Security, Vol. 38, No. 2 (Fall 2013), pp. 41-73.

Following the argument that cyberwar is a revolution in military affairs with the potential even to overturn the prevailing world order, the author notes that cyberattacks are more an adjunct to existing forms of political violence than a substitute.

• Ivanka Barzashka, “Are Cyber-Weapons Effective?”, The RUSI Journal, Vol. 158, No. 2 (April 2013), pp. 48-56.

The author argues that the 2010 Stuxnet attack on Iran’s uranium centrifuges failed to inflict lasting damage on, much less sabotage, Iran’s nuclear enrichment program.

• Martin Libicki, “Don’t Buy the Cyberhype,” Foreign Affairs (online), August 16, 2013.

Examines how the United States can limit the risk of cyberattacks by assessing these risks in commercial software, as well as encouraging better IT systems management and the development of tools able to detect potential attacks.

• Mary Ellen O’Connell, “Cyber Security without Cyber War,” Journal of Conflict Security Law, Vol. 12, No. 2 (Summer 2012), pp. 187-209.

The author argues that we should move away from both military analogies and Cold War deterrence theories when we deal with cyber issues. She suggests that international law governing economic activity and communications is more relevant to monitor activity on the internet.

• Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies, Vol. 35, No. 1 (February 2012), pp. 5-32.

The author rejects the term “cyber war,” noting that cyber attacks never fit all three characteristics necessary for an act of war: violence, instrumentality, and a political goal. He concludes that cyber war has never happened and is unlikely to occur. See also Thomas Rid, “Think Again: Cyberwar,” Foreign Policy, March/April 2012.

• David Betz, “Cyberpower in Strategic Affairs: Neither Unthinkable nor Blessed,” Journal of Strategic Studies, Vol. 35, No. 5 (2012), pp. 689-711.

The author demonstrates that cyberattacks can be quite costly, but anonymous attacks have limited effectiveness as a form of coercion. See also David Betz, “Cyber Power in Strategic Affairs: Neither Unthinkable nor Blessed,” Geopoliticus (blog), Foreign Policy Research Institute, November 28, 2012.

• Adam P. Liff, “Cyberwar: A New ‘Absolute Weapon’? The Proliferation of Cyberwarfare Capabilities and Interstate War,” Journal of Strategic Studies, Vol. 35, No. 3 (May 2012), pp. 401-428.

The author explains how the untraceability and offensive bias of cyberweapons will not increase either the frequency of interstate conflicts. Liff sees the possibility for countries to balance each other, as well as mitigate potential large-scale confrontation by gaining cyberwarfare advantage.

• Jerry Brito and Tate Watkins, “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” Harvard National Security Journal, Vol. 3, No. 1 (April 26, 2011), pp. 39-84.

This paper argues that increased political attention to cybersecurity, along with the parochial interests of a public-private complex, has contributed to threat inflation. Also see Jerry Brito and Tate Watkins, “The Cybersecurity-Industrial Complex,” Reason, August/September 2011; Jerry Brito and Tate Watkins, “Cyberwar Is the New Yellowcake,” Wired, February 14, 2012.

• Allan Friedman, “Economic and Policy Frameworks for Cybersecurity Risks,” Center for Technology Innovation at Brookings, July 21, 2011.

The author sets out differences between various cybersecurity risks and advocates a risk management approach to these dangers. He warns, however, that many security efforts could overwhelm the benefits of information technology.

• Sean Lawson, “Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History,” Mercatus Center, Vol. 10, No. 77 (January 2011).

This paper argues that cybersecurity policy should be based on empirical evidence of threats. He also explains how modern technologies and decentralized security providers are necessary to prevent cyberattacks.

• Peter Sommer and Ian Brown, “Reducing Systemic Cybersecurity Risk,” Organization for Economic Cooperation and Development, January 14, 2011.

The authors use quantitative risk assessment to study the potential effects of various cyber-attacks. They conclude that almost all of them are unlikely to have global ramifications.

• Ryan Singel, “Richard Clarke’s Cyberwar: File Under Fiction,” Wired, April 22, 2010.

The author debunks Richard Clarke’s claims about past damages caused by hackers and explains how this sort of alarmism could be a threat to internet openness. See also Ryan Singel, “Is the Hacking Threat to National Security Overblown?” Wired, June 3, 2009; Ryan Singel, “Cyberwar Hype Intended to Destroy the Open Internet,” Wired, March 1, 2010.

• Evgeny Morozov, “Cyber-Scare: The Exaggerated Fears over Digital Warfare,” Boston Review, July/August 2009.

This article discusses the murky legal issues around cyber-attacks, such as liability and Geneva Convention considerations, and argues for improving the already considerable resilience of internet infrastructure. See also Evgeny Morozov, “Battling the Cyber Warmongers,” The Wall Street Journal, March 8, 2010.

Cyberterrorism and Online Terrorism Training

• John Mueller, “The Cybercoaching of Terrorists: Cause for Alarm?,” CTC Sentinel, Vol. 10, Issue 9, October 2017, pp. 29-35.

Mueller argues that the problem of “cybercoaching” potential terrorist recruits is typically a failure for terrorist organizations and much less of a national security threat than many observers claim.

• Kathy Gilsinan, “Is ISIS’s Social-Media Power Exaggerated?,” The Atlantic, February 23, 2015.

Gilsinan scrutinizes the ability of groups like ISIS to radicalize young Muslims worldwide through social media. While terrorist organizations sometimes use social media to great effect, the groups are mostly engaging with people that are already radicalized.

• Peter W. Singer, “The Cyber Terror Bogeyman,” Armed Forces Journal, November 2012.

Singer argues that fears of a cyber-terror attack are vastly overwrought. Although Singer believes that cyberterrorism is a concern, targeted attacks require expertise that terrorists lack.

• Michael Kenney, “Beyond the Internet: Metis, Techne, and the Limitations of Online Artifacts for Islamist Terrorists,” Terrorism and Political Violence, Vol. 22, No. 2 (April 2010), pp. 177-197.

• Anne Stenersen, “The Internet: A Virtual Training Camp?” Terrorism and Political Violence, Vol. 20, No. 2 (April 2008), pp. 215-233.

• Mette Eilstrup-Sangiovanni and Calvert Jones, “Assessing the Dangers of Illicit Networks: Why al-Qaida May Be Less Dangerous Than Many Think,” International Security, Vol. 33, No. 2 (Fall 2008), pp. 7-44.

The authors question the popular notion that terrorism has been greatly aided by the internet. Although the internet is a great communication tool, online terrorism training is unlikely.

• Myriam Dunn Cavelty, “Cyber-Terror-Looming Threat or Phantom Menace? The Framing of the US Cyber-Threat Debate,” Journal of Information Technology and Politics, Vol. 1, No. 4 (2007), pp. 19-36.

The author explains why fear of cyberterrorism is so pervasive despite no confirmed instances of its occurrence. She advocates the adoption of a risk frame that focuses attention on probability.

Cybercrime

• Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, “Measuring the Cost of Cybercrime,” Paper presented to the Workshop on the Economics of Information Security, June 2012.

The authors argue that the costs of cyber-crime come largely from the attempts to protect against it, suggesting that resources now used to protect systems against cyber-criminals might be better spent on finding and arresting them.

• Dinêi Florencio and Cormac Herley, “Sex, Lies and Cyber-crime Surveys,” Microsoft Research, June 2011.

This article argues that the way we measure cyber-crimes is biased and has substantially exaggerated the scope of the problem. See also Dinêi Florencio and Cormac Herley, “The Cybercrime Wave That Wasn’t,” The New York Times, April 14, 2012.

• Paul Ohm, “The Myth of the Superuser: Fear, Risk, and Harm Online,” UC Davis Law Review, Vol. 41, No. 4 (April 2008), pp. 1327-1402.

Ohm argues that debates about cybersecurity often overemphasize the importance of so-called “superusers”. These discussions, however, not only leave countries and individuals more vulnerable to these forms of cybercrime, but also induce them to waste important resources to prevent unrealistic threats.

Appendix: The Non-Digital Pearl Harbor

• John Mueller, “Pearl Harbor: Military Inconvenience, Political Disaster,” International Security, Vol. 16, No. 3 (Winter 1991/92), pp. 172-203.

John Mueller looks at the net damage perpetrated at Pearl Harbor, describing it as an “inconvenience” rather than a catastrophe. Mueller uses this analogy to suggest that a digital attack on our country would also merely be an inconvenience, since we have the resources to prevent a major setback.