Lately, there have been a lot of articles and specials about cyber conflict — in particular cyber crimes carried out by states, which seems to be slowly winning as the colloquial definition of cyberwar. The primary reason for this is that enough time has passed to generate more thoughtful and researched reactions to the most important cyber-story of the year: Russia’s alleged role in the theft and later release of private emails from the US Democratic National Committee (DNC).
Cyber or otherwise, it’s a strident attempt to interfere in an American election — but is it “unprecedented” in the way it is often described? More generally, are these particular sorts of cyber attacks really changing the world all that much?
First, let’s dispense with the idea that foreign countries, and even Russia in particular, have never before tried to influence an American election. Justified worries about misinformation (and just plain information) planted by the French to affect Americans’ thinking on international issues led to the anti-free speech Alien and Sedition Acts of 1798, some of which are still in force today. The founders of America thought foreign meddling was a big enough problem that they wrote a whole provision of the constitution trying to prevent bribery by foreign powers: Article I, Section 9, Clause 8.
During the Cold War, the Soviets developed political meddling into almost an art, and the KGB became notorious for its various attempts to influence American electoral outcomes. From pushing conspiracy theories about the Kennedy assassination to strategically fanning the flames of racial tension throughout the 1960’s, Russia has never viewed politics as off-limits to its espionage establishment. And, more specific to this situation, the espionage in question didn’t always involve the dissemination of lies; the US really did need to face up to its race problem in the 1960’s, just like the DNC really did have inappropriate conversations behind the scenes.
In other words, political interference in American politics, both with true facts and false ones, is much older than the cyber age. There’s nothing more old school “spy” than getting your hands on papers you’re not supposed to — in principle, there’s nothing new about this cyber-incursion beyond the fact that it was easier and less dangerous than it would have been to physically break into the same office and steal the same files in the traditional fashion.
Cyber also takes old attacks and blows them out of all proportion. While spies were always able to steal personal information, it would be quite the spy indeed who could physically smuggle 21.5 million personal records out of a physical government office.
As pointed out in a recent Politico article, “these attacks do not live up to the visions of doom and mass hysteria described in many cyberwar scenarios”. So how is cyber conflict living up to its reputation for being revolutionary?
First and foremost, it’s changing how we think about the use of force. To a great extent, the global conversation now lumps together hacks that steal information with those that cause outages in systems, and occasionally even those that cause damage to systems. Many have referred to the DNC hack as an act of “cyberwar,” though none of them have to my knowledge called it an act of “regular old war.” This perceived lesser severity of cyberwar has allowed nonviolent cyber attacks to become more brazen than even Cold War espionage.
The New York Times produced what is still the seminal piece of reporting on the Russian cyber-propaganda industry, and teams of aggressive hackers have been known to operate in much the same capacity as remote limbs of the Russian government. Computer skills are a hell of a lot more common than spy skills. Unlike with physical espionage, you don’t have to use people whose life histories can be traced to your agencies — you can use recent university grads, or even former/current criminals, and keep it all casual enough that no definite link ever develops between you and your de-facto agents. Not only is it generally easier to pull off a cyber-theft, you also don’t have to worry nearly as much if the target does manage to identify their assailants.
That’s all if the attack is below a certain threshold of severity, however. Above that threshold, things are still unclear. Purely military cyber weapons, for instance those that might take down an air defense grid in advance of a raid (like the Bin Laden raid in Pakistan), as well as those carried out as part of an openly declared military agenda (like the Stuxnet attack on Iran), are a bit beside the point. That’s because when you’ve already shown that you’re willing to shoot people or incinerate a building, releasing a worm into the computers of government employees or even tanking local infrastructure as a part of that military operation becomes legally and politically insignificant. We may not know quite where their use begins to be allowed, but we do know the threshold lies before you start blowing up facilities full of people. Without admitting it was responsible for the Stuxnet attack, the US has been clear that without the nonviolent destruction of those centrifuges, America, Israel, or some other power would have achieved the same thing with bombs.
In this context, there’s only one aspect of Stuxnet that can be called provocative: the virus was largely indiscriminate, in that it jumped from device to device aggressively and without the need for intervention from an overseer. Though it was programmed to remain silent in all systems except those it was meant to attack, this is definitely a new level of ability to disseminate what is, in some ways, a weapon. Still, it’s notable that even with all this potential in the hands of Russia, Iran, and others ever since Stuxnet’s discovery, the only known Stuxnet-like malwares (names include Duqu, Flame, Gauss, and Reign) are all investigative rather than destructive in nature. Even massive likely-Iranian Shamoon attack on Saudi Aramco, which deleted the contents of tens of thousands of devices, didn’t cause Stuxnet-type physical damage.
Even the US and Israel seem to be backing away from the abilities they themselves released into the world, as it clearly introduces all new potential for the deliberate use of chaos in geopolitics. This danger is becoming so great that major world powers seem to view cyber as filling a nuclear-like role; call the effect mutually assured disruption. Some experts certainly argue that cyber doesn’t have great enough potential for harm for states to be scared enough of it. But the worst sorts of prophesied attacks, the ones that cut power to half of California or halt shipping across a whole seaboard, are equally capable of ruining any developed economy in the world.
Delta Airlines recently suffered crippling cyber-problems that affected a huge swathe of the country, and that seems to have been the result of a genuine bug. Infrastructure-level cyber-attacks are too easy to imagine being too widely effective, and the defenses against them are too spotty and reliably broken, for any major power to want to open that door and have everyone else run through after. There isn’t even the dim hope of taking out all their silos before retaliation, since with cyber even a defeated enemy can likely find some way to fire back.
There’s a problem, though: that sort of rational nobody-shake-the-boat thinking only makes sense to those who see themselves as having something to lose.
As such, cyber is changing the landscape by empowering fringe actors to carry out, and particularly to credibly threaten to carry out, more widely harmful attacks. Obviously, the attacks of September 11 proved that small groups don’t necessarily need cyber to affect a whole country. But such physical attacks have mostly psychological impacts, affecting the thinking and behavior of the whole population. Thanks to cyber, a sufficiently brilliant group of attackers could directly affect millions or tens of millions of people through their access to power, communications, transportation, and more. Global powers are dis-incentivized from exploiting the true fragility of the modern world by the prospect of chaos at home. That calculus stops working in the case of failing states like North Korea, however, and breaks down even further in the case of stateless, nihilistic groups like Al Qaeda that are often trying to provoke large-scale international retaliation.
Nuclear weapons are nowhere near this accessible. An ISIS member might well come up with a new super-cheap form of suitcase nuke, but such a terrifying individual would still need to physically acquire fissile material to make said bomb, presenting a target for preventative enforcement. You cannot, by contrast, stop everyone with a brilliant mind for systems infiltration from being born in North Korea, or even from joining the Islamic State, and there’s no rare material to try keep out of their hands.
Mostly though, cyber is just plain new, which means that leaders who are willing to work within this uncertain realm can often benefit from the legal and even moral ambiguity that surrounds it. Later this year, a team of influential experts and former officials in international affairs will release the Tallinn Manual 2.0, aimed at clearing up much of this confusion with non-binding recommendations for legally interpreting cyber actions on the world stage. The original Tallinn Manual confined itself to cyber actions that could be called a use of force in the classical sense, while this newer update will look at cyber attacks below that threshold — those like the DNC hack, or those which actually occur on a regular basis.
Without nuclear weapons, North Korea would be a pure human rights tragedy, not a strategic problem for the West. With all respect to Japan’s war dead, the primary overall impact of nuclear weapons has been to radically change how power can be gained and distributed throughout the world. Now cyber weapons have the potential to similarly lower the bar for acquiring meaningful power on the global stage, and this time that democratizing effect may be strong enough to empower groups with even less rational agendas than the likes of North Korea.
These groups will break the global nuclear detente if they ever acquire nuclear weapons — and they’re just as certain to break the current moratorium on truly devastating cyber attacks just as soon as they’re capable.