22 October 2012
Cyber-security has become a strategic issue. But while offensive cyber-operations are becoming a significant component of modern conflicts, Myriam Dunn Cavelty argues that the role of the military in cyber-security will be limited and still needs to be carefully defined.
By Myriam Dunn Cavelty for Center for Security Studies (CSS)
Author’s Note: This article was published in March 2012. It has since been confirmed (at least unofficially) that the United States government was behind the programming of the computer worm called ‘Stuxnet’, which sabotaged the Iranian nuclear program. In June 2012, a New York Times article revealed that Stuxnet was part of a U.S. and Israeli intelligence operation called ‘Olympic Games’. The certain knowledge that the world’s biggest military superpower is actively engaging in cyber-operations has most likely triggered even more research into offensive capabilities worldwide, with the result of a growing cyber-security dilemma: more and more states are already making more or less subtle shows of cyber-capabilities, likely to act as deterrent. Still, the main argument of this article remains unchanged: military capabilities, both offensive and defensive, are simply not enough to ensure cyber-security (and are more likely to create more cyber-in-security). Cyber-security is and remains an issue that needs to be tackled as a shared responsibility between public and private actors.
Over the last few years, cyber security has been catapulted from the confined realm of technical experts into the political limelight. The discovery of the industry- sabotaging Stuxnet computer worm, numerous tales of (Chinese) cyber espionage, the growing sophistication of cyber criminals, and the well-publicised activities of hacker collectives have combined to give the impression that cyber attacks are becoming more frequent, more organised, more costly, and altogether more dangerous. As a result, a growing number of countries consider cyber security to be one of the top security issues of the future.
This is just the latest ‘surge’ of attention in the three- to four-decade-long history of cyber issues. The importance attached to cyber security in politics grew steadily in response to a continual parade of incidents such as computer viruses, data theft, and other penetrations of networked computer systems, which, combined with heightening media attention, created the feeling that the level of cyber insecurity was on the rise. As a result, the debate spread in two directions: up- wards, from the expert level to executive decision-makers and politicians; and horizontally, advancing from mainly being an issue of relevance to the US to the top of the threat list of more and more countries.
The debate on ‘cyber security’ originated in the US in the 1970s, built momentum in the late 1980s, and spread to other countries in the late 1990s. Early on, US policy-makers politicised the issue. They presented cyber security as a matter that requires the attention of state actors because it cannot be solved by market forces. As concern increased, they securitised the issue: They represented it as a challenge requiring the urgent attention of the national security apparatus. In 2010, against the background of the Stuxnet incident, the tone and intensity of the debate changed even further: The latest trend is to frame cyber security as a strategic-military issue and to focus on countermeasures such as cyber offence and defence, or cyber deterrence.
Though this trend can easily be understood when considering the political (and psychological) effects of Stuxnet, it nonetheless invokes images of a sup- posed adversary even though there is no identifiable enemy, is too strongly focused on national security measures instead of economic and business solutions, and wrongly suggests that states can establish control over cyberspace. Not only does this create an unnecessary atmosphere of insecurity and tension in the international system, it is also based on a severe misperception of the nature and level of cyber risk and on the feasibility of different protection measures. While it is undisputed that the cyber dimension will play a substantial role in future conflicts of all grades and shades, threat-representations must remain well informed and well balanced at all times in order to rule out policy reactions with excessively high costs and uncertain benefits.
This chapter first describes the core elements of the cyber security debate that emerged over the past decades. These elements provide the stage and scenery for the more recent trend of increasing militarisation of cyber security. Five factors responsible for this trend are described in section two. The effects of the discovery of Stuxnet as the culmination point of the cyber threat story are the focus of section three: Though the actual (physical) damage of Stuxnet remains limited, it had very real and irreversible political effects. The fourth section critically assesses the assumptions underlying the trend of militarisation and their negative effects. The chapter concludes by arguing that military countermeasures will not be able to play a significant role in cyber security due to the nature of the information environment and the nature of the threat. Finally, it sketches the specific, though limited role that military apparatuses can and should play in reducing the overall level of cyber insecurity nation- ally and internationally.
The backdrop of the cyber security debate
The combination of telecommunications with computers in the late 1970s and the 1980s – the basis of the cur- rent information revolution – marks the beginning of the cyber threat debate. The launch and subsequent spread of the personal computer created a rise in tech-savvy individuals, some of whom started to use the novel networked environment for various sorts of misdeeds. In the 1990s, the information domain became a force- multiplier by combining the risks to cyberspace (widespread vulnerabilities in the information infrastructure) with the possibility of risks through cyberspace (actors exploiting these vulnerabilities). The two core elements of the cyber security debate that pro- vide the stable backdrop for the cur- rent trend of militarisation emerged: A main focus on highly vulnerable critical infrastructures as ‘referent object’ (that which is seen in need of protection) and the threat representation based on the inherent insecurity of the information infrastructure and the way it could be manipulated by technologically skilful individuals.
From government networks to critical infrastructures
Initially, the overarching concern of the US was with the classified in- formation residing in government information systems. As computer networks grew and spread into more and more aspects of everyday life, this focus changed. A link was established in the strategic community between cyber threats and so-called ‘critical infrastructures’, which is the name given to assets whose incapacitation or destruction could have a debilitating impact on the national security and/ or economic and social welfare of the entire nation.
This threat perception was influenced by the larger strategic context that emerged for the US after the Cold War. It was characterised by more dynamic geostrategic conditions, more numerous areas and issues of concern, and smaller, more agile, and more diverse adversaries. As a result of the difficulties to locate and identify enemies, the focus of security policies partly shifted away from actors, capabilities, and motivations to general vulnerabilities of the entire society. In addition, the influence of globalisation on the complex interdependence of societies around the world and their growing technological sophistication led to a focus on security problems of a trans- national and/or technological nature. The combination of vulnerabilities, technology, and transnational issues brought critical infrastructures to centre stage, particularly because they were becoming increasingly dependent on the smooth functioning of all sorts of computer-related applications, such as software-based control systems.
The basic nature of the cyber threat
The networked information environment – or cyberspace – is pervasively insecure, because it was never built with security in mind. The dynamic globalisation of information services in connection with technological innovation led to a steady increase of connectivity and complexity. The more complex an IT system is, the more problems it contains and the harder it is to control or manage its security. The commercialisation of the Internet led to an even further security deficit, as there are significant market- driven obstacles to IT security.
These increasingly complex and global information networks seemed to make it much easier to attack the US asymmetrically: Potentially devastating attacks now only required a computer with an Internet connection and a handful of ‘hackers’, members of a distinct social group (or sub- culture) who are particularly skilled programmers or technical experts. In the borderless environment of cyber- space, hackers can exploit computer insecurities in various ways. In particular, digitally stored information can be delayed, disrupted, corrupted, destroyed, stolen, or modified.
Intruders can also leave ‘backdoors’ to come back at a later time, or use the hijacked machine for attacks on other machines. Though most individuals would be expected to lack the motivation to cause violence or severe economic or social harm, large sums of money might sway them to place their specialised knowledge at the disposal of actors with hostile intent like terrorists or foreign states. In addition, attackers have little to fear in terms of retribution. Sophisticated cyber attacks cannot be attributed to a particular perpetrator, particularly not within a short timespan. The main reasons are the often hidden nature of exploits and the general architecture of cyberspace, which allows online identities to be hidden.