By Joseph S. Nye, Project Syndicate from GPS website, April 10, 2012
Editor's Note: Joseph S. Nye, Jr., a former U.S. assistant secretary of defense in the Clinton Administration, is a professor at Harvard and the author of The Future of Power.
Two years ago, a piece of faulty computer code infected Iran’s nuclear program and destroyed many of the centrifuges used to enrich uranium. Some observers declared this apparent sabotage to be the harbinger of a new form of warfare, and United States Secretary of Defense Leon Panetta has warned Americans of the danger of a “cyber Pearl Harbor” attack on the US. But what do we really know about cyber conflict?
The cyber domain of computers and related electronic activities is a complex man-made environment, and human adversaries are purposeful and intelligent. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off by throwing a switch. It is far cheaper and quicker to move electrons across the globe than to move large ships long distances.
The costs of developing those vessels – multiple carrier task forces and submarine fleets – create enormous barriers to entry, enabling US naval dominance. But the barriers to entry in the cyber domain are so low that non-state actors and small states can play a significant role at low cost.
In my book The Future of Power, I argue that the diffusion of power away from governments is one of this century’s great political shifts. Cyberspace is a perfect example. Large countries like the US, Russia, Britain, France, and China have greater capacity than other states and non-state actors to control the sea, air, or space, but it makes little sense to speak of dominance in cyberspace. If anything, dependence on complex cyber systems for support of military and economic activities creates new vulnerabilities in large states that can be exploited by non-state actors.
Four decades ago, the US Department of Defense created the Internet; today, by most accounts, the US remains the leading country in terms of its military and societal use. But greater dependence on networked computers and communication leaves the US more vulnerable to attack than many other countries, and cyberspace has become a major source of insecurity, because, at this stage of technological development, offense prevails over defense there.
The term “cyber attack” covers a wide variety of actions, ranging from simple probes to defacing Web sites, denial of service, espionage, and destruction. Similarly, the term “cyber war” is used loosely to cover a wide range of behaviors, reflecting dictionary definitions of war that range from armed conflict to any hostile contest (for example, “war between the sexes” or “war on drugs”).
At the other extreme, some experts use a narrow definition of cyber war: a “bloodless war” among states that consists solely of electronic conflict in cyberspace. But this avoids the important interconnections between the physical and virtual layers of cyberspace. As the Stuxnet virus that infected Iran’s nuclear program showed, software attacks can have very real physical effects.
A more useful definition of cyber war is hostile action in cyberspace whose effects amplify or are equivalent to major physical violence. In the physical world, governments have a near-monopoly on large-scale use of force, the defender has an intimate knowledge of the terrain, and attacks end because of attrition or exhaustion. Both resources and mobility are costly.
In the cyber world, by contrast, actors are diverse (and sometimes anonymous), physical distance is immaterial, and some forms of offense are cheap. Because the Internet was designed for ease of use rather than security, attackers currently have the advantage over defenders. Technological evolution, including efforts to “reengineer” some systems for greater security, might eventually change that, but, for now, it remains the case. The larger party has limited ability to disarm or destroy the enemy, occupy territory, or use counterforce strategies effectively.
Cyber war, though only incipient at this stage, is the most dramatic of the potential threats. Major states with elaborate technical and human resources could, in principle, create massive disruption and physical destruction through cyber attacks on military and civilian targets. Responses to cyber war include a form of interstate deterrence through denial and entanglement, offensive capabilities, and designs for rapid network and infrastructure recovery if deterrence fails. At some point, it may be possible to reinforce these steps with certain rudimentary norms and arms control, but the world is at an early stage in this process.
If one treats so-called “hacktivism” by ideological groups as mostly a disruptive nuisance at this stage, there remain four major categories of cyber threats to national security, each with a different time horizon: cyber war and economic espionage are largely associated with states, and cyber crime and cyber terrorism are mostly associated with non-state actors. For the US, the highest costs currently stem from espionage and crime, but over the next decade or so, war and terrorism could become greater threats than they are today.
Moreover, as alliances and tactics evolve, the categories may increasingly overlap. In the view of Admiral Mike McConnell, America’s former director of national intelligence, “Sooner or later, terror groups will achieve cyber-sophistication. It’s like nuclear proliferation, only far easier.”
The world is only just beginning to see glimpses of cyber war – in the denial-of-service attacks that accompanied the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges. States have the greatest capabilities, but non-state actors are more likely to initiate a catastrophic attack. A “cyber 9/11” may be more likely than the often-mentioned “cyber Pearl Harbor.” It is time for states to sit down and discuss how to limit this threat to world peace.
The views expressed in this article are solely those of Joseph Nye.
It is very difficult to disagree with the Nye thesis of the decline of state power in the 21st century.
In my book The Future of Power, I argue that the diffusion of power away from governments is one of this century’s great political shifts. (from above).
It is also very difficult to disagree with Nye that states need to begin to discuss ways to limit the cyber threat to world peace.
However, first, political leaders of world states have to come to the public realization that increasingly they are losing their capacity to address problems such as cyber threats whether they be espionage and crime, or terrorism and war. And it is also clear that big ships and fighter jets and cluster bombs are not going to be the vocabulary or the agents of cyber warfare, no matter what form that takes. Huge military budgets for visible and dramatic "Hollywood" examples of hard power will have to give way, to a considerable extent, to relatively invisible examples of digital power, both offensive and defensive, and the question of the public's trust of such a dramatic shift will depend to a great extent on the level of trust already established between political actors and citizens, currently not running at high or even acceptable levels.
It is not hard to envision a period during which billions are squirreled away for the development of cyber defences and cyber attack equipment without public knowledge or awareness, yet dramatically changing the landscape of potential conflict, whether it is between states or between non-states, or between non-states and states.
Public confidence, the sine qua non of all public decisions including all spending of public moneys, will be even more essential through this transition to cyber "competence" since mastery, something the U.S., for example, has considered necessary to its self-image on the world stage, will likely be beyond reach, given the difficulty of determining another's capacity to engage in cyber violence, sabotage, crime, terrorism and war itself. We are going to need substantial evidence of both the nature of current and foreseen threats, and our attempts to provide the necessary security against those threats, in a world currently occupied by the most advanced doctoral 'geeks' everywhere.
If Dr. Khan was able to sell nuclear secrets to the enemy, just imagine the potential for similar profitable exchanges in the cyber world, where private enterprise has made galloping strides gaining near equivalency with both military and national security establishments, and thereby creating the potential for the private sale of cyber secrets to those willing and able to purchase them from a willing seller.
And how will governments, or the International Criminal Court, or the United Nations or any of our individual state governments even know what transactions have been conducted, with which actors, for what purposes?
Do we not have to discuss ways to enhance the capabilities of International Security Agencies, jointly formed by several state governments for the protection of all of humanity, under much firmer and more strict rules of both funding and compliance, in order to begin to address the potential threats that will emerge from the cyber "imaginations" of both individuals and military and terrorist groups everywhere?
If we were to rely on the current regime of both funding and compliance that applies to state participants in the United Nations, for example, to provide security and protection for governments and citizens of those governments, we would be placing our confidence on nothing more than a "pig in a poke" since even the United States does not pay its dues to the U.N. and refuses to join the International Criminal Court at the Hague.
Professor Nye has not opened a "can of worms" but rather has pointed to an open can (of worms) already sitting on the agenda for world leaders to come to grips with....and coming to grips with significant world issues has not been the hallmark of world leadership lately on the economy, on global warming and climate change, on child poverty, on human rights, and on such basic issues as access to health care, clean water and clean air and education for the world's people.
This issue of international co-operation, international governance, international compliance, and international security is a monumental issue of pressing concern to anyone interested in the kind of world we are leaving our grandchildren. And that group includes your scribe...let's hope it also includes those with actual clout, leverage and the foresight and courage to grapple and to begin to provide solutions for such issues as cyber threats, as well as the list of global issues above.