Cyber Weapons vs. Nuclear Weapons
By Jonah Friedman
Cyber security and cyber warfare are topics which have been much-discussed lately. Recent attacks on both corporate and government systems have brought the issue to the fore, as has a Pentagon statement which declares that a cyber attack could be considered an act of war – one which could provoke a physical retaliatory strike. Although perhaps not obvious, there are interesting comparisons to be drawn with the struggle to construct an effective nuclear strategy and declaratory policy.
A couple of articles which appeared in the past week have dealt with this issue either explicitly or implicitly. One, from Bloomberg Businessweek, gave an extensive overview of the emerging cyber warfare arena, many of the key players, and implications for the future. Another, from the Christian Science Monitor, was a shorter piece about the debate in Congress and the Pentagon on what U.S. cyber strategy should look like, including how much of it should be offensive vs. defensive, and what retaliatory options it should include.
The challenges of developing an effective cyber warfare strategy seem to share several similarities with the challenges of developing early nuclear strategies. Both were considered novel technologies with vast military applications, and both generated a great deal of fear and anxiety lest they be used indiscriminately. Both technologies promised to completely change how nations fought wars. At the beginning of the Cold War, there were few rules guiding how or when nuclear weapons should be used, and U.S. nuclear strategists had to grasp for new conceptual frameworks with which to think about these weapons and their relation to more traditional arms.
As Richard A. Clarke, former Assistant Secretary of State and special adviser to President George W. Bush on network security, has noted in reference to cyber warfare, “It’s like the early days of the American- Soviet nuclear balance. “We don’t know the rules of the road.” In its most nightmarish scenario, a cyber attack could cripple an advanced country such as the United States, and kill untold numbers of people. The Pentagon’s declaration that a cyber attack could constitute an act of war suggests how uncertain the military is as to what its cyber policy should be. It looks like a desperate attempt at deterring potential attackers, one which is unlikely to succeed given the difficulties of attributing the source of an attack.
The problem of attribution is, of course, common to both nuclear deterrence and cyber warfare. One can only retaliate against an attacker if the source of the attack is known. Although the United States’ ability to attribute nuclear attacks has improved considerably since the early Cold War, this capability was not always a given. Similarly, as Congressman Jim Langevin of the House Cybersecurity Caucus has said, an attack that “could be coming from a nation-state might appear to be coming from [an] individual in a remote location…A ‘botnet’ attack [referring to an infected group of computers] could be made to look like it was coming from some little old lady in Idaho, or someplace in Sweden.” Eventually, the United States acquired the capability to attribute the origin of a nuclear attack with confidence. It seems likely that in the future the same will be possible for cyber attacks.
The question of attribution raises another similarity between nuclear warfare and cyber warfare, namely the overwhelming advantage of offensive forces over defensive measures. Although to some extent ballistic missile defense may serve to mitigate the advantage of the offensive in the future when it comes to nuclear weapons, this was not true in the past. With the introduction of ICBMs during the Cold War, truly effective defenses became impossible. As a number of officials and experts in the area of cyber security have noted, the current emphasis on defense rather than proactive measures is misguided given the advantages which offensive cyber operations enjoy.
The effectiveness and relative ease of cyber attacks also raises the possibility that cyber weapons could produce their own version of the stability instability paradox which is familiar to us with regard to nuclear weapons. Gunter Ollmann, a computer security expert, has pointed out that cyber warfare may be able to provide an alternative to more conventional wars fought with physical weapons. The danger here is that if states feel like they can accomplish their military objectives while minimizing physical destruction (of either themselves or their enemy), they may be more likely to enter into conflicts in the first place. Once in a state of war, the murky lines and boundaries of cyber warfare may indeed escalate into a physical war.
The United States will therefore need an effective way of defending against, and deterring, cyber attacks, and this will require a realistic assessment of how cyber warfare differs from traditional warfare. Again, a comparison with nuclear warfare is useful in highlighting where they diverge. Perhaps the most obvious difference is the very fact that cyber warfare is already happening, whereas no state has used nuclear weapons in war since 1945. The lack of any sort of taboo regarding cyber warfare makes it more difficult to discern where the limits ought to be, and what a suitable response on the part of the United States should look like.
These difficulties are compounded by another aspect of cyber warfare which differs starkly from nuclear warfare and the Cold War, namely (as Michael Riley and Ashlee Vance point out), that “the Code War does not reward shows of force.” As they go on to explain, “Cyber weapons fall into the category of ‘brittle’ technology, susceptible to the swift development of countermeasures…The best weapon is one an enemy never knows exists.” This could make treaties governing the waging of cyber warfare extremely difficult to negotiate, and creates problems for any state wanting to signal escalation or issue assurances or declaratory policies for fear of making their cyber arsenals useless. Thus, it seems likely that, even as U.S. cyber strategy evolves, we will not see a significant level of detail regarding what a U.S. counterstrike might look like, despite clamors for more elaboration by members of Congress.
Moreover, while the Cold War was primarily a contest between the United States and the Soviet Union, today the myriad actual and potential cyber actors makes the creation of an effective policy more difficult. Any eventual U.S. strategy would have to be able to deter, defend against, and respond to attacks from a variety of state and non-state sources.
The non-state aspect of cyber warfare is another potential problem for the formulation of a cyber strategy, and raises a host of questions: What, if anything, should be done to third parties who sell cyber weapons to enemies of the United States who then use them in an attack? Should U.S. companies which develop such weapons be subject to export controls in the same way that other weapons or nuclear materials are? How would controls work with privacy and copyright laws, since the details of a given piece of software needed for an export control determination could also be used to negate the effects of that software?
Cyber warfare might also have direct implications for nuclear policy. For instance, if a cyber attack targeted a nuclear facility, what should the response be? If the effects of the attack were serious enough, could it be considered a nuclear attack, thereby inviting a nuclear strike in retaliation? These are the sorts of questions which an effective U.S. cyber strategy must seek to answer.
Developments in the cyber realm have been described variously by observers as a new arms race, as potential acts of war, and as a new “Code War” in place of the old Cold War. All of these epithets evoke the language of nuclear weapons and the rivalry between the two nuclear-armed superpowers. However, despite the similarities being drawn and the useful conceptual comparisons, the challenges posed by cyber warfare are quite different from those faced by the U.S. in the early years of the Cold War, and any cyber strategy should reflect this. One nevertheless does hope that the emerging realm of cyber warfare can be managed among the various participants as well as nuclear weapons have been for the past 60 years.