Invisible Trenches: the New Global Security Landscape

What’s more dangerous:

a nuclear weapon, or a computer virus?

The technologies that will shape international conflict in the 21st century aren’t as easy to see as a column of tanks or a mushroom cloud.

You can’t touch or feel or hear a malicious computer virus. They aren’t fired from the barrel of a gun, dropped from an aircraft, or launched from a missile silo. But they are just as dangerous as more traditional weapons – maybe more so. Read below to find out why.

Over the past 70 years , nuclear weapons have reduced the risk of major global conflict< by making the consequences too horrifying to contemplate. But cyber weapons, at least so far, appear to be having the opposite effect: they are making conflict between powerful countries more likely, not less.

There are three main reasons why. First, blurry lines: while the lines dividing traditional conflict from peacetime tend to be bright and clear – someone is either shooting at you or they are not – things are fuzzier in cyberspace. Hackers from one country can launch malicious code from servers in another, making it hard to pinpoint the true source of an attack until well after the fact. What’s more, there are many forms of cyber activity that do harm but which fall well short of what any reasonable person would consider an act of war – such as hacking banks or messing with election tallies. These grey areas make it possible for governments to engage in cyber-mischief without fear of severe punishment.

Second, no deterrence: unlike with nuclear weapons, where the terrifying logic of mutually assured destruction keeps a small number of nuclear powers from firing at each other, it’s a lot harder to establish deterrence in cyberspace. That’s partly because its hard to identify the sources of cyberattacks, but it’s also because cyberspace is a fluid place: access to targets comes and goes as software vulnerabilities are discovered and fixed. Because the opportunity to strike a fat cyber target may last only a very short period of time, it’s very tempting for countries to pull the trigger (or strike the key, if you will) rather than hold off.

Third, no rules of the road: unlike conventional warfare, which has codified international rules against things like targeting civilians, cyberwarfare doesn’t yet, because the world’s leading cyber powers don’t want to tie their own hands. China and Russia have balked at past attempts to establish basic rules of behavior that would limit their ability to act in the digital realm. The US, which has been trying to team up with like-minded allies to impose harsher consequences for cyberattacks, doesn’t want its freedom of action limited either.

Malicious code is prone to accidental release, and hard to control once it’s out in the wild.

Without a basic agreement on the line between cyber behavior that is merely bad and what is truly unacceptable – and without a consensus on what the consequences for violating basic norms should be – it will remain difficult to discourage hackers from acting, whether they are working for national governments or criminal organizations. A further reason to worry about a world in which cyberwar norms are weak is that cyberattacks often end up inflicting huge collateral damage on people and organizations well outside the intended targets of the attack.

The 2017 NotPetya malware attack, for example, showed how bad things can get: launched by suspected Russian hackers using stolen US National Security Agency computer code, the ransomware spread rapidly beyond its initial target in Ukraine, causing billions of dollars of economic damage in dozens of countries – including Russia itself.

In short, it’s the Wild West out there. Will that change? Here are three questions worth pondering:

Should stronger cyber protections be mandatory?

Despite the clear dangers outlined above, the US does not generally require companies to meet minimum cybersecurity standards. Instead, it relies on a voluntary system in which companies adopt best practices. As cyber threats multiply, pressure to make those practices mandatory will likely grow. But that could raise costs for business – a particular hardship for small companies that may not be able to afford to invest in top-notch security.

When it comes to global rules for cyberspace, can coalitions of the willing succeed where broader efforts have failed?

The US and like-minded allies have been giving it a shot. In the absence of any progress agreeing global norms for cyber behavior, the Trump administration has been partnering with other countries to impose stiffer consequences for malicious attacks. The US and leading allies like the UK and Australia have publicly named and in the case of the US, indicted, foreign nationals suspected of carrying out cyberattacks. The Trump administration has tweaked its sanctions rules and even threatened the use of military force in response to foreign hacking. Whether the perceived consequences will be enough to stop America’s adversaries from lashing out in cyberspace remains to be seen.

How much worse are things going to get?

Hackers are always uncovering new vulnerabilities or devising clever new ways to gain access to their targets. In the future, artificial intelligence is likely to greatly simplify these tasks by automating some of the work that online attackers have typically had to perform by hand. Network defenders are also likely to benefit from AI – though it’s not yet clear whether it will be enough to offset attackers’ traditional advantages: people who want to break into a network only have to find one flaw in its defenses, while network defenders have to cover every angle. Next-generation mobile networks will pose an additional challenge, as an explosion in both the number of internet-connected devices and the amount of data flying around creates new vulnerabilities.


Further Reading

  1. The Untold Story of NotPetya, The Most Devastating Cyberattack in History – A history of a 2017 cyberattack that initially targeted a small software company in Ukraine, but quickly spread around the world, causing billions of dollars in damage.

2. A Declaration of Cyber War – The story of Stuxnet, the malicious program, though to have been launched by the US and Israel, that destroyed portions of Iran’s covert nuclear program in 2009, ushering in the modern era of cyber conflict.

3. Why It’s So Hard to Stop a Cyberattack – And Even Harder to Fight Back – An article explaining some of the unique problems associated with cyberattacks that make defending against them so difficult.