Over the past 70 years, nuclear weapons have reduced the risk of major global conflict by making the consequences too horrifying to contemplate. But cyber weapons, at least so far, appear to be having the opposite effect: they are making conflict between powerful countries more likely, not less.
There are three main reasons why.
First, blurry lines: while the lines dividing traditional conflict from peacetime tend to be bright and clear – someone is either shooting at you or they are not – things are fuzzier in cyberspace. Hackers from one country can launch malicious code from servers in another, making it hard to pinpoint the true source of an attack until well after the fact. What’s more, there are many forms of cyber activity that do harm but which fall well short of what any reasonable person would consider an act of war – such as hacking banks or messing with election tallies. These grey areas make it possible for governments to engage in cyber-mischief without fear of severe punishment.
Second, no deterrence: unlike with nuclear weapons, where the terrifying logic of mutually assured destruction keeps a small number of nuclear powers from firing at each other, it’s a lot harder to establish deterrence in cyberspace. That’s partly because it’s hard to identify the sources of cyberattacks, but it’s also because cyberspace is a fluid place: access to targets comes and goes as software vulnerabilities are discovered and fixed. Because the opportunity to strike a fat cyber target may last only a very short period of time, it’s very tempting for countries to pull the trigger (or strike the key, if you will) rather than hold off.
Third, no rules of the road: unlike conventional warfare, which has codified international rules against things like targeting civilians, cyberwarfare doesn’t yet, because the world’s leading cyber powers don’t want to tie their own hands. China and Russia have balked at past attempts to establish basic rules of behavior that would limit their ability to act in the digital realm. The US, which has been trying to team up with like-minded allies to impose harsher consequences for cyberattacks, doesn’t want its freedom of action limited either.
Without a basic agreement on the line between cyber behavior that is merely bad and what is truly unacceptable – and without a consensus on what the consequences for violating basic norms should be – it will remain difficult to discourage hackers from acting, whether they are working for national governments or criminal organizations.
A further reason to worry about a world in which cyberwar norms are weak is that cyberattacks often end up inflicting huge collateral damage on people and organizations well outside the intended targets of the attack.
Malicious code is prone to accidental release, and hard to control once it’s out in the wild.
The 2017 NotPetya malware attack, for example, showed how bad things can get: launched by suspected Russian hackers using stolen US National Security Agency computer code, the ransomware spread rapidly beyond its initial target in Ukraine, causing billions of dollars of economic damage in dozens of countries – including Russia itself.