News reports describing the U.S. role in developing the Stuxnet computer virus, and similar allegations about the existence of a second computer virus, named Flame, have sparked a much-needed debate about cyberwarfare and cybersecurity. President Obama contributed to the discussion last week with a call for greater attention to the latter in the Wall Street Journal.
News of Stuxnet has also, however, generated its share of hysteria. Writing in the New York Times, Columbia University's Misha Glenny painted an alarming picture:
"The ... Stuxnet computer worm ... marked a significant and dangerous turning point in the gradual militarization of the Internet ... If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory ... Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet."
Glenny goes on to warn of the "frightening dangers of an uncontrolled arms race in cyberspace" where viruses "inevitably seek out and attack the networks of innocent parties." He worries that "Nobody can halt the worldwide rush to create cyberweapons" but calls for a treaty to regulate their use in peacetime.
Strong stuff. And certainly there is reason to harden U.S. infrastructure against cyber attack. In doing so, however, we should avoid cyber hysteria. Earlier this year, Thomas Rid of King's College London published an important article on cyberwarfare in The Journal of Strategic Studies (which, in the interests of full disclosure, I edit). Rid argues, persuasively in my view, that it is misleading to talk about "cyberwar" when, in fact, all politically motivated cyber attacks to date are merely more sophisticated versions of three traditional activities: sabotage, espionage, and subversion. Stuxnet clearly falls into the first category; Flame into the second.
I would take the argument a step further. Although many view cyber weapons as tools of the weak, they are likely to be most effective when wielded by the strong. That is because cyber means cannot compensate for weakness in other instruments of power. In other words, if a cyber attack by a weaker power on a stronger one fails to achieve its aim, the attacker is likely to face retaliation. In such a situation, the stronger power will possess more, and more lethal, options to retaliate -- what is known in nuclear deterrence terminology as escalation dominance. A weak power might be able to cause a stronger power some annoyance through cyber attack, but in seeking to compel an adversary through cyberwar, it would run the very real risk of devastating escalation.
In addition to escalation dominance, stronger powers, particularly stronger states, are likely to possess a greater ability to combine cyber means with other military instruments to conduct a combined-arms campaign. As a result, it may very well be that although weak powers may attempt to wage cyberwar, they are likely to face cyber weapons wielded by the strong.
Because Glenny overestimates the effectiveness of cyber weapons, he also overestimates the speed and scope of their spread. There is a considerable body of work on the diffusion of innovations, and that research tends to show that new ways of war tend to spread more slowly, unevenly, and incompletely than one might think. Adam Liff of Princeton University has recently argued, again in The Journal of Strategic Studies, that the spread of cyber weapons is likely to have a relatively small influence on the frequency of war and that in some cases it may actually decrease its likelihood.