Until recently, cybersecurity has primarily interested computer geeks and cloak-and-dagger types. The Internet’s creators, part of a small, enclosed community, were very comfortable with an open system in which security was not a primary concern. But with some 3 billion or so users on the Web nowadays, that openness has become a vulnerability; indeed, it is endangering the vast economic opportunities that the Internet has opened for the world. A cyberattack can take any number of forms, including simple probes, defacement of Web sites, denial-of-service attacks, espionage and destruction of data. And the term “cyberwar,” though best defined as any hostile action in cyberspace that amplifies or is equivalent to major physical violence, remains equally protean, reflecting definitions of “war” that range from armed conflict to any concerted effort to solve a problem (such as “war on poverty”).
Cyberwar and cyberespionage are largely associated with states, while cybercrime and cyberterrorism are mostly associated with nonstate actors. The highest costs currently stem from espionage and crime; but, over the next decade or so, cyberwar and cyberterrorism may become greater threats than they are today. Moreover, as alliances and tactics evolve, the categories may increasingly overlap. Terrorists might buy malware from criminals, and governments might find it useful to hide behind both.
Some people argue that deterrence does not work in cyberspace, owing to the difficulties of attribution. But that is facile: Inadequate attribution affects interstate deterrence as well, yet it still operates. Even when the source of an attack can be disguised under a “false flag,” governments may find themselves sufficiently enmeshed in symmetrically interdependent relationships such that a major attack would be counterproductive. China, for example, would lose from an attack that severely damaged the American economy, and vice versa.
An unknown attacker may also be deterred by cybersecurity measures. If firewalls are strong, or redundancy and resilience allow quick recovery, or the prospect of a self-enforcing response (“an electric fence”) seems possible, an attack becomes less attractive.
While accurate attribution of the ultimate source of a cyberattack is sometimes difficult, the determination does not have to be airtight. To the extent that false flags are imperfect and rumors of the source of an attack are widely deemed credible (though not legally probative), reputational damage to an attacker’s soft power may contribute to deterrence.
Finally, a reputation for offensive capability and a declared policy that keeps open the means of retaliation can help to reinforce deterrence. Of course, nonstate actors are harder to deter, so improved defenses such as pre-emption and human intelligence become important in such cases.
Given its global nature, the Internet requires a degree of international cooperation to be able to function. Some people call for the online equivalent of formal arms-control treaties. But differences in cultural norms and the difficulty of verification would make such treaties hard to negotiate or implement. At the same time, it is important to pursue international efforts to develop rules of the road that can limit conflict.
Russia and China have sought to establish a treaty establishing broad international oversight of the Internet and “information security,” which would prohibit deception and embedding malicious code or circuitry that could be activated in the event of war. But the U.S. has argued that arms-control measures banning offensive capabilities could weaken defenses against attacks and would be impossible to verify or enforce.
Likewise, in terms of political values, the U.S. has resisted agreements that could legitimize authoritarian governments’ censorship of the Internet – for example, by the “great firewall of China.”
Nonetheless, it may be possible to identify behaviors like cybercrime that are illegal in many domestic jurisdictions. Trying to limit all intrusions would be impossible, but one could start with cybercrime and cyberterrorism involving nonstate parties. Here, major states would have an interest in limiting damage by agreeing to cooperate on forensics and controls.
The transnational cyberdomain poses new questions about the meaning of national security. Some of the most important responses must be national and unilateral, focused on hygiene, redundancy and resilience. It is likely, however, that major governments will soon discover that the insecurity created by nonstate cyber actors will require closer cooperation among governments.
Joseph S. Nye is a university professor at Harvard’s Kennedy School of Government, and the author of “The Future of Power.” THE DAILY STAR publishes this commentary in collaboration with Project Syndicate © (www.project-syndicate.org).