Russian and Ukrainian ground forces are keeping their conventional weapons holstered for now, but it's an escalating shooting war in cyberspace. Ukrainian government computers were hit with 42 separate cyberattacks during the Crimea referendum on March 16, according to media reports. The following day Russian websites were targeted by an even more muscular counterstrike.
It's new proof that the world is entering a dangerously unstable and suspicious era, all the more troubling because cyber conflicts can rage with no physical-world aspect apparent – at least until a power grid gets taken out. Yet only the United States has – accurately – ranked cyberattacks as its top national security issue for 2014, ahead of terrorism and weapons of mass destruction. In Europe, on the other hand, no nation has assigned cyberthreats Tier 1 priority.
As alarms go off in Ukraine and all over the world, the cybersecurity situation demands leadership that can only come from the US. Europe and the world must move beyond current qualms about US computer spying and accept a US leadership role on global cybersecurity. Just as critically, the US must claim that role.
Europe can sleep no longer
Why is Europe lagging behind the US in integrating cybersecurity into defense and national security policies? Why are offensive cybercapabilities and cyberdeterrence now discussed openly in Washington, but still such sensitive issues in most European countries?
Europe can sleep no longer. On the Korean Peninsula, Seoul is said to be developing offensive cyberweapons to disable North Korean nuclear facilities. South Korea's military cyber command has been operational for years, gaining experience and proficiency. President Vladimir Putin says Russian "cyber troops" carry out both military and political missions, and that their "striking force" may outweigh that of conventional weapons.
The very idea of conflict in cyberspace blurs the definition of "war," encompassing espionage, sabotage, and intellectual property theft. It gives nations new ways to pursue their political goals, and not just rogue nations; the US is said to be pondering its cyber options against Syria, though President Obama rightly worries about unintended ripple effects from a cyberattack. (Because a cyber offensive could touch off unpredictable results in our interconnected world, cyber command and control is a key, underaddressed concern.)
The future of cyberwar
Future international conflicts may be ever more vaguely defined, with no clear beginnings or ends, no declarations of victory or surrender. They may just burn on constantly beneath the surface. A participant may not even be aware of a cyber conflict in progress; software may do all the fighting.
War has traditionally been an armed contest for control of territory. Espionage has not usually been understood as an act of war, but cyberassaults can do real damage – not only pilfering information but disabling an enemy's energy, transport, financial, and communications systems and even compromising its ability to retaliate via conventional military means. Cyberweapons deployed with furious but invisible force will undoubtedly be an integral part of any major future conflict – and many more small ones.
A hard choice ahead
It is time to make a hard choice between marshaling a worldwide, organized response to cyber conflict, including widely understood protocols for defense, command and control, and aid among allies, or shrinking from the challenge and avoiding action. Picking the latter unfortunate course means risking not only inadequate responses to cyberattacks but the degeneration of international trust and fracturing of the open Internet.
Survey data shows that, thanks in part to cyberattacks on financial systems and retailers and rampant identity theft, the average citizen's trust in the Internet decreases each year. Now distrust is spreading to governments.
Angered by National Security Agency surveillance reports, Germany is said to want an "Internet of its own," built to shield local traffic from snooping by foreign intelligence. Brazil and Portugal are discussing building a private data link to bypass US-based network access points. And as for international trade, US technology companies are said to be suffering for the NSA's activities: "Suspicion of U.S. vendors is running at an all-time high," one cloud solution provider told USA Today.
Will ours be the first and last generation to know a barrier-free global Internet? Hopefully not. But its fragmentation is already starting – inspired by cyber fears and international mistrust.
Rebuild trust, save the Internet
Even though some of that mistrust is certainly due to American cyber-espionage initiatives, it is now up to the US to move the world in a different direction. The US has the most sober and realistic view of cyberthreats. It has more Internet infrastructure under its control. And US technology companies are enabling a new digital world largely dependent on an open Internet. But for it to work, people, businesses, and governments must all trust it.
Cyberwarfare is in an embryonic stage; strategic questions are manifold, and the US is best equipped to answer them. Europe and others must move past distrust over US spying and embrace America's vital leadership role in this arena.
The course the world chooses and the decisions countries make about cooperation in cyberspace will have far-reaching implications for humankind. The world is adopting digital technologies faster than it is mitigating potential risks. But the opportunities for safeguarding against cyberthreats are much better if the Internet's infrastructure is kept safe, open, and worthy of trust.
The US must show the way in cyberspace. Do that, and Europe – and the world – will follow.
Jarno Limnéll is director of cybersecurity for McAfee, a division of Intel Security. He has participated in NATO and United Nations working groups on cybersecurity and cyberwarfare. He also holds a Doctor of Military Science degree from Finland's National Defence University. Follow him on Twitter at @JarnoLim. The views expressed here are his own and do not necessarily reflect those of Intel Security.