The US and a spiral of cyberfear

In a newly revealed strategy, the Pentagon poses the threat of a digital counterattack on those who launch a cyberattack on the US. This offensive capability, however, might trigger a cyber arms race. Is the US fear well founded to justify a possible escalation of fear?

AP Photo
During a speech April 23 at Stanford University, Defense Secretary Ashton Carter holds a book entitled "Rewiring the Pentagon: Charting a New Path on Innovation and Cybersecurity."

With little fanfare, the Pentagon went public last month on how the United States might respond to a cyberattack, such as the digital shutdown of its electricity grid. The military would go on the offensive and disrupt an attacker’s own key networks.

Anyone whose personal computer has been hacked or credit-card numbers stolen might quickly agree with this strategy of deterrence. The aim is to threaten a major counterattack in hopes of preventing an attack in the first place. The idea is similar to mutual assured destruction – or MAD – the approach used by the US and Soviet Union during the cold war to justify building up their offensive nuclear weapons.

The Pentagon’s new transparency on its offensive capability was done on purpose. “We think it’s important that potential adversaries out there know that this is part of our strategy,” Adm. Michael Rogers, head of the US Cyber Command as well as the National Security Agency, said May 12. He describes the strategy’s warning as “you don’t want [to] go down this road and if you do, you need to know there is a price to pay.”

At the same time, however, the US has been on a diplomatic campaign to establish global norms among nations and companies about good cyber behavior. It seeks to promote self-restraint more than international regulations to prevent cyber conflicts. Unlike military weapons, the Internet and other digital domains are too complex and fluid for rigorous controls. A country might use a shadowy surrogate to launch an attack, for example, making it difficult to assign responsibility.

Yet in revealing the strategy, the US may be setting a new norm for cyberspace. Other countries might now build an offensive capability to match the US out of fear the US could strike first. In other words, to head off a cyberattack, the US may be escalating the very fear that drives such attacks.

A study by two American scholars, Brandon Valeriano and Ryan Maness, suggests the US is overreacting. They counted the actual number of cyber “incidents and disputes”  between rival states from 2001 to 2011 and found the number to be very small. In addition, the incidents are minor in their consequences compared to the harm of terrorist attacks or armed conflicts.

“This realm will only be as dangerous as we let it,” they write in a book coming out next week, “Cyber War Versus Cyber Realities.”

The book makes a case that the digital world by its very nature restrains aggressive behavior. “The evidence we present here suggests a digital peace, not cyber war,” they write.

In cyberspace, the norm is cooperation and trust. “Peaceful digital connections between states and individuals outweigh the negativity in cyberspace,” they state. And the many experts and media that specialize in cybersecurity purposely exaggerate threats and have discovered that “fear has been good for business.”

The two recommend a renewed focus on resilience to cyberattacks rather than building counterthreats. “Buying into the notion that we will be faced with a future of cyber conflict based on offensive technologies will only make this prophesy come true,” they write.

The real danger lies in letting fear impede the “natural progress” of cyberspace, which they say has “the ability to be the greatest force for peace, development, education, and research.”

Before the US triggers an arms race in cyberweapons, it ought to rethink this strategy and focus more on strictly defensive steps and on its effort to deepen peaceful norms in cyberspace. The digital world’s positive traits are a source of strength against those who would use it for an attack. Why start a spiral of fear, especially if the fear itself is inflated?

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.