With little fanfare, the Pentagon went public last month on how the United States might respond to a cyberattack, such as the digital shutdown of its electricity grid. The military would go on the offensive and disrupt an attacker’s own key networks.
Anyone whose personal computer has been hacked or credit-card numbers stolen might quickly agree with this strategy of deterrence. The aim is to threaten a major counterattack in hopes of preventing an attack in the first place. The idea is similar to mutual assured destruction – or MAD – the approach used by the US and Soviet Union during the cold war to justify building up their offensive nuclear weapons.
The Pentagon’s new transparency on its offensive capability was done on purpose. “We think it’s important that potential adversaries out there know that this is part of our strategy,” Adm. Michael Rogers, head of the US Cyber Command as well as the National Security Agency, said May 12. He describes the strategy’s warning as “you don’t want [to] go down this road and if you do, you need to know there is a price to pay.”
At the same time, however, the US has been on a diplomatic campaign to establish global norms among nations and companies about good cyber behavior. It seeks to promote self-restraint more than international regulations to prevent cyber conflicts. Unlike military weapons, the Internet and other digital domains are too complex and fluid for rigorous controls. A country might use a shadowy surrogate to launch an attack, for example, making it difficult to assign responsibility.
Yet in revealing the strategy, the US may be setting a new norm for cyberspace. Other countries might now build an offensive capability to match the US out of fear the US could strike first. In other words, to head off a cyberattack, the US may be escalating the very fear that drives such attacks.
A study by two American scholars, Brandon Valeriano and Ryan Maness, suggests the US is overreacting. They counted the actual number of cyber “incidents and disputes” between rival states from 2001 to 2011 and found the number to be very small. In addition, the incidents are minor in their consequences compared to the harm of terrorist attacks or armed conflicts.
“This realm will only be as dangerous as we let it,” they write in a book coming out next week, “Cyber War Versus Cyber Realities.”
The book makes a case that the digital world by its very nature restrains aggressive behavior. “The evidence we present here suggests a digital peace, not cyber war,” they write.
In cyberspace, the norm is cooperation and trust. “Peaceful digital connections between states and individuals outweigh the negativity in cyberspace,” they state. And the many experts and media that specialize in cybersecurity purposely exaggerate threats and have discovered that “fear has been good for business.”
The two recommend a renewed focus on resilience to cyberattacks rather than building counterthreats. “Buying into the notion that we will be faced with a future of cyber conflict based on offensive technologies will only make this prophecy come true,” they write.
The real danger lies in letting fear impede the “natural progress” of cyberspace, which they say has “the ability to be the greatest force for peace, development, education, and research.”
Before the US triggers an arms race in cyberweapons, it ought to rethink this strategy and focus more on strictly defensive steps and on its effort to deepen peaceful norms in cyberspace. The digital world’s positive traits are a source of strength against those who would use it for an attack. Why start a spiral of fear, especially if the fear itself is inflated?