Cyberwar, cyberespionage, cyberterrorism, cyberattacks. These words elicit an almost unseemly emotional response from everyone. The public, the government, the military, and academics are all concerned. The question is, is the concern real, or is it Y2K all over again?
In Foreign Affairs, one of the preeminent publications on international policy, Brandon Valeriano and Ryan Maness argue that our current concern for hacks, viruses, DDoS attacks, and other forms of online destruction and manipulation may be overblown.
The Fog of Cyberwar
In their article, “The Fog of Cyberwar: Why the Threat Doesn’t Live Up to the Hype,” the authors call out the high-profile Stuxnet attacks on Iranian uranium enrichment efforts and the Flame virus, which also seemed to target Iran. Both have been said to have been created by the United States and Israel. And both inspired a great deal of press coverage.
However, the Stuxnet attack, they said, slowed Iran’s weapons development much less than was first reported, and the Flame attack seemed to be strictly an information-gathering event. (Spying on other nations did not start with the development of the Internet.) Furthermore, there is no online vector for these sorts of viruses. They were delivered to Iranian computers on physical media, such as USB drives.
“The majority of cyberattacks worldwide have been minor: easily corrected annoyances such as website defacements or basic data theft — basically the least a state can do when challenged diplomatically.
“Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception.”
Given that “a state is 600 times more likely to be the target of a terrorist attack than a cyberattack,” such attention to cyberattacks borders on paranoia. And that paranoia is hardly relegated to the backwaters of the Internet. In October, U.S. Secretary of Defense Leon Panetta warned of a “cyber Pearl Harbor.”
This Pearl Harbor-level anxiety has more than just a psychological cost for the country. The Pentagon estimated it spent between $2.6 and $3.2 billion on cybersecurity in 2012, and according to Valeriano and Maness, the Air Force alone estimates it will spend $4.6 billion in the coming year.
That money doesn’t come from nowhere. It comes from you. Each dollar that goes into cybersecurity is one that doesn’t go to rebuild a road or the economy. If it’s money well spent, that’s one thing. If it’s unnecessary, that’s quite another. If the authors of the Foreign Affairs article are correct, the U.S. foreign policy establishment may be using an A-bomb where a mousetrap would do.
The Valeriano/Maness study identified 124 active rivals, “defined as conflict-prone pairs of states,” and evaluated attacks occurring between 2001 and 2011. To each attack, they assigned a “severity score” of between five (minimal damage) and one (“where death occurs as a direct result from cyberwarfare”).
“Of all 95 cyberattacks in our analysis, the highest score—that of Stuxnet and Flame—was only a three.”
The top “ongoing interstate rivals in their study” were the United States and China; Pakistan and India; and North Korea and South Korea.” The overwhelming majority of the attacks the authors catalogued would be more easily labeled cyberespionage and vandalism, not cyberwarfare.
“(T)his seldom-used tactic,” the authors conclude, “will not change foreign policy calculations anytime soon. Cyberwarfare poses a threat only if it is grossly overused or mismanaged, or if it diverts resources toward a mythical fear and away from real threats.”
The Fog of Reporting on Cyberwar
To put it mildly, not everyone buys Valeriano’s and Maness’s assessment of the situation. Those who don’t may include cyberChicken Littles who see the sky falling in every piece of errant code, but it also includes responsible, respected cybersecurity specialists, like Adam Shostack.
Shostack has a long list of credits as a security innovator, including currently working on member of Microsoft’s Security Development Lifecycle team, cofounding the International Financial Cryptography Association and coauthoring The New School of Information Security.
Shostack has written a response to the Foreign Affairs story. In “The Fog of Reporting on Cyberwar,” Shostack credits Valeriano’s and Maness with a “fascinating set of claims,” which obscure “a fundamental methodological question.”
“(W)hat counts as an incident, and how did the authors count those incidents? Did they use some database? Media queries? The article seems to imply that such things are trivial, and unworthy of distracting the reader… but I don’t agree.
“The question of what’s being measured is important for assessing if the argument is convincing.”
Shostack holds up the example of the hacking of Lockheed Martin in May, an act undertaken, many believe, by China.
“Is that a state on state attack which is included in their data? If Lockheed Martin counts as an incident, how about the hacking of RSA as a pre-cursor?”
Shostack further notes that the list of incidents in the Valeriano-Maness study is unlikely to be complete.
“As every security practitioner knows,” he wrote, “we sweep a lot of incidents under the rug.” If that’s the case, the study cannot be complete. And if it is not complete, what omissions might change the picture and how might that picture change? The underlying data does seem to be elusive. There is no link to the study itself and Valeriano’s personal website does not provide much illumination.
The Fog of Foggy Bottom
The sad thing about life, for those who would reduce it to apprehensible proportions, is its inherent irreducibility. The most apparently simple thing can prove to be fractal in its complexity if you observe it closely enough, as anyone who’s tried to return a sweater to Macy’s or make a piece of toast in an elderly toaster can attest.
The American literary critic Susan Sontag famously said, “By reducing the work of art to its content and then interpreting that, one tames the work of art. Interpretation makes art manageable, conformable.”
It is not art alone that one feels the impulse to reduce, nor is it art alone that, reduced, gives the impression of manageability, though seldom the reality.
When a topic is as complex as the use of computers and code by nations against other nations is broached, it is practically useless to investigate without as full a spread of data as is possible to assemble. By not explicitly defining processes and offering the data upon which their thesis is built, Valeriano and Maness do a disservice to their readers, their critics and the conversation as a whole.
If Shostack’s overriding concern is that this information is missing, he is correct. But the mere absence of proof is not the proof of absence. In other words, the study’s authors may well be correct about the overemphasis on state-to-state cyberattacks. But a great deal more information will need to be brought to the fore before they can be said to have made their case.
In the meantime, we must continue to attempt to understand this dynamic with full acknowledgement of its multiplicity: the technology itself, of machine and code; the psychology of the statesmen, spies, generals and diplomats involved; the relationships between allies and adversaries; the effects of non-governmental parties on the success of such attacks as well as on their desirability and likelihood; the history of both the individuals involved and their countries.
Even then, the best we can hope for is a sense of what is more and less likely in international cyberconflict and of how we might best prioritize our money, time and emotional currency given our dominant values.
Photo by Adrian R. Tan/Flickr