Cyberwar: A More Realistic Threat Assessment

Today’s global threat perception has been shaped by grave concerns about the vulnerability of ICT-connected critical infrastructures to attacks from nebulously defined enemies. Despite this potential for major disaster, however, reality has proven far less grim – demonstrating that more level-headed threat assessments should guide policy.

By Myriam Dunn Cavelty for ISN Insights

Information has always been a significant aspect of power, diplomacy and armed conflict. Recently, however, the importance of information for political matters has spectacularly increased due to the triumphal proliferation of information and communication technology (ICT) into all aspects of life. The ability to master the generation, management, use and also manipulation of information has become a much-desired power resource in international relations.

But where there is opportunity, there is threat.

The current threat paradigm

Today’s global threat perception has been influenced decisively by the larger strategic context that emerged after the Cold War, when the notion of asymmetric vulnerabilities, epitomized by the multiplication of malicious actors and their increasing capability to do harm, started to play a key role. Due to difficulties in locating and identifying enemies, parts of the focus of security policies shifted away from actors, capabilities and motivations toward vulnerabilities more generally. Widespread fear took root in the strategic community that malevolent actors might try to bring the developed world to its knees by striking against vital points at home, namely, critical infrastructures (CIs). The concept of CI includes sectors such as information and telecommunications, financial services, energy, utilities and transport and distribution, plus a list of additional elements that vary across countries and over time. Most of these CIs rely nowadays on a spectrum of software-based control systems for their smooth, reliable and continuous operation.

There are two sides to the threat image: An inward-looking narrative equates complexity with vulnerability. The very connectedness of infrastructures through ICT is what poses dangers, because perturbations within them can cascade into major disasters with immense speed and beyond our control. The outward-looking narrative on the other hand sees an increasing willingness of malicious actors to exploit vulnerabilities without hesitation or restraint. Because CIs combine symbolic and instrumental values, attacking them becomes integral to a modern logic of destruction that seeks maximum impact. In other words, cyberspace becomes a force-multiplier by combining the risks to cyberspace with the possibility of risks through cyberspace.

This results in two significant and very powerful characteristics of the threat representation: First, the protective capacity of space is obliterated; there is no place that is safe from an attack or from catastrophic breakdown in general. The “enemy” becomes a faceless and remote entity, a great unknown that is almost impossible to track. Second, the threat becomes quasi-universal because it is now everywhere, creating a sense of imminent catastrophe – and prompting fears of unrestrained cyberwar.

Drawing a revised threat picture

However, despite this all-embracing potential for major disaster, reality looks far less stark. In the entire history of computer networks, there have been only very few examples of severe attacks that had the potential to or did disrupt the activities of a nation-state in a major way. There are even fewer examples of cyberattacks that resulted in physical violence against persons or property: The most prominent example is Stuxnet, a computer program apparently written to specifically attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes.

Therefore, despite the release and discovery of Stuxnet and the ruckus it has created in the international community, and despite the norm today that every political tension or conflict is accompanied by heightened activity in cyberspace, the huge majority of cyberattacks in the past and present are low level (though often costly for businesses) and cause inconveniences rather than serious or long-term disruptions.

There is no evidence that this is likely to change in the future. What we are going to be confronted with is a diverse set of mildly disruptive CI occurrences due to cyber incidents, with some, but only very few, that will rattle the “collective” nation-state or society.

Three points can be made with regard to this threat picture.

First, throwing too much money at high-impact, low-probability events – and therefore having fewer resources for the low- to middle-impact and high-probability events – does not make sense, either politically or strategically, and certainly not when applying a cost-benefit logic.

Second, preparing for and investing in major cyberwar-activities among state actors (clandestine or not) would fall within this category, too. Those experts expecting a coming age of unrestrained cyberwar seem to forget that careful threat assessments are a cornerstone of sensible planning in security and defense matters. And such assessments necessarily demand more than just navel-gazing and vulnerability spotting. Rather than just assuming the worst, the question that must be asked is: Who has the interest and the capability to attack us and why? Even if the most extreme case were assumed – that the majority of states have developed effective and powerful cyberweapons – the mere existence and availability of such capabilities does not automatically mean that they will be used. Those democratic states that consider the risk of war, be it conventional or unconventional, to be very low should consider the risk of severe cyberattack just as unlikely. The strategic logic behind acts of war remains the same, even in the virtual world.

Third, government officials and politicians are well advised to focus not on ‘war’ and ‘defense’ but on ‘crime’ and ‘protection/resilience’. The more level-headed their approach to the issue, the easier it will be to work together with the private sector, which plays the most crucial role in securing the information age. True enough, the publication of Stuxnet’s code has already led to many piggyback attacks. SCADA systems are therefore likely going to be the target of choice in the near- to mid-term future. This comes with an inherent danger of intended and unintended (side)effects, of course – but the CI community has been talking about the threat to SCADA systems for over a decade, while simultaneously and steadily improving the methods and tools available to counter cyberthreats across the board. This concerns information assurance measures, for example, or the many diverse activities, concepts and processes subsumed under ‘critical infrastructure protection’ (CIP) or the more recently applied concept of resilience.

None of these approaches are perfect. In fact, it is simply impossible to either “defend” against or “deter” all or even the majority of cyber threats or make all critical networks “secure”. Cyberincidents are expected to happen, some of them with severe consequences, simply because they cannot be avoided. But this does not mean that nothing should be done: Many attacks have already been avoided or their impacts reduced. And for the rest, we will simply have to learn how to live with insecurity in pragmatic ways, if we want to continue reaping the benefits of the cyberage.

Dr Myriam Dunn Cavelty is Head of the New Risks Research Unit at the Center for Security Studies, ETH Zurich. Published by International Relations and Security Network (ISN)

ISN Security Watch

The ISN is one of the world's leading open access information and knowledge hubs on IR and security issues, based at ETH Zürich, Switzerland.
