Perils of a full-blown cyberwar
Currently, these attacks are used for sowing confusion rather than physical destruction, but this may change soon
For years, political leaders such as former United States secretary of defence Leon Panetta have warned of the danger of a “cyber Pearl Harbor”. We have known for some time that potential adversaries have installed malicious software in America’s electricity grid. Suddenly the power could go out in large regions, causing economic disruption, havoc, and death. Russia used such an attack in December 2015 in its hybrid warfare against Ukraine, though for only a few hours.
Thus far, however, cyberweapons seem to be more useful for signalling or sowing confusion than for physical destruction — more a support weapon than a means to clinch victory. Millions of intrusions into other countries’ networks occur each year, but only a half-dozen or so have done significant physical (as opposed to economic and political) damage. As Robert Schmidle, Michael Sulmeyer, and Ben Buchanan put it: “No one has ever been killed by a cyber capability.”
US doctrine is to respond to a cyber attack with any weapon, in proportion to the physical damage caused, based on the insistence that international law — including the right to selfdefence — applies to cyber conflicts. Given that the lights have not gone out, maybe this deterrent posture has worked.
Russia’s cyber interference in the 2016 American presidential election was innovative. US intelligence agencies alerted the then US president Barack Obama of the Russian tactics, and he warned Putin of adverse consequences when the two met in September 2016. But Obama was reluctant to call out Russia publicly. After the election, Obama went public and expelled Russian spies and closed some diplomatic facilities, but the weakness of the US response undercut any deterrent effect. And because President Donald Trump has treated the issue as a political challenge to the legitimacy of his victory, his administration also failed to take strong steps.
Countering this new weapon requires a strategy to organise a broad national response that includes all government agencies and emphasises more effective deterrence. Punishment can be meted out within the cyber domain by tailored reprisals, and across domains by applying stronger economic and personal sanctions. We also need deterrence by denial — making the attacker’s work more costly than the value of the benefits to be reaped.
There are many ways to make the US a tougher and more resilient target. Steps include training state and local election officials; requiring a paper trail as a backup to electronic voting machines; encouraging campaigns and parties to improve basic cyber hygiene such as encryption and two-factor authentication; working with companies to exclude social media bots; requiring identification of the sources of political advertisements (as now occurs on television); outlawing foreign political advertising; promoting independent fact-checking; and improving the public’s media literacy. Such measures helped to limit the success of Russian intervention in the 2017 French presidential election.
Diplomacy might also play a role. During the Cold War, the US and the USSR did not kill each other’s spies, and the Incidents at Sea Agreement limited the level of harassment involved in close naval surveillance. Today, such agreements seem unlikely, but they are worth exploring in the future.
Above all, the West must demonstrate that cyberattacks and manipulation of social media will incur costs and thus not remain the perfect weapon for warfare below the level of armed conflict. ■ Joseph S. Nye is a professor at Harvard and the author of The Future of Power.
www.gulfnews.com/opinions