We’re in the early years of a cyberwar arms race. It’s expensive, it’s destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.
If you read the press and listen to government leaders, we’re already in the middle of a cyberwar. By any normal definition of the word “war,” this is ridiculous. But the definition of cyberwar has been expanded to include government-sponsored espionage, potential terrorist attacks in cyberspace, large-scale criminal fraud, and even hacker kids attacking government networks and critical infrastructure. This definition is being pushed both by the military and by government contractors, who are gaining power and making money on cyberwar fear.
The danger is that military problems beg for military solutions. We’re starting to see a power grab in cyberspace by the world’s militaries: large-scale monitoring of networks, military control of Internet standards, even military takeover of cyberspace. Last year’s debate over an “Internet kill switch” is an example of this; it’s the sort of measure that might be deployed in wartime but makes no sense in peacetime. At the same time, countries are engaging in offensive actions in cyberspace, with tools like Stuxnet and Flame.
Arms races stem from ignorance and fear: ignorance of the other side’s capabilities, and fear that their capabilities are greater than yours. Once cyberweapons exist, there will be an impetus to use them. Both Stuxnet and Flame damaged networks other than their intended targets. Any military-inserted back doors in Internet systems make us more vulnerable to criminals and hackers. And it is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident. And if the target nation retaliates, we could find ourselves in a real cyberwar.
The cyberwar arms race is destabilizing.
International cooperation and treaties are the only way to reverse this. Banning cyberweapons entirely is a good goal, but almost certainly unachievable. More likely are treaties that stipulate a no-first-use policy, outlaw unaimed or broadly targeted weapons, and mandate weapons that self-destruct at the end of hostilities. Treaties that restrict tactics and limit stockpiles could be a next step. We could prohibit cyberattacks against civilian infrastructure; international banking, for example, could be declared off-limits.
Yes, enforcement will be difficult. Remember how easy it was to hide a chemical weapons facility? Hiding a cyberweapons facility will be even easier. But we’ve learned a lot from our Cold War experience in negotiating nuclear, chemical, and biological treaties. The very act of negotiating limits the arms race and paves the way to peace. And even if they’re breached, the world is safer because the treaties exist.
There’s a common belief within the U.S. military that cyberweapons treaties are not in our best interest: that we currently have a military advantage in cyberspace that we should not squander. That’s not true. We might have an offensive advantagealthough that’s debatablebut we certainly don’t have a defensive advantage. More importantly, as a heavily networked country, we are inherently vulnerable in cyberspace.
Cyberspace threats are real. Military threats might get the publicity, but the criminal threats are both more dangerous and more damaging. Militarizing cyberspace will do more harm than good. The value of a free and open Internet is enormous.
Stop cyberwar fear mongering. Ratchet down cyberspace saber rattling. Start negotiations on limiting the militarization of cyberspace and increasing international police cooperation. This won’t magically make us safe, but it will make us safer.
Mr. Schneier is without a doubt one of the experts in this field, and I have no desire to analyze his comments which I believe to be spot on. I do want to ponder, however on the impact that unmitigated cyberwar would have on modern society, which ties in neatly with my technophobe, luddite stance.
First off, in cyberwarfare, the entire Internet is potential battlefield. There is no Bull Run, there is no Flanders field, there is no Iwo Jima, there is no DMZ and there is no line of demarkation. The battle is anywhere and everywhere in nanoseconds. Cyberwarriors do not march for weeks or even days to an enemy’s digital citadel and lay siege. The enemy’s stronghold is simultaneously in the midst of its capital and on its borderland. The cyberwarriors emerge from the ether and disappear equally instantaneously. There are no signs of encampment, and only rarely do any of the individual combatants leave any footprints behind. On both sides, the most frail mage is the most powerful warrior.
Second, cyberwarfare is the most unhuman form of conflict yet invented by mankind. There is no adrenaline-charged rush toward an enemy that is just as real and scared as one’s self. There is only the anonymous clatter and click of the keyboard and mouse, with its own source of adrenaline, which can be felt when playing a first-person shooter, such as America’s Army. The same can be said of robot proxy (drone) warfare, a physical/cyber hybrid. One can engage and kill an enemy and the enemy can engage and kill the drone, but the enemy cannot engage and kill the pilot flying the drone from the other side of the planet. The enemy can smell the iron from the spilling blood of his comrade, but the pilot only sees a pixelated image on his screen, if he sees the dead at all. While this is advantageous as long as it is asymmetric, once hybrid warfare is conducted on mass scale by both sides, it will be the most horrific thing we have ever seen. Assume that drones are just as susceptible to compromise as any other computer system and then imagine a malware like Stuxnet that targets UAVs. As horrible as nuclear warfare is with its ability to wipe out entire cities in seconds, how much worse would be a squadron of drones flying slow and low picking off civilians and combatants alike?
Finally, our global society depends on a stable cyber infrastructure. Destroy cyberspace and you destroy Western civilization, or at least set it back a couple hundred years. We live in an electron-driven society. No Internet means no international commerce, which means no local commerce. If the entirety of cyberspace is a battlefield, since you can’t designate war zones in an abstract realm that has no borders, then you can’t keep the battle out of your front yard, and everyone who is resident in cyberspace is victim in cyberspace. Everything is intensified because it is omnipresent and instantaneous. The collective intelligence of mankind is weaponized and can be turned against anyone by a small set of bad actors. Since bots are set-and-forget, taking out the general, the lieutenant, the sergeant, or the private, does nothing to slow the tempo of battle. The conflict destroys reactors in the Middle East and in nanoseconds, turns across the ocean to down the electrical grid in New England. Insert your own catastrophe here.
What we end out with is societal collapse because of an over-reliance on tech. Many parts of the world may not be impacted at all, and those societies may rise over ours. Such is the cycle of human cultures. But the question I would pose is this: can we not re-cork this genie before he gets all the way out of the bottle? I don’t suggest we eschew all the wonderful advances we have made, but as a culture, we need a robust backup plan that depends a little less on what our grandparents didn’t have and a little more on what our great-great-grandparents did have.