Ever Evolving and Ever Changing: Where Do We Stand in the World of Cyber

From this week’s reading it is definitely evident that there is not one unified lens through which to view or understand cyber. Cyberwarfare, cyberesponiage, cyberattack, cyberdefense – the list is endless. Throughout the last few months we have been evaluating current issues but have had a framework to guide how we see each topic. In the world of cyber all bets are off and this makes it difficult to wrap one’s head around the realm.

To kick off the discussion I think it makes the most sense to talk about three topics in Cyberspace: (1) Who should we be scared of, (2) How could the US prepare to stop cyber threats and (3) Is cyberwar realistic?

1. Who should we actually be scared of?

A big topic in cyber surrounds the ability of non-state actors to easily and cheaply get involved in cyberwarfare. Without the need to spend billions creating bombs and nuclear weapons, non-state actors can easily wage attacks in cyberspace. According to McGraw in “Cyberwar is Inevitable” he says that most modern control systems are so poorly designed that they’re vulnerable to attacks devised over 15 years ago. Cited in Gartzke’s “Myth of Cyberwar,” Joseph Nye claims that non-state actors are a scary and real threat. Do you buy this? A non-state actor can definitely temporarily dislocate a country’s systems but Gartzke argues back that this might not actually create a lasting shift in the balance of power. To this end, is this cyberwar? Is this an effective attack? Look to the authors mentioned in Gartzke’s footnotes – Arquilla and Ronfeldt, for more nuance. Should the U.S. perceive a cyber threat as credible if it cannot be backed up with military force like Russia did with Georgia in 2007?

2. How could the US prepare to stop cyber threats?

McGraw offers a sobering reality in “Cyberwar is Inevitable” of the lack of technological expertise and security of legacy systems supporting our nation’s critical infrastructure. I personally worked in a technology capacity for the US government this past summer and was also dismayed at the lack of technical understanding by government employees. Employees themselves present one of the largest points of vulnerability for cyber attacks (look up “phishing” in which cyber attacks are administered when a government employee accidentally clinks on a sneaky malicious link). What were your thoughts on McGraw – are his arguments apt or is he just over hyping the lack of US cyber defense?

In “New Reality of Cyber War,” Farwall talks about the need for firewalls, cyber hygiene (training folks), detection technology, honey pots, and secure resilient networks. He claims that these methods are for obviously defensive purposes, but all of these mechanisms however could be portrayed to our adversaries as building offense capabilities – will this make countries like China and Russia build up their offensive capabilities in response? Will the US simply be causing an escalation and “cyber arms race.”

3. Is cyber war realistic?

Finally it is important to talk about whether cyber war is even something to be concerned about. In “There Will Never Be A Cyber War,” Rid claims that warfare relies on three criteria – violence, having a viable means to an end, and politically-motivated. He claims that in cyberspace, “no cyber offense has ever caused the loss of human life. No cyber offense has ever injured a person. No cyber attack has ever damaged a building.” Now contrast this with McGraw in “Cyber War Is Inevitable.” He speaks to the technical vulnerabilities in our power grids and financial services systems. They include exploitable “zero days” which could knock out the entire system for weeks (realistically). What damage is done to the US economy if one or more of these systems were taken out? Gartzke cites a former secretary of defense saying that there will soon be a cyber Pearl Harbor attack. To contrast these points of view I recommend looking at past examples of cyber attacks – Stuxnet and the Estonia Botnet attacks. Each is different – do either constitute war under Rid’s criteria? Is cyber war realistic? — Max