The Wrong War
The insistence on applying Cold War metaphors to cybersecurity is misplaced and counterproductive.
For every big policy issue, there's usually a parallel that can be found in the past. As Mark Twain once put it, "History does not repeat itself, but it does rhyme."
The problem for policymakers, though, is identifying which tune it exactly is that they are hearing. While applying lessons from the past can be a useful analytic tool, we frequently unearth old analogies that may not be the right fit for the new problem we face. Indeed, most often we turn to the songs we know best, the ones we hummed in our youth, when others may be more apt. For instance, senior Air Force officers during the Vietnam War clung to a strategic bombing campaign more suited to their early experiences bombing Nazi Germany than a Third World insurgency, while in turn, the recent debate about Afghanistan keeps echoing back to baby boomer concerns about whether a 21st century war would be "Obama's Vietnam."
Today, the hit makers of Washington could be making a similar mistake when it comes to cybersecurity, trying to jam a new issue into the wrong historic framework. The new rhythms of online crime, spying and statecraft are unfamiliar. So, perhaps not surprising, they're turning to an old parallel that they spent most of their professional lives working on: the Cold War.
Cold War, Wrong War
Again and again in policy circles, cyber-security's dynamics, threats and responses are consistently compared to the technology of nuclear weapons and the standoff between the United States and Soviet Union. Former National Security Adviser Brent Scowcroft, for instance, describes the Cold War and cybersecurity as "eerily similar," while journalist David Ignatius summed up his meetings with top Pentagon officials in a 2010 article titled "Cold War Feeling on Cybersecurity."
Even the network security firm McAfee is susceptible to such talk. "We believe we're seeing something a little like a cyber Cold War," McAfee Vice President Dmitri Alperovitch says. This attitude culminated, perhaps, with what is reported to be in the classified version of the recent Defense Department cyber strategy, which announced a new doctrine of "equivalence," arguing that harmful action within the cyber domain can be met with parallel response in another domain. Swap in the words "conventional" and "nuclear" for "cyber" and "kinetic" and the new doctrine is actually revealed to essentially be the old 1960s deterrence doctrine of "flexible response," where a conventional attack might be met with either a conventional and/or nuclear response. The Pentagon's Cyber Command and Beijing's People's Liberation Army's Third Army Department now fill in for the old Strategic Air Command and the Red Army's Strategic Rocket Forces.
The problem is that the song is not the same and the historic fit to the Cold War is actually not so neat. Cyberspace is a man-made domain of technological commerce and communication, not a geographical chessboard of competing alliances. The Cold War was a competition primarily between two superpowers, with political leadership and decision-making clearly located in Washington and Moscow, each the center of a network of allied treaties and client states, and a Third World zone over which they competed. By contrast, the Internet isn't a network of governments, but the digital activities of 2 billion users, traveling across a network owned by an array of businesses, mostly 5,039 Internet service providers, that rely almost exclusively on handshake agreements to carry data from one side of the planet to the other, according to Bill Woodcock and Vijay Adhikari in their article "Survey of Characteristics of Internet Carrier Interconnection Agreements" from Packet Clearing House. The Cold War also was a war of ideas between two competing political ideologies. The majority of the Internet's infrastructure is in the hands of these ISPs and carrier networks, as is the expertise to secure that infrastructure. The ideas at play sometimes touch on ideology, but they also range from issues of privacy and human rights to Twitter posts about Justin Bieber's new haircut.
This disconnect goes much further. The barriers to entry for gaining the ultimate weapon in the Cold War, the nuclear bomb, were quite high. Only a few states could join the superpowers' atomic club-and never in numbers that made these second-tier nuclear powers comparable to U.S. and Soviet forces. By comparison, the actors in cyberspace might range from thrill-seeking teenagers to criminal gangs to government-sponsored "patriotic hacker communities" to the more than 100 nation states that have set up military and intelligence cyberwarfare units.
The issues in cybersecurity are more of forensics and attribution and subtle influence than old-fashioned deterrence. Thus, the idea of making old-school nuclear and cyberattacks equivalent may have a certain appeal, but in the cyber realm you may not know who attacked you-or even when and if you were attacked. Take the Stuxnet worm, which was allegedly designed to handicap the Iranian nuclear program. It took the Iranians (as well as most cybersecurity companies) several months to realize they were under attack, and even now the source of that attack is based more on forensic backtracking and deduction than on any obvious source, such as an intercontinental ballistic missile's launch plume.
There is one Cold War parallel that could hold true, however. Many of today's discussions of cybersecurity in Washington are reminiscent of the bizarre debates over nuclear weapons in the 1940s and '50s, in which hype and hysteria ranged freely, real-world versions of Dr. Strangelove were taken seriously, and horrible policy ideas like the Army's Pentomic division (which was organized to use nuclear artillery, as if it were just another weapon) were actually implemented. As "Loving the Cyber Bomb," a recent study by actual cyber experts at George Mason University's Mercatus Center (as opposed to the many Cold Warriors who now have rebranded themselves as cyber experts) found, there is a massive amount of threat inflation going on in Washington's discussion of online dangers, most frequently by those with political or profit motives in hyping the threats. It's a new version of the old "missile gap" hysteria.
Mind the Gap
The result of this fundamental misunderstanding is that in the press, a cyberattack could unquestioningly be portrayed as a massive pixilated mushroom cloud looming over every American city (as the cover of the Economist magazine had it). In Washington, malware could be described as "like a [weapon of mass destruction]" (Sen. Carl Levin, D-Mich.) able to "destroy our society" (Scowcroft), meaning it should be looked at as "an existential threat" (Adm. Mike Mullen, chairman of the Joint Chiefs of Staff). But the reality is that even an all-out cyber conflict wouldn't compare to a global thermonuclear war that truly did threaten to end life on Earth. Nor has there been a Hiroshima-sized prelude yet. For example, the much vaunted Russian attack on Estonia in 2007 was a concern to the country's government, which saw its websites blocked and defaced, but it barely affected the daily life of most Estonians.
In Georgia, Russian cyberattacks in 2008 took down some external-facing government websites for a few days, but these were peanuts compared with the actual damage caused by actual Russian missiles and bombs in the accompanying war. Indeed, the very next year, a 75-year-old woman was able to outdo the entire Russian cyberwarfare apparatus using a mere shovel. Out hunting for scrap metal, she accidentally cut a cable and took out all of neighboring Armenia's Internet service. Yet, no local or global catastrophe ensued from the far more effective physical actions of this so-called "spade hacker."
Similarly, the 2009 attacks against the United States and South Korea are repeatedly cited as examples of what a state government (North Korea is usually claimed in this instance) can do to the United States in this realm, but the actual result was that the websites of Nasdaq, the New York Stock Exchange and The Washington Post were intermittently inaccessible for a few hours. The websites recovered, and more important, these institutions and those that depend on them were not irrecoverably lost as if a real weapon of mass destruction had hit them.
The problem with threat inflation and misapplied history is that there are extremely serious risks, but also manageable responses, from which they steer us away. Massive, simultaneous, all-encompassing cyberattacks on the power grid, the banking system, transportation networks, etc. along the lines of a Cold War first strike or what Defense Secretary Leon Panetta has called the "next Pearl Harbor" (another overused and ill- suited analogy) would certainly have major consequences, but they also remain completely theoretical, and the nation would recover. In the meantime, a real national security danger is being ignored: the combination of online crime and espionage that's gradually undermining our finances, our know-how and our entrepreneurial edge. While would-be cyber Cold Warriors stare at the sky and wait for it to fall, they're getting their wallets stolen and their offices robbed.
Roughly 7 million Americans reported that they suffered directly from cybercriminal activity last year, while according to the British government, online thieves, extortionists, scammers and industrial spies cost businesses an estimated $43.5 billion in the United Kingdom alone. Internationally, these numbers total in the hundreds of billions of dollars, creating a huge drag on the global economy. They also are slowly reducing trust in the IT and innovation industry that powered much of America's economic growth over the last two decades (all the more important during a manufacturing decline). These compromises of critical intellectual property threaten to undermine the long-term advantages the United States has enjoyed in economic trade. Take the so-called Night Dragon attacks, which lifted corporate secrets from Western energy companies just before they were to bid against the Chinese on major oil deposits. The result: billions of dollars' worth of business lost over the next few years. Such espionage even has struck small businesses all the way down to tiny furniture companies. The problem also hits national security. Look at the compromise of U.S. officials' email accounts by China-based hackers and diplomatic cables by WikiLeaks revealing internal secrets and jeopardizing external alliances. Or look at the repeated penetration of Lockheed Martin Corp., maker of the F-35 Joint Strike Fighter-the largest weapons program in Pentagon history. Terabytes of unclassified data related to the jet's design and electronics systems were stolen. These lost bytes represent billions of dollars in research and development and years of technologic advantage gone, making it easier to counter (or copy) our latest warplane. And as a sign of things to come, security tokens, allowing infiltrators to pass as company employees, later were taken as well.
The Pirate Code
If the most apt parallel is not the Cold War, then what are some alternatives we could turn to for guidance, especially when it comes to the problem of building up international cooperation in this space? Cybersecurity's parallels, and some of its solutions, lie more in the 1840s and '50s than they do in the 1940s and '50s.
Much like the Internet is becoming today, in centuries past the sea was a primary domain of commerce and communication upon which no one single actor could claim complete control. What is notable is that the actors that related to maritime security and war at sea back then parallel many of the situations on our networks today. They scaled from individual pirates to state fleets with a global presence like the British Navy. In between were state-sanctioned pirates, or privateers. Much like today's "patriotic hackers" (or NSA contractors), these forces were used both to augment traditional military forces and to add challenges of attribution to those trying to defend far-flung maritime assets. In the Golden Age of privateering, an attacker could quickly shift identity and locale, often taking advantage of third-party harbors with loose local laws. The actions that attacker might take ranged from trade blockades (akin to a denial of service) to theft and hijacking to actual assaults on military assets or underlying economic infrastructure to great effect.
During the War of 1812, for example, the American privateer fleet had more than 517 ships-compared with the U.S. Navy's 23-and, even though the British conquered and burned the American capital city, caused such damage to the British economy that they compelled negotiations.
If there are certain parallels, what then are the potential lessons we might adapt to the situation today, other than attempting to hang hackers from the yardarm?
Maritime piracy is still with us today. But it's confined to the shores of failed states and on a relatively minuscule scale (roughly 0.01 percent of global shipping is actually taken by modern-day pirates). Privateering, the parallel to the most egregious attacks we have seen in the cyber realm, has not only fallen out of favor as a military tactic, it long ago became taboo. While privateering may have won the War of 1812 for the United States, by 1856, 42 nations had agreed to the Declaration of Paris, which abolished privateering, and during the Civil War, President Lincoln not only refused to recruit plunderers for hire, but also blasted the Confederates as immoral for doing so themselves. Remember, two generations earlier, employing these hijackers had been a cornerstone of American naval strategy. By the 1860s, it wasn't something civilized governments did anymore.
The way this change came about is instructive for cybersecurity and global relations today. Much like the sea, cyberspace can be thought of as an ecosystem of actors with specific interests and capacities. Responsibility and accountability are by no means natural market outcomes, but incentives and legal frameworks can be created either to enable bad behavior or to support greater public order.
In clamping down on piracy and privateering a two-pronged approach was adopted, which went beyond just shoring up defenses or threatening massive attack as the Cold Warriors would have it. The first step was to go after the underlying markets and structures that put the profits into the practice and greased the wheels of bad behavior. London dismantled markets for trading pirate booty; pirate-friendly cities like Port Royal, Jamaica, were brought under heel, and blockades were launched on the potentates that harbored the corsairs of the southern Mediterranean and Southeast Asia. Today, there are modern equivalents to these pirate havens. For example, the networks of just 50 Internet service providers account for around half of all infected machines worldwide, according to a study prepared for the Organization for Economic Cooperation and Development. Just three firms process 95 percent of the credit card transactions for the bogus drugs advertised by spammers, according to research presented at the IEEE Symposium on Security and Privacy in May. When one particularly noxious hosting company-McColo Corp. of San Jose, Calif.-was taken down, the volume of spam worldwide dropped by 70 percent. Without the support of these companies, online criminal enterprises can't practice their illegal action, which not only cleans the seas, but also makes it easier to identify and defend against the more serious attacks on infrastructure. And, much like the pirate-friendly harbors of old, those companies and states that allow cybercrime a legal free pass are generally known.
This links to the second strategy: building networks or treaties and norms. As Janice Thompson recounts in her seminal study, Mercenaries, Pirates and Sovereigns (Princeton University Press, 1996), maritime hijackers (and their state-approved counterparts) became marginalized as nations asserted greater control over their borders, and established a monopoly on violence. Throughout this period, a web of bilateral and multilateral agreements was established that affirmed the principles of open trade over the open seas. Few of these documents explicitly abolished piracy; nor were they universally accepted. But they paved the way to a global code of conduct that eventually turned pirates from accepted actors into international pariahs, pursued by all the world's major powers. They also established that any respect for maritime sovereignty would come only when a nation took responsibility for attacks that emanated from within its borders.
The cyber parallel today again is more instructive than trying to repeat Cold War arms limitation talks, as proposed in a few recent think tank policy reports. (Good luck trying to count botnets as if they were ICBM sites!) Rather, what is needed is the gradual buildup of an international agenda that seeks to create a standard of online behavior that guarantees lawful commerce and holds accountable those who target the Web. The shared global expectation of freedom of the seas should be paralleled by a shared global expectation of freedom of Internet trade. If you knowingly host or abet maritime pirates or privateers, their actions reflect back on you. The same should be true online. Building those norms will motivate both states and big companies to keep a better check on individual hackers and criminals (the pirate equivalent). It also will weaken the value of outsourcing action to patriotic hackers and contractors (the latter-day privateers used so often by states like Russia and China). And it will help create a more distinct line between civilian and military conduct and targets, a major concern of U.S. cyber actors.
In addition to encouraging this new accountability, policymakers also can pursue confidence-building strategies that could have real payoffs. Back in the early 1800s, for example, the Royal Navy and nascent U.S. Navy constantly prepared to fight each other. But they also cooperated in anti-piracy and slave trading campaigns. That cooperation helped underscore global norms, as well as built greater trust between the two forces that helped mitigate the true danger of actual military conflict during several crises. Similarly, the United States and China will certainly continue to bolster our cyber defenses and even offenses. But this should not be a barrier to trying to build greater cooperation. In particular, we might launch an initiative to go after what the Chinese call "double crimes," those actions in cyberspace that both nations recognize as illegal.
The underlying point here is that in navigating the emerging issue of cybersecurity, policymakers are going to have to be more thoughtful than blindly trying to apply the lessons from their own personal past. While cybersecurity is a crucially growing issue of both economic and security importance, the tortured cyber Cold War parallels of their youth are not as fruitful as their widespread use would seem. Indeed, they are less useful than a lesser known maritime history of past centuries.
But for these and any other historic parallels, there is a limit. We should use such metaphors to open new horizons and perspectives, not create new barriers. Indeed, as Mark Twain also said in a corrective to his idea that history "rhymes," there is "but one solitary thing about the past worth remembering, and that was the fact that it is past." O
Peter Warren Singer is director of the 21st Century Defense Initiative at the Brookings Institution and author of Wired for War (Penguin Press, 2009). Noah Shachtman is a fellow at Brookings and editor of Wired magazine's national security blog, Danger Room.