Cyber capabilities carry an inherent contradiction: the development of digital infrastructure, while inescapable in today’s “wired” world, also results in greater vulnerability to offensive cyber attacks. The United States, one of the most digitalized countries on the planet, has been somewhat reluctant to engage in acts of offensive cyber warfare, or even to make a genuine attempt at spelling out its cyber policy. As a consequence, the balance of power in the cyber realm seems to have been tilting in favor of China and Russia.
Cyber capabilities are different from conventional military power in that they are relatively cheap to develop and deploy. This enables weaker states, through the use of offensive cyber warfare, to change the balance of power in their advantage. And cost is not the only benefit to cyber warfare. Plausible deniability is another one. Cyber attacks are typically carried out by government-funded hackers. Even if the source of an attack is uncovered, the government responsible can deny its involvement without any consequences.
“The strategic capability embedded in the lack of attribution of the source of an attack, the secretive aspect of information operations, and the fact that a large scale computer network attack can be launched from a small facility with the least amount of visibility,” explains a leading cyber security expert, would allow for cyber warfare to be a viable front for challenging rising hegemons. Potential adversaries of the US, such as China, Russia, Iran, and North Korea, are reportedly building up cyber capabilities in order to attack US civilian and military networks. Commentators are already talking about a “cool war,” fueled by anonymity, and how “that which most connects the world” – cyberspace – was turning into the battlefield of choice of many rising powers.
The number and sophistication of cyber attacks has soared in recent years. Since 2006, the number of incidents such as phishing attempts, malware attachments and unauthorized access by employees at federal agencies in the US rose 1,100 per cent to 67,168 in 2014. China and Russia are at the forefront of the cyber battlefield, as was recently illustrated once again by the Russian attacks on American banks and the Chinese hacks into the US Office of Personnel Management (OPM), the US government’s human resources arm. According to US officials, China gained access to the background records of 21.5m people in the second hack into the OPM. Not only do US agencies constitute high-level targets for cyber attacks, they are also struggling with outdated IT equipment, a multitude of different systems across institutions, far-flung operations, and a high degree of digitalization in general. “It’s an intelligence bonanza for the Chinese,” says Mike Rogers, the chairman of the intelligence committee and an advocate for improving cyber defenses. “Why there isn’t more outrage tells me how far we are from fixing the problem.”
The official policy stance of the United States on cyber warfare remains opaque, and when it comes to engaging in offensive cyber war, the US – with the notable exception of the Stuxnet attack on the Iranian nuclear program in 2010 – has been acting somewhat unassertive. There are several reasons for the defensive posture of the US. Above all, the US is superior to all other countries in terms of conventional military strength, which limits the need to engage in cyber warfare. However, adversaries could use cyber attacks as an asymmetric answer to US superiority.
The second reason for US wariness about offensive cyber war is its vulnerability. Official statements have consistently stressed that US goals concerning cyber war are defense and deterrence. The problem with that approach, one could argue, is that in the realm of cyber warfare, neither defense nor deterrence work. The target at risk may be any IT system across many different federal agencies or the private sector, which makes it almost impossible to anticipate when and where an attack is going to occur. Hacker groups now increasingly focus on so-called “zero day attacks” that exploit previously unknown vulnerabilities for which defenders are unprepared. There is even a black market now where researches offer their discoveries of unknown vulnerabilities for sale to cyber criminals or governments. Simply put, the characteristics of cyber warfare clearly favor the attacker, not the defender.
In conventional warfare, deterrence plays an important role. Fear of retaliation is one of the most important factors deterring an adversary from carrying out a kinetic attack. In the digital world, however, deterrence will only work if there is a clearly articulated and known capacity to back up the threat of retaliation should any cyber attack be launched. Given the problem of attribution of a cyber attack, deterrence becomes ineffective. It is typically a lot harder to find out that an act of cyber warfare has occurred and who is behind it than to determine the authorship of a conventional attack. Another reason why deterrence is often unsuccessful lies in countries’ unequal vulnerability to cyber attacks. The fact that over 20 to 30 nations have already established offensive cyber units also points to the fact that cyber warfare deterrence has largely failed.
Another, more philosophical reason for the defensive US cyber strategy lies in its infatuation with digital technology and a certain unwillingness to recognize its downsides. The United States is one of the most computerized countries, its governmental, economic, societal, and also military functions are highly dependent on IT infrastructure. Having benefitted enormously from the digitalization of the world, the United States regards cyber war as counter-revolutionary, threatening the fruits of its success.
Some US officials are beginning to recognize, however, that they will have to fight fire with fire. Speaking about the recent OPS hack, former NSA director Michael Hayden described the incident as “honorable espionage work,” and that he “wouldn’t have thought twice to grab the equivalent in the Chinese system.” Many are now calling for a more offensive approach or a tit for tat strategy in cyber warfare – something that has become commonly known as “hacking back”. A program launched in 2012 by the Pentagon is designed to do just that: dubbed “Plan X”, the program’s goal is to “create revolutionary technologies for understanding, planning, and managing cyber warfare.”[xv] This seems to underline a tendency in the cyber security field that shifts the focus from the defense to the offense. According to industry experts, US intelligence agencies were no longer looking for expertise in patching security flaws in one’s own computer network, but rather for expertise in finding those flaws in someone else’s network.[xvi]
Following the law of deterrence, the recent attacks would require the US to take such an offensive approach: the lower the odds of getting caught, the harsher the required punishment for potential attackers must be. While this stance might help put the US in a better position to deter cyber attacks in the future, it is also crucial to avoid an escalatory spiral or a cyber arms race. Because one thing is certain: the stakes in the cyber game – and the damages done – will continue to get higher.
The opinions expressed in this article are the author's own and do not reflect the views of their employer or Young Professionals in Foreign Policy.