States cannot control the digital realm – By Myriam Dunn Cavelty and Oliver Rolofs

Cyber war is a terrible metaphor. Even Barack Obama’s cyber security czar Howard Schmidt has admitted as much. But experts and state officials use it persistently and military terminology has infiltrated the cyber security debate.

Analogies are a useful way of explaining non-familiar concepts or complex ideas in terms of simpler and more commonplace ones. But if taken too far, the disadvantages start to outweigh the advantages.

Terms such as cyber offense, cyber defense and cyber deterrence suggest that cyberspace can and should be handled as a military-strategic domain like land, sea, air, and outer space. This assumption is problematic and wrong. It invokes enemies where there are none, favors outdated Cold War concepts over economic solutions and wrongly suggests that states can establish control over cyberspace. Internationally, the result is a detrimental atmosphere of insecurity and tension. It also severely misinterprets the reality of the threat and the possibilities for countermeasures.

Talking about cyber weapons does not change the fact that hacker tools are nothing like weapons. They are opportunistic and they are about outsmarting defenses, not about brute force. As a result, their effect is highly questionable and not controllable in a military sense.

Sophisticated cyber attacks cannot be attributed to the perpetrator due to the architecture of cyberspace. This attribution problem refers to the difficulty of clearly determining who is initially responsible for a cyber attack. Attacks and exploits that seemingly benefit states might well be the work of third-party actors operating under a variety of motives. At the same time, the challenges of clearly identifying perpetrators also allow state actors to officially distance themselves from attacks.

Deterrence works if one party is able to successfully convey to another that it is both capable and willing to use a set of available (often military) instruments if the other party steps over the line. This requires an opponent who is clearly identifiable as an attacker and has to fear retaliation – which is not the case in cyber security because of the attribution problem. On the other hand, apportioning blame according to the logic of  “cui bono” (“to whose benefit?”) does not offer sufficient proof for political action. Deterrence and retribution do not work in cyberspace.

Thinking in terms of attack and defense creates a wrong impression of immediacy of cause and effect. However, high-level cyber attacks against infrastructure targets, such as the Stuxnet computer worm that was used to sabotage the Iranian nuclear program, would likely be the culmination of long-term, subtle, systematic intrusions. The preparatory phase could extend over several years.

When – or rather if – an intrusion is detected, it is often impossible to determine whether it was an act of vandalism, computer crime, terrorism, foreign intelligence activity, or some form of strategic military attack. The only way to determine the source, nature, and scope of the incident is to investigate it. Which again might take years, with highly uncertain results. The military doctrine of retaliation is therefore useless in most cases.

Cyberspace is only partly controlled or controllable by state-actors. Power in this domain is in the hands of private actors, especially the business sector. Due to privatization and deregulation of many parts of the public sector, between 85 and 95 percent of the critical information infrastructure is now owned and operated by the private sector.

Therefore, much of the expertise and many of the resources required for taking better protective measures are located outside governments. The military – or any other state entity for that matter – does not own them and has no direct access to them.

Protecting them as a military mandate is an impossibility, and considering cyberspace an occupation zone is nonsense. The militaries cannot defend the cyberspace of their countries – it is not a sphere where troops and tanks can be deployed. The logic of national boundaries does not apply.

No one can ensure the security of cyberspace, because there is no such thing as true security in this realm. The information infrastructure is inherently insecure and there is no way to ever have secure networks – only networks with reduced levels of risk. In fact, cyber incidents, including those with severe effects on critical infrastructures, are bound to happen in the future, because they simply cannot be avoided.  

Regardless of how high we judge the risk of a large-scale cyber attack to be, military countermeasures can never play a substantial role in cyber security. Investing too much time talking about them or spending increasing amounts of money on them is not going to make cyberspace more secure.

The cyber war hype is inhibiting worldwide attempts to develop an appropriate response to cyber threats. The only thing that is going to work is the combination of establishing working public-private partnerships, high-trust collaboration between important business actors with the state, and building highly resilient networks.

Resilience is the ability of a system (any system) to quickly recover from a shock. Under a resilience paradigm, you rightly accept that disruptions are inevitable, even if your risk management is perfect.

– Myriam Dunn Cavelty is Head of the Risk & Resilience Research Group at the Center for Security Studies, ETH Zurich and 2010/11 Fellow at the stiftung neue verantwortung, Berlin.

Oliver Rolofs is the Press Spokesperson for the Munich Security Conference and Alumni Associate at the stiftung neue verantwortung, Berlin.