U.S. and World Politics

Don’t Believe Scare Stories about Cyber War

By John Horgan

For years, a friend I’ll call Chip, knowing my obsession with war, has been telling me: “Cyber War! That’s what you should be writing about! Real war is passé!” Chip keeps sending me stories about all the damage digital attacks do—or rather, might do, because as far as I can tell cyber war hasn’t claimed a single life. My admittedly glib response has been that if nations start waging war with 1s and 0s rather than bombs and bullets, that’s progress.

But Chip finally goaded me into writing about cyber war by alerting me to a May 31 Wall Street Journal article, “Cyber Combat: Act of War.”1 The Pentagon “has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force,” according to the article. It adds: “If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a ‘use of force’ consideration, which could merit retaliation.”

This report follows years of scare stories about cyber attacks. One of the best known involves a mysterious program called “Stuxnet,” which supposedly disrupted Iran’s nuclear program by infecting its computer systems; the Stuxnet attack may have been carried out by Israel, possibly with U.S. help. Other stories have alleged attacks by Russia and China on U.S. computers belonging to our defense agencies and contractors as well as civilian businesses, such as Google.

One obvious problem with the Pentagon’s new retaliation policy is that tracing cyber attacks to their sources can be difficult. Sophisticated hackers can concoct false trails, leading the targets to suspect and possibly retaliate against an innocent group. As one unnamed Pentagon official told The New York Times, “How do we know when it’s a hacker and when it’s the People’s Liberation Army?”

Here’s another question: How do we know whether cyber war poses a genuine threat to the U.S. and other nations? The military-industrial complex has a long history of exaggerating threats. Remember the “ missile gap,” the Soviet Union’s illusory superiority in nuclear missiles, which justified enormous investments in the U.S. nuclear arsenal?

U.S. security agencies today are trying to justify and even increase their already immense budgets by hyping the threat of cyber war, according to an article published in The New Yorker last November by the legendary investigative reporter Seymour Hersh. He quoted former U.S. security officials Richard Clarke and Michael McConnell, among others, warning that the U.S. could be vulnerable to “catastrophic” cyber attacks.

Hersh noted that cyber security, into which the U.S. already pours as much $14 billion a year, “is a major growth industry, and warnings from Clark, McConnell and others have helped to create what has become a military-cyber complex.” Both Clarke and McConnell, Hersh pointed out, work for consulting groups that have grabbed pieces of the cyber-security pie.

Hersh also cited “military, technical and intelligence experts” who contend that the danger of cyber attacks that shut down nuclear power plants, air-traffic control computers and other truly critical systems—as depicted in fictional TV shows such as 24—“have been exaggerated.” Privacy advocates also warn that the military-cyber complex is seeking more control over civilian information systems, so that it can eavesdrop on communications more readily. Of course, by boosting its cyber defensive—and, no doubt, offensive—capabilities, the U.S. may encourage other countries to do so, triggering a cyber arms race that makes us more rather than less vulnerable.

Here’s a bit more context for the cyber warfare debate: Over the past decade the U.S. defense budget has doubled, and it is now almost as large as the military budgets of all other nations combined. The vast, super-secret National Security Agency (NSA), which oversees U.S. digital security and intelligence-gathering, is “three times the size of the CIA and with a third of the U.S.’s entire intelligence budget,” Jane Mayer noted in the May 23 issue of The New Yorker.

Mayer reported that the U.S. Department of Justice is zealously prosecuting a former NSA employee and whistle-blower, Thomas Drake, who dared raise questions about the agency’s financial waste and illegal surveillance—even though President Barack Obama once praised whistleblowers as “often the best source of information about waste, fraud and abuse in government.” Mayer quoted a law professor at Yale University, Jack Balkin, who said of the Drake prosecution and similar cases, “We are witnessing the bipartisan normalization and legitimization of a national-surveillance state.”

Cyber fear mongering originated during the George W. Bush administration, but it has continued under Bush’s successor, who as a candidate criticized Bush’s warrantless wiretapping of Americans. I’m no longer surprised by the Obama administration’s hawkishness. Just disappointed.

Scientific American, June 3, 2011