The recent Mandiant report has spurred a lot of debate over whether the US and China are moving towards more confrontational relations over cybersecurity. In a recent paper, Erik Gartzke argues that any confrontations are likely to be very limited. Gartzke is pushing back against the prevalent claim that the US is unprepared to deal with hostile incursions into its information systems, and indeed faces a “Digital Pearl Harbor.” Gartzke argues that the Pearl Harbor analogy is indeed an apt one, but not in the ways that its proponents think.
Gartkze’s argument is that cyber incursions are far more likely to cause temporary disruptions than lasting damage. They can surely disrupt a country’s economy or communications, but probably not for very long. This means that they have a military role – but only in combination with other, more conventional forms of attack. He cites the example of Russian attacks on Georgia in their brief war (although his suggestion that these attacks were sponsored by the Russian government is contestable; see the recent article by Ron Deibert et al.) as an example of how this could work. Such attacks could make it easier for a military offensive to succeed, but absent such an offensive they are more likely to provoke than to seriously degrade the military abilities of any adversary. Here, they are indeed like Pearl Harbor, which was less a cunning master plan to destroy a supine America than a desperate throw of the dice by the Japanese, who saw themselves inexorably losing power, and needed to seriously damage the US carrier fleet to have much chance of military success (they failed). Cyberattacks on their own will not have serious military consequences.
Gartzke also argues that it will be extremely difficult for states to use their cyber attack capabilities as a threat to extract concessions from other states. Because cyber attacks rapidly degrade in usefulness (they rely on zero day exploits which can be patched against), and can indeed be countered if they are anticipated, it is hard to make threats that are both (a) credible and (b) not capable of being countered, once the threat is known.
This suggests that cybersecurity incursions are most likely either to accompany traditional attacks (increasing disruption) or to be covert attacks (a la Stuxnet) aimed at disrupting specific and limited systems, without trying to take down an entire economy. If Gartzke is right, much of the hysteria about cybersecurity problems in Washington DC policy debates is utterly misplaced. Cyber security poses some important questions for the US - but not ones that are likely to have grave security consequences.