The International Relations of Cybersecurity

The recent Mandiant report has spurred a lot of debate over whether the US and China are moving towards more confrontational relations over cybersecurity. In a recent paper, Erik Gartzke argues that any confrontations are likely to be very limited. Gartzke is pushing back against the prevalent claim that the US is unprepared to deal with hostile incursions into its information systems, and indeed faces a “Digital Pearl Harbor.” Gartzke argues that the Pearl Harbor analogy is indeed an apt one, but not in the ways that its proponents think.

Gartzke’s argument is that cyber incursions are far more likely to cause temporary disruptions than lasting damage. They can surely disrupt a country’s economy or communications, but probably not for very long. This means that they have a military role – but only in combination with other, more conventional forms of attack. He cites the Russian attacks on Georgia in their brief war (although his suggestion that these attacks were sponsored by the Russian government is contestable; see the recent article by Ron Deibert et al.) as an example of how this could work. Such attacks could make it easier for a military offensive to succeed, but absent such an offensive they are more likely to provoke than to seriously degrade the military abilities of any adversary. Here, they are indeed like Pearl Harbor, which was less a cunning master plan to destroy a supine America than a desperate throw of the dice by the Japanese, who saw themselves inexorably losing power, and needed to seriously damage the US carrier fleet to have much chance of military success (they failed). Cyberattacks on their own will not have serious military consequences.

Gartzke also argues that it will be extremely difficult for states to use their cyber attack capabilities as a threat to extract concessions from other states. Because cyber attacks rapidly degrade in usefulness (they rely on zero-day exploits, which can be patched), and can indeed be countered if they are anticipated, it is hard to make threats that are both (a) credible and (b) not capable of being countered once the threat is known.

This suggests that cybersecurity incursions are most likely either to accompany traditional attacks (increasing disruption) or to be covert attacks (a la Stuxnet) aimed at disrupting specific and limited systems, without trying to take down an entire economy. If Gartzke is right, much of the hysteria about cybersecurity problems in Washington DC policy debates is utterly misplaced. Cybersecurity poses some important questions for the US – but not ones that are likely to have grave security consequences.

3 Responses to The International Relations of Cybersecurity

  1. Chaz February 23, 2013 at 6:39 am #

    It seems that the main value of cyber infiltration is for espionage rather than directly causing damage.

    Didn’t Mandiant say most of the Chinese cyber-incursions against the U.S. were industrial espionage? I haven’t heard of any actual attacks other than Russia going after Estonia and Georgia and the U.S./Israel/whoever against Iran. Of course you could say three cases is a lot given that there aren’t many wars going on right now.

  2. JtheStudent February 25, 2013 at 4:45 pm #

    It’s good for the country to finally be taking more actions toward strengthening cybersecurity — but Gartzke is still caught up in the ’00 mentality.

    We’ve gone far from the days of “I hacked into your e-mail, MSN and sent virus links to everyone/I just hacked your website”


    “We hacked into your country’s power plant and just made it go out of control (remember Iranian centrifuges?). Your multimillion dollar factory machinery is all going haywire.”

    “Your UAVs are not only offline, but we gained remote-access to them, and they’re en-route to unloading payloads on your neighboring countries.”

    “Satellite communications are all jammed, corporate servers physically fried through overclocking and tweaking HD RPM, pipelines about to spew every drop of oil they can, and as a bonus we remotely set the thermostat of your mother-in-law’s house to 104 degrees…thank us.”

    We need to recognize that anything with remote-access can be potentially accessed by opponents, and that anything connected to a network (even intranet) is vulnerable. “Patches” and fixes are not instant — and are not as simple as just “closing the loophole.” Exploits can come in the form of legitimate functionality built into the program, and shutting such operation can potentially shut down the entire network.

    If your heads are spinning (or simply skipped down to here), great. The real “Pearl Harbor moment” is not about the actual damage — it’s about our fundamental shift in threat perception forced onto us after a crisis.

  3. StudentJ February 28, 2013 at 2:01 pm #

    Bumped into this FAS article on DARPA testifying on cybersecurity, and I think they summarized the biggest problem now — that “challenge of cybersecurity cannot be fully described in public.” The systems are so weak…listing all potential threats would basically give ideas to anyone capable to make those threats happen.

    Dr. Gabriel subtly notes how cybersecurity goes beyond abstracted “cyberspace” — and into “Physical systems…A smartphone hundreds of miles away took control of a car’s drive system through an exploit in a wireless interface.” In short, those “unspeakable” vulnerabilities are every piece of industrial machinery (from car plants to chemical plants) and data centers (imagine Google going offline, with the added bonus of every Gmail account wiped clean).

    I wouldn’t be surprised if the recent shift toward Chinese hacking of power plants and other infrastructural targets arises from the fact that they’ve already stolen a good sum, and are looking for new frontiers.