Brandon Valeriano has a “working paper”:http://dl.dropbox.com/u/5471522/The%20Dynamics%20of%20Cyber%20Conflict%20between%20Rivals%20v2%20final.pdf which gathers some quantitative data to take a look at cybersecurity issues. Like “Gartzke”:http://tmc.local/blog/2013/02/21/the-international-relations-of-cybersecurity/, he finds that reports of cyber-war have been greatly exaggerated.
bq. even though there are 106 observed cyber incidents within 44 cyber disputes among 20 rivals, the intensity, duration, and level of attack remain low compared to the dire warnings one receives from the media. We hope that this research can return the debate on cyber conflict to a more nuanced examination of the threat.
One of the risks of this kind of research is that the data is very likely systematically biased. As Valeriano acknowledges, the set of publicly known cybersecurity incidents (Valeriano scrapes media reports to gather his data set) may only imperfectly reflect the actual universe of attacks that have been committed. David Sanger reports that one of the architects of the Stuxnet/Olympic Games attack told him that “The most elegant attacks are a lot like the most elegant bank frauds … They work best when the victim doesn’t even know he’s been robbed”(pp.190-191, _Confront and Conceal_). To the extent that this is true (which is again unknowable given publicly available information), many of the most interesting cybersecurity attacks will not be publicly known (and may, perhaps, never be known – e.g. attacks creating critical vulnerabilities to be used in the event of wars that never happen).