Commentary | September 21, 2016

Win Cyberwar by Playing It Safe

BY: NICOLAS ZAHN

Not so long after the now moot declaration of its independence, cyberspace is seen as the “fifth domain of warfare”. But who will be succeeding in this new domain? To identify winners and losers in cyberwar we first need to investigate what the key characteristics of confrontation in cyberspace are. 

Generally, new technologies widen the options for human activity, e.g. by making things possible that were previously unattainable or by facilitating them. This also applies to warfare. New technologies can be applied to enhance known techniques of warfare, e.g. through more efficient engines for tanks. But new technologies also add new possibilities of conducting warfare as well as new threats to (inter)national security. This is also true for the technologies underpinning cyberspace. 

However, there are several key characteristics of cyber-confrontation worth pointing out: first, the number of actors and their diversity increases. Non-state actors and even individuals can play in the fifth domain just as well as nation states. Second, the new tools of conflict, e.g. hacking infrastructure, differ in various ways from other categories of weapons. They are relatively easily available to and usable by actors with the needed know-how. As other goods of the digital economy, malicious software, once produced, is available at zero marginal cost and can thus be spread much more easily and renewed at a greater pace than traditional weapons. 

Cyberweapons are know-how intensive but not necessarily capital intensive. The interconnectedness of cyberspace, as beneficial for us as users as it may be, also means that attacks on this connected system also quickly lead to heavy damages through ripple effects. A third significant characteristic is that the new tools and technologies broaden the scope of warfare. Warfare used to be mostly about securing land, sea or air from clearly defined enemy forces. 

New technologies blur the lines: is it an act of war if a program sabotages a country’s critical infrastructure? Is it armed conflict if a news site gets taken down or if false information is spread to the masses? We have already seen the problems such actions create for our current understanding and the classification of acts, e.g. with the notorious attack on an Estonian government site. And as cyberspace itself keeps growing as new technologies bring connected technology to ever more aspects of life – think Internet of Things – the potential theater of cyberwar also grows. All these factors lead to the realization that the world of cyberwar is very messy: more actors can get their hands on more weapons more easily than is the case for other domains of warfare. 

Also, the rules for cyberwar are far from clear as international law and policymakers struggle to keep up with the high pace of changing realities shaped by technological progress. Hence, the first step to winning cyberwar is to ruthlessly identify one’s vulnerabilities and then move on in a second step to maximize resilience. Attacks are bound to happen, so resources are best invested in minimizing the effects of those attacks. Offensive cyberweapons as deterrence and retaliation against attacks are in contrast not a good idea given that attribution of cyber-attacks is very difficult to impossible. What good is retaliation if you do not know whom to hit or if you hit the wrong target? 

A better way to deter attacks would be to show that one’s cyberspace is resilient and hence an attack would not be worthwhile. With the ever-growing importance of cyberspace and our reliance on its services, providing a resilient cyberspace becomes a prime objective for every community. An additional bonus of the defensive strategy that focuses on resilience is that support from the private sector and academia is much more likely. 

Given the know-how intensity of cyberspace this private support for the public sector should not be underestimated. If governments declare to work towards a resilient cyberspace they are likely to gather support from a variety of actors: from the private sector, which profits directly from a resilient environment, to hacktivists, which value a safe, non-weaponized cyberspace as an ideal. In pursuing a resilient cyberspace private and public partnership can go a long way and include measures from state-sponsored education programs to privately created cyberinsurance policies. 

The sooner the relevant actors realize where their vulnerabilities lie in cyberspace and the sooner they start cooperating towards a resilient cyberspace, not only on a national but also an international level, the more likely they are to be winners in this new domain.

 

This essay was the second place winner in the 2016 Nextgen Essay Contest. Mr. Zahn, 27, studied political science and international affairs in Zurich, Geneva and Washington D.C. In his studies he focused on issues of global governance and regulatory affairs. Since completing his Master in International Affairs in late 2014, he works as a project consultant in the financial industry.

More information about Nextgen is available at www.ewinextgen.com