June 2, 2011
Today's global threat perception has been shaped by grave concerns about the vulnerability of ICT-connected critical infrastructures to attacks from nebulously defined enemies. Despite this potential for major disaster, however, reality has proven far less grim - demonstrating that more level-headed threat assessments should guide policy.
Information has always been a significant aspect of power, diplomacy and armed conflict. Recently, however, the importance of information for political matters has spectacularly increased due to the triumphal proliferation of information and communication technology (ICT) into all aspects of life. The ability to master the generation, management, use and also manipulation of information has become a much-desired power resource in international relations.
But where there is opportunity, there is threat.
The current threat paradigm
Today's global threat perception has been influenced decisively by the larger strategic context that emerged after the Cold War, when the notion of asymmetric vulnerabilities, epitomized by the multiplication of malicious actors and their increasing capability to do harm, started to play a key role. Due to difficulties in locating and identifying enemies, parts of the focus of security policies shifted away from actors, capabilities and motivations toward vulnerabilities more generally. Widespread fear took root in the strategic community that malevolent actors might try to bring the developed world to its knees by striking against vital points at home, namely, critical infrastructures (CIs). The concept of CI includes sectors such as information and telecommunications, financial services, energy, utilities and transport and distribution, plus a list of additional elements that vary across countries and over time. Most of these CIs rely nowadays on a spectrum of software-based control systems for their smooth, reliable and continuous operation.
There are two sides to the threat image: An inward-looking narrative equates complexity with vulnerability. The very connectedness of infrastructures through ICT is what poses dangers, because perturbations within them can cascade into major disasters with immense speed and beyond our control. The outward-looking narrative, on the other hand, sees an increasing willingness of malicious actors to exploit vulnerabilities without hesitation or restraint. Because CIs combine symbolic and instrumental values, attacking them becomes integral to a modern logic of destruction that seeks maximum impact. In other words, cyberspace becomes a force-multiplier by combining the risks to cyberspace with the possibility of risks through cyberspace.
This results in two significant and very powerful characteristics of the threat representation: First, the protective capacity of space is obliterated; there is no place that is safe from an attack or from catastrophic breakdown in general. The "enemy" becomes a faceless and remote entity, a great unknown that is almost impossible to track. Second, the threat becomes quasi-universal because it is now everywhere, creating a sense of imminent catastrophe - and prompting fears of unrestrained cyberwar.
Drawing a revised threat picture
However, despite this all-embracing potential for major disaster, reality looks far less stark. In the entire history of computer networks, there have been only very few examples of severe attacks that had the potential to or did disrupt the activities of a nation-state in a major way. There are even fewer examples of cyberattacks that resulted in physical violence against persons or property: The most prominent example is Stuxnet, a computer program apparently written to specifically attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes.
Therefore, despite the release and discovery of Stuxnet and the ruckus it has created in the international community, and despite the norm today that every political tension or conflict is accompanied by heightened activity in cyberspace, the huge majority of cyberattacks in the past and present are low level (though often costly for businesses) and cause inconveniences rather than serious or long-term disruptions.
There is no evidence that this is likely to change in the future. What we are going to be confronted with is a diverse set of mildly disruptive CI occurrences due to cyber incidents, with some, but only very few, that will rattle the "collective" nation-state or society.
Three points can be made with regard to this threat picture.
First, throwing too much money at high-impact, low-probability events - and therefore having fewer resources for the low- to middle-impact, high-probability events - does not make sense, either politically or strategically, and certainly not when applying a cost-benefit logic.
Second, preparing for and investing in major cyberwar-activities among state actors (clandestine or not) would fall within this category, too. Those experts expecting a coming age of unrestrained cyberwar seem to forget that careful threat assessments are a cornerstone of sensible planning in security and defense matters. And such assessments necessarily demand more than just navel-gazing and vulnerability spotting. Rather than just assuming the worst, the question that must be asked is: Who has the interest and the capability to attack us and why? Even if the most extreme case were assumed - that the majority of states have developed effective and powerful cyberweapons - the mere existence and availability of such capabilities does not automatically mean that they will be used. Those democratic states that consider the risk of war, be it conventional or unconventional, to be very low should consider the risk of severe cyberattack just as unlikely. The strategic logic behind acts of war remains the same, even in the virtual world.
Third, government officials and politicians are well advised to focus not on 'war' and 'defense' but on 'crime' and 'protection/resilience'. The more level-headedly they approach the issue, the easier it will be to work together with the private sector, which plays the most crucial role in securing the information age. True enough, the publication of Stuxnet's code has already led to many piggyback attacks. SCADA systems are therefore likely going to be the target of choice in the near- to mid-term future. This comes with an inherent danger of intended and unintended (side) effects, of course - but the CI community has been talking about the threat to SCADA systems for over a decade, while simultaneously and steadily improving the methods and tools available to counter cyberthreats across the board. This concerns information assurance measures, for example, or the many diverse activities, concepts and processes subsumed under 'critical infrastructure protection' (CIP) or the more recently applied concept of resilience.
None of these approaches are perfect. In fact, it is simply impossible to either "defend" against or "deter" all or even the majority of cyber threats or make all critical networks "secure". Cyberincidents are expected to happen, some of them with severe consequences, simply because they cannot be avoided. But this does not mean that nothing should be done: Many attacks have already been avoided or their impacts reduced. And for the rest, we will simply have to learn how to live with insecurity in pragmatic ways, if we want to continue reaping the benefits of the cyberage.