The Future of Cyber-Security

Are the latest cyber-attacks directed against South Korea and the United States — presumably from North Korea — a major threat, or not? The Wall Street Journal touted them as “among the broadest and longest-lasting assaults perpetrated on government and commercial Web sites in both countries.” The New York Times was more dismissive:

The latest bout of attacks, which affected service on one government and six commercial Web sites in South Korea, was relatively minor, and all but two of the sites were fully functional within a few hours, an official from the state-run Korea Communications Commission said….

Whatever the case, the attacks have focused attention on the issue of cyber security and that’s not a bad thing. Given how reliant the U.S. has become on computer networks, the ability to disrupt them represents a major vulnerability for our enemies to exploit. Both President Bush and President Obama recognized the problem and have been pouring more resources into the area. Cyber-warfare is now being elevated as a priority in the military and civilian bureaucracy.

That’s the easy part. The hard part is figuring out cyber-warfare intellectually.

When, for example, does hacking into computer networks constitute an act of war? And how should we respond? The answers are not at all obvious. We know what happens when hijackers ram aircraft into our buildings: We go to war. But would we send missiles flying and troops marching in response to a cyber attack? It sounds unlikely, but what if that attack brought down our electricity grid, paralyzed Wall Street, or incapacitated our air-traffic-control system?

Some kind of response would be called for, but what? The obvious answer is to hit the culprit’s own computer networks but what if they come from a country not as dependent on information systems as we are? What if we can’t even tell who they are or whether they are acting on their own as opposed to being sponsored by a foreign state? Should we hold suspected state sponsors of cyber-attacks responsible for the work of hackers the way we (sometimes) hold state sponsors of terrorism responsible for the actions of their proxies?

More questions: Should we have one set of responses for cyber-espionage and another for cyber-attacks designed to bring down our networks? And what should be our goal online: Should we strive for cyber-supremacy the same way we do in naval and aerial warfare? Or should we be satisfied with establishing a balance of terror with our enemies as we do in nuclear warfare?

I can’t claim to have good answers to any of these questions. Neither does anyone in the U.S. government that I’m aware of. When it comes to cyber-war, we are at the same stage, intellectually, as we were with nuclear warfare in the 1940’s: still waiting for bright thinkers to come along and propound doctrines such as Mutual Assured Destruction, counter-force targeting, and all the other ideas that governed American policy throughout the Cold War. We are waiting, in short, for the Albert Wohlstetters, Henry Kissingers, and Paul Nitzes of the cyber-age.