Becker identifies the principal issues presented by cyber warfare—the difficulty of prevention and the difficulty of identifying the attacker, which is essential to effective deterrence.
In assessing these issues, one needs to distinguish between hacking data and destroying data. The essential vulnerability of online data to hacking lies in the fact that, since the data are not physically enclosed (like documents in a steel safe), they can be secured against copying only by encryption, and any code designed to scramble a body of electronic data to make it unintelligible can be hacked from anywhere in the world. Unless the code is changed constantly (maybe every few seconds), the indispensable defensive response is to detect the hacking promptly and change the code.
But hacking is a relatively minor problem—more in the nature of an annoyance than a serious injury. In the national security setting, it is a form of espionage, and espionage rarely inflicts more than marginal harm, in part because it is a two-way street. And this is true of hacking: foreign countries hack our national security computer communications and databases, but presumably we hack theirs.
The greater danger is the danger of destruction of online data (i.e., sabotage versus espionage). It could paralyze our conduct of cyber warfare and could also gravely disrupt the national electrical grid, the financial system, and communications generally. There have already been cases of successful cyber sabotage, notably of Iranian nuclear facilities.
So cyber warfare is a real danger. But in that respect it is no different from nuclear warfare, which the world has managed to avoid, mainly by deterrence (threat of retaliation) but also by the taboo status that nuclear warfare has attained in the imagination of most people, including national leaders, over the last three-quarters of a century despite the proliferation of nuclear weapons and the relative cheapness and simplicity of creating and deploying them.
The problem with deterring cyber warfare is partly the difficulty of identifying the source of a cyber attack, which need not even be a nation (it could be a terrorist group—though there is also a danger that such a group could procure and deliver nuclear or biological weapons), and partly the difficulty of a feasible, effective response. Suppose the United States is the victim of a very serious cyber attack by a nation that has nuclear arms. How do we retaliate? If we use nuclear weapons, we risk counter-retaliation by nuclear weapons. If we use cyber weapons to retaliate, they may prove to be relatively ineffectual, either because the enemy has better cyber security or because it simply is less dependent on online data and communications for the management of its economy than the United States. We are confident that no nation could defend itself against a U.S. nuclear attack, but we can’t be confident about our ability to devastate an enemy nation with a cyber attack.
What makes cyber warfare particularly insidious is that it is extremely cheap. It requires no raw materials, like uranium, no processing, like enriching uranium, and no delivery vehicles, like missiles carrying nuclear weapons. In these respects biological warfare is similar, but it is indiscriminate—it is difficult to shield the attackers from contagion. That is not the case with cyber warfare. And to prevent the proliferation of cyber warfare capabilities is impossible, because they are inexpensive, requiring basically nothing more in the way of inputs than software scientists and engineers. An international convention with inspections by an international agency analogous to the International Atomic Energy Agency would be unworkable because the cyber “warriors” would not work in identifiable facilities and because cyber weapons are immaterial rather than material entities. Of course the cyber warriors use computers but the computers are multi-purpose—they don’t identify themselves as weapons.
Although at present defense against cyber warfare is very difficult, and indeed seemingly ineffectual, a pooling of the civilized world’s computer expertise in an international effort to secure computer networks and databases against online espionage and (especially) sabotage, as well as to create redundancy in such networks and databases that would enable their essential functions to be maintained even after a large-scale cyber attack, would certainly be a worthwhile undertaking. There are indications of cooperation between the United States and close allies such as the United Kingdom and Israel. Let us hope that international cooperation in cyber defense is expanded and adequately financed.