Ben Buchanan is a postdoctoral fellow at Harvard University’s Cybersecurity Project. His first book, The Cybersecurity Dilemma, was published by Oxford University Press in 2017. You can follow him @BuchananBen.
The great Greek historian Thucydides wrote of the Peloponnesian War, “It was the rise of Athens, and the fear this inspired in Sparta, that caused war to be inevitable.” This statement hints at a broad pattern. As nations rise, and especially as they secure themselves, they in the process threaten other nations who have no choice but to take the threat very seriously. Often, this threatening behavior is unintentional. In the time since the ancient Greeks, international relations scholars have named this idea the “security dilemma” and found it occurring time and again, both in strategic matters and at the operational level of conflict.
What about in cybersecurity? My new book argues that we are fast approaching an era—if we’re not there already—in which the cybersecurity dilemma will pose serious concern. The argument rests on three ideas.
First, developing the capacity to do significant and targeted damage with a cyber operation requires a lot of preparation. In previous kinds of conflict, the development of weapons was done at home, and then the weapons were deployed overseas as needed. Cyber operations are a little more complicated. Developing and tailoring a cyber capability usually requires gaining access to the target system in advance, doing reconnaissance that informs the development, and sometimes refining the code in replica test environments. In this vein, NSA Director Michael Rogers alluded to other states conducting preparatory intrusions as they seek to “generate options and capabilities for themselves should they decide that they want to potentially do something.”
All of this is time-consuming, requires covert access to potential adversary networks, and results in capabilities that aren’t easily retargeted. In short, if a nation wants to be able to target, in a military way, the networks of another nation, it needs to start work on that well in advance. This is true even if the capability development is for deterrence or contingency planning reasons.
The trouble comes when the nation suffering the intrusion detects it. It’s very difficult to know the intentions of another nation, especially in the cyber domain, where obfuscation and deception are paramount. The nation’s policymakers could conclude that the intrusion is a prelude to a future attack, perhaps even an imminent attack. In that case, they might escalate or even try to pre-empt their adversary. Alternatively, they could conclude that it is a contingency operation and nothing to worry about. In making this determination, the decision-makers are likely to be swayed by how much they trust the intruding nation, the criticality of the network in which the intrusion took place, and the threat they perceive from network intrusions in general.
While one could stop the cybersecurity dilemma logic there—that which is meant merely for contingency operations can be misinterpreted and cause tension and perhaps conflict—a second idea makes the problem still harder: nations can break into one another’s networks for genuinely defensive reasons. It’s illegal for corporations and non-profits to hack back when they suffer a breach. This isn’t true for governments; in fact, governments can even hack first, pre-emptively looking around in the networks of potential adversaries to uncover operations in the planning and development stage. When successful, this is a big aid to the defensive mission. The outgoing United States cyber coordinator, Michael Daniel, alluded to the importance of maintaining operational secrecy when he said, “If you know much about it, [cyber is] very easy to defend against.”
The NSA will broadly acknowledge these kinds of defensive-minded intrusions. One former agency lawyer wrote that the United States could “gain information of critical importance to the defensive mission—say by intercepting the plans of a malicious actor against U.S. networks in advance.” Snowden documents provide a few specific examples, such as the time when the NSA was able to gain access to the computers Chinese operators were using to launch intrusions. By doing so, the agency was able to uncover data on past victims as well as future targets, plus information on the Chinese operators carrying out the operations and the tools they used.
Defensive-minded intrusions complicate the cybersecurity dilemma further. Not only might an offensive contingency plan be misinterpreted, but something that is genuinely defensive in intent can be as well. The risk of misinterpretation yields a worrying possibility: greater tension, and perhaps escalation, even if neither state desires the other any harm.
A third point underscores the stakes: every intrusion into an important network is threatening. Intrusions oriented towards preparing attacks can have potent results, as the Stuxnet case and the 2015 blackout in Ukraine show. Intrusions oriented towards stealing secrets can yield a wealth of information, as incidents throughout American government networks demonstrate. Even intrusions that begin as genuinely defensive can quickly morph into something else; the basic wiper attacks suffered by Aramco, Sony, Sands Casino, and others are not as damaging as tailored operations, but they are nonetheless significant. Each of these wiping operations, however, required the same amount of access or less than a defensive-minded intrusion would.
In sum, all of this taken together poses a real dilemma for modern nations. They have an incentive to break in early, whether to conduct offense, to set up contingency plans and deterrents, or to aid their defenses. The inability of nations suffering an intrusion to divine its intentions creates the risk of misinterpretation and escalation, a possibility made more threatening by the fear of what the intrusion might enable. As more nations develop more potent cyber capabilities, the problem will get worse.
The security dilemma has been around in one form or another since the ancient Greeks. Time and again, scholars and practitioners have devised means of mitigating it. Overcoming the cybersecurity dilemma will require new approaches, as not all of the old methods apply. Doing so will not be easy, but it is vital to prevent cyber incidents from spinning out of control.