The news in recent weeks juxtaposed two arms races that are seemingly headed in different directions. President Trump’s Singapore meeting with President Kim Jong-un signaled a possible de-escalation of tension over North Korea’s effort to develop nuclear weapons that could target U.S. territory. But in the opposite direction, the Trump Administration has recently escalated its strategy of using malware as a preemptive weapon against future possible cyber and nuclear attacks.
Even if President Trump is ultimately successful on the Korean front, there are many reasons to worry about the wisdom of developing cyber tools as offensive weapons. Not the least of which is that the cyber and nuclear threats are sometimes linked. Cyber weapons can be used to weaken an opponent’s nuclear capability. And as a matter of fact, they have.
There is a basic similarity between nuclear and cyber arms races. They are races to the bottom. Both have the potential of uncontrolled escalation, as each side responds tit for tat to the other’s actions. Two competing states might be more secure collectively without more nuclear and cyber weapons, but the failure to respond to an opponent’s actions can create a fatal power asymmetry. Arms competition escalates when it seems to be the only way for a state to avoid losing to another.
Escalation in both cases can wreak extensive havoc and destruction. Cyber weapons are the opposite of a neutron bomb. A neutron bomb has the capacity to destroy people while leaving the buildings and infrastructure largely intact. An extensive cyber attack can leave the people intact, but disrupt the infrastructure and basic services in a target country, particularly as countries adopt smarter technologies that depend on internet services.
The risk of being severely damaged by a first strike fuels the incentive to have the capacity to undertake a pre-emptive strike. Waiting to absorb a first strike and then responding can be costly at best, and at worst, limit the ability to retaliate effectively. But the more a country prepares for preemption, the higher the risk that conflict could break out based on misinformation and misperception. And the risk is even greater with cyber tools, which unlike nuclear arms are used not only for destruction but also for intelligence, criminal activities, deception, and other strategic effects that can easily lead to misinterpretation.
The differences between nuclear and cyber arms races also matter. With the exception of dirty bombs, nuclear competition has been largely contained to states due to the high technological demands of developing and delivering nuclear weapons. Consequently most of the post-World War II arms control efforts were aimed at preventing additional states from developing nuclear weapons.
With cyber weapons, however, there are numerous non-state actors involved, tremendous challenges in attribution, and more ambiguities about responsibility when they are used harmfully. Individuals, criminal organizations, companies and other groups, not to mention countries with scant scientific capacity, can develop and deploy cyber weapons. And non-state actors can learn from states. Unlike nuclear bombs, cyber tools can be re-engineered and reused. New concepts of attacks can be copied.
Cyber tools can also be stolen more easily than nuclear missiles. For example, the destructive malwareWannaCry and NotPetya used the EternalBlue tool developed by the NSA that exploited a Mircrosoft vulnerability. EternalBlue had been stolen and made publicly available.
The diffusion problem around state-developed malware has raised thorny accountability and liability problems. Who is ultimately responsible for the security and stability of cyberspace? To be sure, those who steal tools from the government and those who use them are mainly to blame. But what is the responsibility of the NSA, the government agency that looked for and found a vulnerable flaw in Microsoft’s code, and then lost its exploit tool to thieves? Is a company that continues to have vulnerabilities in its code because it races to market to blame as well?
In the end, while states do not control cyber weapons as well as they do nuclear arms development, they still have enormous advantages in resources and expertise, and a strong obligation to look out for the public interest. This makes the decision to develop offensive weapons all the more problematic. If a nation’s nuclear capacity can survive any initial attack and retain an ample retaliatory capacity, then a would-be attacking state knows that it faces sure destruction and be deprived of any substantial first strike immunity. The balance of power is more complex in cyberspace: Countries with the most advanced capabilities are also the most connected and potentially the most vulnerable to counterattack. Attacks can backfire.
If we concentrate our efforts on defending against attack, disclosing vulnerabilities to software companies in order to better secure information systems, and protecting our critical infrastructure more effectively, then we will not unintentionally propagate more non-state cyber weapons and we will make it harder for any attack to incapacitate our economic and military weapons. If enough states enter into this agreement, then groups that want to develop these cyber weapons will need to amass the considerable resources and manpower necessary to do so.
The critical element of mutually assured destruction was that all those who had nuclear weapons realized that it was madness to use them. This is the position we need to achieve at the national level with respect to cyber weapons. Our societies are too dependent on the internet and technology to allow them to be under the threat of constant attack. This still leaves the threat of groups other than states that might want to hack critical systems and use malware for malicious intent and profit, but they will be more easily defeated if all responsible state and private partners work together, not if they compete in an escalating cyber war. Even in cyberspace, some roads lead to no place we really want to go.