Correspondence: A Cyber Disagreement
2014; The MIT Press; Volume: 39; Issue: 2 Linguagem: Inglês
10.1162/isec_c_00169
ISSN1531-4804
Autores Tópico(s)European and Russian Geopolitical Military Strategies
ResumoPolicymakers and pundits have been sounding alarms about internet insecurity for years, so the first appearance of anything in International Security (IS) on this topic is a welcomed development. In the fall 2013 issue, Lucas Kello takes the security studies community to task for ignoring cyber perils, while Erik Gartzke argues that cyberwar is of limited political utility.1 Kello writes that “[t]he Clausewitzian philosophical framework misses the essence of the cyber danger and conceals its true significance: the virtual weapon is expanding the range of possible harms between the concepts of war and peace, with important consequences for national and international security” (p. 22). Gartzke counters, “War is fundamentally a political process, as Carl von Clausewitz famously explained. … The internet is generally an inferior substitute for terrestrial force in performing the functions of coercion or conquest” (p. 42). If Kello is right, then the long silence in IS on cybersecurity suggests that scholars have neglected a major transformation in security affairs. If Gartzke is right, then scholars can be forgiven their bemusement with inflated cyber rhetoric.In my investigations of American and Chinese activities, I have found cyber interventions to be more complicated and less effective than generally believed.2 Arguments from technology are common in cybersecurity discourse and have excited policymakers, so they should be taken seriously. Yet Kello's characterization of the skeptical viewpoint as “more visceral than analytical” (p. 9) misrepresents the analytical literature that does exist. Kello insists that “scholarly inattention toward the cyber issue … must change” (ibid.), but he disparages the field while ignoring relevant scholarship. My commentary addresses the technological determinism of Kello's argument and his misrepresentation of the state of the field. I do not comment on Gartzke's article because I read earlier drafts of it, and we are collaborators on a related project.Kello's article asks, “Does the new technology require a revolution in how scholars and policymakers think about force and conflict?” (p. 7). In an important book published in 1977, Langdon Winner assesses a number of myths about technology: that it leads to domination by the state that possesses it or to revolutionary subversion, that its essential nature requires particular policies, that complex infrastructure leads to societal paralysis, and various other imperatives.3 Winner's critique is as relevant to the internet age as it was to Marxist expectations of the factory age. Military history, in particular, is littered with arguments from technology that failed in experience: the stirrup will transform the feudal order; the tank will sweep away infantry; the bomber will zip through defenses to cripple the enemy; and sensor-to-shooter networks will make war quick and decisive. Almost every study of technology and war finds that doctrine, organization, and the circumstances of employment matter as much as, or more than, the characteristics of weapons for military performance.4Kello instead argues that poor performance results from misunderstanding the true nature of new technology: “Historically, bad theories of new technology have been behind many a strategic blunder. In 1914, British commanders failed to grasp that the torpedo boat had rendered their magnificent surface fleet obsolescent. In 1940, French strategic doctrine misinterpreted the lessons of mechanized warfare and prescribed no response to the Nazi tank assault” (p. 14). These examples are unfortunate choices. It was not the battleship but the torpedo boat that became obsolete, despite the revolutionary expectations of the French Jeune École. The British adopted searchlights, close-range small-caliber guns, and thicker armor to defend their ships, and the Royal Navy successfully kept the High Seas Fleet bottled up after Jutland.5 Blitzkrieg played out quite differently against the French in 1940 and the Russians in 1941, and even the disaster of 1940 had as much to do with intelligence failures and bad luck on the battlefield as bad doctrine. By late 1944, moreover, the Nazi masters of blitzkrieg had resorted to static defenses along the very same Maginot Line to counter the Allied advance.6 In a violent political contest between determined adversaries, there are no technological silver bullets or vouchsafed doctrines for their use. The dialectical logic of strategy has a way of undermining simple extrapolations of any one factor. Why should the internet be any different?Kello reviews many of the supposedly revolutionary properties of cyberspace, such as the potency of virtual weapons to cause physical or economic harm, their unpredictability and undetectability, their wide affordability, and the high costs of cyber defense. Each of these claims can be disputed. If, for example, cyberspace is so offense dominant, then where are all the major cyberattacks? Indeed, there is only one known historical case of cyberattack that has damaged physical infrastructure: the Stuxnet attack on Iranian enrichment infrastructure discovered in late 2010. Kello describes this as “a case cherished by skeptics who challenge the common wisdom of offense dominance [in cyberspace]” (p. 30), even as he elsewhere cites Stuxnet as evidence for the cyber revolution (pp. 14, 19–20, 27–28). As one of said skeptics, I point out that “the [George W.] Bush administration reportedly authorized $300 million for ‘joint covert projects’ aimed at Iran's nuclear program … [yet] this pricetag … does not include the substantial infrastructure, expertise, and experience already paid for and embodied in agencies like the NSA, CIA, and Mossad.”7 There is little to suggest that the Iranians paid anything like, as Kello writes, the “enormous costs of defense against a cyberattack” (p. 27), and they seemed to have neglected numerous cheap and easy prophylactic measures, instead relying on default passwords and failing to patch publicly known vulnerabilities exploited by Stuxnet (in addition to its “zero days”). Once Stuxnet was discovered, moreover, Iran paid nothing for all of the free expertise and patches it received from the global open-source cybersecurity community. Far more importantly, the years of planning and reconnaissance that preceded the attack on Natanz, and the restraint shown in the design of the attack payload (which merely degraded enrichment efficiency rather than caused a catastrophic breakdown), suggests that American and Israeli planners were quite concerned about getting caught by Iranian defenses, such as they were. Kello writes, “Stealth was a genial feature of this multistage operation” (p. 28), but stealth also bounded the ambitions of the attack, which relied on secrecy to accomplish anything at all. Sensitivity to compromise is a common limitation of any covert action, cyber or otherwise. There is nothing categorically offense dominant about cyberspace.Even if one grants all of Kello's determinist claims about cyber capabilities, there is no reason that they would necessarily be useful for politics. There are myriad ways to cause harm in the world with everyday objects, such as box cutters, yet most of them never come to pass because perpetrators do not benefit from inflicting harm. Box cutters became lethal in the hands of al-Qaida because the terrorists were motivated to cause violence, but we do not need a theory of box cutter warfare to explain why. Terrorists use bombs to terrify, but there is little frightening about internet outages or even temporary drops in the stock market caused by computer glitches, which we have experienced aplenty. More dramatic cyber harm is possible, to be sure, such as the disruption of air traffic control or the release of dangerous chemicals via computer malfunction; most imagined cyber weapons are useless, however, for communicating threats because they depend on secrecy to be effective (and advertised computer vulnerabilities can be readily patched). Surprise attack can be useful for conquest, rather than coercion, but only as long as the attacker is able to exploit the temporary advantages that surprise creates by following through with kinetic attack. Otherwise the cyber sucker punch does not change the balance of power and may even invite retribution. Those who worry about a digital Pearl Harbor would do well to remember Japan's experience after the real Pearl Harbor.Kello counters that “the cyber revolution is influencing the tendencies of anarchical politics, rather than merely altering the strategic dealings of states; that is, the cyber domain exhibits both fundamental and instrumental forms of instability” (p. 39). Thus skeptics ignore “threats that appear to lack an overtly physical character or that do not rise to the level of interstate violence [and thus] are intellectually uninteresting” (p. 11). So what are these perils short of war? Naval blockades and economic sanctions were used to harass countries long before Estonia suffered distributed denial of service attacks on its web servers; yet while these economic harms produce civilian suffering, their political influence has proved more limited. There is no doubt that cyberspace enhances intelligence collection, but espionage is only one of many other inputs into a policy decision or industrial result, not a decisive advantage. Crowds, public fire-brands, and media outlets have been able to agitate noisily for ages, but their ability to influence elites through symbolic demonstration alone is questionable. Terrorism, insurgency, and population targeting have blurred the line between military and civilian affairs ever since Julius Caesar campaigned in Gaul. Kello never clearly spells out just what phenomena between peace and war he is most worried about and why cyberspace somehow makes them more worrisome. Escalation to kinetic warfare via cyberspace simply takes us back to the political question of cui bono.Kello's claim about the dangerous expansion of harms short of war can, in fact, be turned around. Precisely because cybersecurity is not very useful by itself for coercion or conquest, it is more useful for activities that fall well short of war, such as espionage, blockade, piracy, and protest. Cyberspace—or any technological means of influence—does not escape Clausewitzian logic; it is ruthlessly constrained by it. There are many interesting questions about how cyber operations short of war or in time of war might actually be employed, or about the strategic logic that constrains their combination with other forms of power, or the institutional arrangements best suited for their domestic and international management. These outstanding questions do not necessitate a departure from a realist paradigm, however, and they do not compel us to adopt Kello's rhetorical tactics, to which I now turn.Kello accuses security scholars of “theoretical stagnation” (p. 12) and an “unwillingness to break free from their preconceptions as to what constitutes a serious threat” (p. 22). As evidence for the seriousness of the threat, Kello approvingly quotes a number of statesmen, soldiers, and spies. Remarkably, he never takes seriously the possibility that such sources are exaggerating or simply wrong. There are good reasons to expect bureaucratically or industrially motivated threat inflation to increase, even as actual security risks decrease.Far more troublingly, Kello fails to mention literature by scholars who have undertaken serious evaluations of the cyber threat. An empirical study of cyberattacks between rivals from 2001 to 2011 found activity to be regionalized and restrained rather than global and disruptive.8 My study of Stuxnet finds that the facts of this important case actually undermine several key tenets of the cyber revolution thesis.9 Assessment of public response to historical disasters and bombings undermines expectations of panic and instability in the wake of cyberattack.10 Government agencies and the cybersecurity industry are found to have strong incentives to exaggerate cyber threats, using the language of national security rather than, say, public health and safety, industrial policy, or law enforcement.11 Other scholars question the strategic utility of cyber weapons even while envisioning some utility for support to battlefield operations.12 Kello's article even omits scholarship that is sympathetic to his viewpoint yet was published a decade ago,13 to say nothing of more recent academic offerings.14 It is true that “[t]he number of articles in academic international relations journals that focus on security aspects of the cyber revolution is small” (p. 8 n. 5), so it should not have been hard for Kello to adequately review the literature. He argues that scholars must “accept the existence of the cyber peril” or else “articulate theoretical and empirical challenges to the conventional policy wisdom” (p. 9). Yet skeptics have, in fact, done as Kello asks. Florid warnings from self-interested politicians make for poor counterargument. Indeed, Kello's rhetoric has something to offend everyone. He complains that “technologists are unequipped to address” international security because “technical virtuosity is not identical to strategic insight” (p. 16). However, leading computer security experts such as Ross Anderson and Bruce Schneier emphatically stress that security is a matter of political and economic incentives more than engineering design.15 Elsewhere Kello objects to “the overly technical tone” (p. 16 n. 27) of Martin Libicki's work, but in fact Libicki uses strategic and political considerations to debunk technological fears and to advocate for an alternative focus on international standards policy.16 Kello never engages the substance of Libicki's arguments or cites the rest of his substantial and cogent output on the topic.17Furthermore, Kello makes dubious technical claims throughout his article, all the while excoriating scholars for not understanding computers. Why is it that “not all threats propagated through the web can transmit via the internet” (p. 17), when anything that can propagate through the HTTP protocol, which defines the world wide web, can certainly transmit through the internet in principle? Whether a particular web server is connected to the global internet or stranded in Kello's “cyber archipelago” (p. 17) is quite another question. Kello insists that “the interesting segmentation of cyberattack effects lies at the logical, not the physical, boundary of cyberspace” (p. 20), but the distinction of programming semantics from engineering implementation in computer science, or the common vocabulary in a major National Research Council study of cyberattack,18 or the pragmatic value of rules of engagement that distinguish reversible damage to code versus irreversible damage to equipment, all imply that the physical boundary is very important to strategic and pragmatic analysis. Kello discusses Stuxnet's “intrusion into the Natanz PLC” and “six vulnerabilities in the PLC” (p. 27), but the programmable logic controller (PLC) was just one piece of equipment in the larger industrial control system at Natanz, which also included firewalls, Windows servers, operator stations, Siemens software, ersatz Iranian software, and peripherals besides PLCs. The vulnerabilities that facilitated Stuxnet's propagation were emphatically not in the PLCs, but in Windows and Siemens software. Kello's very definition of cyberspace as “all computer systems and networks in existence” (p. 17) omits all the technicians, network operators, vendors, regulators, and institutions that the internet studies field recognizes as essential to the “sociotechnical” fabric of cyberspace.19 So much for “common technical concepts” (p. 17). Even if one accepts the dubious claim that technology determines strategy, Kello's misrepresentation of “the features of the technology and its related phenomena that are most relevant to the field” does little to improve understanding (ibid.).The flaws in Kello's article make it hard to recommend even as representative of the cyber revolution side of the debate.20 Kello's conflation of technological possibility and political consequence hinders rather than helps inquiry into the complex issues that are sure to occupy scholars and practitioners well into the future. Many cybersecurity issues, moreover, will be better addressed in the domain of political economy rather than traditional security (i.e., the governance of internet protocols and international trade policy). Scholars in security studies are not compelled to retool themselves in order to examine various and sundry topics throughout the rest of political science if their main interests lie in the causes and consequences of serious political violence. At the same time, information technologies have long been useful in war and will continue to be indispensible for all types of belligerents. It is possible and desirable to clear away the hype and misconceptions about cybersecurity without dismissing new and interesting problems altogether. Neither Gartzke nor anyone else has yet had the final word on cybersecurity, so there remains much for future articles in IS to explore. Information technology provides new ways and means for actors in anarchy to pursue their interests, and networks may yet catalyze an increase in complexity of their interactions. Nevertheless, technology does not free actors from the political logic of strategy.—Jon R. Lindsay La Jolla, CaliforniaThe cyber revolution will not cease at the frontiers of the international system because theorists want it to. Some aspects of the cyber issue fit the frame of traditional notions of security. Others challenge the conventional models: the expansion of nonphysical threats to national security, the ability of nonstate players to instigate a diplomatic crisis, the erosion of the distinction between local and distant conflict, the deep penetration of the most basic infrastructures by unknown adversaries, and so on.Skeptics dismiss these peculiar features of security in our times. Their main interest is to bring the virtual weapon to the rule of conventional statecraft, a task for which they invoke that unfailing servant of intellectual reactionism in the field of international security studies: Carl von Clausewitz. A finer dean of the school of skepticism does not exist: Clausewitz routinely neglected the important role of technology in his own age.1 It is mistaken to suppose that his concepts can decipher the meaning of this new technology in ours.Jon Lindsay is an adherent of this school. His skepticism has in relation to my article a dual method.2 First, is a substantive challenge: he denies my claim that a revolution in security affairs is taking place. To support this view he invokes an arsenal of familiar concepts, principally, the Clausewitzian philosophical framework of interstate war—conceived for an age in which Thomas de Colmar's Arithmometer symbolized the quintessence of computing ability. Such disagreement is always welcome, for it reflects the heat of controversy that appropriately attaches to the strategic and moral conundrums arising from rapid technological change. Scholarly publications such as International Security will find in these contentions fertile soil for enriching debate.One of Lindsay's substantive criticisms concerns the question of technological determinism: new technology, he argues, does not singly determine strategy; instead, strategy is at least as much a product of “doctrine, organization, and the circumstances of employment.” As a proposition about states’ responses to technological change, the point is unassailable, but as a criticism it falls flat. Mine is not a deterministic view. Recall a central statement of the article: “[M]ore important than the nature of a new weapon are the nature of its possessor and the purposes that instigate its use” (p. 32). In other words, the formation of strategy is an endogenous process shaped and constrained by the political and organizational milieus in which players adopt a new weapon into their arsenals. Take, for example, the advent of mechanized warfare in the early twentieth century. Not the emergence of the tank per se but the strategic ends ascribed to it by Nazi Germany, and, crucially, the inability of French and British military planners to decipher the role of mechanized units in Germany's plan of conquest, produced the fiasco of 1940 (p. 14). So, too, with cyberweapons. The new capability shapes not strategy, but strategic realities. This nuance is simple; its consequences for the debate far-reaching: strategic blunders in the cyber domain can occur not because they are predestined, as Lindsay construes my argument, but because “threats and opportunities arising from a new class of weapon produce pressures to act before the laborious process of strategic adaptation is concluded” (ibid.).Technological revolution, in short, enables but does not foreordain strategic reversals. The contemporary cyber peril derives at least as much from the abiding lag in doctrinal adjustment to new realities as from the virtual weapon's intrinsic character. Readers may note the various references in my study to the multifactorial relationship among new technology, theory, and action, as well as the general caution that conclusions about this relationship are necessarily limited and provisional.Elsewhere, Lindsay continues the Clausewitzian technique that has become commonplace among cyber skeptics: he emphasizes that the new technology is not very useful for interstate coercion and does not alter the means of conquest; consequently, new concepts to analyze it are unnecessary. He makes a bizarre analogy to box-cutters in supporting his point. “Box-cutters became lethal in the hands of al-Qaida [on September 11] because the terrorists were motivated to cause violence,” he writes, “but we do not need a theory of box-cutter warfare to explain why.” The analogy is specious. Enormous civilian aircraft, not utility knives, inflicted mass casualties on September 11. Moreover, the social, economic, and physical consequences of cyberattack are plainly more potent than what is achievable with a blade. These include convulsion of a small nation's financial and government activities (Estonia cyberattack); paralysis of a country's central bank and communications infrastructure (Georgia attack); destruction of hundreds of nuclear centrifuges (Olympic Games operation); and incapacitation of tens of thousands of machines at the world's largest oil firm (Shamoon virus). These cases display an almost sequential accretion of harm that exposes the tenuity of skeptical thinking. Moreover, however alarming, they do not convey the limits of possibility of cyber conflict; scientists widely recognize the potential for graver consequences. The absence of more severe cyberattacks, therefore, does not prove the impotence of the new weapons. It may instead indicate their severity if fear of retaliation and blow-back are restraining factors. To the question: Where are all the catastrophic cyberattacks? The easy and obvious response is: Where are all the nuclear attacks?The trajectory of proven potency, in brief, has few clear limits; one should not seek to impose them on so novel and volatile a capability. We must not be complacent about the cyber phenomenon: it may yet produce devastating surprises. At any rate, physical catastrophe does not exhaust the spectrum of conceivable cyber conflict; although the gravest concern, it may be the least probable danger.Let us grant that—so far—the new capability has produced no fatalities or physical destruction equivalent to war. Concede, further, that weaponized code is an ineffective tool of coercion. There is still the problem of inadvertent cyber conflict. Accidental crises can occur even among rational state adversaries that seek to avert them; even in situations of non-offensive behavior, for example, if one player misinterprets cyber-exploitation as a prelude to attack. But that is not all. There are also the twin dangers of power diffusion and conflict escalation: nonstate actors can inflict alarming harm; they may do so in ways that propel a crisis beyond the ability of governments to control. All future cyber conflict will face this risk that civilian culprits will disturb the fragile political framework of interstate dealings. On this core concern of the article, Lindsay can answer only by conjuring Clausewitz's dictum that events will be “ruthlessly constrained” by state interests. This view ignores salient facts. In Estonia in 2007, the world witnessed the potential for nontraditional players to precipitate a major diplomatic showdown, one involving Russia and NATO's collective defense clause, which Estonian officials considered setting in motion as their essential infrastructures crashed.The cyber revolution's greatest dislocations, in the end, may be felt not in the balance of power but in the balance of players. The diffusion of cyber technology elevates to a higher order of significance what some traditionalists in security studies wish to expel from theoretical existence: the nonstate actor. By conscribing the problem of conflict escalation to state purposes—Clausewitz's holy notion—skeptics omit a central and peculiar feature of the new phenomenon. The cyber arena is an interlocking jigsaw of relations among diverse actors—states, corporations, militant groups, “hacktivists,” lone agents, and so on—in which the disturbance of a single piece can disrupt all others.A second set of challenges in Lindsay's letter is graver: he directs fire at the article's portrayal of existing scholarship and technical correctness. About every critic, a key question is: What drives the objection? Lindsay is more translucent in his methods than his motives; thus I can offer only a conjectural account of his more serious censure: it is a tactic to dispel the cyber danger by discrediting those who would call it real. It incites people to ask: Who else but a misconstruer of the new technology could affirm its transforming potential? The more searching question, however, is: Are we entering an epoch of change in security affairs? It is impossible here to provide a complete response to such criticism. What follows is a basic reply.Lindsay correctly notes that the article does not reference important works about cyber conflict; he denies there is a scholarship gap. For the avoidance of injury: each of the writings he cites makes an important contribution to the political, strategic, or tactical understanding of cyber issues. Yet these works barely (or not at all) integrate the virtual weapon into the theoretical matter of international relations. Therein lies the gap: very little of the prevailing scholarship systematically addresses how cyber activity affects foundational notions such as “anarchy,” “system,” “regimes,” “identity,” and “the balance of power,” which are the prime units of intellectual currency in international relations. Students in other disciplines hopefully will derive insights from my article. Its designated readership, however, is the international relations community, in which the impression exists that to discuss cyber questions is to risk confusion or—worse—boredom.Lindsay questions the observation that technologists are unfit to evaluate core aspects of international security. True, computer specialists have recognized that cybersecurity is not primarily a technical problem, but a challenge to political—even philosophical—understandings. But they frame this problem differently than do political scientists, to whom a technical criterion may not always seem appropriate. Well that such disciplinary divisions exist. So many professions—computer science, engineering, law, economics, political science, and so forth—gather at the congress of cyber studies that a distribution of competencies among them is vital. Interdisciplinarity is not the same as unidisciplinarity: it teaches by synthesis, not assimilation. Each delegation, therefore, must identify its strengths (and limits) and conserve its own conception; other forms are neither superior nor worse, merely different, to be judged according to the standards of their parent disciplines. For international relations scholars, this common form will be our theory—the body of concepts and orderly propositions that select and organize the complex phenomena we study. In this regard, our discipline has yet to fill its presence in the chamber. Evasion of the cyber issue by theorists and analysts only defers difficult questions and produces larger puzzles; hence the need to test our models against it. This crucial assignment belongs to us. We cannot relinquish it to other professions.Finally, Lindsay raises three technical objections. First, he asks: Why is it that not all threats propagating through the web can transmit via the internet? The web is a subset of the internet. Web-based cyberattacks cannot reach computer systems that do not run web servers—even if these systems are joined to the internet via other protocols (e.g., a virtual private network). To hit such targets, an attacker would have to employ an alternative attack mode, which may require a special development effort. In sum, the web is one of only many access vectors for cyberattack, but it is perhaps the most open form of internet connectivity and thus raises important security concerns.3Lindsay's second technical objection concerns the Olympic Games operation against Iran's Natanz nuclear facility. The vulnerabilities exploited by the Stuxnet worm “were emphatically not in the [plant's] PLCs [programmable logic controllers],” Lindsay observes. On pure definitional terms, he is correct, the vulnerabilities resided in the engineering station (i.e., the machines ordinarily used to access and configure PLCs). But that was hardly the point. More important, the engineering station (and its vulnerabilities) represented a weakness in the very design and operation of the PLCs—the manipulation of which was the attackers’ ultimate goal. The industrial controllers relied on it for their proper functioning and proved incapable of detecting or neutralizing threats in it.4 Lindsay's focus on the fine technical argot obscures this important point; it gives the impression the PLCs existed in isolation.Third, Lindsay challenges my study's treatment of cyberspace as all computer systems and networks in existence. He can be excused the desire to contest this definition: the meaning of cyberspace is disputed, as the article notes. It is not axiomatic, therefore, that the notion includes “technicians, network operators, vendors, regulators, and institutions.” If anything, the common working concept leaves out social agents.5 At any rate, there are strong reasons to reject Lindsay's definition. We already possess a suitable term for his expansive notion: “cyber domain,” which encompasses the bevy of human and institutional actors that operate and regulate cyberspace itself. The two notions, it is important to realize, are distinct. Cyberspace is a technical plane comprising machines and networks whose uniform feature is manipulability by code; in contrast, the cyber domain is primarily a political and social plane subject to wholly different interventions and behavioral rules. We require separate concepts to capture their separate essences.Cyber conflict has ceased to be tomorrow and has become today. This makes new demands on security studies scholars: the forces shaping the cyber peril can be reduced only if they are grasped. “The Meaning of the Cyber Revolution” represents an initial attempt to lay out conceptual guideposts for future analysis of the new phenomenon and for a post-Clausewitzian paradigm of security commensurate with it. Few thinkers in our field warn about this danger. Fewer still merge it into theory. The fewest who do both are a battered party; skeptics hurl old concepts at them. Ours is an arguing profession. For an author, instigating such debate in a rising area of study is always welcome. But if disbelievers are to dispose of the cyber revolution, they will have to focus on matters of real substance. Technical and definitional contrivances will not go far.—Lucas Kello Oxford, England
Referência(s)