Or so argues Erik Gartzke in an article in the newest issue of International Security (temporarily ungated). Over the last several years, both pundits and government officials have argued that the United States is unprotected against a major online attack aimed at taking down key communications systems. Billions of dollars have been spent on securing government and private sector networks. Gartzke is skeptical about the punditry. While he recognizes that many actors have an interest in penetrating U.S. networks to spy or to carry out covert actions, his argument suggests that Pearl Harbor-type cyberattacks don’t happen outside terrible Bruce Willis movies.
Gartzke argues that attackers don’t have much motive to stage a Pearl Harbor-type attack in cyberspace if they aren’t involved in an actual shooting war. It isn’t going to accomplish any very useful goal. Attackers cannot easily use the threat of a cyberattack to blackmail the U.S. (or other states) into doing something they don’t want to do. If they provide enough information to make the threat credible, they instantly make the threat far more difficult to carry out. For example, if an attacker threatens to take down the New York Stock Exchange through a cyberattack, and provides enough information to show that she can indeed carry out this attack, she is also providing enough information for the NYSE and the U.S. government to stop the attack. Cyberattacks usually involve hidden vulnerabilities — if you reveal the vulnerability you are attacking, you probably make it possible for your target to patch the vulnerability. Nor does it make sense to carry out a cyberattack on its own, since the damage done by nearly any plausible cyberattack is likely to be temporary. Cyberattacks disrupt communications and power systems, but they probably cannot take them down permanently.
Where cyberattacks can be very useful is in combination with more traditional physical attacks. For example, if you want to mount a massive airstrike against a target, it is obviously helpful to be able to take out their communications and radar systems. Here, the temporary chaos caused by a cyberattack can allow an attacker to sneak past traditional defenses and do real physical damage. However, this suggests that we are not likely to see large-scale cyberattacks happen outside actual wars. Cyberattacks on their own are likely to annoy and aggravate their targets but not disable them.
Of course, cyberattacks can still be used for specific and limited goals. For example, the so-called Stuxnet/Olympic Games attack on the Iranian nuclear program was apparently mounted jointly by the United States and Israel. However, here too, military force is important. Gartzke argues that one of the reasons that the U.S. and Israel could carry out this attack is that they are militarily powerful in conventional terms, making it unattractive for Iran (or other adversaries) to attack them back directly.
More generally, Gartzke’s arguments imply that cyberwar isn’t a weapon of the weak. Instead, it’s a weapon of the strong — it will be most attractive to those who already have powerful conventional militaries. It works best in conjunction with traditional warfare, or, in a pinch, when deployed by states that no one else dares to attack in retaliation. The conventional wisdom among cybersecurity specialists is that cyberwar upsets the balance of traditional power by making it easier for weak states or non-state actors to deploy powerful attacks against countries such as the U.S. If Gartzke is right, this assumption is completely wrong — cyberwar is likely to strengthen the military predominance of the U.S. and other powerful countries rather than undermine it. Many people are strongly invested in the current wisdom — Gartzke’s piece is likely to stir up quite a bit of debate.