Myth No. 1
Cyberwar is overhyped and impossible.
One of the most common myths in cybersecurity is that destructive hacking is a wildly overblown threat, or nearly impossible, or incapable of shaping geopolitical conflicts. The cybersecurity expert Bruce Schneier, for example, has argued that we should eschew the vocabulary of statecraft for “the more measured language of cybercrime” when talking about such attacks. Others love to point out that squirrels cause more blackouts than hackers, suggesting, as the Guardian put it, that “cyberwarfare remains a slightly overblown fear.”
But while some may overstate the risks, careful investigation shows that cyberattacks can be very damaging and are only becoming more so. The Rubicon of cyberattack-caused blackouts was crossed in 2015 and 2016 when Russian hackers turned off the power in parts of Ukraine, with both incidents showcasing code that could do more extensive harm in future operations. NotPetya, another Russian cyberattack, ricocheted around the world in June 2017, bringing major corporations like Maersk to their knees and causing more than $10 billion in damage.
The list of harmful cyberattacks waged for geopolitical reasons goes on and on, from the Stuxnet operation that helped the United States and Israel slow the Iranian nuclear program to North Korea’s attack on Sony Pictures in retaliation for the movie “The Interview,” which damaged 70 percent of Sony’s computing infrastructure, according to one estimate. The majority of major destructive cyberattacks have taken place in the past few years, and with many militaries — led by the United States — racing to develop and integrate their own offensive hacking tools, the trend of geopolitical aggression seems set to grow.
Myth No. 2
Cyberwar is about crashing power grids and airplanes.
Even as some question the very feasibility of cyberwarfare, others insist that it will lead to spectacular catastrophes, an idea that has been around almost as long as the concept of cyberwar itself, with movies like “WarGames” depicting hackers taking the planet to the brink of nuclear conflict. In his book “Cyber War,” former State Department official Richard Clarke depicts a nationwide emergency in which refineries catch fire, classified networks go down, planes plummet from the sky, the financial system dissolves, 157 cities plunge into darkness and thousands of Americans die. Because of scenarios like these, terms like “Cyber Pearl Harbor” and “Cyber 9/11” have been widely used by lawmakers such as then-Sen. Joe Lieberman and top government officials such as then-Defense Secretary Leon Panetta.
In reality, looking for theatrical cyberattacks means missing the ones that matter most. Cyber-engagements between nations are daily competitions in which the United States, Russia, China and others continually struggle for advantage. Much more often than not, they take the form of espionage or information operations. Consider, for example, the extensive Chinese economic and military espionage campaign that has hit thousands of American firms and government agencies, prompting the Defense Science Board to warn that more than two dozen U.S. weapons systems have been compromised. Or take Russia’s activities in 2016. Those hacks did not do physical damage to a single computer yet injected themselves into the core of the American political debate.
Myth No. 3
The purpose of cyberattacks is readily apparent.
During the Cold War, opposing military commanders and national leaders spent decades figuring out how to posture and signal to one another so they could resolve disputes without fighting. In nearly every major depiction of an imagined cyberwar, the purpose of the attacks is obvious and usually involves cowing the United States into concessions. In his book “Glass Houses,” for example, former National Security Agency inspector general Joel Brenner imagines China using a series of devastating cyberattacks to force the United States to back down in a confrontation over Taiwan.
But effective signaling and coercion are a lot harder in cyberspace, and governments seem unwilling or incapable of doing them well. For example, the motivations behind the blackouts in Ukraine are still disputed years later, even though some commentators offer confident interpretations. Competing theories suggest that the attacks were part of Russia’s war against the country but fell short of their potential because of technical errors; “mafioso”-style retaliation for Ukrainians’ physical attacks on power systems in Crimea, a region annexed by Russia; tests of Moscow’s capabilities; or warnings to the United States. The motivations behind other very destructive cyberattacks, like 2017’s NotPetya and WannaCry operations, remain opaque. In still other cases, like Russia’s 2018 operation against the Olympics in South Korea, nations have seemed to try to disguise themselves with false flags — the opposite of clear signaling.
Myth No. 4
Cyberspace is borderless, with no geography.
Cellphone networks and WiFi communications are invisible, and the cloud seems ever-present but also someplace else. Data zips between countries easily, with no passport checks or customs inspection, nor any geographic hurdles. European Union law enforcement training refers to cyberspace as “borderless,” a term also used by senior Indian government officials and various academics. The American academic Anne-Marie Slaughter, a former government official, argues that a digitized world is best thought of as a map “at night, with the lit-up bursts of cities and the dark swaths of wilderness” — but with no borders in sight.
But borders, legal jurisdictions and geography still matter a lot. Under the Foreign Intelligence Surveillance Act, the United States can compel cooperation on national security matters from telecommunications companies that operate within its borders. These companies process a gigantic amount of the world’s data, including data from overseas that only transits through American cables on its way elsewhere, a result of the country’s place on the globe. In addition, under U.S. law, the government can access some foreign intelligence data from Internet companies like Google, Apple and Facebook because they, too, are within American borders. China and Russia also use their sovereignty to study and block Internet traffic as it enters and exits their countries.
Myth No. 5
It’s impossible to know who conducted a cyberattack.
Donald Trump famously said that the Russian election interference in 2016 could have been conducted by the Democratic National Committee, China, a 400-pound hacker, someone in New Jersey or one of the many “people out there.” Attribution — figuring out who is responsible for a cyberattack — is a fraught issue, and many senior government officials and academics have argued that it is impossible or at least very, very difficult. Two well-known cybersecurity experts, P.W. Singer and Allan Friedman, called it “perhaps the most difficult problem.”
In reality, governments like the United States are very good at figuring out who conducted cyberattacks, in part because they use their own hacking capabilities to spy proactively on other nations’ hackers. Even outside of classified settings, there is a robust private sector of industry analysts who study cyberattacks and piece together clues about who perpetrated them and how; examples include studies of Russian information operations, Chinese economic espionage, North Korean bank hacking, Iranian attacks on Middle East rivals, and U.S. espionage and counterterrorism hacking. From these sources, it’s possible to put together clear, convincing and compelling narratives of the past 20 years of cyber-conflict — and to find some great stories of spy vs. spy competition in the digital age.
Correction: An earlier version of this story misidentified the organization for which Joel Brenner, the National Security Agency’s former inspector general, worked.