In 1948, Hans Morgenthau wrote that national security depends on the integrity of a nation's borders and its institutions. In that same year, Alan Turing – another giant of the 20th century – left wartime service for the University of Manchester, where he would help design the information technology that would, by the end of the century, call into question the very existence of international borders.
The internet has changed everything, whether you are a student, a spy, or a soldier. Academics instantly search through millions of digitized information resources. Secret agents steal not books, but entire libraries of classified information. And soldiers can destroy physical infrastructure at a keystroke.
Cyber skeptics, many of whom have immaculate technical credentials, have been less good at strategic thinking. They fail to see what computer hacking can do for a Leviathan like the modern nation-state. The potential for information technology is profound – the Estonian "paperless" government leads the world in free Wi-Fi, e-voting, e-finance, e-residency, and end-to-end encryption – but our chief risk arises from a growing dependence upon it.
Allow me to quote the February 2014 U.S. Army Field Manual 3-38: Electromagnetic Cyber Activities: "Offensive cyberspace operations" are designed to "project power by the application of force in or through cyberspace." Cyber electromagnetic activities (CEMA) "provide the commander with capabilities that can be employed to deceive, degrade, disrupt, deny, destroy, or manipulate across the continuum."
The U.S. is the most advanced player in this game, but some other countries are not far behind. The Israel Defense Forcesdescribe cyberspace as a "platform to improve operational effectiveness," where the IDF is "relentlessly … thwarting and disrupting enemy projects … at all fronts and in every kind of conflict." Cyberattacks are "used to maintain Israel’s quality advantage over its enemies" and to "influence public opinion … both during war and peace." I am not sure what more the skeptics want.
And should we be surprised at Russia’s recent cyber activities? In a country where the default remedy for dealing with political dissent is murder, we should not be surprised that most of the countries on the Russian periphery, including Estoniaand Ukraine, have been hit by politically-motivated cyberattacks. And don’t forget that the astronomer who virtually invented the discipline of cyber defense in the 1980s, Cliff Stoll, was chasing Kremlin-sponsored hackers.
The sky is not falling, and teenage hackers will not destroy Western civilization. But that observation misses the point. The danger stems from targeted cyberattacks designed to take down a person, a company, or a government capability – even temporarily – and such computer network operations have already been successful on countless occasions. And today, the stakes are higher than ever, with someone – probably Vladimir Putin – trying to coerce the United States to do something we-don’t-know-what by doxingthe National Security Agencyand trying to manipulate our election by doxing the Democratic Party.
The central challenge is that vulnerable information technology manages all of our critical infrastructures – even our nuclear weaponsprogram. Law enforcement and counterintelligence agencies have a hard time with cyber defense because the internet is a worldwide infrastructure through which hackers can change their attack profile and vector every time. This " attribution problem" creates sovereignty and jurisdictional headaches, diminishes deterrence, and complicates the prospect of cyber arms control. Traditional geopolitical might has not gone away, but there are now digital caveats. And if a nation fails to invest in the internet, its political and military security will erode over time.
Ultimately, solutions will be found through improved international collaboration. Let’s start with technology. Modern computers and cryptographywere born in World War II, when prototype computers such as Colossus and ENIAC received huge Allied military investments. But in the 21
century, no one actually owns or controls the internet. Nearly two hundred governments belong to the International Telecommunication Union, but the ITU has political rifts that make it unsuitable for scientific progress. More effective will be to support groups like the Internet Engineering Task Force(IETF), which publishes the evolving library of technical documents that actually make the internet work.
At the political level, the best places to invest in international cybersecurity are Planet Earth’s strongest political and military alliances: The European Union and NATO. Through the Budapest Convention on Cybercrime, dozens of countries are aligning their legal regimes in ways that will aid joint investigations. In the military sphere, NATO recently announcedthat cyberattacks pose a "clear challenge" to the security of the Alliance and recognized cyberspace as a "domain of operations" similar to land, air, and sea. My guess is that the Allies will soon agree to voluntary limits on digital espionage.
Whatever the skeptics say, the world’s leaders have made their choice. But that is not the end of the discussion. I suspect that the skeptics are not just disbelieving, but also worried about government control. Here, I completely agree with them. The internet is not just an information sharing mechanism; it is also the ideal surveillance tool. It promises e-government and digital society, but in a way that can simultaneously rob citizens of their privacy and freedom. In the Internet of Things, every atom in your body could have an Internet Protocol (IP) address, and eventually, the line between "physical" and "cyber" systems will melt away – which will bring cyber wars into clear human focus.
In the end, I think that the democratic side of the internet is stronger, due to its inherent dynamism and superior strategic depth. But for the moment, cyber wars are all around us. Unknown hackers regularly expose government corruption. Democratic states threaten authoritarian regimes with online anonymity tools like Tor. And militaries prep the battlefieldfor future wars that may never happen. This is why more democratic governments must follow Estonia’s path, and choose to conquer information technology – before it conquers them.
Kenneth Geers (PhD, CISSP) is a senior research scientist at Comodo, a global innovator and developer of cybersecurity solutions. He is also a NATO CCD COE (Cyber Centre) ambassador, a non-resident senior fellow at the Atlantic Council, an affiliate at the Digital Society Institute of Berlin, a visiting professor at Taras Shevchenko National University of Kyiv in Ukraine, and an accomplished author.
Kenneth spent 20 years in the U.S. government, with time in the U.S. Army, NSA, NCIS, and NATO, and was a Senior Global Threat Analyst at FireEye.