Cyberspace is rapidly becoming a domain of conflict. Lack of a nuclear-type deterrent and an offense-dominated environment are breeding fear, distrust and over-reaction. Cyberspace is left relatively ungoverned, calling out for a similarly new type of revolution in global e-governance.
It has almost become a cliché to say that more and more of our critical infrastructure systems around the globe are controlled through the Internet which increasingly represents the foundation of practically every service, transaction, communication and exchange required for the steady functioning of the global economy, security and individual well-being.
Network availability, reliability and safety have thus developed into services that we are taking for granted, at a time when a serious incident could have a severe impact as we are going through a critical transition in the global economy and as technological systems represent a progressively more decisive factor underlying future growth, development and security.
The flip side of this remarkable transformation is vulnerability as cyberspace is increasingly being used to steal, spy and wage war. Business leaders, politicians and intelligence services are warning that the Internet has become the gateway for espionage, subversion and warfare: governments are haemorrhaging secrets, individuals are losing privacy, and businesses are losing millions.
The game changers: Estonia and Stuxnet
Until recently, the risks associated with cyberspace have been of commercial and social, but not of political nature. Two factors have changed that: first, the fast-moving convergence of systems on the internet providing plenty of new targets and entry points, and secondly the fact that governments are fast moving into cyberspace, resulting in considerable tensions between international politics and cybersecurity issues.
A first red line was crossed in 2007 when the removal of a Russian war memorial in Estonia caused a row with Russia that ended in a massive Distributed-Denial of Service (DDoS) attack on Estonia’s financial system, paralyzing all major banks as hundreds of websites went offline. Although the Russian government’s responsibility or involvement could never be unequivocally established it was the first time that an entire nation was being targeted by offensive cyber-weaponry.
Another critical milestone came in 2010 when Stuxnet, the first major ‘cybermissile’, targeted the Iranian nuclear enrichment site in Natanz, causing its centrifuges to spin out of control. With an estimated budget of at least $10m to develop such a sophisticated cyberweapon this was not the work of ordinary hackers but clearly a coordinated effort of one or more governments with a critical interest in sabotaging the development of an Iranian nuclear bomb.
Perhaps ironically, just as in August 1945 when the nuclear bomb was invented, an entire new class of weaponry was created with Stuxnet. And as with nuclear weapons, cyberweapons create a highly asymmetric environment as attackers have to hit a target only once to create enormous damage.
The Estonia and Stuxnet incidents indicate that offensive cyberweapons are beginning to outpace defensive cybercapabilities. Today, more than 30 countries are thought to be actively developing offensive cyber weapons.
Meanwhile, defensive efforts of the world’s major cyber powers have also been going on for quite some time. US President Clinton appointed Richard Clark as the country’s cyber tsar in 1996 to look at the protection of critical infrastructure, highlighting its software vulnerability as its systems started going online. Since 2010 the US National Security Agency (NSA) is home to the US Cybercommand, and in his Senate confirmation hearing in June 2011, Defense Secretary Leon Panetta said that a cyberattack would be the next Pearl Harbour for the USA. Indeed, according to the Stockholm International Peace Research Institute (SIPRI) US government offices suffer about 60 million cyberattacks… per day!
A first superpower showdown
In February 2013 the Mandiant Intelligence Center released an explosive report tracing highly sophisticated cyber attacks against some 140 major Western companies to the doorstep of a single building in Shanghai…which also happened to be housing Unit 61398 of China’s Peoples Liberation Army (PLA), a military unit cover designator of a secretive advanced persistent threat unit. Never before had the finger been pointed so publicly and directly at a government involved in industrial espionage, an allegation vigourously denied by the Chinese government.
General Michael Hayden, who presided over the NSA for years, commented about the findings of the report: “I stand back in awe as a professional, at the breadth, depth, sophistication, and persistence of the Chinese espionage effort against the USA. As a professional: it’s awesome. I don’t know how they handle all the data they steal.”
For China, however, growth – and thus stability – is a matter of national security, and many were in fact not surprised about the revelation that the State was so blatantly pursuing industrial espionage for economic purposes. In the US, economic espionage is a crime whilst military espionage is a heroic act. In China, however, the line is not so clear…and in response to US complaints about China’s large-scale industrial cyber espionage China accuses the US of militarizing cyberspace, abusing its right to self-defence – with the continuing and embarrassing revelations of Assange, Snowden, Manning and the like providing plenty of ammunition supporting this accusation.
Conclusion: stumbling towards cyberWW III?
We are standing at a geopolitical turning point as the world’s superpowers are developing a formidable defensive and offensive cyber weaponry that can only be paralleled to the frenetic Cold War military build-up. Cyberspace is indeed an under-debated and underrated arena for potential future conflict between nations and without effective deterrence like a cyber equivalent of the nuclear bomb, an offense-dominated environment, which cyberspace is clearly and rapidly evolving into, will breed fear, distrust and overreaction.
There is an urgent need for improved governance and cooperation in cyber-space, however imperfect global governance efforts often become. There could, for instance, be a sunset clause at the end of each decade, to ensure that renewal and cooperation become embedded into the development of cyber-space going forward. So far however, all efforts to develop treaties or codes of conduct have produced limited results. As a result, a new class of weapons remains at high risk of causing continuously escalating inter-state tensions. More open debate and awareness of these risks may help to push international consensus in the direction of cooperation.
 What is perhaps less known is that Iran may have retaliated to the Stuxnet missile. In August 2012, some 30,000 computers of Saudi Aramco, Saudi Arabia’s national oil and natural gas company, were wiped out in a massive DDoS attack as their files were overwritten with a burning US flag…did Iran sent a message to the US after Stuxnet?