The well-heeled International Institute for Strategic Studies (IISS) just released its report Cyber Capabilities and National Power. IISS put the United States alone in the “Top Tier”—in a class by itself. The United Kingdom and other “Five Eyes” are in Tier Two, along with Russia and China. Japan is in Tier Three, along with Iran, India, and North Korea.
For cyber aficionados in the U.S., this is a feel-good document. Some analysts might even engage in a bit of cyber jingoism a la Albert Von Tilzer’s 1919 hit: “We don’t want to fight but by Jingo if we do, we’ve got the chips, we’ve got the brains, we’ve got the firewall too.”
Should the U.S. rest on its laurels? No. IISS warned that China could “catch up” to the U.S. within ten years. Well, China is always “catching up.” But there’s a bigger problem. We must distinguish between “Cyber Power” and “Cyber Warfare Capability.” One does not lead automatically to the other.
IISS has studied national cyber power along several dimensions such as the intensity of the digital economy, the influence on international cyber public policy, the manufacturing base for information technology. For Cyberwar fighting, the most important factors covered were “cybersecurity and resilience” and “offensive cyber capability.” Here, IISS assessed that Russia and China “have greater experience of achieving strategic effect” using cyber against America. The U.S. is seen as more “constrained” but is believed to have better cyberweapons.
Of course, without engaging in espionage, it is impossible to know the offensive cyber capabilities of the United States. IISS is speculating.
Defense is the problem. IISS does note that “states are developing whole-of-society responses that involve close partnership between the private and public sectors … and between the military and civil sectors.” It rates the U.S. highly, but therein is the error.
For the U.S., this is the Achilles Heel. Imagine an intense conflict in which cyber plays a major part, or even the outbreak of a “cyber-only” war. How would this really work when the Pentagon calls up and starts barking commands to the social media companies or network providers?
Does our federal government have the power to deputize the private cyber industry and turn them into cyber warriors? Since when is the private sector in the habit of taking orders? Will they listen? What if they disagree? And even worse, how would the government even know the details of what to do? It certainly will have conducted cyber espionage outside the U.S., but how would it know the required level of detail to craft a response for the American private sector? Who will pay the bill? What are the liabilities?
There is no such gap between government power and the private sector in Russia or China. If the Kremlin orders a private sector cyber company to do something, they do it. Lawyers are not involved. The same in China, which already has built the Great Firewall, and has CCP members placed in each major company.
Of course, the U.S. would be able to attack. But defend? The U.S. may have strong offensive cyber power, but defensively, it is alarmingly weak. That is the essence of the problem. The advanced technology infrastructure in the U.S. has magnified its vulnerability. And the defense is crucial because cyberweapons are asymmetric in nature—they always are cheaper to produce than to defend against. That perhaps is a paradox of cyberwar; the most advanced are the weakest.
There are slop buckets full of armchair strategists who discount cyber. “It’s not real war.” But it is.
Cyberweapons have crept up on us all. If subjected to a massive surprise attack, the economy would be crippled within minutes. The electrical power grid would go down. Food and energy distribution, as well as other logistics systems, would collapse. There would be chaos and death.
Following the logic of the IISS report leads to fool’s gold. The natural inclination is to keep building up cyber power. In other words, a cyber arms race. And like all arms races, there is no end in sight—the long-term solution: Cyber Arms Control.
But in the meantime, enemies have a cyber “first strike” capability against the U.S. We need the equivalent of a National Civil Cyber Defense Program and an order of magnitude increase in research and development investment for cybersecurity.
• Edward M. Roche was an affiliate researcher at the Columbia Institute for Tele-Information at Columbia Business School and a program evaluator for e-Government and the Internet Governance Forum at the United Nations. He is working on a study of the Cyber Arms Race at the Institute for Cyber Arms Control.