On Tuesday, July 10, the Atlantic Council’s Cyber Statecraft Initiative and the Cyber Conflict Studies Association held another excellent event on “Addressing Cyber Instability“. The event marked the launch of CCSA’s new capstone report, Addressing Cyber Instability, which previews and discusses the CCSA’s upcoming monograph on the subject. The first speaker to discuss the topics covered in the report was James Mulvenon, Chairman of the Cyber Conflict Studies Association and Vice President of Defense Group, Inc.
Mulvenon discussed whether recent developments in cyberspace are pushing us into a new age of national security. It’s always hard to tell when you are on the precipice of a new era, and security and technology thinkers have been hypothesizing on the impact of cyber for years now. The “Richard Clarke” type catastrophe some analysts have been predicting still hasn’t happened, suggesting a possible tacit global deterrence in cyberspace has been maintaining the status quo.
Recently, as General Michael Hayden, former head of the NSA, noted, Stuxnet “crossed the rubicon” as a major, physically destructive cyber attack by a state actor. Mulvenon compared Stuxnet to the nuclear bombing of Hiroshima, not by damage done, but as the first use of a weapon ushering in a new era of warfare. Before Hiroshima, nuclear arms were known to be possible, and had even had limited demonstrations, but only when the United States bombed Japan, showing both a willingness to use nuclear arms and their true destructive potential, did a new age of warfare begin.
Deterrence , norms, and international agreements have prevented nuclear war, but those were developed ad hoc basis during the Cold War. The international community is still trying to arrange similar stability in cyberspace. Mulvenon remarked that cyberspace is naturally unstable and insecure, making this process more difficult. The Internet was built for resilience and convenience, not security, which is therefore not part of the infrastructure. As a result, Mulvenon characterized cyberspace as offensive dominant and with little escalation control in conflict. Information technology also changes rapidly, outpacing the regulatory and legal process. Lastly, there are low barriers to entry, meaning that many non-state actors can become involved in conflict and politics online.
All is not lost, however. Despite claims of a “global commons” and the difficulty of attribution, most of the Internet architecture falls under Westphalian norms. Servers, computers, cables, and networks all have physical locations within a country’s borders. A stable cyberspace is then possible but requires both a national and global cybersecurity strategy based around resilience, as well as an effort to clean up the ecosystem of malicious actors and widespread vulnerabilities. Other speakers and panelists went into more detail as to what that might looks like, which we will cover in later posts about the event and the Cyber Conflict Studies Association monograph.