Cyber disruption is an unpleasant fact, but not the end of the world. But the sort of bad, unexamined and unaccountable thinking our planning involves, presents every risk of making our bullets land in the wrong places, when or if we reach the disaster on which our hawks are so bent.
Seven years ago, the Cato Institute in the US held a conference on dangers to American national security, from nuclear proliferation to terrorism and climate change. It would be fair to say that speakers at the conference were deeply sceptical about whether America was greatly at risk from cyberwarfare. Lest anyone, from ignorance assume that the institute is a typical left-wing think tank, I should add that it is largely funded by the Koch Brothers, and is of libertarian small-government bent.
Those who talked up the threats had plenty of practical and theoretical examples of the risks that cyber-warfare, or cyber-crime posed. There had been attacks on businesses and agencies, hacks by “state players” and by sophisticated independents. Indeed one of those who spoke at the conference, Martin Libicki, the Keyser chair of cyber-security studies at the US Naval Academy, recently remarked that there had been little change in what was happening since the conference. Fresh cases tended to reinforce what many speakers had said seven years ago: “cyberspace is unlikely to be a national security problem. As with much of life, what has started as an acute problem (rare but intolerable) has continued to evolve into a chronic one (common but tolerable).”
There were some new abuses. North Korea had started out using cyber-attacks to destabilise South Korea but later concluded that stealing money produced more tangible results, hence its $US 81 million from the Bank of Bangladesh. China had professionalised its operations into a ministry, trimming its ranks of rogue and noisy hackers. Iran still did mischief, mostly in its region.
“Russia’s hackers, by contrast, which in 2013 were rarely heard from but considered highly talented, are now heard from a lot. Its cyberspace operations in 2016 against the integrity of the US election were politically if not necessarily technically sophisticated…
“Rarely does a newsworthy cyberattack take place without one or more private cyberspace security companies jumping in to let us know which country — and often which group in which country — is responsible. And, while mistakes were made — many operations initially blamed on ISIS, North Korea or Iran were later found to be Russian false flag operations — the notion of impunity through invisibility has seen better days.”
Libiki also demolished the idea that Stuxnet attacks by Israeli and US intelligence on Iran’s uranium centrifuges was an example of success in cyber-warfare. The attacks had failed to impose lasting damage, much less to sabotage, Iran’s nuclear enrichment program, he said.
Some notes from other participants or other commentators:
· Even the idea of cyber-warfare as putting an extra dimension of war has been doubted. Thomas Rid, writing in Foreign Policy magazine in 2012 said that cyber attacks never fitted all three characteristics necessary for an act of war: violence, instrumentality and a political goal. Cyber war had never happened and was unlikely to happen, he thought.
· Several commentators have spoken of the risks of threat inflation, and deliberate attempts to create general alarm about the risks involved. Exaggerating the threat was often used to justify ever-increasing expenditure to counter the risk. In fact a good deal of the “cost” of cyberwar and cyber-crime came from the attempts to protect against it: resources now being used to protect systems against cyber criminals might be better spent finding and arresting them.
· Many assertions of the cost of cyber-crime came from surveys that were poorly designed and likely to be inaccurate. Losses tended to be extremely concentrated, so that surveys were rarely representative. Estimates of losses were usually based on unverified self-reported numbers. Outliers — even single ones — could massively distort estimates, because those using the surveys tended to extrapolate their results across the whole population. Thus if just one person in an American survey of 1000 people estimates losses of $50,000, that is all it takes to generate a $10 billion loss over the population. One unverified claim of $7500 in phishing losses translates into $1.5 billion.
It is not something that will be always resolved by mere public debate. Government, for example, has quarantined defence spending from other cuts to the size of government agencies, and is engaged in unprecedented increases of expenditure, without rigorous analysis. The defence and intelligence establishment have no reason to complain; for politicians the payback is not only a claim of good stewardship of the nation’s safety, but the capacity to accuse the other side of being a risk.
The Director General of ASIO, Mike Burgess, has many irons in the cyber fire, not least from his former role in the Australian Signals Directorate, the establishment of new cyber warfare agencies and systems, largely on his advice, and from the way resources and staff are flooding into the area. Nor is there a steadying hand from the bureaucracy. The head of Home Affairs, Mike Pezzullo, has already cobbled together a security agency of his own (supposedly so as to analyse risks to border security, but with the effect of getting himself a place at the national security table.) He is also putting resources into “coordinating” the activities of ASIO, AFP and cyber agencies in an effort to get just what we do not want — a pre-agreed politically-arrived at decision, with everyone singing from the same song-sheet — rather than genuine debate from players with different responsibilities and perspectives.
The key problem indeed is that none of the big players have much time for dissent, for argument and debate, or the wisdom that comes from critical analysis of a proposition. It’s a formula for stampede at just the wrong moment, for missing signals because everyone wants to avoid duplication, and for ignoring evidence staring at one in the face because it opposes the apocalyptic vision of some player or another.
In the cyber-sphere, this may not matter, whether in regard to defence or crime, as much as its champions claim. Cyber disruption is an unpleasant fact, but not the end of the world. But the sort of bad, unexamined and unaccountable thinking ourplanning involves it involves, presents every risk of making our bullets land in the wrong places, when or if we reach the disaster on which our hawks are so bent.