The New Cyber Normal

Closing the gap between the ideal of international order and the reality of global chaos

By Scott Malcomson June 21, 2018

Emerging Global Order

The Virtual Weapon and International Order
Lucas Kello
Yale University Press. 319 pp. 2017.

The Cybersecurity Dilemma: Hacking, Trust, and Fear Between Nations
Ben Buchanan
Hurst & Company. 290 pp. 2016.

Cyber Mercenaries: The State, Hackers, and Power
Tim Maurer
Cambridge University Press. 246 pp. 2018.

The cyber wing of the international relations academy, a creature of just the last decade, seems to be undergoing a generational sorting out. The central question is whether cyber — encompassing offensive and defensive practices, weapons development, espionage, and surveillance — is so revolutionary as to necessitate change in existing concepts of conflict. Three new books by young scholars address this question and, while they don’t resolve it, they do show why it is important and (through reporting more than analysis) why it is not going away.

The most Oedipal of the three authors is Lucas Kello, who maintains that the poli-sci establishment is in denial. Cyberwar (or, previously, netwar), information warfare, and electronic warfare were regular preoccupations of military planners in the United States, Russia, China, and elsewhere from the early 1980s. Cyberspace as an anti-state, libertarian utopia ran strongly alongside, though its geography was more limited to the U.S. Yet, as Mary Manjikian wrote in 2010, “despite the Internet’s undeniable presence in contemporary international society, international relations analysts have devoted remarkably little ink to pondering its evolution, its meaning, or its significance.” No less a figure than Harvard’s Joseph Nye gave his measured assessment the same year that, while cyber was significantly transformative, “States will remain the dominant actor on the world stage, but they will find the stage far more crowded and difficult to control.”

By 2012 a brace of scholars began the first great offensive: Thomas Rid with his essay “Cyber War Will Not Take Place,” Brandon Valeriano and Ryan C. Maness with “The Fog of Cyberwar: Why the Threat Doesn’t Live Up to the Hype,” and Erik Gartzke with a mop-up operation in 2013, “The Myth of Cyberwar: Bringing War on the Internet Back Down to Earth.” Valeriano and Maness later summed up the arguments in their 2015 book, Cyber War Versus Cyber Realities: Cyber Conflict in the International System, which included the magnificently weary line: “cyber conflict is pretty much the least a state can do to challenge a rival.”

Kello, on a postdoctoral fellowship at Harvard, hit back in fall 2013 with an essay in International Security, “The Meaning of the Cyber Revolution: Perils to Theory and Statecraft.” His new book, The Virtual Weapon and International Order, is meant to “add new theoretical content to the view — derided by traditionalists — that the contemporary world confronts an enormous cyber danger.” The “cyber revolution,” he writes, “may be the first technological revolution of the first order in the international system.... Vanished is the secure belief in the state as both the supreme source of threats to national security and the supreme protector against them.... Deniers of the revolution are troubled by these incomplete but notable trends of systems change. They are more adept at devising new formulas to mask weaknesses in old concepts than they are proficient at closing the gap between the statist ideal of international order and the fluid reality of global chaos.” He’s not holding back.

Kello’s strongest arguments are that non-state third parties can play a significant role in cyber conflict — leading to a “sovereignty gap” and thus undermining the state-based system and the conventional theories that support it — and that cyber conflict creates a novel condition of chronic confrontation among states, which he calls “unpeace.” Political science has a rich history of semi-successful neologisms, Thomas Schelling’s “compellence” from 1966 being among the better known. (A companion to deterrence, it connotes actions that compel an opponent to give something up.) “Unpeace” may not enjoy wide- spread adoption, but Kello is right to extract cyber conflict from the dyad of cyber peace and cyberwar. Cyber conflict has become an everyday aggression among states, particularly (though not exclusively) larger ones. It might not be “pretty much the least a state can do,” but it is something that states so inclined do constantly.

Leaving aside states’ motivations, the chief reason for this ubiquity is that cyber conflict of the serious kind begins in network intrusions. These can involve finding your way into the network of an actual enemy; they can also involve, as Ben Buchanan astutely points out in The Cybersecurity Dilemma: Hacking, Trust, and Fear Between Nations, infiltrating other, nonthreatening networks to see what your actual enemies are up to next door. Network intrusions are neither offensive nor defensive. They are an exploratory presence that then creates the possibility for offense, defense, or simple information gathering — not least the gathering of information about what cyber capabilities a rival might have and what it might intend to do with them. Network intrusion is, up to a point, like espionage, which is why states are allergic to regulating or even acknowledging it. But unlike most spies, intrusion code is weaponizable, sometimes to devastating effect. Creating and deploying the Stuxnet virus took years and a lot of work; ultimately it succeeded in disabling Iran’s uranium production.

It is worth pausing to consider how deep and wide these network intrusions are and have been for some years. Stuxnet had a successor called Nitro Zeus. “The victims included power plants, transport infrastructure, and air defenses all over Iran,” Buchanan writes. “Planners describe it as the largest combined cyber and kinetic effort the United States — and almost certainly the world — has ever conceived. The plan required extensive unauthorized access to Iranian systems. The United States obtained this access through the efforts of thousands of American military and intelligence community personnel. It invested tens of millions of dollars and intruded into vital networks all across Iran.” The Iran nuclear deal of 2015 put Nitro Zeus on the shelf, though who knows for how long. Buchanan further writes that the U.S. was able (as early as 2007) to infiltrate the Basic Input/Output System (BIOS) that is underneath a computer’s operating system, and even the firmware that runs individual hardware components.

In Cyber Mercenaries: The State, Hackers, and Power — a book about much more than its title suggests — author Tim Maurer quotes the China cyber authority Nigel Inkster’s claim that “more than 80 percent of the industrial control systems in China use foreign technologies, and this use is increasing.” These are very real vulnerabilities, and it would be foolish to imagine the U.S. does not have a share of them too, although the country and its partners (Australia, Canada, New Zealand, the United Kingdom) in the Five Eyes intelligence alliance have, as Maurer shows, the advantage of access to the most basic internet plumbing. Perhaps there hasn’t been a cyberwar yet because there hasn’t been a real war between cyber-competent states. By all accounts, Iran learned fast after Stuxnet. Given the potential of Nitro Zeus, any “kinetic” conflict between the U.S. and Iran might be assumed to have a significant cyber component. This possibility puts the importance of the 2015 agreement in a different light. It is not difficult to imagine the state of unpeace getting even more unpeaceful.

Kello stresses the escalatory potential of cyber: for example, cyber moves interpreted as preparatory to physical war might receive a physical response, which would then cause an escalatory spiral. Since most network intrusions don’t have an intention beyond exploration — the payload, if there is one, would come later — the possibilities for bad strategic decision-making seem infinite. The culminating disaster has been foreshadowed for some time. In 2013 the U.S. Defense Science Board recommended that “existential cyber attacks” be included within the scope of nuclear deterrence policy. A similar assertion in the Trump administration’s draft Nuclear Posture Review made headlines earlier this year. It’s unclear what this amounts to. Existential attacks can be expected to meet existential responses. Meanwhile, other attacks continue, yet it’s hard to say by whom or why, and, as Michael Warner (official historian of U.S. Cyber Command) has written, “every year since 1998, cyber attacks have been misattributed, but so far such mistakes have not caused any wars. One wonders how many years it takes to notice a pattern here.”

Kello also emphasizes the malign power of third parties. Barriers to entry are indeed relatively low. In 1998, during the Iraq war, American military systems came under attack, triggering deep alarm that an enemy state might disrupt U.S. command and control. As it happened, the intruders were three teenagers — two Americans and an Israeli. In 2015 and again in 2016, an intruder breached the email accounts of the director of the CIA, among others; the culprit turned out to be a 15-year-old in Britain. There is never a good time for major militaries to act in a hysterical fashion. That was true before the Internet. Much depends on how you define “third party.” Tim Maurer usefully adopts a broad definition that reaches from snooping teens through terrorists and criminals to state-sponsored cyber militias and private-security contractors, including very large companies like CACI and SAIC. This enables him to construct what amounts to a partial military-industrial sociology of cyberspace. He positions third parties relative to the states that use them, depend on them, and fear them. The analogy is to the mercenaries and condottieri of yesteryear, a comparison that leads him to the intriguing proposition that hackers are most like pirates, in that a state will engage them up until it has built itself a proper navy.

Maurer devotes individual chapters to showcasing his excellent reporting on how major nuclear countries have handled cyber third parties. Iran mobilized the student networks that had been so central to solidifying (and shaping) the 1979 Islamic revolution. Russia and Ukraine made a virtue out of the underemployed surplus of Soviet- trained computer scientists and engineers; these cyber ronin could be pressed into state service when they weren’t financing themselves through cyber crime. Maurer emphasizes the rule that hackers were “free” to hack as long as their victims were located outside the ex-Soviet sphere of the Commonwealth of Independent States. Those who argue that territory is irrelevant to cyber conflict haven’t tried hacking from Russia. Maurer finds a similar dispensation in China. Playing cyber catch-up in the early 2000s, China mobilized a militia tradition that dated back to imperial times. Eventually it brought cyber militias more firmly under state control and imposed draconian penalties on those who dared to hack within China.

Most originally, with creative use of documents released by Edward Snowden, Maurer demonstrates the profound dependence of the U.S. on private players to develop and extend its cyber capabilities. This is often seen as a vindication of American industry and entrepreneurism: our cyber capabilities are better because our tech sector is simply superior to any other. Maurer takes a more comparative view. The vast hinterland of security-related tech firms is the American equivalent of Russia’s weekend-warrior patriotic hackers, Iran’s students, and China’s militias.

The American approach is not without problems. The dominance of the profit motive makes American technologists difficult for governments to hire, retain, and manage. (Government will never be able to outbid private companies for talent.) Snowden himself was a contractor. American tech companies with global ambitions face the challenge of divided loyalties, just as many of their products are dual use. One person’s social network is another’s surveillance apparatus; Client A’s weather satellite is Client B’s targeting system. When representatives of Google, Twitter, and Facebook were asked at a Senate hearing whether or not they were American companies, they didn’t have a very convincing answer. In the latest National Security Strategy, the Trump administration has expressed its desire to corral U.S. tech into an ill-defined National Security Innovation Base, perhaps analogous to China’s declared goal of “civil-military fusion.” Yet to transform Silicon Valley into a club of patriotic hackers would hinder American economic prosperity.

Where this leads is not hard to see, and it doesn’t only concern the U.S. (or China). Australia recently premiered a defense plan that stressed the export of high-tech security capabilities; the domestic market is not big enough for Australia’s ambitions. For now it aims at the Five Eyes markets, but, as Gregory Colton of the Lowy Institute has pointed out, those are already the most competitive tech markets in the world. The likely result will be expansion into nearby Asian markets where Australian companies should have a better chance of success. In order to thrive in a highly technological era, national defense-industrial bases will reach outside the boundaries of their respective states, which places them, willy-nilly, at odds with the priorities of their own defense departments.

Does this mean that existing international-relations models of state conflict need to be revised? Not necessarily. Ben Buchanan writes penetratingly of the “cybersecurity dilemma,” a variation on the classical security dilemma: states cannot be certain of the capabilities or intentions of rivals and so develop counter-forces, which in turn inspire rivals to yet more countering, and so on. This process is the status quo in what mainstream international relations defines as the basic condition of “international anarchy”: a world in which states are the one irreducible unit in the eternal turmoil of interstate competition. “At some point in the future,” Buchanan writes, “cyber operations might be so joined [to traditional military operations] that the cybersecurity dilemma will be so mainstream as to be called just the security dilemma.” That day does not seem far away.