Editor’s Note: We are happy to introduce “Agent Provocateur,” a new column by Joshua Rovner (@joshrovner1) on intelligence, strategy, and statecraft.
The novelist Kurt Vonnegut once imagined, in Cat’s Cradle, a fictional substance called “ice-nine” that could turn water into solid ice at room temperature. It was supposed to serve a narrow and practical military purpose: letting land forces cross rivers, streams, and mud by making them solid. But walking on water, a brilliant tactical innovation, had catastrophic potential. If ice-nine could freeze rivers, it could also freeze oceans.
Vonnegut was satirizing the nuclear arms race in the aftermath of the Cuban Missile Crisis, a time when observers were wondering aloud whether states could control their own technologies, or whether their capacity for invention would lead to disaster. Had weapons designed to ensure national security become a risk to the global good?
Today, critics are asking the same question about cyberspace. Over the last two decades, states have developed increasingly sophisticated tools for conducting espionage and sabotage online. Cyber spying allows intelligence agencies to gain information without putting human sources in danger. Offensive cyber operations go further, offering the hope of destroying enemy capabilities without the need for military force. It’s easy to see why these tools are so seductive to policymakers.
The best-known offensive cyber operation remains the Stuxnet attack on Iran’s uranium enrichment facility at Natanz, which began around 2009 and was discovered in 2010. The attack was clever and sophisticated. It caused centrifuges to fail over time by modulating their rotational speed, all the while feeding normal-looking readings to Iranian engineers so the damage went unnoticed. The problem, however, was that the Stuxnet worm did not die at Natanz. It spread well beyond Iran, ultimately infecting roughly 100,000 computers worldwide, most of them in Iran but many in Indonesia, India, and elsewhere. That Stuxnet, a carefully designed cyber weapon that targeted a specific industrial control system at one plant, spread so far suggested to critics that offensive cyber operations are difficult, if not impossible, to control. “We will rue Stuxnet’s cavalier deployment,” warned an observer in the Financial Times.
Such concerns have increased this year (2017), after the WannaCry and NotPetya attacks, which spread worldwide with astonishing speed, propagated using the EternalBlue exploit published by the Shadow Brokers group, a tool that was reportedly stolen from the National Security Agency. At first glance, the attacks appeared to be ransomware designed to force targets to pay to have their machines unlocked, but analysts quickly speculated that some other motive was involved. Indeed, some cybersecurity scholars believe the attacks herald a new era of online political warfare, in which attackers use cyberspace as a domain for breaking up rival alliances and undermining public faith in political institutions.
It’s not an accident that all these incidents allegedly began life as tools developed by the U.S. government at the National Security Agency. Effective cyber capabilities are complex, and building them often requires enormous financial and organizational investment. For a variety of reasons, the United States is in the best position to develop and deploy these tools. This raises the question of whether it should try in the first place. If the United States cannot control its own creations, as critics fear, it may inadvertently cause enormous collateral damage. Organizations like the National Security Agency and U.S. Cyber Command benefit from espionage and offensive cyber operations, but on this view they are likely to hit a lot of unintended targets as well.
The more this happens, the more these operations risk eroding faith in cybersecurity. Ordinary internet users may be less willing to log on. Businesses could be increasingly wary of operating online. Computer scientists and engineers may become less enthusiastic about volunteering their time and expertise to sustain the internet. And if states believe their rivals are actively undermining cybersecurity for their own purposes, they will be less likely to cooperate on shared issues like cybercrime.
Policymakers thus face a dilemma. Should they stay on the offensive in cyberspace, even if it puts everyone’s cybersecurity at risk? Should they pursue parochial national interests like espionage and sabotage at the expense of a global public good?
Answering these questions requires evaluating the effect of cyber shocks. It may be that offensive cyber operations gone awry cause widespread and lasting damage, or create a copycat problem leading to a proliferation of malware from states and criminals alike. Worse yet, revelations of NSA culpability from would-be whistleblowers inspired by Edward Snowden could undermine the transnational trust needed to sustain the global internet. But concerns about the unintended consequences of cyberattacks may be exaggerated, and the effects may be temporary. Novel technologies often create outsize fears. If this is the case, then the policy dilemma is much less stark, and it is possible that the United States can continue to invest in offensive cyber operations without undermining cybersecurity writ large.
In an article in the current Journal of Global Security Studies, computer scientist Tyler Moore and I attempt to assess the risks of offensive cyber operations by looking at the political and technical responses to major incidents. The question is not simply what happens during a cyberattack, but how people and organizations behave in the aftermath.
Our research focused on the fallout from Stuxnet and Snowden, though we could apply the same framework to any major cyber incident. The political response includes the behavior of individual users, firms, and states. Individual internet users, for example, can respond to shocks by sharply reducing their online activities or opting out entirely. Businesses can likewise take steps to reduce their exposure to cyberspace, even if that means sacrificing profit. Finally, states can decide to forgo cooperation and move towards bolstering national intranets at the expense of a global network. Indeed, fears of such “balkanization” have increased over the last several years, as states have spoken more bluntly about protecting their sovereignty over their own little slice of cyberspace. We also discuss the technical effects of cyberattacks by measuring the quality and speed of responses (e.g., how long does it take to get systems back online after a shock?), along with the actions of those charged with maintaining the internet’s infrastructure.
This framework is useful for assessing the effects of well-known attacks like Stuxnet, along with Snowden’s revelations about the scope and complexity of National Security Agency activities. Both cases highlighted the United States’ ability to go on the offensive in cyberspace, but also led to warnings that intelligence agencies were acting in ways that would undermine cybersecurity for everyone. What was particularly noteworthy wasn’t the actual damage caused, but the fear they inspired about the danger of going online.
Surprisingly, we find that the effects of high-profile attacks have been quite limited. In the aftermath of both Stuxnet and the Snowden revelations, users continued to log on in record numbers, and most do not seem to have taken additional steps to reduce their exposure. Although the data are still somewhat patchy (ours run from 2015 to 2016), it appears that only a small minority reduced the scope of their online activities or engaged in self-censorship. Meanwhile, the vast majority continued to communicate, share photos and videos, buy Christmas gifts, and so on. Firms acted similarly, even though business leaders were some of the fiercest critics of the National Security Agency’s actions. Their responses have not been uniform, but the general trend has been continued engagement online combined with increased investment in cyber defenses. Finally, states have not noticeably reduced cooperation with the United States on cybersecurity. This is true of states like India, which was a third-party victim of Stuxnet, along with states like Brazil, whose leaders were allegedly targets of U.S. surveillance. The major exception is China, which suspended nascent cooperative efforts with the United States in 2014. But given the broader turmoil in U.S.-China relations at the time, it’s unclear whether this was a result of either Stuxnet or Snowden.
The technical responses also suggest that the internet is resilient. The frequency, severity, and duration of attacks have not increased in the aftermath of the dual shock of Stuxnet and Snowden. And the broader adoption of measures like encrypted web traffic (HTTPS) suggests the internet’s infrastructure is becoming more robust.
Some caveats are in order, because the data we use to assess the response to Stuxnet and Snowden are immature and incomplete. We will surely learn more, and it is possible that additional information will lead to a different assessment. It is also possible that new kinds of cyberattacks may lead to wider and longer-lasting destruction. Stuxnet, for instance, contained target verification checks so that it would not deliver its destructive payload on the many machines it infected but was not aimed at. NotPetya notably had no such checks, and caused real damage to third-party victims. One reason it propagated so quickly was that, beyond exploiting unpatched machines, it harvested credentials from infected hosts and used them with legitimate administrative tools to move laterally, so that even fully patched machines on the same network were infected and the activity blended in with normal administration. Moreover, NotPetya seems to have been designed to maximize confusion about its origin by raising the specter of states, criminals, and cyber-exploits run amok.
If we learn that consumer, firm, or state behavior changes as a result of generalized fears stemming from NotPetya or its offspring, then we will have more doubts about internet resilience. So far, however, we do not have evidence that this is the case.
The upshot is that it is possible for states to go on the offensive in cyberspace without undermining cybersecurity. Unlike ice-nine, the tools the United States creates to fight in this realm do not appear, at least so far, to be uncontrollable. There may be good reasons to eschew offensive cyber operations, and the United States already has a process to determine whether to act in any specific case, but officials need not be deterred by the fear of extensive and lasting collateral damage.