Cyber war meets nuclear war

The world is heading into a less rules-based order, in which bad actors will have more influence. Cyber space helps the bad actors to undermine the rules. These bad actors achieve in cyber space what would be too risky in any other space. Cyber is the least rules-based space available, so it naturally favours the vicious over the virtuous, and is riskiest for the most exposed societies – the most developed and open societies.

These questions tend to get answered in fiction, which is problematic. (I always advise students to discount fictional depictions, but I doubt most students sacrifice their popular culture. Theresa May doesn’t: this week she answered a question about what she does to relax, by saying she watches the American TV series “ NCIS,” which helps to explain her feeble engagement with security despite six years as Home Secretary and two years as premier.)

Fiction about cyber risks will leave you between hysteria and complacency, but the dominant tendency is complacency. Make no mistake: at the interstate level, cyber war has been routine for decades, sometimes overlapping conventional kinetic wars. During the invasion of Iraq in 1991 and 2003, the US used malware to disrupt Iraqi communications and energy supplies. In 2009, Russia disrupted Georgian communications during the war over South Ossetia; in 2014, Russia did the same in Ukraine. In 2012, Saudi Arabia accused Iran of cyber sabotage of its state oil company, which was participating in an embargo. In 2013, South Korea blamed North Korea for cyber sabotage of South Korean banks, following international censure of North Korea’s latest nuclear weapons test. In April 2018, Britain and the US accused Russia of cyber attacks on government networks in retaliation for their airstrikes against Syrian chemical weapons sites.

Poor sourcing, superficiality, and haste are persistent problems. Chapter 3 offers no empirical basis for assessing the risks. It has a section entitled “Notable cases from the 1980s to today,” which pass by without application. Consequently, no risk is assessed; and no theory is offered, except the fact that downloading documents on to a USB drive is easier than carrying the equivalent information on paper, and that thefts “may” be directed at plans, procedures, decision-makers, and designs.

Chapter 4 is no better: most of it is a series of anecdotes about how states have disabled each other’s (non-nuclear) systems through cyberspace, but no risk is assessed, and no theory is offered, other than the conclusion “that it is becoming increasingly possible to attack systems, and perhaps nuclear systems, directly through cyber means” (page 84).

Chapter 5 is just platitudinous, asking questions such as “Is there a role for nuclear weapons in deterring cyber threats?” US policy already answers “yes,” with complex legal, theoretical, and practical arguments, but the book under review gives them only a paragraph, reviews no other policy, and concludes one page later (page 107) that “it seems highly likely that the relationship between cyber operations, cyberwarfare, and nuclear weapons will become more acute and more important rather than less.”

A dead giveaway is on page 44, where a paragraph begins: “Although nuclear weapons clearly represent the biggest risks.” The mistake is to reduce risk to the capacity for destruction. In fact, risk is a product of both outcome and probability. Nuclear weapons have the capacity for tremendous destruction, but nuclear explosions are incredibly infrequent. By contrast, cyber attacks are incredibly frequent, such as to be more harmful in aggregate. In 2011, the British government estimated the annual cost of cyber crime at one trillion US dollars.

That’s before we consider unprecedented outcomes (imagine that a remote controller causes toxic changes to drinking water, redirects air traffic control, shuts down energy supplies in mid-winter). Last week, the US Director of National Intelligence said that Russia, China, Iran, and North Korea (in order) are launching daily cyber attacks on America, with a growing chance of a “crippling cyber attack on our critical infrastructure.”

The book’s weakness is on cyber more than nukes. The introduction and first chapter complain frequently that the concept of “cyber” is confused, but doesn’t set its own standard. I thought I had missed the definition, but no definition is indexed. The “concept” of cyber is indexed to the pages I had just read, so I re-read them, but still found no preferred definition. Instead, the section concludes (page 23) that “[t]he conception favoured here is the broad model and an amalgam of the definitions noted above.” That’s not helpful.

Consider the separation between “computer” and “network”: if you disable any of the hardware by which any of your devices could network with any other devices (and you prevent anybody else restoring such connectivity) you would never have another cyber risk. You would have computer risks (such as direct access through a physical interface), but not cyber risks. This distinction is ignored by the book under review, but it matters, such that some governments are operating computers without networks; some governments have even replaced computers with electronic typewriters for the most secret work, so as to be sure that the typing cannot be exposed to cyber.

A human who chooses never to interact with cyber space is not exposed to cyber risks. However, a human without cyber risks could still leak the information that you’ve taken offline. Imagine that the typists reveal the nuclear launch codes that are typed on those electronic typewriters, or the couriers deliver the codes where they shouldn’t. These are not cyber risks, but the outcome is the same whether you intercept the same information on paper or online.

For instance, the taxonomy of cyber activities (page 25) has only four items, each of which in turn is a list of undefined things, whose placement make little sense. For instance, North Korean “vandalism” appears in the first item, but “sabotage” appears in the third item, and “existential attacks” appear in the fourth item. These four items don’t come from any standard: they are cited to newspaper articles. You don’t need an obscure or complicated standard to be more helpful. For instance, the US Department of Justice categorizes five malicious cyber activities (hacktivism; crime; espionage; terrorism; war), but it doesn’t appear in the book.

The chapters on nukes are more informed but also explode with unhelpful taxonomies. The second chapter answers its titular question (“How and why might nuclear systems be vulnerable?”) by differentiating “negative control” from “positive control,” which are useful in the practice of controlled experiments but useless in the theory of nuclear vulnerability. In chapter 2, “positive control” is interpreted as a lot of things that are essentially either protective or sustaining, whereas “negative control” is protective, but protective against certain things or in certain ways that “positive control” is not, for no discernible reason. In whole or part, this section is too confusing to expose to students or policy-makers. Worse, the table (page 39) that is supposed to summarize the text doesn’t match the text; and its rows have no key.