A moderate and measured take on cyber security is a bit out of place among the recent flood of research and policy positions in the cyber security field. The general tone of the debate suggests that cyber war is here, it is our present, and will be our future. One gets millions of hits if ‘Cyber Pearl Harbor’ is Googled. The basic assumption is that our future military, diplomatic, and conflict history will involve the use of computers as the main avenue of attack and defense. Our perspective challenges this view and does so with the tools of social science, a necessary turn given the general tone of the debate.
In our research we were able to marshal a massive amount of evidence useful in dissecting the actual trends of the cyber battlefield. We demonstrate that while cyber-attacks are increasing in frequency, they are limited in severity, are directly connected to traditional territorial disagreements, and mostly take the shape of espionage campaigns rather than outright warfare. Given this evidence, we question the dynamics of the cyber security debate and offer a countering theory where states are restrained from using cyber actions due to the limited nature of the weapons, the possibility of blowback, the connection between the digital world and civilian infrastructure, and the reality that any cyber weapon launched can be used right back against the attacker. Given all these reasons and our data, we must be skeptical of the tone of the cyber security debate.
Cyber strategies and tactics are like any other technological development. At first it offers immense possibilities and promises to give states an edge, yet the reality is that technological advances rarely change the face of the battlefield, either diplomatic or military. New technologies can be used to defeat specific threats or defenses, such as the tank and the stalemate of the trenches in World War I, but are often limited in other contexts. Tanks need to be supported by infantry and logistical teams constantly supplying gas or towing the machines, limiting their effectiveness and reach. Cyber strategies will be no different; they will be just another piece in the arsenal but not game-changing on their own.
These sorts of claims of revolutionary importance are easy to make, and persuasive given certain examples, but there are always counter examples. For instance, nuclear weapons and the ending of World War II call into question the idea that technology does not change international interactions. Yet, the important point is that no one example or story tells the complete picture – for that we need evidence and data.
This is where our research can make an important and lasting statement. We examine all cyber actions between rival states to understand how this new technology is used by the most disputatious members of the international system. By looking at the complete picture, we get a different view of the evidence and data. No longer does one attack stand out, but the total picture emerges and it is a picture of a restrained international system developing a norm against the use of cyber weaponry.
Social science matters and it is important, and this book really owes an intellectual debt to J. David Singer, who started the effort to quantify war at the University of Michigan with the Correlates of War project. Our project builds on this methodology and uses many of the same coding strategies. We recognize that data is a work in progress and seek to build more and more knowledge through subsequent updates. By gathering the full picture, we can gain the perspective that really matters in these emerging policy debates.
The problem with collecting data where it does not exist already is the obvious trouble that comes with starting such an endeavor. Often it was claimed it would be impossible to collect cyber conflict data, that such data would present a skewed picture of the scope of the field. Yet the theoretical impossibility of collecting data should never be the barrier in starting such an undertaking, the only real barrier should be the literal impossibility of collecting such information. As we went along collecting data we found that official leaks to the media were helpful, but more importantly for the cyber security field was the obvious impetus by cyber security firms to demonstrate their ability to identify attacks and release reports forensically accounting for the process behind the attacks. This sort of information was exactly what we were looking for and it continues to be available to this day as the ultimate calling card to drum up business, to protect companies and states, but also as a source of information in our investigation.
Of course, data is always biased by the person collecting the data and interpreting the evidence. This is also a strength of data: others can come along and use it for their own ends. We are excited about the emerging work that takes our data to build different perspectives. The basic point is that we need to stop engaging important policy questions through prognostication that would be more suitable on a 2 a.m. television advertisement. Political scientists and policy makers should not be fortune tellers who make guesses about the future without reference to what we know now. We have evidence from the recent past and emerging contemporary situations, so let’s use it to engage critical policy questions. That is what we do with our research and I encourage others to not be daunted by the effort required to build a dataset; it is an important step needed for all critical policy questions.
The statement “One gets millions of hits if ‘Cyber Pearl Harbor’ is Googled.” is misleading. One would get “millions” of hits on any three-word phrase. If you enter this phrase enclosed in quotation marks, which means “only return sites where all terms are included”, only 55,000 hits are returned. Even then, a large proportion of the sites are a) different versions of the same site or b) have nothing to do with the phrase as used in the context of this article. Poor journalism.