A recent OECD report [PDF], “Reducing Systemic Cybersecurity Risk,” has concluded, in part, that governments “need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services. In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters.” One would think that the cybersecurity community would welcome such a conclusion. Instead, the report has come under fire.
But why? The reason is that the report’s authors, Peter Sommer and Ian Brown, scholars from the London School of Economics (LSE) and Oxford University, respectively, refused to engage in cyber-doom fear mongering. In the first sentence of their report we find the source of the controversy: “[V]ery few single cyber-related events have the capacity to cause a global shock.” And what do they mean by a “global shock?” They mean something akin to “a further failure of the global financial system, large-scale pandemics, escape of toxic substances resulting in wide-spread long-term pollution, and long-term weather or volcanic conditions inhibiting transport links across key intercontinental routes.” So, think of a global depression, a repeat of the 1918 global flu pandemic that killed 3% of the world’s population, unchecked climate change, a repeat of the Krakatoa or Eyjafjallajökull volcanic eruptions, or even the 2004 Indian Ocean tsunami that killed a quarter million people.
Sommer and Brown’s conclusion? Cyberattack is not likely to cause a global shock on the scale of any of those events, but it is still a serious threat in need of attention by governments worldwide.
For that, Charles Jester of ESET Internet Security accused the report’s authors of being dismissive of cyberwarfare. But it is (or should be) hard to read phrases like “significant and growing risks of localised misery and loss” and conclude that the authors are dismissive. If rejecting the most extreme predictions of cyber-doom can get the work of scholars from prestigious institutions like LSE and Oxford dismissed as being dismissive, then the prospects for a rational discussion of cybersecurity policy seem dim.
The Firewall’s own Jeffrey Carr recently provided his own critical response to Sommer and Brown’s report. I have usually found him a voice of moderation in the ongoing debate about cybersecurity, which is why I was so disappointed with his criticism in this case. Carr’s reading and criticism of the report is unfair and at times internally inconsistent.
One of Carr’s main criticisms is the authors’ focus on what they call “pure” cyberwar and/or single cyberattack incidents. Instead, Carr believes that they should have examined cyberwar as one aspect of “hybrid or multi-modal warfare.” Because they didn’t, he implies that the authors wasted OECD money and didn’t answer the question assigned to them. But it is Carr who seems to have missed the point of their project, which was precisely to assess whether “pure” cyberwar or single cyberattack incidents could cause “global shock” on par with some of the worst man-made and natural disasters that we have witnessed. We already know that a large-scale war, with or without the use of cyberattack, can cause global shock. What we don’t know is whether cyberwar apart from traditional, kinetic conflict, or even a single incident of cyberattack, can cause a “global shock.” Again, the authors’ conclusion is, in a nutshell, “No, but cyber threats are still serious enough to require action.”
But after criticizing Sommer and Brown for focusing only on pure cyberwar, Carr then criticizes them for not taking the prospect of pure cyberwar seriously enough because they concluded that “there is no strategic reason why any aggressor would limit themselves to only one class of weaponry.” In essence, they concluded that pure cyberwar was unlikely because it is more likely that cyberwar would accompany the use of kinetic force. In short, they agreed with Carr(!) that “the evolving nature of cyber warfare” is that “cyber is one component of a kinetic attack” (Carr’s words).
Next, Carr equivocates between the goals of a military operation and the weaponry employed. Quoting Sun Tzu–“The skillful leader subdues the enemy’s troops without any fighting”– Carr argues that
“There are many strategic reasons for achieving the objectives of a war without the enormous costs incurred through massive destruction of the enemy’s infrastructure, work force, and economic base. Operations against an adversary state conducted in cyberspace may be one of the few ways to achieve that goal.”
There are three problems. First, the authors did not say that military leaders would not seek to achieve victory without fighting or at lower cost. They said that military leaders were unlikely to “limit themselves to only one class of weaponry.” For that, Carr “wonder[s] if the authors consulted with any military strategists in writing this report, particularly Western military officers.” But the use of forces by Western militaries in recent conflicts, and by the U.S. in particular, demonstrates that the authors are correct: Instead of seeing a reliance upon the deployment a single, war-winning weapon system, we see the use of multiple systems in combination. From combined arms warfare, to AirLand Battle, to maneuver, to network-centric warfare, this has been the trend.
Second, the promises made by twentieth century airpower theorists should lead us to greet with a healthy dose of skepticism any promise of low-cost, even bloodless victories achieved via the deployment of a single new weapon system. If Western military professionals are tempted to embrace cyberweaponry as a bloodless wonder weapon, then maybe it is they who should consult Sommer and Brown–as well as some history books and perhaps this essay too.
Third, Carr claims that cyberspace-based operations might be able to deliver victory without “massive destruction of the enemy’s infrastructure, work force, and economic base.” But if the massive destruction of infrastructures, lives, and economies delivered from the air in the last century was generally not sufficient on its own to cause adversaries to surrender, it seems doubtful that non-destructive cyberattacks would achieve these elusive results. It also seems that non-destructive cyberattacks would not rise to the level of a “global shock” as defined in by the OECD research project to which Sommer and Brown were contributing.
Finally, after claiming that cyberattacks might allow for achieving victory without massive destruction of infrastructure, Carr nonetheless criticizes Sommer and Brown for concluding that the “potential for global impact” of “large scale failure of electricity supply” is “low.” He writes,
“It made me wonder if the authors had ever personally experienced living in a region without power for two days or more. “Low impact” is not what immediately comes to mind for those times when my neighbors and I have endured that experience.”
I am not sure what horrors Mr. Carr and his neighbors have endured when the lights have gone out, but whatever they were, we need not extrapolate from such a limited set of experiences. A recent history of blackouts written by David Nye, a well respected historian of technology who has written extensively on the history of electrification in the West, generally supports Sommer and Brown’s conclusion. The loss of electricity has not generally resulted in panic, terror, or the collapse of societies or economies. Instead, modern societies have proven time and again to be remarkably resilient in the face of shocks of various kinds, both technological and natural.
Taken together, Jester and Carr’s responses lead one to wonder if it is possible to find a middle ground in this debate, if it is possible to find a rational, reasonable space between head-in-the-sand dismissal of cyber threats on one hand and hysterical doomsday scenarios on the other. In a working paper that I have written for the Mercatus Center at George Mason University, I draw from the history of technology, military history, and disaster sociology to address this issue of cyber-doom scenarios. My own conclusions are in line with those advanced by Sommer and Brown. Though the threat of worst-case cyber-doom scenarios seems exaggerated, policymakers must address very serious cybersecurity risks and critical infrastructure vulnerabilities nonetheless. Our choices are not between preparing for cyber-doom or doing nothing at all. I can only hope that my own work will receive a more generous reading than what Sommer and Brown have received.