In the coming months, a policy decision will be made on whether a strategic cyber attack will be used against North Korea. The choice of using a cyber attack at that scale, for the first time, is a difficult one to make due to its potential strategic implications.
These implications include potentially losing the ability to use these cyber capabilities in the future, the increasing risk of being the target of such attacks, the beginning of an asymmetrical arms race, and the loss of deterrence. Let's explore each of these considerations.
Cyber attacks directed by policy are not a new phenomenon. Some examples include an attack on a country’s Internet infrastructure (Estonia in 2007), disruption of communication and distribution of propaganda before engagement (Georgia in 2008), as well as election tampering attempts (the 2017 French election). We have also seen limited attacks against critical infrastructure (Ukraine in 2016).
What we haven’t yet seen is a strategic or unlimited engagement against a nation’s critical infrastructure. We did come close though.
In the film Zero Day (on the Stuxnet attack against an Iranian nuclear facility), an anonymous US source stated: “In comparison … Stuxnet was a back alley operation. (Natanz) ... was the plan for a full scale (attack) … with no attribution."
In 2011 the Obama administration intensely debated whether to open the Libya strike with a cyber offensive to disrupt the government’s air-defense system.
With rising international tensions over North Korea’s "nuclear games" and the increasing use of offensive cyber capabilities by various nations to achieve policy goals in general, a debate on such a plan, whether by the United States or one of its allies, could go the other way. This is not to say surgical cyber attacks are not being employed right now. For example, is it possible that three recent launch test failures in North Korea could have been caused by cyber operations?
A decade ago surgical cyber attacks were common, and yet the world at large did not acknowledge the reality of the threat. Hence, it was much easier to succeed in cyber operations. Today, while vulnerability to cyber attacks is still high, defender awareness, and thus attacker costs, are increasing.
When discussing the country-wide impact of devastating cyber attacks, this defender awareness is still relatively theoretical. Many countries around the world are not defended, and those that are defended are struggling with the complexity and scale of the challenge, and the dismissal of the threat by many.
The decision to launch such an attack by a nation will tip their hand and increase their (and others’) cost of success in future operations. Eventually, they risk losing some of these capabilities altogether.
Other potential repercussions are related to advanced nations’ own vulnerabilities. Such an attack may encourage others to develop similar capabilities, leading to an asymmetrical arms race, where less developed nations invest more in developing their own capabilities, and where they can potentially hold a deterrent disproportional to their normal influence.
Further, by the very use of such an action one legitimizes its use by others. International law on cyber attacks is a patchwork of guesswork at best, and is formulated mostly by precedents.
Lastly, once the capabilities are deployed, whatever deterrent their potential use may have originally held is now at risk of dissolving.
On the awareness aspect, the United States is very experienced with the concept of the half-life of such capabilities, having fought to maintain strategic ambiguity around intelligence capabilities for decades, all the way back to the “code wars” in the 70s with encryption. Signals intelligence (SIGINT), for example, has in fact become weaker due to the proliferation of encryption, often requiring the use of more active intelligence gathering means, such as cyber attacks.
While fighting to maintain the half-life is a losing battle once equilibrium is gone, up to that point every day on which the capabilities are secretly held in reserve is valuable.
That is not to say the overall policy decision won't overrule such considerations, but the strategic damage of losing such capabilities (as has been observed following the unveiling of reports of operations such as APT1 and Stuxnet) is not to be dismissed easily.
It is our opinion that the tipping point in threat awareness for strategic cyber attacks has not yet been reached. That said, strategic ambiguity preventing others from developing their own capabilities has long been irrelevant.
However, by the nature of the asymmetry of cyber attacks, establishing a precedent of their actual use will result in such actions becoming more commonplace, will accelerate the evolution of an arms race at the strategic level, as well as encourage smaller threat actors such as organizations and individuals to develop similar capabilities.
It is easy to belittle or ignore the consequences of bits and bytes when considering events of international importance. For example, it is commonplace in cyber security tabletop exercises for decision makers to ignore cyber once a diversion such as a missile or some other kinetic attack is introduced into the game. It is equally commonplace for the misuse of cyber capabilities by officials not to carry personal consequences, as it does with other, equivalent capabilities.
Cyber capabilities are strategic, and need to be treated with the same consequences in mind as when employing any other such capability.