Cyber Weapons 4
I’ll take some time to address the points brought up in the previous post, although my remarks will be rather brief, as there are some interesting case studies about which I’ll be posting later today. We’ve presented two different conceptions of the proper usage and development of cyberweapons: one that focuses on strengthening our defensive capabilities, the other that sees value in developing broader offensive cyberweapons. Cyber Weapons 3 made some interesting points, which I’ll address briefly here.
1. We would not learn anything of significance about our own weaknesses through the development of offensive capabilities.
While it is strictly speaking true that the structure of our defenses will not necessarily resemble that of another country or organization, it goes too far to say that there isn’t utility in developing offensive capabilities, even if they are designed to bring down another entity. In the general sense, developing offensive capabilities for other targets gives insight into strategies that might be used to exploit our own weaknesses. While there are obvious differences between sneaking a computer virus into a nuclear enrichment facility in Natanz, Iran, and sneaking spyware onto corporate servers to steal potentially proprietary information, developing our offensive capabilities can certainly lend insight into the strengths and weaknesses of certain malware vectors, for example.
In the particular, although the structural properties of computer networks may vary from target to target, much of the hardware being used today is limited to a very small number of operating systems. Microsoft, unsurprisingly, has the lion’s share of the world’s personal computer market; likewise, Siemens products (like the programmable logic controllers that were the target of Stuxnet and are the target of many corporate espionage viruses) are nearly ubiquitous in infrastructure and manufacturing the world over. While developing offensive capabilities for one target does not necessarily mean an explicit knowledge of how to structure our cyber defense, the degree of transferability of this knowledge is much higher than one would expect.
2. Our focus should be on the attribution of attacks, not on increasing the arsenal of possible responses.
While it is absolutely true that attribution of attacks is of paramount importance in properly responding to cyberattacks on the United States, having a broader arsenal of possible responses to attacks, cyber or physical, allows us more leverage in our diplomatic actions. Israel, for example, has made immense efforts to expand its defense programs on both fronts and historically has not been hesitant to launch unilateral attacks on foreign entities—especially Iran. The recent attacks on the Iranian oil industry “apparently caught its American partners off guard,” despite the overlapping policy goals of both nations. Greater cyber capabilities were instrumental in preventing Israel from taking physical action against Iran in 2009 and 2010, and developing sufficient cyber capabilities such that our allies do not take ill-advised action against their enemies furthers our interest in forestalling unilateral actions that might upset truces and/or negotiations.
While having a more varied offensive arsenal is no guarantee of the preservation of America’s national security interests, increased cyber capability can be a useful tool in leveraging with our allies as well.