<p> “This may be the first time,” the president of a small European nation noted to the high-powered assembly, more accustomed to dealing with armies and alliances than with worms and denial-of-service attacks, “but it will not be the last.”<br /><br />Until now, the issue of cybersecurity has largely been the domain of computer geeks. When the internet was created 40 years ago, this small community was like a virtual village of people who knew each other, and they designed a system with little attention to security.<br /><br />Even the commercial web is only two decades old, but as British foreign secretary William Hague reminded the Munich conference: It has exploded from 16 million users in 1995 to more than 1.7 billion users today.<br /><br />This burgeoning interdependence has created great opportunities and great vulnerabilities. Security experts wrestling with cyber-issues are at about the same stage in understanding the implications of this new technology as nuclear experts were in the early years after the first nuclear explosions.<br /><br />Volatile environment<br /><br />The cyber-domain is a volatile manmade environment. As an advisory panel of defence scientists explained, “people built all the pieces,” but “the cyber-universe is complex well beyond anyone’s understanding and exhibits behaviour that no one predicted and sometimes can’t even be explained well.”<br /><br />Unlike atoms, human adversaries are purposeful and intelligent. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off at the click of a mouse. It is cheaper and quicker to move electrons across the globe than to move large ships long distances through the friction of salt water.<br /><br />The costs of developing multiple carrier taskforces and submarine fleets create enormous barriers to entry and make it possible to speak of US naval dominance. In contrast, the barriers to entry in the cyber-domain are so low that nonstate actors and small states can play significant roles at low levels of cost.<br /><br />In my book, ‘The Future of Power,’ I describe diffusion of power away from governments as one of the great power shifts in this century. Cyberspace is a perfect example of the broader trend. The largest powers are unlikely to be able to dominate this domain as much as they have others like sea, air or space.<br /><br />While they have greater resources, they also have greater vulnerabilities, and at this stage, offence dominates defence in cyberspace. The United States, Russia, Britain, France and China have greater capacity than other state and nonstate actors, but it makes little sense to speak of dominance in cyberspace. If anything, dependence on complex cybersystems for support of military and economic activities creates vulnerabilities in large states that can be exploited.<br /><br />There is much loose talk about ‘cyberwar.’ But if we restrict the term to cyber-actions that have effects outside cyberspace that amplify or are equivalent to physical violence, we are only just beginning to see glimpses of cyberwar — for instance in the denial-of-service attacks that accompanied the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges by the Stuxnet worm.<br /><br />If one treats most hacktivism as mostly a nuisance, there are four major categories of cyberthreats to national security, each with a different time horizon and with different (in principle) solutions: 1) cyberwar and 2) economic espionage, both largely associated with states, and 3) cybercrime and 4) cyberterrorism, mostly associated with nonstate actors.<br />Security experts are far from certain what terms such as “offence, defence, deterrence, or the laws of war” mean in the cyber-realm. We are only at the early stages of developing a strategy.</p>
<p> “This may be the first time,” the president of a small European nation noted to the high-powered assembly, more accustomed to dealing with armies and alliances than with worms and denial-of-service attacks, “but it will not be the last.”<br /><br />Until now, the issue of cybersecurity has largely been the domain of computer geeks. When the internet was created 40 years ago, this small community was like a virtual village of people who knew each other, and they designed a system with little attention to security.<br /><br />Even the commercial web is only two decades old, but as British foreign secretary William Hague reminded the Munich conference: It has exploded from 16 million users in 1995 to more than 1.7 billion users today.<br /><br />This burgeoning interdependence has created great opportunities and great vulnerabilities. Security experts wrestling with cyber-issues are at about the same stage in understanding the implications of this new technology as nuclear experts were in the early years after the first nuclear explosions.<br /><br />Volatile environment<br /><br />The cyber-domain is a volatile manmade environment. As an advisory panel of defence scientists explained, “people built all the pieces,” but “the cyber-universe is complex well beyond anyone’s understanding and exhibits behaviour that no one predicted and sometimes can’t even be explained well.”<br /><br />Unlike atoms, human adversaries are purposeful and intelligent. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off at the click of a mouse. It is cheaper and quicker to move electrons across the globe than to move large ships long distances through the friction of salt water.<br /><br />The costs of developing multiple carrier taskforces and submarine fleets create enormous barriers to entry and make it possible to speak of US naval dominance. In contrast, the barriers to entry in the cyber-domain are so low that nonstate actors and small states can play significant roles at low levels of cost.<br /><br />In my book, ‘The Future of Power,’ I describe diffusion of power away from governments as one of the great power shifts in this century. Cyberspace is a perfect example of the broader trend. The largest powers are unlikely to be able to dominate this domain as much as they have others like sea, air or space.<br /><br />While they have greater resources, they also have greater vulnerabilities, and at this stage, offence dominates defence in cyberspace. The United States, Russia, Britain, France and China have greater capacity than other state and nonstate actors, but it makes little sense to speak of dominance in cyberspace. If anything, dependence on complex cybersystems for support of military and economic activities creates vulnerabilities in large states that can be exploited.<br /><br />There is much loose talk about ‘cyberwar.’ But if we restrict the term to cyber-actions that have effects outside cyberspace that amplify or are equivalent to physical violence, we are only just beginning to see glimpses of cyberwar — for instance in the denial-of-service attacks that accompanied the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges by the Stuxnet worm.<br /><br />If one treats most hacktivism as mostly a nuisance, there are four major categories of cyberthreats to national security, each with a different time horizon and with different (in principle) solutions: 1) cyberwar and 2) economic espionage, both largely associated with states, and 3) cybercrime and 4) cyberterrorism, mostly associated with nonstate actors.<br />Security experts are far from certain what terms such as “offence, defence, deterrence, or the laws of war” mean in the cyber-realm. We are only at the early stages of developing a strategy.</p>