CAMBRIDGE – Two years ago, a piece of faulty computer code infected Iran’s nuclear program and destroyed many of the centrifuges used to enrich uranium. Some observers declared this apparent sabotage to be the harbinger of a new form of warfare, and United States Secretary of Defense Leon Panetta has warned Americans of the danger of a “cyber Pearl Harbor” attack on the US. But what do we really know about cyber conflict?
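The cyber domain of computers and related electronic activities is a complex, purely man-made environment, and the human adversaries in it are highly intelligent and purposeful. Mountains and oceans are hard to move, but cyberspace can be turned on and off with a switch. Moving electrons across the globe is far cheaper and quicker than moving large ships over long distances.
The costs of developing those vessels – multiple carrier task forces and submarine fleets – create enormous barriers to entry, enabling US naval dominance. But the barriers to entry in the cyber domain are so low that non-state actors and small states can play a significant role at low cost.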
In my book The Future of Power, I argue that the diffusion of power away from governments is one of this century’s great political shifts. Cyberspace is a perfect example. Large countries like the US, Russia, Britain, France, and China have greater capacity than other states and non-state actors to control the sea, air, or space, but it makes little sense to speak of dominance in cyberspace. If anything, dependence on complex cyber systems for support of military and economic activities creates new vulnerabilities in large states that can be exploited by non-state actors.
Four decades ago, the US Department of Defense created the Internet; today, by most accounts, the US remains the leading country in terms of its military and societal use. But greater dependence on networked computers and communication leaves the US more vulnerable to attack than many other countries, and cyberspace has become a major source of insecurity, because, at this stage of technological development, offense prevails over defense there.
The term “cyber attack” covers a wide variety of actions, ranging from simple probes to defacing Web sites, denial of service, espionage, and destruction. Similarly, the term “cyber war” is used loosely to cover a wide range of behaviors, reflecting dictionary definitions of war that range from armed conflict to any hostile contest (for example, “war between the sexes” or “war on drugs”).
At the other extreme, some experts use a narrow definition of cyber war: a “bloodless war” among states that consists solely of electronic conflict in cyberspace. But this avoids the important interconnections between the physical and virtual layers of cyberspace. As the Stuxnet virus that infected Iran’s nuclear program showed, software attacks can have very real physical effects.
A more useful definition of cyber war is hostile action in cyberspace whose effects amplify or are equivalent to major physical violence. In the physical world, governments have a near-monopoly on large-scale use of force, the defender has an intimate knowledge of the terrain, and attacks end because of attrition or exhaustion. Both resources and mobility are costly.
In the cyber world, by contrast, actors are diverse (and sometimes anonymous), physical distance is immaterial, and some forms of offense are cheap. Because the Internet was designed for ease of use rather than security, attackers currently have the advantage over defenders. Technological evolution, including efforts to “reengineer” some systems for greater security, might eventually change that, but, for now, it remains the case. The larger party has limited ability to disarm or destroy the enemy, occupy territory, or use counterforce strategies effectively.
Cyber war, though only incipient at this stage, is the most dramatic of the potential threats. Major states with elaborate technical and human resources could, in principle, create massive disruption and physical destruction through cyber attacks on military and civilian targets. Responses to cyber war include a form of interstate deterrence through denial and entanglement, offensive capabilities, and designs for rapid network and infrastructure recovery if deterrence fails. At some point, it may be possible to reinforce these steps with certain rudimentary norms and arms control, but the world is at an early stage in this process.
If one treats so-called “hacktivism” by ideological groups as mostly a disruptive nuisance at this stage, there remain four major categories of cyber threats to national security, each with a different time horizon: cyber war and economic espionage are largely associated with states, and cyber crime and cyber terrorism are mostly associated with non-state actors. For the US, the highest costs currently stem from espionage and crime, but over the next decade or so, war and terrorism could become greater threats than they are today.
Moreover, as alliances and tactics evolve, the categories may increasingly overlap. In the view of Admiral Mike McConnell, America’s former director of national intelligence, “Sooner or later, terror groups will achieve cyber-sophistication. It’s like nuclear proliferation, only far easier.”
The world is only just beginning to see glimpses of cyber war – in the denial-of-service attacks that accompanied the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges. States have the greatest capabilities, but non-state actors are more likely to initiate a catastrophic attack. A “cyber 9/11” may be more likely than the often-mentioned “cyber Pearl Harbor.” It is time for states to sit down and discuss how to limit this threat to world peace.
Joseph S. Nye, a former US assistant secretary of defense and chairman of the US National Intelligence Council, is a professor at Harvard University and one of the world’s foremost scholars of international relations. He co-founded the important liberal institutionalist approach to international relations, and introduced the idea that states and other international actors possess more or less “soft power.”
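Cyber War and Peace
CAMBRIDGE – Two years ago, a piece of faulty computer code infected Iran’s nuclear program and destroyed many of the centrifuges used for uranium enrichment. Some observers said this apparent sabotage heralded a new form of warfare, and US Secretary of Defense Leon Panetta has warned Americans that they could suffer a “cyber Pearl Harbor” attack. But how much do we really know about cyber conflict?
The cyber domain of computers and related electronic activities is a complex, purely man-made environment, and the human adversaries in it are highly intelligent and purposeful. Mountains and oceans are hard to move, but cyberspace can be turned on and off with a switch. Moving electrons across the globe is far cheaper and quicker than moving large ships over long distances.
The cost of developing the vessels of multiple carrier task forces and submarine fleets creates enormous barriers to entry and ensures US naval dominance. But the barriers to entry in the cyber domain are extremely low, so that even non-state actors and small states can play a significant role at low cost.
In a book titled The Future of Power, I argue that the diffusion of government power is this century’s greatest political shift. Cyberspace is a perfect example. Large countries such as the US, Russia, Britain, France, and China have greater capacity than other states and non-state actors to control the sea, air, or space, but it makes little sense to talk about dominance in cyberspace. If anything, large states’ dependence on complex cyber systems to support military and economic activities has created new vulnerabilities that non-state actors can exploit.
Four decades ago, the US Department of Defense created the Internet; today, by most accounts, the US still leads in the military and societal use of the network. But greater dependence on networked computers and communications leaves the US more vulnerable to attack than many other countries, and cyberspace has become a major source of insecurity, because at the current stage of technological development offense clearly has the advantage over defense.
The term “cyber attack” covers a wide variety of actions, from simple probes, defacing Web sites, and denial of service to espionage and destruction. Similarly, the term “cyber war” is used loosely to refer to a range of behaviors, reflecting dictionary meanings that run from armed conflict to any hostile contest (such as “war between the sexes” or “war on drugs”).
At the other extreme, some experts apply a narrow definition of cyber war: a “bloodless war” between states, confined to electronic conflict in cyberspace. But this sidesteps the important interconnections between the physical and virtual layers of cyberspace. As the Stuxnet virus that infected Iran’s nuclear program showed, software attacks can also have very real physical effects.
A more useful definition of cyber war is hostile action in cyberspace whose effects amplify or are equivalent to serious physical violence. In the real world, governments have a near-monopoly on the large-scale use of force, the defender knows the terrain better, and attacks may end because of attrition or exhaustion. Both resources and mobility are very costly.
By contrast, actors in the cyber world are diverse (and can sometimes take part anonymously), physical distance becomes irrelevant, and some forms of crime cost little. Because the Internet was designed for ease of use rather than security, attackers currently still hold a certain advantage over defenders. Technological progress, including certain “reengineering” efforts to improve system security, may eventually change this, but at least for now it remains the case. The larger party’s ability to disarm or destroy the enemy, occupy territory, or use counterattack strategies effectively is limited.
Cyber war, though only just beginning at this stage, is the most dramatic of the potential threats. Broadly speaking, major states with sophisticated technical and human resources can cause massive disruption and physical destruction through cyber attacks on military and civilian targets. Responses to cyber war include a form of interstate deterrence through denial and entanglement, offensive capabilities, and designs for rapid network and infrastructure recovery if deterrence fails. At some point it may be possible to reinforce these steps with certain basic norms and arms control, but the world is still at an early stage of this process.
If you regard the so-called “hacktivism” of ideological groups as mostly a disruptive nuisance at this stage, there remain four main categories of danger that threaten national security, each with a different time horizon: cyber war and economic espionage are mostly associated with states, while cyber crime and cyber terrorism mostly involve non-state actors. The highest costs for the US currently come from espionage and crime, but over the next decade or so war and terrorism could pose greater threats than they do today.
Moreover, as alliances and tactics evolve, the categories of threat may overlap more and more. In the view of Admiral Mike McConnell, the former US director of national intelligence, “Sooner or later, terror groups will master sophisticated cyber techniques. It is somewhat like nuclear proliferation, only far easier.”
The world is only just beginning to see glimpses of cyber war – in the denial-of-service attacks that accompanied the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges. States have the greatest capabilities, but non-state actors are more likely to launch a catastrophic attack. A “cyber 9/11” is more likely than the often-mentioned “cyber Pearl Harbor.” States should now sit down and discuss how to limit the threat that cyber war poses to world peace.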