Wednesday, April 11, 2012

Joseph S. Nye: Cyber War and Peace



CAMBRIDGE – Two years ago, a piece of faulty computer code infected Iran’s nuclear program and destroyed many of the centrifuges used to enrich uranium. Some observers declared this apparent sabotage to be the harbinger of a new form of warfare, and United States Secretary of Defense Leon Panetta has warned Americans of the danger of a “cyber Pearl Harbor” attack on the US. But what do we really know about cyber conflict?

The cyber domain of computers and related electronic activities is a complex man-made environment, and human adversaries are purposeful and intelligent. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off by throwing a switch. It is far cheaper and quicker to move electrons across the globe than to move large ships long distances.

The costs of developing those vessels – multiple carrier task forces and submarine fleets – create enormous barriers to entry, enabling US naval dominance. But the barriers to entry in the cyber domain are so low that non-state actors and small states can play a significant role at low cost. 

In my book The Future of Power, I argue that the diffusion of power away from governments is one of this century’s great political shifts. Cyberspace is a perfect example. Large countries like the US, Russia, Britain, France, and China have greater capacity than other states and non-state actors to control the sea, air, or space, but it makes little sense to speak of dominance in cyberspace. If anything, dependence on complex cyber systems for support of military and economic activities creates new vulnerabilities in large states that can be exploited by non-state actors.

Four decades ago, the US Department of Defense created the Internet; today, by most accounts, the US remains the leading country in terms of its military and societal use. But greater dependence on networked computers and communication leaves the US more vulnerable to attack than many other countries, and cyberspace has become a major source of insecurity, because, at this stage of technological development, offense prevails over defense there.

The term “cyber attack” covers a wide variety of actions, ranging from simple probes to defacing Web sites, denial of service, espionage, and destruction. Similarly, the term “cyber war” is used loosely to cover a wide range of behaviors, reflecting dictionary definitions of war that range from armed conflict to any hostile contest (for example, “war between the sexes” or “war on drugs”).

At the other extreme, some experts use a narrow definition of cyber war: a “bloodless war” among states that consists solely of electronic conflict in cyberspace. But this avoids the important interconnections between the physical and virtual layers of cyberspace. As the Stuxnet virus that infected Iran’s nuclear program showed, software attacks can have very real physical effects.

A more useful definition of cyber war is hostile action in cyberspace whose effects amplify or are equivalent to major physical violence. In the physical world, governments have a near-monopoly on large-scale use of force, the defender has an intimate knowledge of the terrain, and attacks end because of attrition or exhaustion. Both resources and mobility are costly.

In the cyber world, by contrast, actors are diverse (and sometimes anonymous), physical distance is immaterial, and some forms of offense are cheap. Because the Internet was designed for ease of use rather than security, attackers currently have the advantage over defenders. Technological evolution, including efforts to “reengineer” some systems for greater security, might eventually change that, but, for now, it remains the case. The larger party has limited ability to disarm or destroy the enemy, occupy territory, or use counterforce strategies effectively.

Cyber war, though only incipient at this stage, is the most dramatic of the potential threats. Major states with elaborate technical and human resources could, in principle, create massive disruption and physical destruction through cyber attacks on military and civilian targets. Responses to cyber war include a form of interstate deterrence through denial and entanglement, offensive capabilities, and designs for rapid network and infrastructure recovery if deterrence fails. At some point, it may be possible to reinforce these steps with certain rudimentary norms and arms control, but the world is at an early stage in this process.

If one treats so-called “hacktivism” by ideological groups as mostly a disruptive nuisance at this stage, there remain four major categories of cyber threats to national security, each with a different time horizon: cyber war and economic espionage are largely associated with states, and cyber crime and cyber terrorism are mostly associated with non-state actors. For the US, the highest costs currently stem from espionage and crime, but over the next decade or so, war and terrorism could become greater threats than they are today. 

Moreover, as alliances and tactics evolve, the categories may increasingly overlap. In the view of Admiral Mike McConnell, America’s former director of national intelligence, “Sooner or later, terror groups will achieve cyber-sophistication. It’s like nuclear proliferation, only far easier.”

The world is only just beginning to see glimpses of cyber war – in the denial-of-service attacks that accompanied the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges. States have the greatest capabilities, but non-state actors are more likely to initiate a catastrophic attack. A “cyber 9/11” may be more likely than the often-mentioned “cyber Pearl Harbor.” It is time for states to sit down and discuss how to limit this threat to world peace.

Joseph S. Nye, a former US assistant secretary of defense and chairman of the US National Intelligence Council, is a professor at Harvard University and one of the world’s foremost scholars of international relations. He co-founded the important liberal institutionalist approach to international relations, and introduced the idea that states and other international actors possess more or less “soft power.”

