This week we’re heading to Colorado for the Aspen Institute’s annual Aspen Security Forum. I’ll be speaking on a Friday panel entitled “WMD: The Nightmare Scenario,” discussing the application of cyber-attacks against critical infrastructure such as water systems, power plants, the electric grid, and industrial systems such as chemical plants.
Cyberspace is now widely acknowledged as the fifth domain of warfare joining land, sea, air, and outer space. But while cyber warfare is now acknowledged as a serious national security threat, we still don’t think of cyber-attacks in the context of weapons of mass destruction (WMD).
The WMD is a defined term by US Law (18 USC §2332a) and on the FBI web page, it states that the “WMD is often referred to by the collection of modalities that make up the set of weapons: chemical, biological, radiological, nuclear, and explosive (CBRNE). These are weapons that have a relatively large-scale impact on people, property, and/or infrastructure.”
Although a cyber-attack is digital, not physical, it is a threat that could physically harm thousands or tens of thousands of people. It’s likely that we will confront more cyber-attacks than chemical or dirty bomb attacks given the ease of which rogue states and non-state malicious parties can engage and given the difficulty of deterrence.
Results-Centric versus Device-Centric Threats
Physical harm is physical harm, regardless of the attack vector. We must therefore think of WMD in results-centric terms, not device-centric terms.
We saw Stuxnet destroy Iranian centrifuges through an attack on and manipulation of control systems. Such an attack on a water system could lead to the poisoning of a region’s water system very much along the lines of the recent Elk River incident in West Virginia. Physical, life-threatening harm, at scale, should be taken seriously regardless of the attack vector.
Ease of Engagement
Cyber-attacks of any nature are more likely than their chemical, biological, or nuclear peers because the ease of engaging in this kind of conflict makes such clashes more likely.
Earlier this week, I talked about the Cybercrime-as-a-Service Economy that enables “Pay-to-Prey”, the dynamic where the cyber skills available for hire online are allowing any number of criminal groups to get into cybercrime. The fact is the availability of these skills and capabilities for hire is also a dynamic in play in the area of cyber conflict. Smaller players can now wage cyber war with credit cards, a few smart people, some servers and aninternet connection.
And while we have protocols in place to monitor the transfer of nuclear materials and govern the development and use of chemical weapons, there are no such protocols in the case of cyber weapons.
Unreliable Deterrence
Traditional strategies of deterrence don’t apply in cyber. The stock piling of weapons and the threat of retaliation lack their deterrent quality present in other fields of conflict.
In the physical realm, major powers deter attackers by building insurmountable arsenals of bombs, tanks, and battleships. In the digital realm, a cyber-threat used by one is a cyber-threat shared by all. The moment it is used and discovered, it belongs to the digital commons. When nations lack the deterrent advantage stockpiles normally afford, deterrence becomes tricky if not impossible.
Add to this the challenges of attribution. When the power grid goes down, or water systems don’t work as the result of a cyber-attack, it’s hard to prove who did it. This makes it more difficult for nations to retaliate, and without the threat of retaliation, aggressors are less effectively deterred.
Let’s Have the Conversation
If you think of WMD in results-centric terms, the relative ease by which players can engage in cyber-attacks, and the challenges of deterrence in a digital context, you can’t avoid the conclusion that cyber weapons must be very much in the WMD conversation.
The good news is the national security community understands the WMD potential of cyber, and the conversation today is more about agreeing on solutions, partnerships, and contingencies than it is about inevitability and despair.
Public-private partnerships provide the opportunity for targeted organizations to strengthen defenses by learning from each other, including threat intelligence sharing and incentives for stronger defenses.
In my next post, I’ll outline how we can address this digital WMD threat if governments and private sector players take action together in a variety of areas.