Militarizing Cyberspace Will Do More Harm Than Good

By Bruce Schneier
The Irish Times
November 29, 2012

We're in the early years of a cyberwar arms race. It's expensive, it's destabilising and it threatens the very fabric of the internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.

If you read the press and listen to government leaders, we're already in the middle of a cyberwar. By any normal definition of the word 'war', this is ridiculous. But the definition of cyberwar has been expanded to include government-sponsored espionage, potential terrorist attacks in cyberspace, large-scale criminal fraud and even hacker kids attacking government networks and critical infrastructure. This definition is being pushed by the military and government contractors, both of which are gaining power and making money from cyberwar fears.

The main problem is that there are no good definitions of war in cyberspace. Also, we are increasingly seeing war-like tactics used in broader cyber conflicts. Technology is spreading capability, and the same 'weaponry' is being used by everyone, from hackers to criminals to national militaries. It used to be that you could figure out whether you were at war by the weaponry deployed -- but that is no longer the case.

This is important. When you're being attacked, there are a variety of organisations you can call on to defend yourself: the police, the military, whoever does anti-terrorism security in your country, your corporate lawyers.

The legal regime in which that defence operates depends on two things: who's attacking you, and why. Unfortunately, when you're being attacked in cyberspace, the two things you don't know are who's attacking you, and why. That makes defence, and national cyber defence policy, difficult.

The easy reaction is to lump all of these unknown attacks into 'cyberwar'. The corresponding danger is that military problems beg for military solutions.

We're starting to see a power grab in cyberspace by the world's militaries: large-scale monitoring of networks, military control of internet standards, even military takeover of cyberspace.

The debate in the US over an 'internet kill switch' is another example; it's the sort of measure that might be deployed in wartime but makes no sense in peacetime. At the same time, countries are increasingly engaging in offensive actions in cyberspace, with tools such as Ghostnet (China), Stuxnet (US and Israel) and Flame (origin unknown).

A lot of what is being called cyberwar is little more than hacktivism -- what I think of as kids playing politics -- or criminal activity. Yes, it causes damage. Yes, we need to more effectively police cyberspace. But 'police' is the operative word here. These are not threats that require a military response.

Arms races stem from ignorance and fear: ignorance of the other side's capabilities and fear that its capabilities are greater than one's own. Once cyberweapons exist, there will be an impetus to use them. Both Stuxnet and Flame damaged networks other than their intended targets. Any military-inserted back doors in internet systems make us more vulnerable to criminals and hackers.

It is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident. If the target nation retaliates, we could find ourselves in a real cyberwar.

The cyberwar arms race is destabilising. International co-operation and treaties are the only way to reverse this. Banning cyberweapons entirely is a good goal, but almost certainly unachievable.

More likely are treaties that stipulate a no-first-use policy, outlaw unaimed or broadly targeted weapons, and mandate weapons that self-destruct at the end of hostilities. Treaties that restrict tactics and limit stockpiles could be a next step. We could also prohibit cyberattacks against civilian infrastructure; international banking, for example, could be declared off-limits.

Yes, enforcement will be difficult. Remember how easy it was to hide a chemical weapons facility? Hiding a cyberweapons facility will be even easier. But we have learnt a lot from our cold war experience in negotiating nuclear, chemical and biological treaties. The very act of negotiating limits the arms race and paves the way to peace. Even if they're breached, the world is safer because the treaties exist.

There's a common belief within the US military that cyberweapons treaties are not in the nation's best interest: that Americans have a military advantage in cyberspace that it should not squander. That's not true.

The US might have an offensive advantage -- although that's debatable -- but it certainly doesn't have a defensive advantage. More importantly, any heavily networked country such as the US is inherently vulnerable in cyberspace.

Cyberspace threats are real but militarising cyberspace will do more harm than good. The value of a free and open internet is enormous.

earlier essay: When It Comes to Security, We're Back to Feudalism
later essay: Our New Regimes of Trust
categories: Cyberwar and Cyberterrorism, Computer and Information Security, National Security Policy
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..