27 August 2020

Dismissing Cyber Catastrophe


A catastrophic cyberattack was first predicted in the mid-1990s. Since then, predictions of a catastrophe have appeared regularly and have entered the popular consciousness. As a trope, a cyber catastrophe captures our imagination, but as analysis, it remains entirely imaginary and is of dubious value as a basis for policymaking. There has never been a catastrophic cyberattack.

To qualify as a catastrophe, an event must produce damaging mass effect, including casualties and destruction. The fires that swept across California last summer were a catastrophe. Covid-19 has been a catastrophe, especially in countries with inadequate responses. With man-made actions, however, a catastrophe is harder to produce than it may seem, and for cyberattacks a catastrophe requires organizational and technical skills most actors still do not possess. It requires planning, reconnaissance to find vulnerabilities, and then acquiring or building attack tools—things that require resources and experience. To achieve mass effect, either a few central targets (like an electrical grid) need to be hit or multiple targets would have to be hit simultaneously (as is the case with urban water systems), something that is itself an operational challenge.

It is easier to imagine a catastrophe than to produce it. The 2003 East Coast blackout is the archetype for an attack on the U.S. electrical grid. No one died in this blackout, and services were restored in a few days. As electric production is digitized, vulnerability increases, but many electrical companies have made cybersecurity a priority. Similarly, at water treatment plants, the chemicals used to purify water are controlled in ways that make mass releases difficult. In any case, it would take a massive amount of chemicals to poison large rivers or lakes, more than most companies keep on hand, and any release would quickly be diluted.


More importantly, there are powerful strategic constraints on those who have the ability to launch catastrophe attacks. We have more than two decades of experience with the use of cyber techniques and operations for coercive and criminal purposes and have a clear understanding of motives, capabilities, and intentions. We can be guided by the methods of the Strategic Bombing Survey, which used interviews and observation (rather than hypotheses) to determine effect. These methods apply equally to cyberattacks. The conclusions we can draw from this are:

Nonstate actors and most states lack the capability to launch attacks that cause physical damage at any level, much less a catastrophe. There have been regular predictions every year for over a decade that nonstate actors will acquire these high-end cyber capabilities in two or three years in what has become a cycle of repetition. The monetary return is negligible, which dissuades the skilled cybercriminals (mostly Russian speaking) who might have the necessary skills. One mystery is why these groups have not been used as mercenaries, and this may reflect either a degree of control by the Russian state (if it has forbidden mercenary acts) or a degree of caution by criminals.

There is enough uncertainty among potential attackers about the United States’ ability to attribute that they are unwilling to risk massive retaliation in response to a catastrophic attack. (They are perfectly willing to take the risk of attribution for espionage and coercive cyber actions.)

No one has ever died from a cyberattack, and only a handful of these attacks have produced physical damage. A cyberattack is not a nuclear weapon, and it is intellectually lazy to equate them to nuclear weapons. Using a tactical nuclear weapon against an urban center would produce several hundred thousand casualties, while a strategic nuclear exchange would cause tens of millions of casualties and immense physical destruction. These are catastrophes that some hack cannot duplicate. The shadow of nuclear war distorts discussion of cyber warfare.

State use of cyber operations is consistent with their broad national strategies and interests. Their primary emphasis is on espionage and political coercion. The United States has opponents and is in conflict with them, but they have no interest in launching a catastrophic cyberattack since it would certainly produce an equally catastrophic retaliation. Their goal is to stay below the “use-of-force” threshold and undertake damaging cyber actions against the United States, not start a war.

This has implications for the discussion of inadvertent escalation, something that has also never occurred. The concern over escalation deserves a longer discussion, as there are both technological and strategic constraints that shape and limit risk in cyber operations, and the absence of inadvertent escalation suggests a high degree of control for cyber capabilities by advanced states. Attackers, particularly among the United States’ major opponents for whom cyber is just one of the tools for confrontation, seek to avoid actions that could trigger escalation.

The United States has two opponents (China and Russia) who are capable of damaging cyberattacks. Russia has demonstrated its attack skills on the Ukrainian power grid, but neither Russia nor China would be well served by a similar attack on the United States. Iran is improving and may reach the point where it could use cyberattacks to cause major damage, but it would only do so when it has decided to engage in a major armed conflict with the United States. Iran might attack targets outside the United States and its allies with less risk and continues to experiment with cyberattacks against Israeli critical infrastructure. North Korea has not yet developed this kind of capability.

One major failing of catastrophe scenarios is that they discount the robustness and resilience of modern economies. These economies present multiple targets and configurations; they are harder to damage through cyberattack than they look, given the growing (albeit incomplete) attention to cybersecurity; and experience shows that people compensate for damage and quickly repair or rebuild. This was one of the counterintuitive lessons of the Strategic Bombing Survey. Pre-war planning assumed that civilian morale and production would crumple under aerial bombardment. In fact, the opposite occurred. Resistance hardened and production was restored.1

This is a short overview of why catastrophe is unlikely. Several longer CSIS reports go into the reasons in some detail. Past performance may not necessarily predict the future, but after 25 years without a single catastrophic cyberattack, we should invoke the concept cautiously, if at all. Why then, it is raised so often?

Some of the explanation for the emphasis on cyber catastrophe is hortatory. When the author of one of the first reports (in the 1990s) to sound the alarm over cyber catastrophe was asked later why he had warned of a cyber Pearl Harbor when it was clear this was not going to happen, his reply was that he hoped to scare people into action. "Catastrophe is nigh; we must act" was possibly a reasonable strategy 22 years ago, but no longer.

The resilience of historical events to remain culturally significant must be taken into account for an objective assessment of cyber warfare, and this will require the United States to discard some hypothetical scenarios. The long experience of living under the shadow of nuclear annihilation still shapes American thinking and conditions the United States to expect extreme outcomes. American thinking is also shaped by the experience of 9/11, a wrenching attack that caught the United States by surprise. Fears of another 9/11 reinforce the memory of nuclear war in driving the catastrophe trope, but when applied to cyberattack, these scenarios do not track with operational requirements or the nature of opponent strategy and planning. The contours of cyber warfare are emerging, but they are not always what we discuss. Better policy will require greater objectivity.

James Andrew Lewis is a senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2020 by the Center for Strategic and International Studies. All rights reserved.

1 An excellent discussion of this can be found in Stephen McFarland and Wesley Phillips Newton’s To Command the Sky: The Battle for Air Superiority over Germany, 1942-1944 (University of Alabama Press, 1991). See in particular page 245.

No comments: