16 September 2022

THE INSIDIOUS POLITICAL CONSEQUENCES OF CYBERATTACKS

RYAN SHANDLER, GAL DOR, AND DAPHNA CANETTI

In the summer of 2022, the FBI proudly announced that it had thwarted a cyberattack against a hospital in Boston. The announcement was a cause for celebration. The attack had failed to elicit any meaningful consequences. Equipment and networks were not damaged. Neither health data nor funds were stolen. Lives were not lost. By every metric, the attack caused no damage. Or so it seemed.

Like a predictable twist in an action movie, the real danger remained unseen. A fixation on a subset of high-visibility consequences—degraded hardware, pilfered funds, stolen data, and fatalities—obscured a more insidious threat. If you look beyond the first-order consequences, the hidden threat of cyberattacks is that they can undermine societal cohesion, diminish trust in government, traumatize the public, and encourage violent and isolationist worldviews. Even with the strongest cybersecurity software, democratic societies remain vulnerable.

Our research group has been exploring the subtle political effects of cyberattacks by running dozens of experiments that directly expose people to cyber operations under strictly controlled settings. The studies involved some 10,000 respondents in four countries—the US, England, Israel, and Germany.

In one study, we surveyed the public after a seemingly “failed” ransomware attack on a Dusseldorf hospital in Germany. Similar to the Boston attack, the authorities congratulated themselves on a job well done due to the absence of any lasting physical damage. Yet we found a precipitous and enduring reduction in the public’s trust in government. The authorities’ preoccupation with physical consequences obscured the fact that the attack had provoked a deep anxiety among voters at the authorities’ inability to protect them.

In another study, we ran an experiment that exposed participants to vivid media coverage of cyberattacks against railway services. We discovered that the news reports triggered overwhelming public demands for military retaliation. Even if authorities weren’t certain about the attacker’s identity, the public demanded strikes in an attempt to regain a sense of security.

In still another study that exposed people to frightening cyberattacks by terrorist groups, we tracked how cyber operations raised people’s perceptions of threat to extreme levels. As a result of the threatening environment, respondents agreed to sacrifice a broad swathe of civil liberties in a desperate pursuit of security. A short-term focus on the attack’s immediate effects disguises a subtler outcome: a stark shift in attitudes about surveillance that can upend the delicate balance between liberty and security.

These cases reveal an underlying threat that runs far deeper than any short-term financial or network harm. Even seemingly minor attacks can cause significant consequences by roiling public confidence, spurring demands for retaliation, and upending policy preferences. The cumulative effect of frequent minor attacks can inflame chaos as voters lose faith in the digitally mediated institutions at the heart of modern society. Our findings recur across countries, across partisan lines, and even in the face of seemingly minor cyberattacks. Social upheaval may not be the foremost intent of attackers, but it is certainly the most politically explosive consequence.

Why do cyber operations sway political preferences in such a meaningful way? The answer, we discovered, stems from the deep psychological distress that the attacks arouse. The public view cyber operations as tremendously threatening—more even than COVID-19, Russian militarism, or North Korean nuclear weapons. Cyberattackers are viewed as near-omniscient actors who can seamlessly avoid detection and strike from the shadows. In fact, when collecting cortisol samples after orchestrating exposure to cyber and conventional terrorism, we discovered that cyberattacks elicit physiological stress at levels equivalent to terror attacks that kill scores of innocents.

Everyone responds to threats in their own way, and distinct emotional reactions correspond with different outcomes. One particularly politically potent emotional response is anger. Following cyber operations, people experience a swell of anger—at their perceived impotence, at the inability of the government to protect them, and at the gall of the attackers. Such anger needs an outlet, and we show, through all our studies, that the widespread anger translates to forceful demands for vengeance. Another common response is dread, which undercuts voters’ trust that authorities can protect them. Emotional responses, in short, are the keys to unlocking the political repercussions.

Can cyberattacks manifest such consequential effects among policy officials and trained decision makers? The initial results of our simulations that expose senior decision makers to cyber threats reveal that even with all their training and expertise, experts are still influenced by the erstwhile perception of cyberspace as an irresistible threat. We find that officials are buffeted by biases that prevent them from clearly responding to cyber threats with the strategic restraint that they deserve.

While public attention has been concentrated on exaggerated cyber threats to critical infrastructure, a more insidious and politically consequential threat has emerged. This threat requires both scholars and policymakers to reimagine how they conceptualize the effects of cyber operations. The effectiveness of a cyberattack should be measured not only by its ability to degrade infrastructure and manipulate data, but also by its second-order societal and political consequences. In the aftermath of cyberattacks, we must be sensitive to reductions in societal cohesion, the diminution of public trust in institutions, and the emotional distress experienced by civilians—the forgotten human consequences of cyber warfare.
