
Cybersecurity

From pipeline hacks leading to gasoline shortages to disinformation campaigns during elections, cyberattacks are becoming a more frequent source of disruption in people’s lives.

Finding the right responses to these attacks isn’t obvious. Can we take lessons from traditional warfare, or do cyberattacks demand an entirely different response?

How are cyberattacks different from traditional warfare?

It might seem surprising, but traditional warfare has not changed much throughout human history. Of course, the weapons have changed. Swords and arrows have been replaced by tanks and ICBMs. Yet the objectives and strategies of traditional warfare remain consistent.

But cyberwarfare differs from traditional warfare in a few key areas.

First and most importantly, it is rarely kinetic, meaning there is no physical damage one can see. Some of the most successful cyber espionage and cyberwarfare attacks have been clandestine and hidden in their effects. When a targeted network is hacked but its compromised status is unknown, the consequences can be as devastating as a physical attack.

Contrast cyberwarfare’s cloak-and-dagger approach with most traditional warfare: bombing or invading is hard to hide. It is normally quite clear who attacked whom and when. Physical attacks also often have longer warning times. Counterintelligence operations can much more easily identify the physical capacity an adversary might have as opposed to their digital capabilities.

That leads to important differences in how we respond to an attack. When you know who attacked you, you can strike back quickly. But since cyberwarfare is often clandestine, gathering evidence and identifying the attackers isn’t easy, and that means retaliation isn’t always a viable response.

For more, watch “What Makes Cyber Different,” based on research by Amy Zegart:

What do cyberattacks look like?

Since cyberattacks are generally nonkinetic and only require access to software or a connected system, their range of available targets is much wider than that of traditional attacks. That means that instead of states being the primary threat, threats from nonstate actors become more of a possibility. A bad actor in a faraway country, for example, can’t threaten the United States with a conventional attack. But the same person or group may be able to inflict considerable harm on the nation by disrupting networks that control utilities or stealing personal data from sensitive databases.

Unlike traditional warfare, cyberattacks often render the most powerful countries the most susceptible because of the greater connectedness of their societies. Further, more of their critical infrastructure is owned and operated by the private sector. Coordinating cyber defenses among the government and private companies is difficult, so security gaps can arise that are readily exploited by cyberattackers.

Since many targets of cyberattacks are private, or simply nonmilitary, in nature, there are a number of methods that states or individuals can use to wage cyberwarfare. One key component not often appreciated is the use of disinformation campaigns to achieve political goals. Many fake accounts on Twitter, Facebook, and other social-media platforms originate in Russia, China, or other countries whose governments attempt to undermine the legitimacy of American elections.

In “Parrying Putin’s Playbook,” H. R. McMaster explains how Russian president Vladimir Putin has used disinformation campaigns designed to destroy trust in democratic principles, institutions, and processes:

Theft of intellectual property from American businesses is another cyberoperation aimed at degrading our economic competitiveness. Targeting critical systems like financial networks is equally disruptive to civilian life.

For more, watch “How Cyberattacks Threaten Our Security,” featuring the work of Amy Zegart:

How likely are cyberattacks to lead us into war?

Luckily, the damage that cyberattacks have done thus far has not led to immediate or extensive casualties, either in the military or among civilians. As a result, retaliation by states or nonstate actors has not escalated too far. As Jacquelyn Schneider points out, “Cyberattacks create a threshold that restrains escalation. Americans are significantly less likely to support retaliation against a cyberattack, even if it causes as much financial damage as an airstrike.”

What is more likely is that cyberwarfare will be used to complement existing conventional operations. Wide-scale active cyber operations are therefore not likely to be visible to the public unless a much larger conflict is occurring.

Jacquelyn Schneider talks more about how to think about cyberattacks in her Perspectives on Policy video:

How do we defend against cyberattacks?

One might think that the wide variety of public and private targets spread across the country demands a centralized, federal defense against cyberattacks.

Yet as Herb Lin explains in the statement for his congressional testimony, the nature of cyberwarfare is better characterized as “adversarial psychological Internet-based manipulation of the target audience.” Since it is labeled “warfare,” many people assume that all counter-cyberoperations should be headquartered in the Department of Defense (DOD). But Lin argues that DOD is not well positioned to address the threat comprehensively:

At the highest level of abstraction, the reason is that the information warfare threat requires not only a whole-of-government response but rather a whole-of-society response, and DOD—as broad as its legal purview is—cannot orchestrate either one. More specifically, the answer is that DOD is constrained by policy and by culture from doing so effectively.

What about cyberwarfare actions that are militaristic in nature? How best to deter them?

As Jacquelyn Schneider points out, cyber operations are not great at deterring subsequent attacks. That is because “for deterrence to work, there have to be clearly communicated consequences. But virtual attacks often aren’t tangible or permanent. And since they are covert, they are less likely to deter precisely because they are unknown.”

Fortunately, the United States military is developing other methods to deal with big cyber threats. The Department of Defense, for example, has shifted its efforts toward pre-emptively degrading the cyber capabilities of our adversaries.

As both Lin and Schneider point out, there is much more to do in both the private and government sectors. The Department of Defense will continue to prioritize military threats, but the government more widely must work to share information with the private sector about existing threats. And due to the nature of cyberattacks, the public must be better educated about the risk of foreign influence.

Conclusion

Cyberwarfare is early in its development, use, and effectiveness. It will continue to evolve as states and nonstate actors alike develop their capabilities and test their adversaries’ limits, and as international norms are established.

As Jacquelyn Schneider points out in this episode of Office Hours, it won’t always be the case that cyberattacks fail to inflict physical damage:

Further developing private-public partnerships, informing the public of foreign cyber operations aimed at undermining our democratic institutions, and creating preventive military measures to degrade our adversaries’ cyber capabilities are all part of a national cybersecurity strategy.

To learn more, explore the series of discussions “A Decade of US Cyber Strategy: A Hoover Chat Series with Cyber Experts and Defense Leaders.”
