Get ready for 'cyber 9/11' or 'cyber Pearl Harbour'

FUTURE WARFARE THREAT: Greater dependence on complex computers and communications leaves many nations vulnerable

TWO years ago, a piece of faulty computer code infected Iran's nuclear programme and destroyed many of the centrifuges used to enrich uranium.  United States Secretary of Defence Leon Panetta has warned Americans of the danger of a "cyber Pearl Harbour" attack on the US.

The cyber domain of computers and related electronic activities is a complex man-made environment, and human adversaries are purposeful and intelligent. Portions of cyberspace can be turned on and off by throwing a switch. It is far cheaper and quicker to move electrons across the globe than to move large ships long distances.

The costs of developing those vessels -- multiple carrier task forces and submarine fleets -- create enormous barriers to entry, enabling US naval dominance. But the barriers to entry in the cyber domain are so low that non-state actors and small states can play a significant role at low cost.

In my book, The Future of Power, I argue that the diffusion of power away from governments is one of this century's great political shifts. Large countries like the US, Russia, Britain, France, and China have greater capacity than other states and non-state actors to control the sea, air or space, but it makes little sense to speak of dominance in cyberspace.

If anything, dependence on complex cyber systems for support of military and economic activities creates new vulnerabilities in large states that can be exploited by non-state actors.

Four decades ago, the US Department of Defence created the Internet; today, by most accounts, the US remains the leading country in terms of its military and societal use. But greater dependence on networked computers and communication leaves the US more vulnerable to attack than many other countries.

Some experts use a narrow definition of cyber war: a "bloodless war" among states that consists solely of electronic conflict in cyberspace. But this avoids the important interconnections between the physical and virtual layers of cyberspace. As the Stuxnet virus that infected Iran's nuclear program showed, software attacks can have very real physical effects.

A more useful definition of cyber war is hostile action in cyberspace whose effects amplify or are equivalent to major physical violence. In the cyber world, actors are diverse (and sometimes anonymous), physical distance is immaterial, and some forms of offence are cheap.

Because the Internet was designed for ease of use rather than security, attackers currently have the advantage over defenders. Technological evolution, including efforts to "reengineer" some systems for greater security, might eventually change that, but, for now, it remains the case.

Cyber war, though only incipient at this stage, is the most dramatic of the potential threats. Major states with elaborate technical and human resources could, in principle, create massive disruption and physical destruction through cyber attacks on military and civilian targets.

Responses to cyber war include a form of interstate deterrence through denial and entanglement, offensive capabilities, and designs for rapid network and infrastructure recovery if deterrence fails. At some point, it may be possible to reinforce these steps with certain rudimentary norms and arms control, but the world is at an early stage in this process.

If one treats so-called "hacktivism" by ideological groups as mostly a disruptive nuisance at this stage, there remain four major categories of cyber threats to national security, each with a different time horizon: cyber war and economic espionage are largely associated with states, and cyber crime and cyber terrorism are mostly associated with non-state actors.

For the US, the highest costs currently stem from espionage and crime, but over the next decade or so, war and terrorism could become greater threats than they are today. Moreover, as alliances and tactics evolve, the categories may increasingly overlap.

In the view of Admiral Mike McConnell, America's former director of national intelligence, "Sooner or later, terror groups will achieve cyber-sophistication. It's like nuclear proliferation, only far easier."

The world is only just beginning to see glimpses of cyber war -- in the denial-of-service attacks that accompanied the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges. States have the greatest capabilities, but non-state actors are more likely to initiate a catastrophic attack.

A "cyber 9/11" may be more likely than the often-mentioned "cyber Pearl Harbour". It is time for states to sit down and discuss how to limit this threat to world peace.