PART I
The Nature
of the Challenge
1
What Exactly Do We Mean
by the Cyber Challenge?
âCYBERâ IS A NEBULOUS and contested concept that means different things to different people. This is a central reason why the cyber debate lacks coherence, and why there is such disagreement about the nature and extent of the cyber challenge and cyber threat. Indeed, it has become commonplace to use the prefix or adjective âcyberâ as a one-size-fits-all descriptor for the challenges posed by the numerous new tools and dynamics associated with computer systems, complex technologies, and the latest information revolution. As a result, it often is not clear what is and is not new, what is at risk, in what ways and to whom when we talk about cyber. At least part of this is because the cyber revolution is âstill incipient,â and because we cannot yet be fully sure with any confidence what it means for theory and practice.1 But a failure to be clear what is meant by the term has often led to overhyping and a general misunderstanding of the cyber challenge, which in turn has made it far harder to devise and agree to a set of responses, frameworks, and protections. This has also left the concept dangerously devoid of strategic meaning, which has meant that âcyberâ is too often used as a catchall that means whatever the user wants (consciously or not).
Despite a tendency for conflation in both the academic literature and policy debates, there are many different types of cyber challengesâsome that are intrinsic and are the product of the emergent digital context, some that involve cyber operations, and some that might even include strategic attacks or cyber weapons. But perhaps the most important distinction when seeking to conceptualize âcyberâ is between the challenges derived from the pervasively computerized global context in which we all live, where complex technology forms an ever-increasing part of everyday life, and those challenges emanating specifically from cyber operations and new methods of exploitation and attack. Cyber threats vary considerably across a cyber spectrumâwhich ranges from the use of capabilities for nuisance, crime, and hacktivism; through espionage; to denial-of-service attacks and the infiltration of systems; to activities that cause damage, involve weapons, or might even be considered warfare. Depending on the use of the term âcyberattack,â it could therefore be argued that nations and critical infrastructure are constantly under attack or that such attacks are a minor concern and are very unlikely to materialize. For example, when Adam Segal warned in 2012 that US nuclear weapons face âup to 10 million significant cyberattacks every day,â this did not necessarily mean defending against millions of versions of Stuxnet, cyber-terrorists trying to cause a nuclear explosion, or some other highly sophisticated piece of malware that could destroy these systems, but rather âautomated bots, constantly scanning for vulnerabilities,â or even just curious, would-be hackers.2 The difference is distinct, and the lack of clarity often drives hyperbole, leads to confusion, and complicates issues of cyber security, cyber defense, and cyberdeterrence. Such semantics also often obfuscate what is new and what is not when we talk about the cyber challenge, and particularly how this emerging suite of new and inchoate dynamics interacts, builds on, or transforms the current nuclear threat landscape. As a result, there is a strong case for treating the cyber challenge as both context as well as a set of new tools, operations, and weapons, and therefore for viewing it as both a societal development and a technological transformation in military operations and international security.
Accordingly, this chapter proceeds in three sections. The first explains the complex and complicated cultural heritage and the etymological development of the âcyberâ concept, and the problems of agreeing on a single definition that this has caused; the second introduces the notion of a cyber threat spectrum and outlines the very different and differentiated nature of the challenge; and the third section looks at the new range of tools, mechanisms, and dynamics that have emerged as part of the transition from an analogue to a digital nuclear world. The conclusion makes the case for treating the cyber challenge as both a context and a set of specific threats, operations, and tools when we assess the challenge posed to the nuclear weapons enterprise and the nuclear order more broadly.
A Complicated Heritage: Genesis and Definition
The complicated and diverse background of âcyberâ is a fundamental reason why its nature and definitionâand, therefore, its implications for security thinking and practiceâremain such a contested subject. This is because cyber challenges are both new and novelâand, broadly viewed as a phenomenon that is synonymous with the digital computer, the internet, and the latest information revolution or ageâand at the same time are the most recent iteration in how information is used, communicated, and stored that can be traced back through history.3 Consequently, it is often difficult to outline exactly what the cyber challenge includes and what is and is not new, issues made even more complicated by the relationship with the Revolution in Military Affairs, electronic warfare (EW), and the broader field of information warfare (IW) or information operations. Thus, there are three often-competing and co-constitutive aspects of how we understand the cyber challenge: (1) the evolution, use, and etymology of the term itself in popular culture; (2) its status as the latest iteration in the role of information in warfare; and (3) its relationship with the broader notions and established traditions of IW and EW. It is this mixed heritage between recognized military traditions, cultural movement, and new societal dynamics that have made âcyberâ such a difficult concept to define, and why the debate on the nature and seriousness of the cyber threat is still opaque, diverse, and divided.
The word âcyberâ began life with nothing to do with computers, hackers, or the internetâor, for that matter, anything to do with warfare. Its etymology can probably be traced back to Ancient Greece and the phrase kybernetesâwhich translates roughly as âhelmsmanâ or âthe art of steering.â4 But the word as we know it did not emerge until the 1940s and the publication of Cybernetics by Norbert Weiner; Cybernetics was the study of the importance of systems in both living beings and artificial machines.5 The term then became popularized in the 1980s as part of the âcyberpunkâ movement (a subgenre of science fiction), and most notably with the novel Neuromancer by the science fiction writer William Gibson.6 Neither of these developments had much to do with security or politics. In fact, âcyberâ did not really become part of the national security lexicon until the 1990s, with the development of SIMNET (the first virtual battlefield) by the US military,7 and the publication of the seminal article âCyberwar Is Coming!â by John Arquilla and David Ronfeldt in 1993.8
âCyberâ and particularly the notion of âcyberwarâ did not start being used within US policymaking circles until about 1995, when an interagency task force investigating the weaknesses of the United Statesâ critical national infrastructure needed a phrase to capture the challenges posed by the new computer vulnerabilities within these systems. According to Fred Kaplan, âcyberâ was the name advocated by Michael Vatis, a Justice Department lawyer in the task force who had just read Neuromancer.9 Since then, âcyberâ has become one of the most utilized words in existence and has emerged as something of a catchall prefix or adjective referring to almost every aspect of modern life. Some estimates suggest that as many as 150 words now contain the prefix or adjective âcyber.â10 It is primarily due to this unusual evolution that the term âcyberâ is often seen as referring to broader societal and even cultural development and the technological transformation of society, as well as a discrete set of new and novel capabilities, vulnerabilities, and threats.
At the same time, the cyber phenomenon is also the latest iteration in the centrality of information and the nature of the so-called infosphere (where information is created, stored, shared, and used) in warfare and strategy.11 The security, safe storage, secure communication, and reliability of information have been intrinsic to national security and warfare throughout history. Equally, stealing, altering, and destroying key information; attacking, sabotaging, and compromising the means of storing and sharing this information; and seeking to alter perceptions and policies through deception and psychological operations have also always been a central part of warfare too. But though the methods, skills, and technologies used to achieve this have undoubtedly changed over timeâfrom messengers, semaphore, and telegraphs to wireless networks, satellite communications, and network-centric warfareâthe central principles and importance of information to and within warfare and strategy have remained relatively constant. If anything, they have become more important. This is particularly the case in the last two hundred years, as states have come to rely more on electronics and telecommunications for military operations.12 Thus, many cyber challenges can actually be traced to âclassical military and intelligence fields.â13
In this way, we can think of the cyber challenge as not fundamentally altering the nature or the importance of information but rather as creating new ways of managing and targeting this information and therefore new problems for defense, assurance, and security. Or, as David Lonsdale puts it: âThe information age has raised our awareness of information.â14 Therefore, the cyber phenomenon, the proliferation of complex software and networked computers, ever-increasing real-time interconnectivity, and particularly the wholesale transition from an analo...