Jon R. Lindsay

Stuxnet and the Limits of Cyber Warfare

Stuxnet, the computer worm which disrupted Iranian nuclear enrichment in 2010, is the first instance of a computer network attack known to cause physical damage across international boundaries. Some have described Stuxnet as the harbinger of a new form of warfare that threatens even the strongest military powers. The influential but largely untested Cyber Revolution thesis holds that the internet gives militarily weaker actors asymmetric advantages, that offense is becoming easier while defense is growing harder, and that the attackers anonymity undermines deterrence. However, the empirical facts of Stuxnet support an opposite interpretation; cyber capabilities can marginally enhance the power of stronger over weaker actors, the complexity of weaponization makes cyber offense less easy and defense more feasible than generally appreciated, and cyber options are most attractive when deterrence is intact. Stuxnet suggests that considerable social and technical uncertainties associated with cyber operations may significantly blunt their revolutionary potential.

The Impact of China on Cybersecurity: Fiction and Friction

Exaggerated fears about the paralysis of digital infrastructure and the loss of competitive advantage contribute to a spiral of mistrust in U.S.-China relations. In every category of putative Chinese cyber threat, there are also considerable Chinese vulnerabilities and Western advantages. China has inadvertently degraded the economic efficiency of its networks and exposed them to foreign infiltration by prioritizing political information control over technical cyber defense. Although China also actively infiltrates foreign targets, its ability to absorb stolen data is questionable, especially at the most competitive end of the value chain, where the United States dominates. Similarly, Chinas military cyber capacity cannot live up to its aggressive doctrinal aspirations, even as its efforts to guide national information technology development create vulnerabilities that more experienced U.S. cyber operators can attack. Outmatched by the West, China is resorting to a strategy of international institutional reform, but it benefits too much from multistakeholder governance to pose a credible alternative. A cyber version of the stability-instability paradox constrains the intensity of cyber interaction in the U.S.-China relationship—and in international relations more broadly—even as lesser irritants continue to proliferate.

Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace

It is widely believed that cyberspace is offense dominant because of technical characteristics that undermine deterrence and defense. This argument mistakes the ease of deception on the Internet for a categorical ease of attack. As intelligence agencies have long known, deception is a double-edged sword. Covert attackers must exercise restraint against complex targets in order to avoid compromises resulting in mission failure or retaliation. More importantly, defenders can also employ deceptive concealment and ruses to confuse or ensnare aggressors. Indeed, deception can reinvigorate traditional strategies of deterrence and defense against cyber threats, as computer security practitioners have already discovered. The strategy of deception has other important implications: as deterrence became foundational in the nuclear era, deception should rise in prominence in a world that increasingly depends on technology to mediate interaction.

Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack

Cyber attackers rely on deception to exploit vulnerabilities and obfuscate their identity, which makes many pessimistic about cyber deterrence. The attribution problem appears to make retaliatory punishment, contrasted with defensive denial, particularly ineffective. Yet observable deterrence failures against targets of lower value tell us little about the ability to deter attacks against higher value targets, where defenders may be more willing and able to pay the costs of attribution and punishment. Counterintuitively, costs of attribution and response may decline with scale. Reliance on deception is a double-edged sword that provides some advantages to the attacker but undermines offensive coercion and creates risks for ambitious intruders. Many of the properties of cybersecurity assumed to be determined by technology, such as the advantage of offense over defense, the difficulty of attribution, and the inefficacy of deterrence, are in fact consequences of political factors like the value of the target and the scale-dependent costs of exploitation and retaliation. Assumptions about attribution can be incorporated into traditional international relations concepts of uncertainty and credibility, even as attribution involves uncertainty about the identity of the opponent, not just interests and capabilities. This article uses a formal model to explain why there are many low-value anonymous attacks but few high-value ones, showing how different assumptions about the scaling of exploitation and retaliation costs lead to different degrees of coverage and effectiveness for deterrence by denial and punishment. Deterrence works where it is needed most, yet it usually fails everywhere else.

Correspondence: Assessing the Synergy Thesis in Iraq

Americans are inclined to remember their nation’s wars victoriously. “Let it be remembered,” President Barack Obama told the Minneapolis American Legion veterans of the Vietnam War on August 30, 2011, “that you won every major battle of that war.”1 He repeated this message on May 28, 2012, during the commemoration ceremony of the aftieth anniversary of this war at the Vietnam Veterans Memorial.2 How soon might we hear talk of winning the major battles in Iraq? Stephen Biddle, Jeffrey Friedman, and Jacob Shapiro (hereafter Biddle et al.) caution that “[t]he decline of violence in Iraq in 2007 does not mean that the war was necessarily a success.”3 Their implication, however, is that the war was not necessarily a failure either. Biddle et al. write that the 2007 drop in violence from 2006 was a “remarkable reversal.” They ask, “What caused this turnaround?” (p. 7). Their answer is that the United States devised a strategy that stopped the violence in Iraq with a “synergistic” combination of the U.S. troop surge and the U.S. subsidized Sunni Awakening that “stood up” the Sons of Iraq (SOI). Correspondence: Assessing the Synergy Thesis in Iraq

Correspondence: A Cyber Disagreement

Policymakers and pundits have been sounding alarms about internet insecurity for years, so the arst appearance of anything in International Security (IS) on this topic is a welcomed development. In the fall 2013 issue, Lucas Kello takes the security studies community to task for ignoring cyber perils, while Erik Gartzke argues that cyberwar is of limited political utility.1 Kello writes that “[t]he Clausewitzian philosophical framework misses the essence of the cyber danger and conceals its true signiacance: the virtual weapon is expanding the range of possible harms between the concepts of war and peace, with important consequences for national and international security” (p. 22). Gartzke counters, “War is fundamentally a political process, as Carl von Clausewitz famously explained. . . . The internet is generally an inferior substitute for terrestrial force in performing the functions of coercion or conquest” (p. 42). If Kello is right, then the long silence in IS on cybersecurity suggests that scholars have neglected a major transformation in security affairs. If Gartzke is right, then scholars can be forgiven their bemusement with inoated cyber rhetoric. In my investigations of American and Chinese activities, I have found cyber interventions to be more complicated and less effective than generally believed.2 Arguments from technology are common in cybersecurity discourse and have excited policymakers, so they should be taken seriously. Yet Kello’s characterization of the skeptical viewpoint as “more visceral than analytical” (p. 9) misrepresents the analytical literature that does exist. Kello insists that “scholarly inattention toward the cyber issue . . . must change” (ibid.), but he disparages the aeld while ignoring relevant scholarship. My commentary addresses the technological determinism of Kello’s argument and his Correspondence: A Cyber Disagreement

Target Practice: Counterterrorism and the Amplification of Data Friction

The nineteenth-century strategist Carl von Clausewitz describes “fog” and “friction” as fundamental features of war. Military leverage of sophisticated information technology in the twenty-first century has improved some tactical operations but has not lifted the fog of war, in part, because the means for reducing uncertainty create new forms of it. Drawing on active duty experience with an American special operations task force in Western Iraq from 2007 to 2008, this article traces the targeting processes used to “find, fix, and finish” alleged insurgents. In this case they did not clarify the political reality of Anbar province but rather reinforced a parochial worldview informed by the Naval Special Warfare community. The unit focused on the performance of “direct action” raids during a period in which “indirect action” engagement with the local population was arguably more appropriate for the strategic circumstances. The concept of “data friction”, therefore, can be understood not simply as a form of resistance within a sociotechnical system but also as a form of traction that enables practitioners to construct representations of the world that amplify their own biases.

Correspondence: Debating the Chinese Cyber Threat

In “The Impact of China on Cybersecurity: Fiction and Friction,” Jon Lindsay asserts that the threat of Chinese cyber operations, though “relentlessly irritating,” is greatly exaggerated; that China has more to fear from U.S. cyber operations than the United States does from China; and that U.S.-China relations are reasonably stable.1 He claims that “[o]verlap across political, intelligence, military, and institutional threat narratives . . . can lead to theoretical confusion” (p. 44). In focusing almost exclusively on militaryto-military operations, however, where he persuasively argues that the United States retains a signiacant qualitative advantage, Lindsay underemphasizes the signiacance of vulnerabilities in U.S. civilian networks to the exercise of national power, and he draws broad conclusions that have doubtful application in circumstances short of a full-out armed conoict with China. In addition, he does not discuss subthreshold conoicts that characterize, and are likely to continue to characterize, this symbiotic but strife-ridden relationship. To begin, Lindsay argues that American infrastructure is safe from nation-state cyberattack. For support, he cites a similar conclusion by Desmond Ball, who touts the supposed “sophistication of the anti-virus and network security programs available” in advanced Western countries.2 The notion that Western-made anti-virus and network security programs are effective against sophisticated cyberattacks would astonish any group of corporate security ofacers. Anti-virus programs are oimsy alters designed to catch only some of the malware that their designers know about. They miss a great deal. New malware enters the market at the rate of about 160,000 per day.3 Filters, whether employed by the military or not, are unable to keep up. “Network security programs” vary in quality, are insufaciently staffed, and are often not implemented at all across the economy. The Pentagon is expending huge sums to build its own power grids, even as its budget shrinks, precisely because the civilian grid cannot be relied

Why Quantum Computing Will Not Destabilize International Security: The Political Logic of Cryptology

The implications of quantum information technology for cybersecurity and strategic stability seem worrisome. In theory, an adversary with a quantum computer could defeat the asymmetric encryption protocols that underwrite internet security, while an adversary using quantum communications guaranteed secure by the laws of physics could deny intelligence warning of surprise attack. To assess these claims, this article first develops a general political logic of cryptology grounded in the bargaining model of war, which understands uncertainty as an important cause of war and institutions as an important source of information. Cryptology of any technological vintage is shaped by both aspects of this logic, with ambiguous implications for strategic stability. In practice, strategic interaction between intelligence competitors using real quantum systems implemented in fallible human organizations will mitigate the impact of quantum computing. The upshot is that the revolutionary scientific innovation of quantum computing will probably have only marginal political impact, in part because the fields of cryptology and computing have already undergone important transformations in recent decades.