News - The Atlantic

Writing the Rules of Cyberwar

  • Alyza Sebenius
| June 28, 2017

"The Washington Post’s report last week on Russian cyber efforts to disrupt the 2016 election—and the Obama administration’s months-long debate over how to respond—ended on a foreboding note. Among the measures apparently adopted in response to the hack was “a cyber operation that was designed to be detected by Moscow but not cause significant damage,” involving “implanting computer code in sensitive computer systems,” according to anonymous officials who spoke to the paper. The code could be used to trigger a cyberattack on Russia in response to another Russian cyberattack on America, whether that targeted elections or infrastructure. The paper characterized the operation as currently being “in its early stages.”

From an American perspective, the operation as described could look defensive—if it was “designed to be detected,” it would serve as a warning and potential deterrent against further offensive actions by Russia. Or it could be used purely in retaliation for aggression of some kind. On the other hand, though, once the implants are operational, what’s to stop an American leader from using them for offensive purposes, simply to weaken, undermine, or otherwise mess with Russia? From the Russian perspective, this potential would make the implants look like an offensive cyberoperation—and prompt “defensive” measures on Russia’s part, that would in turn threaten the United States. The cycle could escalate from there.

This dynamic is an example of the “security dilemma”: When a state takes defensive measures, other states can perceive such behavior as threatening, and respond accordingly. Underlying this dilemma is the difficulty of distinguishing “offensive” from “defensive” moves when trying to evaluate another state’s intentions. Ben Buchanan, a postdoctoral fellow at the Cyber Security Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs, argues in his recent book, The Cybersecurity Dilemma, that the line between offense and defense is even blurrier in cyberspace. “To assure their own cybersecurity, states will sometimes intrude into the strategically important networks of other states and will threaten—often unintentionally—the security of those other states, risking escalation and undermining stability,” Buchanan writes. Meanwhile, a ransomware attack believed to be using stolen NSA tools spread across the globe on Tuesday for the second time in as many months, showing another way cyber tools can undermine stability: The technologies states develop to protect themselves can be stolen by criminal hackers and turned against their inventors.

I recently caught up with Buchanan at the Belfer Center's Cyber Security Project, which supports my research as well, to better understand the cybersecurity dilemma and its risks. Our conversation, condensed and edited for clarity, follows..."

For more information on this publication: Please contact Cyber Project
For Academic Citation: Sebanius, Alyza. “Writing the Rules of Cyberwar.” News, The Atlantic, June 28, 2017.

The Author