Developed States’ Vulnerability to Economic Disruption Online

Developed States’ Vulnerability to Economic Disruption Online May 15, 2016

By Christopher Whyte Christopher Whyte is a Ph.D. candidate in the Schar School of Policy and Government at George Mason University, adjunct professor at American University’s School of International Service, and a non-resident fellow with Pacific Forum CSIS. His research focuses on the intersection of technology, political behavior, and international security issues.

Abstract: Much of the literature on cyberspace and national security has backed away from the idea that cyberwar presents an imminent threat in world politics. However, there remains great concern about the potential for broad-scoped economic disruption prosecuted through digital means. How vulnerable are developed states to cyber economic warfare? Could either a concentrated cyber economic warfare initiative or a scalable disruption effect prove crippling on a large scale? And, most importantly, what are the implications for state policy and international interactions? This article contends that large, advanced industrial states are only superficially more vulnerable to disruption than are other types of systems.

D

igital security is now one of the foremost issues in research on international security.1 Cyberspace presents new threats that generate unprecedented challenges to political cooperation and technical coordination in states’ efforts to secure and ensure national security. Today, top military planners, government officials and civilian researchers debate how digital interconnectedness makes governments, industry and society vulnerable. For years now, experts have recognized the need to answer broad-scoped questions about the nature of digital dangers and the consequences of certain policies for international security. Recent efforts have tried to link the developmental dynamics of network technologies with policy analyses and academic discussions of 1

For early work on cyberspace and national security, see Ronald J. Deibert, “Black Code: Censorship, Surveillance, and Militarization of Cyberspace,” Millennium Journal of International Studies, Dec. 2003, pp. 501–530; Emily O. Goldman, “Introduction: Information Resources and Military Performance,” Journal of Strategic Studies 27.2 (2004), pp. 195-219; and Johan Eriksson and Giampiero Giacomello, “The Information Revolution, Security, and International Relations: The (IR)relevant Theory?” International Political Science Review, pp. 221– 244.

© 2016 Published for the Foreign Policy Research Institute by Elsevier Ltd.

Summer 2016 | 1 doi: 10.1016/j.orbis.2016.05.008

WHYTE

international politics.2 In one vein, research in the security studies field focuses on how cyber attacks can be used to prosecute interstate conflict.3 Here, there is a growing consensus that the idea of large-scale cyberwar is both alarmist and not reflective of strategic realities in international affairs.4 A limited ability to cause physical disruption relegates cyber assault to a secondary consideration, at least when discussed in the context of major international conflict.5 In another vein, some scholars are concerned about the space between political intrusion—meaning intentional sabotage, espionage, etc.—and asymmetric challenges with a digital component, including: criminal operations, non-state and state-sponsored subversive activities, and “hactivism.”6 This focus rightly reflects the reality that most cyber intrusions occur as widespread low-level efforts—i.e., not aimed at major military or national targets, like critical infrastructure—undertaken by a myriad of actors to target a diverse range of social, economic and political functions. Though scholars have increasingly moved to consider the cyber phenomenon in the past several years, relatively few attempts have been made to apply theories from security studies—or more broadly from political science—to assess the strategic implications of “cyber economic warfare,” in which digital dynamics are linked to the social and economic foundations of international political order.7 This lack encourages rhetoric that is based on premature assumptions. For See among others, Bryan Krekel et al., Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage (Falls Church, VA: Northrop Grumman Corporation for the U.S.-China Economic and Security Review Commission, March 2012; Dale Peterson, “Offensive Cyber Weapons: Construction, Development, and Employment,” Journal of Strategic Studies, Feb. 2013, pp. 120-124; Mary M. Manjikian, “From Global Village to Virtual Battlespace: The Colonizing of the Internet and the Extension of Realpolitik,” International Studies Quarterly, June 2010, pp. 381–401; Lucas Kello, "The Meaning of the Cyber Revolution: Perils to Theory and Statecraft,”, International Security, Fall 2013, pp. 7-40; and Timothy Junio, “How Probable is Cyber War? Bringing IR Theory Back In to the Cyber Conflict Debate,” Journal of Strategic Studies, Vol. 36, No. 1 (2013) pp. 125–133. 3 See, for instance, Matthew C Waxman, Cyber-Attacks and the Use of Force: Back to the Future, 2(4), 36 (2011); and Thomas G. Mahnken, “Cyber War and Cyber Warfare,” in Kristin M. Lord and Travis Sharp, eds., America’s Cyber Future: Security and Prosperity in the Information Age (Washington, D.C.: Center for a New American Security, 2011). 4 See Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies, Feb. 2012, pp. 5–32; and Erik Gartzke, “The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth,” International Security, Fall 2013, pp. 41-73. 5 Gartzke, “The Myth of Cyberwar.” 6 See, for example, Paul Cornish, David Livingstone, Dave Clemente, and Claire York, “On Cyber Warfare,” Chatham House, Nov. 2010; Chintan Vaishnav, and Nazli Choucri, and David D. Clark, Cyber International Relations as an Integrated System, June 14, 2012, MIT Political Science Department Research Paper No. 2012-16; Brandon Valeriano, and Ryan Maness, “A Theory of Cyber Espionage for the Intelligence Community,” EMC Conference Paper; and James Lewis, James and Baker, Stewart, The Economic Impact of Cybercrime and Cyber Espionage (Washington, DC: Center for Strategic and International Studies, July 22, 2013). 7 See Cornish et al. (2010); Lewis & Baker (2013); and Christopher, Whyte, “Power and Predation in Cyberspace,” Strategic Studies Quarterly, Spring 2015, pp. 100-118. 2

2 | Orbis

Developed States’ Vulnerability to Economic Disruption Online

instance, academics and policymakers routinely confuse the idea that developed states are more vulnerable to cyber disruption than less developed states.

(Photo of Cyber Crimes Center, U.S. Government)

This article questions a common conclusion in the burgeoning literature on cyberspace and international security that nations that rely more heavily on computerization are more economically vulnerable than those that do not.8 By focusing on cyber-espionage, I argue that this conclusion is untrue. High reliance on computerization and network integration increases technical vulnerabilities, but this fact alone is insufficient as a basis for strategic analysis. In reality, the more developed a national cyber-system, the more obstacles exist to prevent high-level and long-term disruptions that might alter the state’s strategic behavior. Economic Warfare According to a number of scholarly traditions, a state’s operational capacity in international affairs derives directly from the underlying economic conditions that determine its military potential.9 In essence, a state’s wealth and the sources of that In this article, I refer to strategic consequences for states in the sense that high-level behavior might be altered by a given effect. Though cyber intrusion has arguably produced results with strategic significance in the particular sense, such as the theft of fifth generation fighter data in 2007, this is taken to be a more generic example of conventional espionage resulting in situation-specific benefits. 9 Perhaps most prominently, Mearsheimer’s detailing of the offensive realist theoretical perspective differentiates between actionable manifestations of power and the undergirding 8

Summer 2016 | 3

WHYTE

wealth both have a great impact on the shape of potential military power. Disruption to those underlying economic conditions can impact a state’s ability to prosecute wars, to engage in effective bargaining, and, beyond military affairs, to present as a culturally attractive and economically stable element in the international system.10 For scholars, the phrase “economic warfare” often conjures military measures undertaken in conflict to bring about a logistical advantage.11 Paul Cornish, in discussing cybersecurity and new threats to economic processes, points to the “scorched earth” tactics employed by the Soviet Union as example in part.12 Soviet forces burned the land behind them and razed resources that could not be relocated to ensure minimal advantage was ceded to advancing German forces in available terrestrial resources. Related measures undertaken across a variety of military campaigns speak to the use of “economic warfare” as a phrase for describing the ancillary and logistical aspects of warfighting, emphasizing the relationship between military capabilities, industrial support, and supply lines. Bombing campaigns in World War II, Korea, Vietnam, Iraq, Libya, Syria, and more have seen the widespread targeting not only of service assets and support facilities, but also of oil production infrastructure and non-military communications networks. Such targeting serves campaign goals beyond the tactical objectives of particular warfighting efforts, as it has a net effect on the capacity of an enemy to cope effectively with threats in the long run. Along these lines, it is preliminarily important to note that “economic disruption” is perhaps a more appropriate phrase than “economic warfare” in any effort to describe economic threats from cyber activities. After all, disruption related to state capacity, in any format, can result both from a variety of strategic efforts and from the consequential environmental effects thereof, not only those that are commonly labeled as conflict mechanisms. Economic disruption that affects state capacity in strategic terms occurs much more commonly outside of a particular conflict. “Warfare” is a misnomer in this regard, as the term implies a narrow set of operational actions but—in practical usage—actually describes a broad range of possible mechanisms through which security potential might be diminished. Targeted economic disruption can result from a variety of actions—including traditional military assault, espionage, sabotage, asymmetric operations and more. And it is intended typically to either alter the balance of capabilities between states or compel behavior through the threat of such alteration. Economic sanctions are perhaps the most commonly discussed example of a strategic attempt at targeted economic disruption that is labeled as “warfare” but is

role that economic capacity plays in determining future power possibilities. See John J. Mearsheimer, The Tragedy of Great Power Politics (New York: WW Norton & Company, 2001). 10 Mearsheimer, The Tragedy of Great Power, chapter 3. 11 For perhaps the most interesting survey of economic warfare in history, see Tor Egil Førland, “The History of Economic Warfare: International Law, Effectiveness, Strategies,” Journal of Peace Research, May 1993, pp. 51-162. 12 Paul Cornish, “The Vulnerabilities of Developed States to Economic Cyber Warfare,” Working Paper, Chatham House, June 2011.

4 | Orbis

Developed States’ Vulnerability to Economic Disruption Online

(Photo of Stalin’s scorched earth policy at end of WWII)

not warfighting.13 That said, espionage, industrial sabotage and the explicit manipulation of resources in the global economy – for example, the U.S. embargo of Japanese resource imports in the early 1940s or encouraging increased Saudi oil production in the 1980s14—each provide states with an ability to achieve measurable strategic gains in the underlying economic foundation of global power politics. In short, there is a diverse toolset with which strategic attempts to deny access to resources or political capital might be enabled. Additionally, economic disruption often occurs beyond the scope of targeted efforts by states. The economic foundations of state power potential are vulnerable to systematic inputs, intentional and otherwise. The power of resource-rich states, for example, is often linked with the price of commodities and the global availability of resources. Other states with industrial dependencies have suffered historically from uncertainty borne of challenges related to international economic trends. Naturally, it would be imprecise to treat economic fluctuation as directly related to the security affairs of states. But economic disruption might be extended to include Discussion of economic sanctions in the broad body of literature on politics and coercion in international affairs appears as early as Thucydides’ discussion of the Athenian boycott of Megara during the Peloponnesian War. At various points, theorists like Hirshman, Axelrod, Keohane, Nye, Ellings and Schlesinger have considered the role of economic coercion in the maintenance of international regimes. For perhaps the most concise discussion of this literature, see Daniel Drezner, The Sanctions Paradox: Economic Statecraft and International Relations (Cambridge: Cambridge University Press, 1999). 14 See Gary Clyde Hufbauer, Jeffrey J. Schott and Kimberly Ann Elliott, Economic Sanctions Reconsidered (Peterson Institute for International Economics, 3rd ed., June 15, 2009). 13

Summer 2016 | 5

WHYTE

systematic deviations brought on by related disruptions causing unusual variation in the economic prospects of a state. Examples range from the rise of organized crime from India, China, Nigeria and elsewhere to the transnational operation of groups based in Russia and beyond, where the states involved suffered from internal issues that demanded a redistribution of military and related resources.15 This view of economic fluctuation as a high-level consideration is important for any strategic discussion of cybersecurity and economic disruption. True, these deviations are the unintended side effects of the changing nature of political conditions around international security dynamics. But they can, at times, scale to measurably alter the foundations of state capacity. Systemic Disruption and Economic Warfare Online Though the literature is quite developed on the economic impact of cyber attacks, it remains distinctly descriptive in nature. To date, there is little academic or policy-oriented work attempting to generalize about political behavior and security dynamics from studying the relationship between cyberspace and economic issues.16 What impact does cyber economic disruption have on state power? And what determines greater or lesser effect? What we know about disruptions to the U.S. national innovation economy and the likely distribution of actors engaged in subversive digital efforts online is certainly significant. Theft of intellectual property reduces the nation’s comparative advantage in international trade and finance and moreover might, if effective, reduce the overall impact of innovations in technology, military assets and more. This produces higher costs for private industry and government in undertaking innovative research and development, reducing incentives to be a first mover and reducing national economic prospects. Thus, in broad terms, cyber disruption leads to reduced latent power potential. The Literature on Cybersecurity and Economic Disruption Before moving on, it is first useful to briefly describe different types of digital attacks that can cause cyber disruptions. Four types of digital attacks can cause cyber disruption. First, disruption can emerge from using code to vandalize information systems. Second, an attacker might aim to disrupt the service to one or many computer systems via the use of denial of service methods. Third, an attacker G.C. Moura, Internet Bad Neighbourhoods (The Netherlands: Centre for Telematics and Information Technology, 2013). 16 Exceptions to this include a range of recent works on systemic resiliency and infrastructure/economy management. However, while these works do discuss various aspects of the global impact of ICT integration for national economies and national security, they largely do not attempt to generalize on the sources or possible effects of new digital processes at the level of the international system. For an overview of this literature, see Chris Demchak, “Resilience and Cyberspace: Recognizing the Challenges of a Global Socio-Cyber Infrastructure,” Journal of Comparative Policy Analysis, June 2012, pp. 254–269. 15

6 | Orbis

Developed States’ Vulnerability to Economic Disruption Online

might intrude to manipulate a particular computer system through the alteration of a system’s design functions. This includes the use of backdoors, trapdoors and Trojans to modify the conditions for entry into a system where access should be otherwise impossible. Finally, an attacker might infiltrate a system through brute force or intentionally subversive means via the use of logic bombs, viruses, worms and other similar tools. While the two former types of digital attack are most often linked with the efforts of hacktivists or attackers seeking to cause sociopolitical turmoil, the latter two are often attempts to subvert economic and security processes through activities like intellectual property theft or information deletion. The literature on cyberspace and the possibility of cyber economic disruption from using cyber instruments focuses on three areas. First, there is work that describes how computer systems might experience disruption during specific conflict episodes. Several scholarly contributions have described the way in which cyber weapons might be used as a tactical component of a broader campaign designed to achieve secondary or ancillary objectives.17 One example would be the disruption of a control system, such as when Israel disrupted part of Syria’s air defense network in 2007 to allow air force bombers to cross the border. In addition to the work written on escalation and conflict dynamics that focuses directly on military support infrastructure and systems,18 however, there is writing on the use of cyber weaponry to affect broader societal disruption. This work outlines potential vulnerabilities and deterrence dynamics centered on energy grids and related national networked systems, in particular, has provided the analytic community with significant data—though almost no theoretical treatments—for understanding the degree to which the targeted use of cyber weapons of mass effect (CWME)—i.e., cyber weapons that can be employed to achieve far-reaching effects over time through the use of backdoors, intrusions, etc.—might be effective aids to broader strategic security campaigns. This scholarship contends that widespread disruption to societally important functions via assault on network systems—including disruption of energy grids or the theft of intellectual property—might mitigate the abilities of a state to effectively use its power to fend off potential crises. The premise that widespread disruption on a continual basis might affect latent state processes has also gained significant traction in recently. Constant low-level agitation and intrusion leads to broader disruption to innovative processes and organizational effectiveness in government. A clear proposition has emerged that widespread low-level disruption from foreign espionage and corporate conflict online invariably mean spillover effects for industry, government and private society that can lead to reduced capacity to produce state power potential.

17 Among others, Gartzke, “The Myth of Cyberwar,” and Rid, “Cyber War Will Not Take Place.” 18 For example, David C. Gombert and Martin Libicki, “Cyber Warfare and Sino-American Crisis Instability,” Survival, Aug.-Sept. 2014, pp. 7-22.

Summer 2016 | 7

WHYTE

Finally, a diverse body of work from policy, industry and academic sources has described strategic disruption as the result of decentralized efforts to use digital means for criminal and political purposes. Though this literature has not linked directly to those strategic considerations common in the study of world politics and international conflict, there appears to be a consensus that widespread low-level criminal or similar intrusions across public and private sector formats portends significant potential for lost efficiency and major policy obstacles to the effectiveness of both public sector programming and the legal-regulatory framework guiding market processes. Higher levels of cyber crime, for instance, lead to diminished innovation and increased systemic costs for national marketplace operation. How Cyber Economic Disruption Might Affect Power Dynamics. These categories of threat vectors cover the full gamut of anti-state scenarios involving online actors and different approaches to disruption. At the highest level, considering the behavior of foreign states, these cyber threat classifications invite engagement with several mainstream traditions in the IR field. Foremost among them is the idea that latent power is located in a state’s economic and societal processes. Latent power dynamics play a considerable role in both determining future capacity for certain capabilities in world affairs and, perhaps more importantly, allowing states to signal intent and credibly ensure foreign commitment to certain status quo arrangements.19 Thus, regarding the impact of digital weapons on state power, scholars might link issues that would otherwise arise purely in policy environs to topics in international organization and interstate relations—including interstate bargaining, the mediating power of international institutions and the problem of intention deduction among peer competitors. One thesis that links IR with information technologies is that the diversification and fragmentation of a category of technological systems adds an additional dimension to the challenge of mitigating security risks. Simply put, a system’s diversity—such as computer systems and related network technology— causes more issues that must be addressed to obtain security goals. Whether looking at policy work on cyber threat vectors or extant academic scholarship on how cyberspace accommodates new types of interaction between international actors, it is clear that, for government agencies, municipal authorities, private firms and the like, technological fragmentation presents an ever-growing set of challenges for the goal of comprehensive cyber security. Particularly for governments, a large part of a state’s power and influence in world politics, is its economy. 20 Many argue that the more technologically advanced For a fuller discussion, see Kenneth Waltz, Theory of International Politics (Addison-Wesley Pub. Co., 1979); Robert O. Keohane, Neorealism and its Critics (New York: Columbia University Press, 1986); and, particularly, Mearsheimer, The Tragedy of Great Power. 20 See Joseph Nye, “Cyber Power,” (Cambridge, MA.: Belfer Center for Science and International Affairs, Harvard Kennedy School, May 2010); Jayson M. Spade, Information as Power: China’s Cyber Power and America’s National Security, (Carlisle Barracks, PA: U.S. Army War College, 2012); David J. Betz and Tim Stevens, Cyberspace and the State: Toward a Strategy for 19

8 | Orbis

Developed States’ Vulnerability to Economic Disruption Online

and integrated a state, the more vulnerable it will be to the threat of online disruption. If true, there are significant implications for analysis of interstate relations, particularly regarding international regimes on security cooperation and the dynamics of episodic bargaining between competitors. The Problem in Equating Empirical and Conceptual Underpinnings This author contends that focusing on the technical prospects of increased integration of network technologies in advanced societies produces an inappropriate emphasis on the strategic vulnerabilities of states. While technical vulnerabilities might abound to enable commonplace intrusion, diversifying complex systems across market and public sectors presents major obstacles to the precipitation of a nationally debilitating disruption. Some of these obstacles are the result of strategic conditions brought about by ever more complex network-enabled systems. Others are the result of technical conditions that prevent virulent domino-style intrusions. In both cases, the strategic implications of cyber threat vectors for economic disruption are generally less alarming than contemporary scholarship and analytic work suggests. Too Big to Fail This article contends that increased vulnerabilities from greater technical diversity are often inappropriately used to proxy for strategic vulnerabilities. Arguments regarding the scalability of cyber threats from espionage and sabotage activities to the point where there are serious strategic implications for states ignore the functional reality of using cyber means for broad-scoped power gains. Organized theft of information and sabotage of systems against targets in a specific country implies serious logistical challenges for an attacker. Moreover, for a foreign power to use such information consistently to its advantage would not only be difficult, but would require a restructuring of operational priorities that would harm more traditional processes of economic and innovative progress. Thus, ultimately, it is more likely that the more advanced and integrated a state is, the less likely it is to experience significant disruption in the context of meaningful strategic relationships, as peer competitors cannot afford to commit wholesale to a strategy of massive economic cyber disruption.

Cyber-power (The International Institute for Strategic Studies, Dec. 1, 2011); David J. Betz, “Cyberpower and International Security,” Foreign Policy Research Institute, E-Notes, June 2012; Billy Pope, “Cyber Power: A Personal Theory of Power,” Center for International Maritime Security, May 2014, http://cimsec.org/cyber-power-personal-theory-power/11436; and Daniel T. Kuehl, “From Cyberspace to Cyberpower: Defining the Problem,” in Franklin D. Kramer, Stuart H. Starr and Larry K. Wentz, eds, Cyberpower and National Security (Washington DC: National Defense University Press and Potomac Books, Inc., 2009).

Summer 2016 | 9

WHYTE

Rising Tide or False Alarm? Maintaining an increasing number of digitally integrated systems adds complexity to the infrastructure of any national social and economic environment. More systems and a complex marketplace of both developers and users create vulnerabilities in several ways. First, environmental sophistication is often taken to mean the diversification of development. Greater innovation potential in an advanced economic marketplace means accelerated development for a relatively more diverse number of digital tools and platforms. As outlined above, this has implications for strategic assessments of disruptive capacity between states. However, technological sophistication in a marketplace usually is paralleled by industrial and organizational sophistication. The diffusion of many dissimilar systems among increasing private and public sectors entities creates both regulatory difficulties for cybersecurity initiatives and opportunities for intrusion across a broader range of targets. In short, diversification in this way makes it harder to coordinate meaningful national cyber security. This is the point, perhaps, most emphasized by industry and policy researchers in support of the broader thesis. In addition, the proliferation and sophistication of functional entities in given state (i.e., the institutions built or modified in order to deal with the implications of the proliferation of information technologies), creates new opportunities for exploitation from new human vectors. After all, different institutions have different administrative processes and more fragmentation of institutions to match technological diversification means more points of possible vulnerability for cyber tools that take advantage of human error. It also challenges government authorities in dealing with regulatory strain between public agencies and in public-private relations. An important takeaway here is that much explanatory power stems from a conflation of terms. Though scholars like Nye tend to use the term “powerful” or “advanced” states,21 it is more accurate that economic and technical diversity is what constitutes the foundations of the thesis. This is important precisely because not all states are similar in this regard. Espionage and Sabotage Of the three categories leading to economic disruption linked to state power, two are non-episodic—meaning outside the scope of a particular episode of conflict between countries. This is defined as a cyber intrusion, capable of altering the latent capacity of a given national system. Cyber espionage—essentially the theft of information and observing otherwise private system functions—comes in many forms. It affects state prospects either via subversive aggression by peer competitors, such as China or Russia in the case of the United States, or the cumulative effect of market failures. The presence of subversive intent—whether or not espionage attempts are directed or not (i.e., criminal actions)—is critical in understanding how large-scale technical vulnerabilities might pose strategic threats to a state. 21

Nye, Cyber Power.

10 | Orbis

Developed States’ Vulnerability to Economic Disruption Online

The strategic threat to states from direct efforts at broad-scoped cyber espionage might stem from the nature of competition between states in economic affairs. The act of linking strategic strength to latent power potential is a common one for analysts trying to describe the particulars of foreign policymaking. States care about the economic prowess and prospects of peer competitors because they are indicators of capacity to achieve strategic outcomes in world politics, both now and in the future. Economic prowess also relates to a national system’s attractiveness. It has an observable impact on how potential partners might be disposed towards constructive engagement. Moreover, economic prospects, particularly in the innovation economy, are critical for states in constructing long-term evaluations of both strategic capabilities and, given the right political and situational inputs, intentions. History, from the Nazi’s strategic planning prior to World War I, to contemporary assessments of nuclear proliferation potential from infrastructural factors, is replete with examples of such evaluations playing a significant role in determining the near-term motivations of policymakers in engaging on the world stage. In addition, a series of inter-related research programs in international relations reference latent capacity and assessments as being critically important to understanding interstate bargaining, cooperation and defection. Robert Powell’s work is especially relevant for discussion of broad-scoped disruption from digital means, as he emphasizes the manner in which non-crisis maneuvering sets the parameters of engagement for the future.22 So what might the strategic threat to states from cyber espionage actually look like? As some recent literature has pointed out,23 deployed cyber vehicles for intrusion most often take the form of weapons of mass effect, rather than weapons of mass destruction. The distinction is important, as massive effect describes the form of intrusive delivery, as opposed to the eventual outcome of an assault. Cyber weapons of mass effect (CWME) describe a broad category of instruments that make use of generic design to affect systems broadly and with a singular objective, but not a singular outcome (at least in the sense of a disruptive event). The narrative of widespread theft of intellectual property is a common one in contemporary discussions of cyberspace and national security. And it is easy to see why analysts and policymakers express concern that directed attempts to disrupt informational and innovative processes portend redistribution of latent power potential. And potential sources of long-term geo-strategic vulnerability don’t stop there. The argument that undirected cyber espionage (i.e., not organized as part of a broad-scoped counter-political strategic effort by foreign state or major non-state actors) might be the cause of significant strategic threats to states relates to such a redistributive argument, though less clearly. Cyber espionage outside the context of strategic interactions between states (and their agents) in world politics largely falls into the category of criminal behavior. This is an accurate classification, with some 22 Robert Powell, In the Shadow of Power: States and Strategies in International Politics (Princeton, NJ: Princeton University Press, 1999). 23 Whyte, “Power and Predation in Cyberspace.”

Summer 2016 | 11

WHYTE

allowed variation for different types of anti-political and economic criminal agendas. Theft of intellectual property occurs in the criminal setting as much, if not more so, than it does as espionage under the direction of a state. But just because much intellectual property theft is criminal does not mean that there are not also strategic implications for states. Systemic vulnerabilities might reasonably—lead to near-term loss of market confidence and an overall reduction in national innovative capacity stemming from private sector protectionism, the redistribution of R&D budgets if enabled by pathological failures to institute effective regulatory mechanisms for dealing with a changing technical environment. Legal loopholes in a country, for instance, might encourage a massive proliferation of criminal activity aimed at data exfiltration, as might government regulations that prevent private industry from pursuing cutting edge systems protection. The question that emerges from such analysis is a simple one: to what degree are such threat outcomes realistic possibilities in interstate affairs? The idea that significant strategic pitfalls exist for states possessed of sophisticated digital and economic infrastructure drives the thesis that more complex equals more vulnerable. This article contends that the great diversity in technical, infrastructural and organizational affairs actually helps insulate a state from the onset of such drastic crises. At the most basic level, of course, there are significant technical challenges for any peer competitor with strategic designs on using cyber espionage to disrupt and redistribution innovative and information processes in world politics. Just because there are more threat vectors and human defense gaps to consider in advanced states does not mean that CWME become universally easier to employ. If anything, decentralizing systems and modifying weapons to be effective across a broad range of situations—from automobile factories and nuclear power plants to military control systems—requires a more deft approach to deploying CWME than most states are presently capable of producing. Moreover, there is massive cost involved in developing and deploying weapons that are so effective. As attacks like those associated with GhostNet or Stuxnet in 2010 demonstrated, effective sabotage and information disruption efforts can require significant tailoring of attack tools and serious utilization of both supply chain and personnel connections. Thus, while generic code means that such tools might be easily deployed against targets as diverse as automobile factories or research organizations, the task gets measurably more difficult and resource intensive as target protection becomes more sophisticated.24 This argument has received broad support across a recent set of scholarly works on the seeming offense-dominant environment of cyberspace and on concepts such as coercion, deterrence and deception. See, variously, Jon R. Lindsay, and Erik Gartzke, “Weaving Tangled Webs: Offense, Defense and Deception in Cyberspace,” Security Studies, Vol. 24, No. 2 (2015), pp. 316-348; Christopher Whyte, “Ending Cyber Coercion: Computer Attack, Exploitation and the Case of North Korea,” Comparative Strategy; and Lindsay, Jon R., Tai Ming Cheung and Derek Reveron, China and Cybersecurity:Espionage, Strategy, and Politics in the Digital Domain (Oxford: Oxford University Press, 2015). 24

12 | Orbis

Developed States’ Vulnerability to Economic Disruption Online

Perhaps more importantly, there are also significant redistributive challenges bound up in the idea that a major state competitor—such as, for the United States, the People’s Republic of China—might successfully utilize a massive program of espionage to achieve power political ends. Certainly, added technological complexity in a state has the potential to enable high-level intrusion and theft of information to great effect. The theft of vital military intelligence from the Pentagon in recent years is proof of this. But effectively using stolen information for developmental benefit requires an institutional ability to absorb and adapt to new developmental imperatives. Such an organizational setup is, of course, possible by some government agencies. But the organizational flexibility required to take advantage of information and competitor disruption on a massive scale across the levels of private and public operation implicated in any serious national-level redistribution is difficult to maintain. Moreover, such an operational realignment of processes would have serious consequences for the domestic innovative capacity of any potential strategic competitor. Supporting a broad-scoped effort to disrupt and redistribute the latent capacity of a peer competitor would be to self-inflict opportunity costs for innovative potential. Thus, while greater sophistication of digital processes does imply the proliferation of technical vulnerabilities along a number of lines, the prospects for massive disruption and strategic fallout from directed, subversive cyber interference vary depending on the power of competitors in international affairs. In particular, it seems logical to say that, as the sophistication of a potential “target”-competitor state increases, the number of barriers to affecting significant redistributive disruption also increases. Yet, the main problem with the idea that undirected cyber espionage and informational disruption might affect national processes in a naturally redistributive sense is that increased marketplace and infrastructural complexities produce challenges to asymmetric actors on a number of fronts. First, the threshold for strategic consequence to states from undirected cyber espionage and intrusion campaigns is somewhat lower than might be the case in considering interstate competition. While there is a particular relative context within which analysis of disruption in international affairs might be nested, with asymmetric threats to national processes we have to stop short of considering the strategic and logistical constraints facing an organized opponent. The principal threat from espionage and sabotage is loss of market confidence, as well as the disruption caused by broadscoped intrusion in particular sectors. It would be a mistake to rely on the constraining hand of an organized strategic opponent in considering prospects for substantial redistributive disruption in this regard. Nevertheless, most likely sophistication does breed logistical issues for non-state militant and criminal attackers. Additionally, in considering a directed attempt to subvert national processes, one must consider undirected disruptive efforts as faced with the issue of increased barriers to entry on a massive scale. Implementing large-scale operations takes resources and skill, and the requirement for these things increases as does the sophistication and diversity of the national marketplace. Moreover, the prospect of

Summer 2016 | 13

WHYTE

creating a confidence panic beyond a certain point risks an effective reorganization of cybersecurity priorities not favorable to non-state criminal entities.

Familiar Disguise for Anonymous Members.

There is also a threat of systemic disruption in a strategic setting from sabotage conducted online. Sabotage is the disruption or the damaging of a system that is not long-lasting.25 Thus, it is unlikely as a form of strategic action beyond broader security maneuvering. Nevertheless, it is feasible to imagine sabotage that leads to non-episodic strategic consequences. Anonymous’s counter-political sabotage of particular digital systems over the past several years is a good example of the kind of actions that might affect confidence among private industry and civil society.26 Counter-political sabotage might, at the outside, affect major political outcomes via the disruption of, for example, election processes. That said, sabotage faces the same logistical issues as do asymmetric attempts to extract or manipulate information systems, making such an outcome unlikely in general and less probable as national systems see greater technical sophistication and sectoral diversification. Policy Implications and Pathologies of Cyber Disruption Though the subject of cyberspace in national and international security has received significant attention in academic and analytic circles recently, there is still a barrier to strategic contextualization bound up in the secrecy and technicalities that characterize digital developments. It is important to remember that conceptual treatments and rigorous empirical analysis of cybersecurity issues depend on a broad Rid, “Cyber War Will Not Take Place”; Gartzke, “The Myth of Cyberwar.” For perhaps the best recount of the Anonymous organization and its workings, see Olson, Parmy, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency (New York: Little, Brown and Company, 2012). See also David Kushner, “The Masked Avengers: How Anonymous Incited Online Vigilantism from Tunisia to Ferguson,” The New Yorker, Sept. 8, 2014, pp. 48-59; and Michael Kenney, “Cyber Terrorism in a PostStuxnet World,” Orbis, Winter 2015. 25 26

14 | Orbis

Developed States’ Vulnerability to Economic Disruption Online

understanding of the dynamics of world politics. Any consideration of the variety of modes of interaction online in interstate or transnational affairs requires interface with the assumptions and mechanical explanations of political organization and behavior in the international system. For the budding cybersecurity field, this means starting with established analytic building blocks when examining far-reaching digital developments, and not just technical assessments.27 Critics and advocates of this argument will both quickly note that significant insecurity stems from intrusive interactions between states and in public-private affairs regardless of the prospects for strategic consequence from low-level cyber assault and disruption. This speaks to recent work in the field that identifies certain characteristics of cybersecurity issues and relationships as inherently amenable to endemic misperception in strategic interactions. As Jon Lindsay notes, regarding U.S.-China relations, the inherent secrecy and problems with attribution of actions bound up in evaluation of cyber operations engenders significant fictitious analysis on top of practical research.28 This is an important point. Pathological tendencies in analytic and logistical processes have the potential to skew strategic consequences and, more probably, perception of potential strategic consequences for cybersecurity issues. Secrecy and difficulty in interpreting information in international affairs in this regard portends errant signaling to policymakers and between interacting policymakers in world politics. The enduring probability that cybersecurity issue analysis will be fraught with perceptual issues borne of technical and institutional complexities, suggests several takeaways. First, policymakers should recognize that additional ecosystem diversity lends itself to security in the strategic aggregate. While governments should continue to attempt to employ broad-scoped security measures to safeguard industry, society and public sector operation, we must realize that there are marketplace-like effects that naturally extend from the diffusion of technology across national sectors. This suggests that more emphasis should be put on the standardization of methods of communication and response on issues related to digital intrusion and disruption. More than standardization of system architecture or instruments for digital security, uniform response processes promises rapid mitigation of threats that have the potential to scale towards strategically consequential. Second, in designing institutional response capabilities for cybersecurity at various levels, governments should make sure to draw a distinct doctrinal line between strategic priorities and logistical imperatives. The purpose in doing so is the avoidance of miscommunication and any adoption of a strategic culture that focuses

Some works offering solid initial steps across various areas of focus and at different levels of analysis include Nazli Choucri, Cyberpolitics in International Relations (Cambridge, MA: MIT Press, 2012); Valeriano, Brandon and Ryan Maness, “The dynamics of cyber conflict between rival antagonists, 2001–11,” Journal of Peace Research, May 2014, pp. 347-360; Lindsay and Gartzke, Weaving Tangled Webs”; and Rid, “Cyber War Will Not Take Place.” 28 Jon R. Lindsay, “The Impact of China on Cybersecurity: Fiction and Friction,” International Security, Winter 2014/15, pp. 7-47. 27

Summer 2016 | 15

WHYTE

on the intensification of technical threat vectors and the logistical challenges that emerge therefrom. Third, and perhaps most importantly, policymakers and researchers in both the analytic and academic communities should diversify their efforts to conceptualize and problematize threats from online by considering the interplay of global information technology adoption and the structural dynamics of the international system more broadly. In particular, assessment of different transnational systems, including pathologies of organizational traits and situations stakes, is necessary if appropriate strategic postures are to be adopted. State vulnerabilities and the propensity to adopt a particular position with regards to the use of cybersecurity capabilities both stem from a combination of strategic prospects, which this article has attempted to advance understanding of, and structural disposition. Political scientists might specifically move forward by exploring how different technical and organizational affect alternative behavioral outcomes. Doing so is important if the establishment in the United States and the broader Western world is to come to a better understanding of why actors are disposed towards different modes of interaction when it comes to potential cooperation on cybersecurity issues in world affair. Conclusion Threats to national and international security from online are of significant concern to policymakers now. These threats will be the focus of significant analysis on the part of researchers for years to come. Contemporary work, however, must reconsider the conceptual assumptions that undergird some common theses of cybersecurity. Technical developments do not mean the parallel development of strategic consequences in all instances. Consideration of the structural characteristics and dispositional tendencies of political entities in both international and transnational affairs is critical if appropriate understanding of the future trajectory of potential national insecurities is to be gained. The stakes are no less than unnecessary risk of misperception in international politics and obstacles to effective foreign policymaking. Yes, in general terms, the more technically advanced and industrially diverse an economic marketplace is, the less likely it is to suffer the effects of massive, coordinated economic disruption from online. But economic “warfare” online is much more likely to occur as a widespread set of minimally coordinated activities than it is to substitute for alternative means to shaping power dynamics in the international system, and broad-scoped vulnerabilities are likely to emerge from organizational pathologies of vulnerabilities.

16 | Orbis