What Will Cyber Conflict Look Like?

There is much to admire in Erik Gartzke’s recent Lawfare essay, Fear and War in Cyberspace.  Indeed, I find myself in substantial agreement with it as a proposition reflecting the reality of today.  But I wonder if Gartzke does not, too easily, dismiss the possibility of irrational actors in the cyber domain.  His thesis, after all, is that threats of cyber war are overblown, precisely because rational actors will see that there is little benefit to initiating a conflict.  He maybe right as a matter of risk assessment as of today (though I do wonder about disruptions that are tied to physical attacks) – but what happens when irrational actors get increased capabilities? The honest answer is that we don’t know – and the reason we don’t know is that we have no actual experience with large scale cyber attacks.  The two closest analogies we’ve seen (in Georgia and Estonia) were, as Gartzke says, properly classified as annoyances rather than large scale operational threats.  We’ve seen Stuxnet destroy components of a single installation – but we’ve never seen what mass destruction might entail (or if it is even possible). And so we are left with our imaginations – and they run wild at times.  Thankfully, some are trying to more systematically game out what a cyber conflict might look like.  How seriously you take the threat depends on how realistic you think more catastrophic scenarios are. With that in mind, I was fascinated by two recent cyber war games – GridExII and an Israeli game.  Their results may or may not be representative, but they certainly are worthwhile data points. In early November, the US government ran an exercise it called, GridEx II.  As the New York Times reported, the exercise simulated a large-scale cyber attack on the American electric grid.  Of course an exercises is just a test, not the real thing.  But even so, the results from GridEx II appear to be challenging:

By late Thursday morning, in this unprecedented continental-scale war game to determine how prepared the nation is for a cyberattack, tens of millions of Americans were in simulated darkness. Hundreds of transmission lines and transformers were declared damaged or destroyed, and the engineers were rushing to assess computers that were, for the purposes of the drill, tearing their system apart.

The Israeli exercise which also took place in November was  even more apocalyptic.  As reported in Defense News during the exercise a cyber-enabled conflict between terrorists and Israel almost brought the US and Russia to the point of war.  The entire summary of the exercise is worth reading, for its detail on how a small attack can escalate.  But this small excerpt gives you a taste:

In an interview with Defense News, which observed the simulation, Assa [an Israeli official] said the scenario was based on extreme, yet realistic events, reflecting cyber capabilities that exist or are projected to materialize by state and non-state actors in the coming years. “What we all learned was how quickly localized cyber events can turn dangerously kinetic when leaders are ill-prepared to deal in the cyber domain,” Assa said.

As I said, I don’t know how much of this is likely.  But I do know, having sat through a number of similar exercises, that the planners try to make the vulnerability exploitation as realistic as possible.  Whether the motivation will exist is another question – and Gartzke is right to focus on that as the critical question.  I only hope he is also right in his confidence that ill-motivated actors will not have an incentive to use their capabilities.