The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

by David E. Sanger

And while the intelligence agencies would insist on secrecy, that would defeat the point: for our response to deter attackers, it needs to be very public—as public as an American airstrike on a chemical-weapons plant in Syria, or an Israeli strike on a nuclear reactor. Every time we respond quietly—or not at all—to an attack because we are worried about revealing the quality of our detection systems or the capability of our weapons, we only encourage escalation and further cyber strikes from our adversaries.

Most important, just as the United States must show other nations there is a price to pay for truly serious cyberattacks, we must also show that some things are off-limits. And until America discusses publicly—at the presidential level—what we will not do in cyberspace, we have no hope of getting other countries to limit themselves as well.

Fourth, we need to rethink the wisdom of reflexive secrecy around our cyber capabilities. Certainly, some secrecy about how our cyberweapons work is necessary—though by now, after Snowden and Shadow Brokers, there is not much mystery left. America’s adversaries have a pretty complete picture of how the United States breaks into the darkest corners of cyberspace.

No country likes giving up military or intelligence capabilities. But we have done it before. America swore off chemical and biological weapons when we determined that the cost to civilians of legitimizing them was greater than any military advantage they offered. We limited the kinds of nuclear weapons we would build, and banned some. We can do the same in cyberspace, but only if we are willing to openly discuss our capabilities and to help monitor cyberspace for violators.

Fifth, the world needs to move ahead with setting these norms of behavior even if governments are not yet ready. Classic arms-control treaties won’t work: they take years to negotiate and more to ratify. With the blistering pace of technological change in cyber, they would be outdated before they ever went into effect. The best hope is to reach a consensus on principles that begins with minimizing the danger to ordinary civilians, the fundamental political goal of most rules of warfare. There are several ways to accomplish that goal, all of them with significant drawbacks. But the most intriguing, to my mind, has emerged under the rubric of a “Digital Geneva Convention,” in which companies—not countries—take the lead in the short term. But countries must then step up their games too.

The lesson of the past decade is that, unless shooting breaks out, it will always be unclear if we are at peace or war. Governments that cannot stand up to far larger powers with conventional armies will have little incentive to give up the advantages that cyberweapons offer. We are living in a gray zone, one of constant digital conflict. That is not a pleasant prospect, but it is the world we have created for ourselves. To survive it, we must make some fundamental decisions, akin to ones we made after the invention of the airplane and the atomic bomb—decisions that enabled us to navigate a constant state of peril.

Now, as then, we have to think more broadly about where our security will be found. Clearly, it is not in an unending cyber arms race where victories over adversaries are fleeting, and where the greatest objective is to break another nation’s encryption or turn off its factories. We need to remember that we built these technologies to enrich our societies and our lives, and not to find yet another way to plunge our adversaries into darkness. The good news is that because we created the technology, we have a chance of controlling it—if we concentrate on how to manage the risks. It has worked in other realms. It can work in cyberspace as well.