CSIS has published an eponymous paper (PDF) by James Lewis that came to my attention via Threatpost. It is surprisingly good and pleasantly brief, if a bit muddled in places. Early on, Lewis points out the characteristic uncertainties (attribution, scope, and effect) associated with cyber attacks, and mentions the familiar fact that the calculi of deterrence, proportionality, etc have not been properly formulated for cyber. And like most people that have taken a serious look, he thinks that
Cyber conflict will be part of warfare in the future and advanced militaries now have the capability to launch cyber attacks not only against data and networks, but also against the critical infrastructure that depend on these networks.
Sounds about right to me. But Lewis fumbles the ball a bit later:
The alternative to the conclusion that terrorist groups currently lack the capabilities to launch a cyber attack is that they have these capabilities but have chosen not to use them. This alternative is nonsensical.
This is only partially true. There is a very simple reason why terrorists wouldn’t launch cyber attacks. They may not have the capabilities, but on the other hand, they could probably get them. But they can already get more bang for their buck with bombs. Terrorists want to cause terror. Cyber attacks can’t do that unless they’re very large and sophisticated. And the resources such an attack would require don’t provide the same ROI as something like dispersed and coordinated bombs would.
To some extent this argument applies to states as well: a tactical physical attack isn’t worth using a strategic cyber attack to complement it. Conversely, because the cyber capability is strategic and only worth exercising in concert with physical attacks, the physical attack should have a strategic aim. (The purported cyber aspect of Israel’s strike against a purported Syrian nuclear facility would fit this bill nicely.) At the same time, attribution will be easy to get for the physical attack, which removes a lot of the attractive features that non-attribution nominally confers upon cyber attacks. That means that there is already a pretty clear threshold below which a nation-state will not launch a serious cyber attack.
Lewis actually articulates the more commonly acknowledged elements of this argument, though like most analysts he seems to have missed the fact that attribution will be easiest precisely when it matters most:
Serious cyber attack independent of some larger conflict is unlikely…The political threshold for serious cyber attack (as opposed to espionage) by a nation-state is very high, likely as high as the threshold for conventional military action. At a minimum, this suggests that a serious cyber attack is a precursor, a warning, that some more serious conflict is about to begin.
Absent such larger conflict, however, a nation-state is no more likely to launch a serious cyber attack than they are to shoot a random missile at an opponent. The risk is too great and the benefits of a cyber attack by itself too small for political leaders to authorize the use of this capability in anything short of a situation where they had already decided on military action. Cyber weapons are not decisive; cyber attack by itself will not win a conflict, particularly against a large and powerful opponent. It is striking that to date; no cyber “attack” that rises above the level of espionage or crime has been launched outside of a military conflict.
The last real nugget relates to cyberterrorism:
[Host state tolerance] provides a degree of constraint on support for cyber terrorism…The political environment in which the most advanced cybercriminals exist militates against them becoming mercenaries for many terrorist groups without the consent of their host….Even if we accept this political constraint on mercenary support for cyber terror, other trends suggests [sic] that terrorist use of advanced cyber weapons (if current trends remain unchanged) is inevitable…in less than a decade, perhaps much less, a terrorist group could enter the cybercrime black market and acquire the capabilities needed for a serious cyber attack.
This actually may be true. At present, and as I’ve mentioned here, there is basically no such thing as cyberterrorism. But that doesn’t mean that there won’t be in the future. I’d keep my eyes on outfits like the Russian Business Network. If terrorists or organized cybercriminals can achieve their aims more effectively with cyber, they’ll use it. It’s up to folks like us to keep the barriers to entry high.