Lawfare Research Paper Series

An Addendum from Nathan Myhrvold on Cyber

By Benjamin Wittes
Saturday, July 6, 2013, 12:14 PM

Nathan Myhrvold writes in with the following addendum to his paper, "Strategic Terrorism: A Call to Action," which we published the other day:

In the days since Ben posted my paper, I've been asked a fair bit why my treatment of strategic terrorism does not mention cyber terrorism, or other forms of cyber-attack. It's a fair question, to which there are several answers:

First, the world seems to already be focused on cyber operations---by which I mean cyber terrorism, warfare, espionage and other national security level activities.  I don’t need to write a long call to action---events are making the point more clearly than I could. Indeed, one of the points in the essay is that, as a nation, the US tends to respond well to repeated challenges over a period of time that prevent us from becoming complacent.  My concern about strategic terrorism is that it may produce infrequent, but extremely serious, attacks. Those are intrinsically hard to prepare for, as the essay discusses in detail. Conversely, the world of cyber operations is exploding at the moment, so we won’t have any lack of new incidents to spur us to action. In that sphere of activity, we will be doggedly pursued by all manner of actors, at every scale, from everyday password phishing and credit card fraud to elaborate attacks done by nation states. This constant stream of provocations will give us ample reason to take the area seriously, and rise to the challenges it represents.

Second, cyber operations are a means to an end, and that end is generally not causing a million deaths. While it is surely possible to kill people with cyber terror, it is difficult to kill anywhere near as many people with a cyber attack as with a nuclear or biological attack. To the degree that cyber terror could be a means to strategic levels of death and destruction, then by all means it should be included as a means to perpetrate strategic terrorism. One could also argue that a sufficiently high level of economic impact could be called “strategic.” For example, if you zeroed out every bank balance in the US, it would be harmful enough to the economy that one might consider that a strategic threat. I believe that these issues must be considered as part of strategic terrorism, but they are exceptions in the context of the overall cyber security problem. Cyber terrorism is, at the moment at least, primarily a tactical problem. That doesn’t mean it is unimportant, but one of the themes of the essay is that one must separate strategic and tactical threats.    

Third, cyber operations occur in cyberspace---a very different territory than other sorts of terrorism. It will require law enforcement, intelligence and military agencies to develop new skills and capabilities. These will become standard tools that are used at every level of law enforcement. As an example from popular culture, virtually every cop show on TV features a nerd cop who helps solve the crime with a dizzying array of cyber tools (if only it worked that way in real life!). That is a fictional representation of the fact that cyber skills will be incredibly important for all law enforcement, intelligence and military operations in the future. It will doubtless also be important as a topic unto itself. But that doesn’t make for the same problem as we have with strategic terrorism---at least for me. It’s a bit like asking if you should be more worried about cancer or heart disease. Statistically they both kill a lot of people, so as a society we need doctors in both areas. But they are usually different doctors, because the skills and methods necessary to address the problems are so different that specialization makes sense.

Fourth and finally, the essay was plenty long enough without adding more to it! I have thoughts about cyber, but they’ll have to wait for another day.