Prof. Jon Lindsay, digital media and global affairs, University of Toronto, examined the implications of cybersecurity threats for the stability of international world order in a lecture last week.
While acknowledging that states will find it difficult to maintain cybersecurity in an increasingly porous cyberspace, Lindsay began by asserting that the threat to essential state infrastructures cyber-experts perceive is exaggerated.
“Deception [using cyber security] on a large scale are very rare, because you need to manage all the information channels … these kinds of large scale gambits are more likely to fail,” he explained. “When we focus on the low end of the attacks, we do see a great deal … But when we look at the most worrisome scenarios, cyber 9/11, digital pearl harbor, we see strategic disincentives and operational barriers in actually getting something done.”
Exclusively considering the technological weaknesses of state infrastructure leads to an over-evaluation of cyber-threat, according to Lindsay. He advocated a more nuanced approach to cybersecurity, one which considers “technological plausibility along with political utility.”
“It’s not enough to say, ‘Given the present infrastructure with these vulnerabilities, X might happen.’ That’s the realm of technological plausibility,” he said. “You need to be able to take that plausibility and be able to weaponize it. There’s got to be a story of what kind of political or economic gain is going to be realized from that particular attack.”
Lindsay cited the attribution of cyberattacks to highlight the importance of considering technology and politics side by side. While it can be difficult to determine who is responsible for a cyber-attack, he said technological vulnerability does not translate into political weakness, because attacks do not necessarily threaten the most critical government infrastructure.
“Ironically, while attribution is difficult in the low end, where people are not motivated to work through vast number of potential attackers, at the high end there is a limited number of perpetrators and more motivation on the political side to do it,” he said. “And if attribution is feasible, so is deterrence.”
Furthermore, Lindsay said an interdisciplinary approach to cybersecurity creates a paradox — the current international order, which disincentivizes the use of military force, has encouraged states to instead wage low intensity, high frequency conflicts in cyberspace. In other words, the historical stability and peacefulness of the current international order can be said to have contributed to the proliferation of cyber attacks.
“The increasing perplexity and danger of the cyber domain is happening in a world … that is becoming less dangerous, where war is less likely,” he said. “The half empty glass part is, yes, cyber security is dangerous. It is going to be a problem difficult to solve. But the half full part is, it’s predicated on things going pretty well on a civilizational time scale. We got conflict looking more complex but not necessarily more dangerous.”
Several audience members pointed out that cyber attacks may end up undermining the stability and peacefulness of the world that created it.
“I asked whether [Lindsay’s] conception on stability at the nuclear level, and the instability at the cyber level is distinct, or if the line between cyber and nuclear escalation is more blurry,” said Debak Das grad, who studies government. “Escalation on the cyber level, could in fact lead to the nuclear stage, which is what the current Pentagon cyber doctrine, from 2013, suggests”
Naomi Egels grad added that public opinion could potentially drive such escalation.
“I think [Lindsay] and I agree disagree on this point, but from where I was sitting during the SONY attacks, there was serious pressure on public leaders to act,” Egels said. “The public may pressure the U.S. government to act in a way that is escalatory.”
The lecture was hosted by the Cybersecurity Working Group of the Mario Einaudi Center for International Studies.