The Hacker and the State offers an accessible yet comprehensive history of cyber conflict. By 2010, America’s adversaries acquired tools and talent to attack and pilfer digitized information—a reality that Reagan’s White House anticipated back in September 1984, two years before the 1986 infiltration of the Pentagon by the KGB-sponsored “Cuckoo’s Egg”—though cyber remained a subordinate domain till Sec. Robert Gates created Cyber Command in 2009.
The book’s core premise holds that “[t]he chaotic arena of cyber operations that this book portrays is not what scholars and military planners had long imagined.” Though planners predicted “a kind of digital equivalent to nuclear war: devastating but rare,” the modern world is instead plagued with “low-grade yet persistent” operations by hostile actors. As early as 1999, when Dep. Sec. of Defense Hamre declared “we’re in the middle of a cyberwar,” events attest to Buchanan’s recounting.
The death of distance makes daily life vulnerable to spies and criminals alike. Assailants in the past could never have dreamt of constant access to targets without the internet. But today, networked computing and constant connectivity broaden the range of possible targets and extend their vulnerability across time, as devices tend to be mutually and continuously online. This dynamic disfavors defense as hackers see devices not only as potential targets but also as vectors through which to attack other devices.
While the book excels at explaining how cyber attacks have become ever more prevalent, its prescriptions for how to respond are less compelling.
The main constriction Buchanan places on cyber centers on how ill-suited this form of combat is to signaling a state’s broader posture and objectives: “[W]hile cyber capabilities are increasingly versatile tools for shaping geopolitics and seizing the advantage, they are comparatively ill-suited for signaling a State’s positions and intentions,” as cyber operations “lack calibration, credibility, and clarity.”
Yet the book’s recapitulation of cyber operations against Iran, a marquee policy under Bush and Obama, does not fit this description. These operations worked well in buttressing American signaling of interests and resolve. Cyber operations are by definition calibrated “to the specifications of the systems” a government wants to attack. Secondly, credibility and clarity are easily inferable from past performance. For instance, the anonymous and covert deployment of Wiper, a virus tailored to Iranian petroleum operations shortly after Stuxnet, prompted a spokesman for Khamenei to publicly claim that Western powers conducted the operation to covertly constrict production of Iranian oil in tandem with overt sanctions that targeted its consumption. That assessment, however paranoid, was correct. Moreover, Iranian recognition of this did not stop their government from signing the JCPOA, which was the West’s aim.
Secondly, Buchanan is also mistaken that a lack of visibility on the part of the attacker is a major obstacle to signaling in cyber operations. In reality, many examples of cyber warfare meet this need. Brinksmanship defines “the art of modern statecraft” for Buchanan. It’s easy to imagine an American President advising an adversarial leader to concede some policy objective to avoid an internet-connected service or device being disrupted or taken offline (ideally one that directly relates to the objective), when the target is known to be imminently vulnerable to attack or has already been successfully attacked (such that the attack can be discontinued or drawn down).
The book’s detraction from signaling via cyber is more defensible yet difficult to rebut definitively since the nature of signaling is per se variable. It is “always easier to send signals than it is to interpret them.” While the vagaries of diplomacy are real, signaling via cyber can cut through the noise.
For example, if nation A consistently violates the Exclusive Economic Zone (EEZ) of nation B, reaping unjust economic gain and causing ecological damage with an armada of fishing boats, would it not send a clear message if nation C covertly interfered with the fleet’s navigation at sea or refueling in port in tandem with diplomatic overtures with nation A vis-à-vis nation B? Even the most hard-headed Wolf Warrior would get the message. This demonstration would attest to nation C’s commitment to the law of the sea and the integrity of EEZs, especially nation B’s. The same operation could, at the invitation of nation B, be done overtly to counter via cyber what might not be preventable by nation B’s navy.
Buchanan also provides a real example that undercuts this aspect of his thesis. Intrusion Truth, an anonymous group of hackers, published the tools and methods of Chinese state-backed hackers and announced “We are directly challenging this illegal and unfair activity by exposing those responsible, naming the hackers themselves and identifying the agencies that hide behind them.” This maneuver combines excellent infiltration with the clear signaling of a démarche.
Thirdly, the book makes an unsound generalization when it asserts “cyber operations are poor for signaling [as they] do not lend themselves to predictable and easily calibrated force.” Cyber operations target a particular set of devices in a defined area running given programming for a certain period of time. This means a mission’s parameters are predictable and yield as much force as the coders are instructed to inflict. While some actors may make an indiscriminately infectious virus, that does not preclude precise targeting from more scrupulous technicians. One White House official remarked that Stuxnet, one of the most powerful cyber campaigns yet in terms of physical damage and political effect, had so many built-in self-restraints that it “looked like a team of Washington lawyers wrote the code.”
Buchanan argues that “conventional tools of statecraft are much better at inflicting carefully chosen amounts of harm.” Events have overtaken this contention: In 2021, a group of hackers known as Predatory Sparrow advised ambulance drivers to fill up their vehicles’ tanks while they still could; not long thereafter, Iran’s gas stations would not recognize the Iranian government-issued coupon necessary for subsidized fuel. While this operation’s signaling is fuzzy beyond demonstrating cyber dominance and desire for regime change, the restraint shown by the hackers demonstrates a high level of calibrated harm. The hackers could have disabled any number of gas stations by blocking all transactions—which would ruin any economy and threaten mass harm in the affected areas—but instead opted to merely block the subsidy card so access to fuel became more expensive and inconvenient.
The book’s final reservation on cyber signaling hinges not just on the clarity of one’s signal, but on the “credible commitment” that underlies it, which requires determination to meet it and a demonstrated capacity to effectuate it. This claim does not cohere with Buchanan’s understanding of cyber conflict as a daily “digital melee” that forms a fundamental element for geopolitical standing and success, such that “hackers reshape the world,” since fighting this melee signals consistent commitment to an unending battle.
Recognition of the continual and iterative nature of cyber conflict impelled a shift in strategy in 2018 to favor proactive action rather than reliance on defense. Buchanan wrongly characterizes this shift in emphasis as “aggressive,” as aggression denotes attack, whereas the logic of persistent engagement in the 2018 NCS is rooted in the imposition of “consequences” like negating unlawful gain.
The Bible charges us to be “shrewd as serpents and innocent as doves.” In the cyber realm, this duty obliges policymakers to protect our most immediate neighbors, our fellow citizens, and their data first. Such an approach also demands that the United States be ruthless yet prudent in its pursuit of reciprocity and protection, and that it aim to narrow the confines of what targets are acceptable for civilized nations to hack during peacetime.
To achieve this mission, the United States will need not mere cooperation from Silicon Valley, but loyalty. The US ought to remind Silicon Valley that they are American companies with a global presence, not cosmopolitan firms based in North America, and their existence stems from investment made by American taxpayers into ARPANET, the first draft of the internet. Silicon Valley is disloyal in that it only cooperates when it must and betrays the US when convenient (e.g., according to a Reuters report, Amazon facilitated access to technology that certain Chinese firms are prohibited from; since 2023, Nvidia has been in a cat-and-mouse game with US export controls on chips that not only aid China, but also its partners, Russia and North Korea). They must be made to render unto Caesar; that is, American firms ought to see service to American citizens—their civic duty, something more than mere reciprocation for State protection—as prerequisite and complementary to their fiduciary duty to shareholders.