Alexey Kuznetsov

May 27, 2024

How you know that "cyber warfare" is a bunch of BS

The chances are that you have read or heard some stories like this one from Google's CISO and other fantaseurs. You'd normally be fed some blend of fear, hope (good guys from the government will protect you) and some sort of self-congratulation for something or a more-than-subtle ask for money. Think-tanks love this subject (we'll discuss why).

Whether there is an ask for money or not, the motivation behind these posts from high-profile people is often rather simple. Idea number one here is, at a very minimum, to create some buzz, and when someone comes to you asking what we can do about these risks, you sell them Google Cloud or something like that. The longer-term play is to build an "influencer voice" while sitting in some good private sector job, then, when the time comes, join or create some think-tank which will then solicit money from your former big-tech employer and its competition to lobby the government for money or regulations which suit the bidders. Needless to say, if you can solicit a few dozen million from just a handful of big companies who will not even see this money affecting their bottom line, you can set yourself up for a very luxurious life without having to endure a lot of stress or responsibility, even if you fail to deliver any public policy influence at all.

What's not to like? AI people seem to be catching up to this, infosec people have been at it for a while.

Then there are always journos who'll amplify these story peddlers with articles like "Why the world needs a NATO for cyber warfare?". Then there are Senate hearings, oftentimes starting like an election campaign of some senator who's very concerned about "China challenging the US in cyberspace", whatever this even means.

Here's how you know that just about all of it is a bunch of nonsense.

Needless to say, the Internet is a scary place. There is a lot of software out there underpinning important moving parts of modern society. However, what these actors are trying to do is to scare you into believing that some bad guys are building some sort of lasting overwhelming advantage, or to sell you a bridge to building some sort of cyber warfare forces which will turn the tables in geopolitical struggles. And none of that is possible.

Here are a few simple reasons why:

1. Countries and companies around the world are constantly dealing with information security threats. Just about all of them. The idea that some government hackers can somehow make a huge difference in the big picture is naive. There are too few of them, they are probably underpaid and these are probably the least talented of the kind, otherwise they'd find out how to make more money in the "private sector". There are plenty of opportunities, including completely legal ones (bug bounties, offensive security jobs and more). There are also a bunch of illegal ones.

2. It's a rather plain field. Some people think that people from the government definitely have some sort of cache of exploits or access to backdoors, and because of that they just go and bring down some electrical grids in foreign countries when they feel like doing that. Here is a problem though: if you have access to such a backdoor or exploit, how can anyone prevent you from selling it on a black market and making in days the money which you'd otherwise make in 10 years sitting at the desk of some .gov office? There is a vibrant market out there: a zero-day RCE in Android might instantly land you million(s) of dollars. See prices here. And because of that, building some sort of strategic advantage in the area is incredibly difficult, if it is possible at all. Also, once an exploit is used over and over again, it eventually gets detected and the vulnerability gets fixed. You see, unlike a real weapon, which can be used completely in the open and remain effective, cyber warfare quickly ceases to be effective once someone goes on an offensive at scale.

3. The idea that there are some backdoors uniquely available to the government is not new, but imagine it's true and everyone believes it to be true. Immediately this means that governments which believe that they can end up on the receiving end of the attack will pursue (they do it anyway already) more aggressive sovereign standardization, certification and domestic technology routes, which will make it incredibly difficult to universally apply such backdoors against critical infrastructure. So unlike real warfare, the more such muscle is flexed, the weaker it becomes.

4. Cyber attacks are actually quite difficult to direct at specific targets. It's simply not about entering coordinates of something detected by a satellite. Sure, one can try, but the majority of successful attacks come from probing just about everything and eventually finding some sort of vulnerability somewhere, but not necessarily where you looked. For instance, a determined attacker will likely find some vulnerabilities, but they are more likely to be in a convenience store's computers than in Department of Defense computers. It's basically a game of numbers and of breaking through the weakest or even unlocked doors rather than a determined penetration into a pre-sighted target (often only seen in Hollywood hacker movies). Can it happen that some high-value target is purposely attacked and hacked? Yes, absolutely, but that hasn't been demonstrated to be a deciding factor in any conflict to date. Surely it has never been a predictable business where one can plan a certain amount of force to achieve certain goals; it is basically a crapshoot.

5. Due to the plausible deniability and relative impunity which state-sponsored attackers enjoy, if cyber warfare were so effective, it would be used by just about all players all the time to great effect. For instance, we have multiple serious conflicts in the world right now. Billions of dollars go to build weapons. It stands to reason that the US, in its constant pursuit of superiority, would go and show the "bad guys" how powerful it is. Yet nothing of note has happened. Do you think the US cyber actors would simply pass on an opportunity to damage some lucrative strategic infrastructure in, let's say, Russia these days? It seems, though, that they believe more in their ability to do so with ballistic missiles than with cyber warfare. But why, if a few government agents armed with a few exploits could, let's say, turn off Sberbank for a few days, or Russian railways? That would resonate! Will Russia nuke the US because no one can pay with their MIR card? No. So it's quite safe for the US to do that. The only problem is that they cannot do it and never could. If they could, they would, but since they can't, they won't. However, no one is about to admit it, and when asked, we'd likely hear about some unique far-fetched self-restraints which keep cyber warfare actors from "unleashing hell".

6. Finally, even if someone believes a self-restraint argument on the part of big players (they are keeping their ammo dry for 'the real thing'), one cannot deny that active parties involved in conflicts (Gaza, Iran, Israel, Ukraine, Russia, India, Pakistan) won't hesitate to exploit everything they possibly can for a "psyop effect". The argument that somehow China or the US can do real cyber warfare and, let's say, Ukraine or Russia cannot is basically a racial argument that these countries are hopelessly incapable of such warfare because of a lack of resources or knowledge. Interestingly enough, Chinese, Russian / Ukrainian and Indian are the most prevalent ethnicities in the IT sphere. What have we seen so far? Not much beyond some laughable episodes of local TV broadcasts in Ukraine replaced with Putin's New Year address and reciprocal responses by the other side. How one can be convinced that cyber warfare is real and that none of these folks can really do it is beyond me.

Where does it lead us? Well, I think it leads to the following conclusion. If we try taking cyber warfare as seriously as possible, it is an umbrella term for a few activities: signal intelligence, hooliganism and shit-posting on Twitter. It is not a suitable military discipline, as it cannot be relied upon to produce any results which are part of a military or political strategy. Sometimes some opportunities show up to do some harm to the other side of the conflict, but it's likely not the most promising area to invest time and effort in when working towards a political outcome. Basically it's a form of civilian game in which interested players can participate in the context of an interstate conflict. As for signal intelligence, it has existed for a long time; there is no need to use the outdated word 'cyber' to describe it.