At the dawn of the digital age, when cybersecurity became a top-level concern, predictions of catastrophic harm were common. The Economist in 2010 featured a mock-up Manhattan-type skyline suffering a 9/11-style atrocity under the headline ‘Cyber War: The Threat from the Internet’. US Defense Secretary Leon Panetta warned of a ‘Cyber Pearl Harbor’, one of many such warnings from world leaders.
Professor Ciaran Martin, Blavatnik School of Government
But while there have been many damaging events, these catastrophic predictions have not come to pass. In the course of a six-week period in 2017, reckless activity by North Korea (the WannaCry virus) and Russia (the NotPetya operation) caused north of $10 billion of economic harm and disrupted critical services all over the world; but the damage was not truly catastrophic. Official statistics in most developed countries tend not to attribute any fatalities to cyber attacks.
The Digital Security Equilibrium
Why is this? I attribute it to three different components:
1. By and large, we do not subcontract human safety entirely to computers.
Security and safety are not the same. Take aviation. Security can be poor – there have been multiple hacks, and many more accidental IT failures that have grounded fleets and caused chaos. But safety has a good 21st-century record.
In August 2023 there was a comprehensive failure of Britain’s Air Traffic Control system. It was hugely socially disruptive and economically damaging, with mass cancellations and diversions. But planes already in the air all landed safely, using backup communications and manual flying. No-one suffered so much as a nosebleed.
The same is true in railway systems: if signals fail, for whatever reason, trains should stop, rather than crash into each other.
So hackers can easily cause mayhem, but not mass casualties, in transportation. The same holds true of most sectors. (Healthcare, where network disruption can impact the scheduling of life-saving operations, is the glaring exception.)
2. Only a small number of highly capable actors have access to the most devastating tools
Carrying out high-impact cyber operations is extremely complicated. Young criminals acting alone can – and have – undertaken data and cash theft, and damaged networks. But highly sophisticated operations – think the Olympic Games/Stuxnet operation against the Iranian nuclear programme in 2010, or Russia’s sabotage of France’s TV5 Monde station in 2015 – take years of preparation. They require skilled people, top-of-the-range covert infrastructure, organisational strategy, and a slice of luck. Only serious cyber players have, to date, had the capability to undertake them.
This is a reason in itself as to why such attacks have been rare, but it also gives rise to an additional reason: the few in possession of the necessary capabilities are those who will be calculated about using them. For example, the US assesses that China has the capability to launch devastating attacks on US critical infrastructure, but the same assessment says these operations are unlikely outside a serious US/China escalation.
Just because China or Russia can hurt America domestically via cyber attacks doesn’t mean they will, any more than they would suddenly take on the US militarily without major consideration of the consequences.
3. The same tools that can be developed for malicious use can be developed to equal or greater good for our own security.
The final part of the equilibrium is a straightforward, continuous, attritional struggle for superiority between the use of capabilities for good and their use for ill.
Cyber operations rely on maths and engineering – they have no agency or moral compass of their own. Malicious code or vulnerabilities that are detected can be ameliorated, and it is common practice for the cyber security industry to release these fixes publicly so that everyone can defend against them. ‘Vulnerability scanning’, which scans swathes of the online world to work out which networks are patched – protected – against known weaknesses, and which aren’t, is undertaken by both malicious hackers and cyber defenders.
Of course, there are plenty of occasions where defences have ‘lost’. But there has never been a comprehensive superiority of offence over defence. In other words, it has been broadly in equilibrium.
AI and the Digital Security Equilibrium
Will this uneasy equilibrium hold in the age of AI? It is, of course, too early to tell, but there are some pointers on each of the three pillars:
1. By and large, we do not subcontract human safety entirely to computers.
Preserving this aspect of the equilibrium is a straightforward choice. It is up to us. And so far, the signs are encouraging.
Again, transportation provides a good example. A decade ago, predictions abounded that by now there would be no drivers on any public highways. That is transparently not yet the case. Societies are taking time to undertake the extensive and detailed technical and communications work to gain expert and public confidence.
2. Only a small number of highly capable actors have access to the most devastating tools
This is the most worrying and fraying part of the equilibrium. AI does not create magical new weapons, but it significantly enhances the quality of some malicious capabilities. It also reduces the cost and difficulty of generating attacks.
The geopolitical calculation that the likes of China, Iran and Russia will make before being overtly and overly aggressive in the use of potent cyber capabilities is unlikely to extend to newer actors. Non-state terrorist groups with nihilistic tendencies have long craved powerful cyber capabilities but have never been able to acquire them. That may change.
3. The same tools that can be developed for malicious use can be developed to equal or greater good for our own security.
The concern above means it is essential that this final aspect of the equilibrium holds. There is no automatic reason why cyber defenders should lose the capability arms race, but cyber security innovators working in free societies must keep up with or outpace those who wish to misuse the new technologies.
That is why it’s important for governments to retain highly specialised in-house capabilities in their security agencies, and why it is imperative that the West’s private sector cyber security industry continues to thrive.
Conclusion
The Digital Security Equilibrium is a useful concept if we wish to understand why cyberspace has remained a place of harm and contestation, but not catastrophe, to date. It can remain that way, but it requires a sustained effort and smart policymaking over many years. And for now, the most worrying part is the growing accessibility of potent cyber capabilities to new actors.
Read an extended version of this article on the Blavatnik School of Government website.