When the internet was created 40 years ago, this small community was like a virtual village of people who knew each other, and they designed a system with little attention to security. Until recently, the issue of cyber security was the domain of computer specialists. But in the last decade and a half, the commercial web has created a burgeoning interdependence with great economic opportunities and national security vulnerabilities.
The cyber domain is unique in that low barriers to entry contribute to the diffusion of power. It is cheaper and quicker to send signals through cyberspace around the globe than move large ships across oceans.
The costs of developing multiple-carrier task forces and submarine fleets create enormous barriers to entry and make it possible to speak of NATO’s naval dominance. In contrast, the barriers to entry in the cyber domain are so low that non-state actors and small states can play significant roles at relatively little cost.
While a few states, like the United States, Russia, Britain, France, and China, have a greater capacity than others, it makes little sense to speak of dominance in cyberspace as in the case of naval or air power. If anything, dependence on complex cyber systems for support of military and economic activities creates new vulnerabilities in large states – ones that can be exploited by other states and non-state actors.
If one treats most amateur hacktivism as mostly a nuisance, there are four major categories of cyber threats to national security, each with a different time horizon and with different (in principle) solutions: cyber war and economic espionage are largely associated with states, and cyber crime and cyber terrorism are mostly associated with non-state actors.
At present, the highest costs come from espionage and crime, but over the next decade or so, war and terrorism may become greater threats. Moreover, as alliances and tactics evolve among different actors, the categories may increasingly overlap.
Looking ahead, as other states develop their capacities for cyber attack on critical infrastructures and are able to deprive NATO military forces of their information advantages, the costs to our hard power could be significant. And as terrorist groups wishing to wreak havoc develop their capacity to do so, their actions could impose dramatic costs as well.
The cyber domain is both new and volatile, and the threats to security are bound to evolve. As I argue in 'The Future of Power', the characteristics of cyberspace reduce some of the power differentials among actors, and thus provide a good example of the diffusion of power that typifies global politics in this century. But the diffusion of power does not mean equality of power or the replacement of governments as the most powerful actors in world politics. The United States, for example, has greater vulnerabilities, but also greater capabilities for exploiting the vulnerabilities of other states.
Security experts wrestling with cyber issues are now at about the same stage in understanding the full implications of this new technology as nuclear experts were in the early years after the first nuclear explosions.
At some point, but not soon, states may progress far enough along a learning curve to design cooperative measures that limit such threats from non-state actors. But we are still a long way from such norms.