May 24, 2018

Cyber Détente Part I: A Security Dilemma?

Late last year the Obama administration reopened talks with Russia over the militarization of cyberspace and assented to cybersecurity discussion in the United Nations First Committee (Disarmament and National Security). My intention in this three-part series is to probe Russian and American foreign policy on cyberwarfare and advance the thesis that the Russians are negotiating for specific strategic or diplomatic gains, while the Americans are primarily procedurally invested owing to the “reset” in Russian relations and changing perceptions of cyberwarfare.

This first post rebuts the Russians’ purported rationale for talks: avoiding a security dilemma.

——————————

The Russians seek a cyberwarfare arms control instrument ostensibly to avoid a security dilemma and arms race, in the vein of past arrangements for nuclear weapons (i.e. SALT I/II, START I/II, and SORT) and anti-ballistic missile technology (ABM), among others. This basis for negotiations does not withstand scrutiny.

A security dilemma may arise where a state has the opportunity to develop a game-changing new weapons system, even if for purely defensive purposes. For fear of strategic disadvantage other powers may elect to develop the weapon – an arms race – resulting in none gaining a strategic advantage and all bearing a significant cost. Alternatively, technologically incapable of matching or unable to afford the development, other states may take destabilizing offensive steps. Arms control treaties resolve this form of security dilemma by committing states to not developing certain weapons.

Cyberwarfare lacks necessary elements of a security dilemma. First and foremost, cyberwarfare capabilities defy quantifiability. Consider the Cold War nuclear arms race, for example, and the strategic fixation on differences in the number and type of nuclear warheads and delivery systems (the “missile gap”). In the absence of such a metric the two powers have no means of calibrating their activities, and there is no persistent pressure to match or surpass some specific capability the other side maintains.

Intelligence might give each power a rough indication of the other’s cyberwarfare capabilities, but it will be harder to come by than for other military operations. Unlike with other weapons systems, cyberwarfare does not require special installations or resources. There are no centrifuge sites to inspect or uranium shipments to track – just talented programmers and generic computer hardware.

A related issue is that a successful arms control agreement on cyberwarfare would require monitoring and enforcement provisions (“trust but verify”). But as discussed above intelligence on cyberwar capabilities will be harder to come by than for other weapons systems. The Biological Weapons Convention is illustrative of how ineffective an arms control treaty may be without effective monitoring: until a 1989 defection the West was unaware of the scope of Russia’s secret biological weapons program.

Supposing, arguendo, that cyberwarfare capabilities did form an avoidable security dilemma, the negative results that make a security dilemma worth avoiding – excessive expenditures and destabilization – do not arise.

Cyberwarfare is cheap. Developing the F-22 aircraft, for example, cost roughly $65 billion; the annual Air Force cyberspace budget, on the other hand, appears in the low billions and consists primarily of personnel and basing expenditures (Strategic Command Press Release; FY2010 budget).

As for destabilization, there is minimal marginal strategic gain from cyberwarfare capabilities. In the Cold War nuclear arms race there was a perception that if the other side achieved even a slight advantage the bipolar strategic equilibrium would collapse. Cyberwarfare is neither perceived to be – nor is it, in actuality – so effective on the margin. While specific capabilities are not public, it is difficult to imagine cyberattacks will be consistently more effective than conventional strikes. Moreover, given the United States’ enormous strategic advantages in the whole, even significant marginal strategic gains would do little to tip the balance of power to Russia.

Having deconstructed the alleged Russian rationale for talks, the next post in this series will explore alternate viable Russian rationales.

Comments

  1. “the negative results that make a security dilemma worth avoiding….do not arise”

    It’s easy to say that something as virtual as cybersecurity can’t have alot of physical impact, but consider if a country’s power grid or nuclear reactors were hacked into. A huge part of a developed country’s infrastructure is susceptible to cyberwarfare.

    http://www.thaindian.com/newsportal/world-news/chinese-and-russian-cyber-spies-hack-us-power-grid_100176886.html

  2. Agree with Stan that cyber attacks are capable of mass disruption and possibly destruction under the right circumstances. I think Jonathan’s point is that these types of attacks are very rare. However, its worth pointing out that use of nuclear weapons is pretty rare too. Use of conventional weapons (e.g. heavy munitions) outside of declared war is also pretty rare too.

    In my opinion, we are witnessing the dawn of a new era and its difficult to say with certainty what the future holds in regards to cyber warfare.