One of the more popular case areas this year deals with cybersecurity. The plans vary, but largely focus on one of three things: securing networks against foreign attack; deterring attacks on the networks of Western countries through threats of retaliation; and using offensive measures to probe (at a minimum) the networks of other countries and (potentially) disable their cyber weapons.
The basic plans will be discussed in other essays. For now, we discuss debating the various risks of cyber attacks.
The basic idea behind the case is that the US and its Western allies are vulnerable to cyber attacks and that failure to prevent those attacks could lead to significant societal disruptions and escalate to kinetic (physical) warfare, including the use of nuclear weapons.
Types of Attacks
The basic affirmative claim is that malicious foreign actors, be they government or terrorist groups, will engage in one of three types of attacks on Western countries (the US, Western Europe, and/or East Asian allies such as Japan and South Korea). The attacks generally involve penetrating a country’s computer systems and engaging in illicit activity.
Disabling attacks. Disabling attacks are aimed at shutting down particular entities. The common example is that a country or terrorist group may shut down part of a country’s electrical power grid or any industry, threatening the economy. The operability of a country’s military forces, including space forces, could also be targeted. They could also destroy the world’s global food supply and engage in criminal activity.
(Re)directed attacks. Redirected attacks consist of using computers to engage in an activity that causes harm. For example, in an attempted attack in Florida, computer systems were directed to pump dangerous levels of fluoride into a country’s water supply, threatening the health of those consuming the water.
Espionage. Espionage simply involves penetrating computer networks to steal defense and industry secrets for military and economic advantage.
Information warfare. Information warfare simply consists of trying to persuade another country’s population of the correctness of the cause. For example, it might involve China convincing people in the US that it has a legitimate claim to Taiwan or it might involve Putin convincing people in Europe that the invasion of the Ukraine is justified. If that information warfare is accomplished by illegally posting information on networks, then it involves questions of cybersecurity. Countries could, of course, simply post information favorable to their cause on US networks legally. In this instance, it would be less a question of cybersecurity and more generally one of information warfare. There are separate camp cases on this and it arguably needs to be addressed separately from cybersecurity, including by having the US adopt its own information warfare campaigns.
While it will be tempting for teams to focus arguments on Russia since the topic is about NATO and the original purpose of NATO is to provide security vis-à-vis Russia, cooperating with NATO will lead to tools that will improve cyber security overall and will strengthen defenses against any actors.
In July of 2022, the Council on Foreign Relations published a report indicating that these threats are increasing, that norms and arms control agreements will not limit them and that automated cyber attacks will break defenses.
Although Russia has not engaged in significant cyber attacks in the Ukraine yet, they arguably may choose to use more in the future. The continued sanctions could increase the risk. So could failure in the war. Karadeglija (July 22) argues the significance of current attacks is underreported. Konkel (June 22) reports that Russia has already engaged in attacks against 42 countries.
Cyber threats are arguably growing globally and are probably underreported.
Significant attacks that result in major disruption could trigger kinetic warfare and even result in nuclear escalation. Healy (January 22) reaches a similar conclusion. See also: Dumbacher, Levite, Klare, Dongxiao, Whyte, Scheider, Kello
Responding to Basic Defense
Although countries have begun to construct basic cyber defenses, these could be overwhelmed by automated cyber attacks.
Some will argue Russian cyber attacks have been limited, but Russia arguably has chosen not to engage in significant attacks so far.
Others will argue that cyber attackers lack the means to attack, but that ability is becoming more apparent.
Norms and arms control agreements have failed to prevent attacks.
Even though many defensive measures have been put in place to protect nuclear weapons, including “air gapping,” those measures have severe limitations.
Conventional deterrence and threats of retaliation fail because we can’t always determine who committed the attack.
Many measures have been adopted to increase cyber security, but more needs to be done.
While the negative will never be able to reduce the risks of cyber attacks to zero, there are a number of arguments that can be made to substantially reduce the risk.
Status quo measures. Companies have been doing a lot to strengthen cyber security on their own.
The risk is low. All existing cyber attacks have been small and there is limited risk of escalation.
The impact is small. Cyber conflict impacts are trivial and no significant attacks have been launched. Why? Probably because such attacks have limited utility and countries fear retaliation. Even the fear of retaliation will prevent attacks. See also: Kirkpatrick; Gomez; Valeriano; Dyer; Kirkpatrick.
Russia. Despite claims about Russia’s “amazing” cyberwarfare capabilities, Russia has not enjoyed any cyber warfare advantage in the Ukraine. Russia has not significantly disabled any important parts of Ukraine’s internet or connected entities, arguably because Russia needs it and the information supplied through it to conduct the war. Generally, it has not engaged in any meaningful cyber attacks. The attacks it has launched have failed.
Cyberwarfare isn’t the best approach. If countries really wanted to destroy each other’s power grids, they could do so with regular kinetic weapons.
No escalation. While there are always cyber conflicts, the risk of escalation is low. There really hasn’t even been any other tangible impact. See also: Schulze.
Nuclear systems (Nuclear Command, Control, and Communications (NC3)). The problem with this impact is that it is very difficult to penetrate the US nuclear weapons security system and many US nuclear weapons are disconnected from the internet, which makes it impossible to hack the nukes.
Cybercrime. Cyber criminals are just too weak to penetrate the networks.
Election hacking. Election hacking doesn’t really disrupt elections.
It is hard to generate offense against cyber security advantages, but there are two arguments you can choose from.
War causes cyber attacks. Cyberwarfare, at least that with a large impact, is unlikely unless two countries are actually at war. If the negative wins that the plan causes a war, cyberwarfare becomes substantially more likely.
Maness & Valeriano, 2015, Ryan C. Maness, Northeastern University, Department of Political Science, Brandon Valeriano, University of Glasgow, Cyber War versus Cyber Realities: Cyber Conflict in the International System, Kindle Edition, page number at end of card
This leads to another issue that we raise throughout this volume: the need for the settlement of the root causes of conflict. Cyber conflicts are not disconnected from the normal international relations policy sphere. International cyber operations are directly connected to the long history of interactions between states. Traditional security rivals extend to cyberspace. Ignoring this process misses the root causes of cyber conflicts and instead commits the error of focusing on the tactic rather than the fundamental issues of disagreement between states. Valeriano, Brandon; Maness, Ryan C. (2015-04-27). Cyber War versus Cyber Realities: Cyber Conflict in the International System (p. 210). Oxford University Press. Kindle Edition.
Cyber conflict is an alternative to war. It is arguably better for countries to attack with cyber weapons than weapons that kill. Cyberwarfare has relatively trivial impacts compared to conventional warfare.
There are a number of basic counterplans that focus on self-restraint, developing norms and potentially entering into some agreements with other countries to lessen the risk.
Council on Foreign Relations Task Force Report, July 2022, Confronting Reality in Cyberspace, https://www.cfr.org/report/confronting-reality-in-cyberspace/download/pdf/2022-07/CFR_TFR80_Cyberspace_Full_SinglePages_06212022_Final.pdf
Norms are difficult to perpetuate and easily abandoned. Nonetheless, as this American-driven coalition develops, Washington and its partners should declare a set of norms that they will allow to constrain their cyber operations. The United States should also discuss a set of understandings with potential adversaries, China and Russia in particular. These restraints are motivated in part by self-interest, as they could help prevent unintended and catastrophic outcomes. U.S. policymakers should, however, make clear that this self-restraint will guide U.S. operations above the threshold for the use of force or armed attack, and that for operations below the threshold, the United States will continue to adopt a more proactive, initiative-seizing posture. After consultation with allies and friends, Washington should announce an initial set of standards for self-restraint in cyberspace. Along with repeating commitments to abide by international law—including international humanitarian law and the laws of armed conflict—officials should state that the United States will refrain from destructive attacks on election infrastructure and the international financial system. Across the world, more countries are relying on digital infrastructure to manage elections. During the 2016 election, according to U.S. intelligence reports, the Russian government directed cyber activity targeted at state election infrastructure, though there was no evidence that any votes were changed. Scanning election infrastructure was the most widespread activity, and Russian hackers successfully gained access to and removed data from infrastructure in two states. Russian operators also conducted operations against a widely used vendor of election systems. In January 2017, the U.S. Department of Homeland Security designated election systems as critical infrastructure, bringing them under the protection of the federal government.[107] The United States and its partners should promote a norm regarding disruptive attacks against election infrastructure, banning efforts to disrupt voter registration, voting machines, vote counting, and election announcements. It should work with coalition partners to prevent, mitigate, and, when necessary, respond to destructive attacks on election infrastructure. The global financial system is highly interconnected and depends on trust. Cyber operations directed at the integrity of any one part of the system could cascade into others, threatening the entire system and international stability. Washington should declare that it will not conduct operations against the integrity of the data of financial institutions and the availability of critical financial systems.[108] Given that norms exert a weak limit on state actions in cyberspace, the United States and its partners should be prepared for their violation by increasing the resilience and redundancy of these critical systems. Financial institutions should regularly run exercises to restore the integrity of data after a cyberattack. The declaration of these norms, however, signals that these types of attacks will be considered off limits and mobilize coalition partners quickly to respond if the norm is violated. Although bilateral and multilateral discussion on norms have so far been of limited use, the United States has a strong shared interest in working with potential adversaries to prevent cyberattacks from worsening or creating a nuclear crisis. During a conventional conflict, states could be tempted to use cyberattacks to try to neutralize nuclear threats. These actions, however, would be highly destabilizing.
Cyberattacks on NC3 systems could lead to incentives for states to launch nuclear weapons preemptively if they feared that they could lose their second-strike capability. Intelligence gathering could be interpreted by the defender as efforts to degrade nuclear capabilities. Cyberattacks on nuclear systems could produce false warnings or miscalculations, interfere with communications or access to information vital to decisions about the use of nuclear weapons, and increase the risk of unauthorized use of a weapon.[109] Cyberattacks on space assets involved in command and control would be equally destabilizing because of their close connections to assured second-strike capabilities. These risks are rising as modern NC3 systems come to depend more heavily on digital infrastructure. In a 2020 report, the Nuclear Threat Initiative found that “almost 9 out of 10 planned nuclear modernization programs involve at least some new digital components or upgrades.”[110] The United States should enter into discussions with China and Russia about limiting all types of cyber operations against NC3 systems on land and in space. In addition, participants in these discussions should commit to separating conventional from nuclear command and control systems as much as possible. Given that a cyber intrusion designed for espionage could look identical to an offensive operation, all sides have a strong interest in prohibiting all types of operations to prevent miscalculation that could lead to a nuclear strike. In the wake of the Russian invasion of Ukraine and the growing geopolitical competition between the United States and China, the spaces for cooperation between Washington and Moscow and Washington and Beijing are extremely narrow. Declarations of self-restraint can function as confidence-building measures, perhaps bridging the trust gap. However, previous instances of cooperation in cyberspace—the 2015 U.S.-China cyber espionage agreement or the joint Russian-U.S. investigations of online credit card theft in the mid-1990s—coincided with more amicable periods in the larger bilateral relationship.[111] U.S. policymakers should make clear that they are entering discussions with their Chinese and Russian counterparts because understandings on cyber operations and nuclear command and control are a shared interest among the three powers in preventing catastrophic outcomes. U.S. policymakers should also be prepared to fail in bilateral negotiations and to continue unilateral measures of risk reduction. These include making NC3 structures less subject to incidental cyberattacks and more resilient if they are attacked, as well as preparing NC3 systems for information warfare and the authentication of good information. Policymakers will also need to ensure that the internal processes to decide whether to proceed with a potentially escalatory cyber operation are robust enough to clearly weigh the strategic risks against the intelligence and military benefits.