I used to fear that America faced a "digital Pearl Harbor." I didn't think that senior American defense officials were exaggerating the threat. Now I do.
The most comprehensive set of arguments on this comes in an article by Professor Eric Gartzke of UC San Diego. It's temporarily available, free of the normal paywall, from International Security. Like King's College London Professor Thomas Rid, Gartzke argues that cyber operations are unlikely to be violent by themselves and thus not likely to be widely accepted as an act of war. Cyber effects are temporary and less likely to be decisive in a conflict, he argues. Gartzke also believes that cyber attacks are most likely to be used, if at all, in conjunction with kinetic military attacks. Thus they are most likely to be a tool of the militarily strong, not the weak.
What this means for the United States is that we need resilience in the case of cyber attacks, and should be doing everything possible to secure our critical infrastructure. In fact, however, our military seems to be
resources into offensive cyber operations and neglecting the more
important challenge of cyber defenses.
That was certainly the take David Sanger took the
other day when reporting the release of a new congressionally mandated
review of intelligence community R&D efforts. Here's a link to the
commission's unclassified report.
The U.S. military has a long history of preferring offense to defense, of wanting to match a presumed enemy's offensive capabilities before it concentrates on defenses against them. That's a part of military culture that's helpful in some cases, but quite risky in others, including cyber operations.
I see that Henry Farrell of The Monkey Cage has a similar discussion of Gartzke's paper.