How Dangerous Are Cyberattacks?

Any time tensions flare up across the world, there are alarming reports about our adversaries’ cyber capabilities.

 

For example, as Iran and the U.S. increasingly spar in the Middle East with drone strikes and missile salvos, the threat of cyber attacks tipping the crisis into full on war is an ongoing concern. 

 

After all, Iran has a history of using cyberattacks against financial systems, oil companies, and key infrastructure. And the U.S. is credited with creating the Stuxnet worm, one of the only known cyber attacks that caused actual physical damage. It caused Iranian centrifuges to spin out of control, temporarily halting Iranian nuclear enrichment.

 

Iran and the United States have engaged in cyberattacks against one another in the past and will continue to do so in the future.

 

But does that mean that these cyber attacks will escalate into a conventional war?

 

Fortunately, cyberattacks operate differently than conventional attacks. Here’s what you need to know.

 

The destructive effects of cyberattacks are nowhere near as violent as conventional warfare, like airstrikes or missile attacks.

 

So far, cyberattacks have not led to immediate and extensive casualties - civilian or military. It turns out that it is hard to use cyberattacks to achieve any physical consequences, much less serious physical harm.

 

Even Iran’s most successful cyberattack, when it erased data from the world’s largest oil company, had limited impact on oil prices or global oil supply.

 

My own research finds that cyberattacks create a threshold that restrains escalation. Americans are significantly less likely to support retaliation against a cyberattack, even if it causes as much financial damage as an airstrike.

 

The damage that cyberattacks can do is subtler and more long-term than say, a missile strike. Russia has used its cyber-capabilities to increase distrust in institutions like our elections and the media, for example.

 

They can also be used as part of asymmetric warfare to complement conventional operations. Daily attacks and probes can be an irritant and a distraction, drawing attention and resources away from more serious challenges.

 

The question is how should the United States deal with the threat of cyberattack?

 

Deterrence is unlikely to work for all but the most significant cyber attacks. Cyber operations themselves can’t really deter other attacks—whether in cyberspace or other more conventional domains of warfare. Why is this?

 

For deterrence to work, there have to be clearly communicated consequences. But virtual attacks often aren’t tangible or permanent. And since they are covert, they are less likely to deter precisely because they are unknown.

 

The good news is that the United States is finding better methods to deal with long-term cyber-threats. Instead of trying to deter most cyber attacks, the Department of Defense has shifted its efforts to pre-emptively degrading the cyber-capabilities of our adversaries.

 

But there is more to do. The government must work with the private sector to share information about existing threats. And due to the nature of cyberattacks, the public must be better educated when they are exposed to foreign influence.

 

Cyberattacks are not likely to have devastating short-term consequences, but they can gradually erode the foundations of social, political, and economic stability over time. Tackling this challenge will require the U.S. to harness all of its power across the federal government, the private sector, and its citizens.