In the lead-up to possible airstrikes against Syria, a contradiction has emerged in the U.S. public policy debate about the prospective uses and impacts of cyber weapons. The use of such weapons against the United States is portrayed as potentially catastrophic and as an act of war. Used against a potential adversary, the same weapons are portrayed as a bloodless alternative to traditional airstrikes. But years of cyber-doom scare stories undermine the case for cyber weapons as a humanitarian alternative to traditional airstrikes.
For years, policy makers and cyber security experts have warned of a growing cyber threat to the United States from any number of foreign actors. Such warnings are often accompanied by cyber-doom scenarios describing the potential impacts of cyber attacks in frightening terms. In these scenarios, cyber attacks on critical military and civilian infrastructures are predicted to have catastrophic results on par with natural disasters or the use of weapons of mass destruction. Images of 9/11, Hurricane Katrina, the Indian Ocean Tsunami, Super Storm Sandy, Pearl Harbor, and nuclear detonations are used to raise the alarm and motivate a response.
With the potential effects of cyber attacks framed in this way, it is unsurprising that the United States has said it would consider such attacks an act of war justifying the use of military force in response. Indeed, U.S. policy even seems to indicate that nuclear weapons remain on the table as a possible response to a particularly damaging cyber attack.
Recently, however, some commentators have argued that cyber attacks could provide a bloodless, non-military alternative to the airstrikes being considered in response to the Assad regime’s use of chemical weapons. Cyber attacks, they argue, can and should be used to take down Syrian civilian and military critical infrastructures, such as the electrical grid, military command and control, and air defense systems.
Others have gone so far as to argue that the use of offensive cyber attacks against Syria could help to repair the United States’ image in the wake of almost daily revelations about its efforts to surveil and militarize cyberspace. Jason Healey of the Atlantic Council, for example, has argued, “The world is increasingly seeing U.S. cyber power as a force for evil in the world. A cyber operation against Syria might help to reverse this view.”
This possibility seems doubtful at best. Secretary of State John Kerry has already been criticized–and rightly so–for his assertion that asking for permission to bomb Syria “is not asking you [Congress] to go to war.” By any definition of war, from Clausewitz to international law, what Kerry and the President propose is war. What’s more, we can be certain that if another nation struck the United States with the kind of strikes being proposed for Syria, U.S. political leaders would not hesitate to call them an act of war. They would be right to do so.
Similarly, a cyber attack launched by U.S. military personnel of precisely the kind that the United States has said it would consider an act of war is unlikely to be seen as a humanitarian, non-military alternative to war. Instead, it will be seen as a contradiction at best, hypocrisy at worst.
This is not to say that cyber attacks would not be less damaging than a traditional airstrike. They most likely would be. Indeed, I have argued that the cyber-doom scenarios so prominent in U.S. cyber security discourse are unrealistic representations of what can reasonably be achieved with cyber attacks.
But I have also argued that this overheated rhetoric is potentially dangerous in and of itself. It narrows the scope of our thinking about the cyber security challenges we face, limits the range of possible responses, and instills unrealistic expectations of what can be achieved via the use of cyber attack.
The United States’ overheated cyber rhetoric might yet come back to haunt it. After years of framing cyber attack in terms of war and large-scale natural disaster, policy makers might find it difficult to authorize such an attack and then be disappointed when the results do not live up to the hype. A summer of revelations about NSA surveillance and militarization of the Internet have angered many around the world. In this context, the use of the very cyber attack techniques that the United States has described as acts of war, and in a military strike that is wildly unpopular among Americans and Europeans, is likely to do more harm than good when it comes to repairing the image of U.S. cyber power at home and abroad.
(This post also appears at Forbes.com.)