The New York Times’ front-page report this week that the Chinese army is hacking into America’s most sensitive computer networks from a 12-story building outside Shanghai might finally persuade skeptics that the threat of “cyber warfare” isn’t the fevered fantasy of Richard Clarke, the producers of Die Hard 4, or the generals at the ever-growing U.S. Cyber Command. Alas, it’s real.
But what is the threat? Few of those in the know believe that some fine day, out of the blue, China will zap the programs that run our power grids, gas lines, waterworks, or banking systems, sending our economy—and much else—into a tailspin. Even if the Chinese could pull off such a feat with one keystroke, it’s hard to imagine what they’d accomplish, especially since their fortunes are wrapped up with our own.
The more worrisome threat is subtler: that the Chinese (or some other powers) will use their ability to wreak cyberhavoc as leverage to strengthen their position, and weaken ours, in a diplomatic crisis or a conventional war.
For instance, in a brewing conflict over Taiwan or the South China Sea (areas where China has asserted claims aggressively in recent years), would an American president respond with full military force if he knew that the Chinese would retaliate by turning out all the lights on the Eastern Seaboard?
A familiar concept in strategic war games is “escalation-dominance.” The idea is that victory goes to the player who can take a conflict to the next level of violence in a way that inflicts enormous damage on his opponent but very little on himself. The expected outcome of the next round is so obvious that the opponent decides not to escalate; the dominant player thus controls the subsequent course of the battle and possibly wins the war.
Real war is messier than war games. Escalation holds risks all round. The two sides might have different perceptions of which one is dominant. Or the dominant side might miscalculate the opponent’s strategic priorities. For instance, China might think the American president values uninterrupted electricity on the East Coast more than a free, independent Taiwan—but that thought might be mistaken.
Still, leaders in war and crisis do take these kinds of factors into account. Many surrenders in history have been prompted less by the damage already absorbed than by fears of the damage to come.
And China is not the only foe or rival whose calculations are complicating this new cyber world. Iran is another. Last summer, all of a sudden, a computer virus nicknamed Shamoon erased three-quarters of the Aramco oil company’s corporate files, replacing much of it with images of a burning American flag. It is widely believed that the Iranians planted the “kill switch” in retaliation for the U.S.-Israeli Stuxnet virus that disabled the centrifuges in their nuclear program.
The implicit message sent not only to the United States but also, and perhaps more importantly, to its Arab commercial partners: Don’t mess with us, or we will mess with you. The Shamoon virus is now regarded as the hint of another consequence that we’d likely face in the aftermath of a military strike on Iran’s nuclear facilities. Will it deter such a strike or serve as the final straw in a pile of risks that deters us from striking (or deters the West’s Arab allies from playing whatever part they might play in an attack)? Hard to say, but the Iranians probably intended the virus to have that effect.