Russia’s invasion of Ukraine in February has been accompanied by a barrage of cyber attacks on the nation’s power and communications infrastructure, reminding us that the Kremlin views its digital arsenal as being no less important than its aging stock of tanks and missiles. Yet none of these incursions dealt a knock-out blow. One explanation is that Kyiv built up its defenses over the past decade and is now a world leader at fending off such online offensives.
Yet there’s also a sense that maybe Moscow has been holding back. Perhaps President Vladimir Putin has something bigger planned, goes that line of thought, with a devastating digital weapon we’ve yet to see. He’s already issued veiled threats about deploying nuclear weapons as the conflict continues. The White House is certainly cautious about cyber warfare, and has warned that the U.S. itself is under threat due to its ongoing support for Ukraine and its leader Volodymyr Zelenskiy.
There are currently as many as nine members of the “nuclear club” — including those confirmed as having such weapons, and others presumed to be in possession of them.(1) But there are only three countries that I might consider to be cyber superpowers. Among them, China has shown itself to be a proficient and aggressive hacker, but as yet hasn’t demonstrated much evidence that it’s intent on outright destruction. Most attacks, widely believed to have Beijing’s implicit or explicit approval, have been focused on security or industrial secrets. A few have had economic motives, such as ransomware. Beijing has denied allegations of hacking.
Russia’s prowess is known, and legendary. Under Moscow’s guidance, or at least with its consent, cyber gangs have unleashed malware that brought pipelines to a halt, released reams of sensitive data, and caused other types of widespread and malicious damage. The 2020 SolarWinds attack, directed by Russian agencies, breached numerous U.S. government departments and caused up to $100 billion in damage.
Then there’s the U.S. The narrative on Washington-led offensives differs from those carried out by China and Russia. One reason is that U.S. agencies, including the Federal Bureau of Investigation and Justice Department, regularly publicize attacks from overseas, perhaps as a means to gin up budgetary support and to show they’re hard at work. Beijing and Moscow, on the other hand, don’t tend to admit being a victim and generally keep such breaches to themselves. Among the more famous and destructive attacks carried out by the U.S. is its 2009 deployment of Stuxnet against Iran’s nuclear facilities (Israel is widely believed to have had a role).
While damaging, nothing we’ve seen so far amounts to all-out destruction. They are the digital equivalent of conventional weaponry. We still need to worry because these three cyber superpowers along with their allies — including North Korea on one side and the U.K. and Australia on the other — are focused on developing even more powerful cyber arms. Canberra last month outlined a historic $7.5 billion 10-year budget to boost Australia’s capabilities, which will include offensive tools aimed squarely at China.
There’s no end in sight to this escalation, and so the attacks will continue. But if one power can prove it possesses an overwhelming and unstoppable weapon, and others quickly catch up, then there may be hope for some kind of armistice. We saw this with nuclear arms. Once the U.S. and former Soviet Union built enough stockpiles to destroy each other many times over, the door was then open to a wind down. The first step was the Non-Proliferation of Nuclear Weapons Treaty, which took effect in 1970 and helped dissuade more nations from joining the nuclear club.
Although it took another 15 years — and the collapse of the Soviet Union — for the two major powers to actually halt their build up, today’s nuclear inventory is at its lowest since 1958, and other nations have added only marginally to the stockpile.
Cyber de-escalation won’t be so easy because the ammunition is packets of data and the target is software that can’t be held or touched. Their unpredictability makes such arms harder to wield as a threat, and more challenging to quantify.
“When you launch a nuclear weapon, you know it’s going to explode and have the impact that you want. When you launch a cyber weapon, you cannot be sure it’ll land or get intercepted,” said Greg Austin, senior fellow in cyber, space and future conflict at the International Institute for Strategic Studies in Singapore. “We cannot count packets in cyberspace, but we could count nuclear warheads.”
Even under the shadow of an overwhelming cyber weapon there remains the possibility that proxy battles will be carried out, akin to the land wars waged in Vietnam and the Korean Peninsula, where digital combatants outsource operations and deny responsibility. This means that realistically we cannot expect to see a total cessation of all online warfare. But with a digital detente, we can at least hope for a more peaceful world in cyberspace.
(1) Non-Proliferation Treaty members: China, France, Russia, U.K., U.S. Non-NPT: India, Pakistan, North Korea. And then Israel, which maintains “opacity.”
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Tim Culpan is a technology columnist for Bloomberg Opinion. Based in Taipei, he writes about Asian and global businesses and trends. He previously covered the beat at Bloomberg News.