Jason Healey is director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow him on Twitter @Jason_Healey.
America does not face an existential cyberthreat today, despite recent warnings. Our cybervulnerabilities are undoubtedly grave and the threats we face are severe but far from comparable to nuclear war.
The most recent alarms come in a Defense Science Board report on how to make military cybersystems more resilient against advanced threats (in short, Russia or China). It warned that the "cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War." Such fears were also expressed by Adm. Mike Mullen, then chairman of the Joint Chiefs of Staff, in 2011. He called cyber "The single biggest existential threat that's out there" because "cyber actually more than theoretically, can attack our infrastructure, our financial systems."
While it is true that cyber attacks might do these things, it is also true they have not only never happened but are far more difficult to accomplish than mainstream thinking believes. The consequences from cyber threats may be similar in some ways to nuclear, as the Science Board concluded, but mostly, they are incredibly dissimilar.
Eighty years ago, the generals of the U.S. Army Air Corps were sure that their bombers would easily topple other countries and cause their populations to panic, claims which did not stand up to reality. A study of the 25-year history of cyber conflict, by the Atlantic Council and Cyber Conflict Studies Association, has shown a similar dynamic where the impact of disruptive cyberattacks has been consistently overestimated.
Rather than theorizing about future cyberwars or extrapolating from today's concerns, the history of cyberconflict that have actually been fought, shows that cyber incidents have so far tended to have effects that are either widespread but fleeting or persistent but narrowly focused. No attacks, so far, have been both widespread and persistent. There have been no authenticated cases of anyone dying from a cyber attack. Any widespread disruptions, even the 2007 disruption against Estonia, have been short-lived causing no significant GDP loss.
Moreover, as with conflict in other domains, cyberattacks can take down many targets but keeping them down over time in the face of determined defenses has so far been out of the range of all but the most dangerous adversaries such as Russia and China. Of course, if the United States is in a conflict with those nations, cyber will be the least important of the existential threats policymakers should be worrying about. Plutonium trumps bytes in a shooting war.
This is not all good news. Policymakers have recognized the problems since at least 1998 with little significant progress. Worse, the threats and vulnerabilities are getting steadily more worrying. Still, experts have been warning of a cyber Pearl Harbor for 20 of the 70 years since the actual Pearl Harbor.
The transfer of U.S. trade secrets through Chinese cyber espionage could someday accumulate into an existential threat. But it doesn't seem so seem just yet, with only handwaving estimates of annual losses of 0.1 to 0.5 percent to the total U.S. GDP of around $15 trillion. That's bad, but it doesn't add up to an existential crisis or "economic cyberwar."
Instead, the true existential cyberdanger is likely to come after America connects the electrical grid and other infrastructure to the Internet. An interconnected Smart Grid connects things made not just of bytes and silicon but of concrete and steel. It is all too likely that America will take its overstretched and insecure electrical system and connect it to the Internet. In this future our electric supply is no more or less reliable than the Internet and the years when no one died because of cyberattacks will seem like the quaint good ol' days.
There are still practical solutions to avoid today's serious threats become tomorrow's existential ones but these are often overshadowed by the rhetoric of cyberwar, the push for ever better U.S. cyberoffense, and other distractions. Focusing on actual fixes, like securing the Smart Grid, will be the best ways to avoid future existential attacks.