There can be little doubt that a new “Cold War” is taking place in cyberspace among states with potentially destabilising consequences for international relations. Revelations have surfaced of state-produced malware being specifically targeted at the critical infrastructures of other countries. These cyber-attacks, some of which might be considered retaliatory, have been executed with great effect against energy producers like Saudi Arabia and Iran, or financial centres in the U.S. and South Korea.
Cyberspace has for some time been known as the domain of industrial espionage and cybercrime, but the 2013 SNOWDEN/PRISM revelations point to domestic and foreign spying surveillance programmes that are run by governments. These and other disclosures have raised international concern, not least in the EU over reports of U.S. government spying, sometimes aided by American businesses, on other countries’ citizens and institutions. Over 120 governments around the world are now thought to be rushing to create cyber commands.
The chief obstacle policymakers face in dealing with this new Cold War is the general lack of an understanding as to where this all started and what led to the current state of affairs. Jason Healey’s book presents a timely and ground-breaking work on the history of cyber conflict; he gives a fascinating account of the first steps governments took to deal with cyber security issues since the computing and internet eras began. It is chiefly a book for United States policymakers, as it mostly covers development of cyber security/defence policy and institutional structures in the U.S. But its discussion of case histories of actual cyber-attacks, the policy issues they generated and lessons learned make it a good guidebook for general readers everywhere.
Healey’s discussion of attribution (identifying the attacker) is particularly noteworthy. His proposal for determining “what nation, if any, is responsible?” suggests that instead of vainly looking for a culprit it is preferable to find ways of pressuring nations to behave correctly in cyberspace. His book characterises several cyber incidents as “wake up calls” whose lessons risk being lost until rediscovered by the next generation of policymakers. Governments and international organisations should be wary of leaving the problem to law enforcement agencies, the military or technologists to solve, says Healey. “These [cyber] conflicts are best understood as issues of international security, not information security.”