The Cold War was, in large part, about weapons of mass destruction. Today's hand-wringing over the villainies certain to visit us in cyberspace is primarily about weapons of mass distraction.
Despite nearly twenty years of predictions, the total physical damage from cyberattacks so far has been low compared even to the smallest of real wars. No one has died. Very little machinery has been broken. One exception, Stuxnet, was a concentrated effort by first-rate cyber powers focused on a nuclear enrichment facility managed by a third-rate industrial power (Iran) with scant mastery of the process, a jerry-rigged collection of blackand gray-market parts, and very little help from the outside world. Extrapolating such limited success (80 percent of the centrifuges survived the attack) into a Cold War II is more than a bit of a stretch. What appear to have been revenge attacks against U.S. banks in September deprived bank customers of online access—an annoyance, to be sure—but the perpetrators have not managed to penetrate banking systems or challenge the integrity of the financial system. This kind of war we can survive easily.
Granted, a great deal of espionage is carried out in cyberspace. It seems safe to say that if your internetconnected systems have something of interest to a state intelligence agency, it's probably not a secret anymore. But espionage is not war—and claims that China's cyber espionage constitutes the most serious threat to the U.S. economy are grossly exaggerated. After all, the theft of information does not necessarily deprive its owner of the information's use, and it would be easy enough to exaggerate the value it affords to the thieves. Technology transfer is hard enough when the exchange is mutually agreed upon; it is significantly harder when the primary means of exchange is theft of files with no context.
As for cyberspace, as a medium of war, if you have no networks you cannot play, either as an attacker or (not to put too fine a point on it) as a victim. By contrast, lacking an army, navy, air force, or satellite constellation hardly keeps one from being victimized by someone else's army, navy, air force, or space assets. Thus, there are real limits to how much damage U.S. cyberwarriors can inflict against low-tech countries (or at least those who do not acquire systems before they understand how to protect them).
The U.S. military, with its high-tech systems, must protect itself from cyber threats with much the same careful management that protects it against vulnerabilities associated with, say, explosives. But there can be no choice between boots on the ground and fingers on a keyboard. A military that scrimps on firepower will have no way to exploit the temporary confusion that its hackers can cause to the other side. In other words, cyber operations can supplement a war, but they cannot be the war.
Martin Libicki is a senior management scientist at the RAND Corporation and author of Cyberdeterrence and Cyberwar (RAND, 2009)
This commentary originally appeared in The International Economy on December 1, 2012. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.