Syrian conflict could pose real-world test for nascent politics and programs.
With talk of the potential use of cyber weapons in the Syrian conflict, discussions inevitably have turned to the U.S. arsenal of cyber capabilities. Both the use of cyber weapons against Syria and the defense against Syrian attacks would raise serious questions -- not just about U.S. capabilities but the policies behind their use.
Those involved in debate have plenty of fodder, but some are looking even further ahead to future conflicts – including whether Syria could be a run-up to Iran or another future cyber war.
Others are dubious that the United States would roll out cyber weapons against Syria, given the reluctance already shown on the question of a conventional attack.
"If you use it, you've exposed it," said Thomas Rid, reader in war studies at King's College London and author of "Cyber War Will Not Take Place," Published by Oxford University Press earlier this month. "The question is whether [a strike on Syria] is so difficult to do with conventional capabilities that you'd want to depend on cyber, and secondly, whether you want to give away that capability if indeed you're confident that you're willing to apply that."
Rid, speaking on a Sept. 9 panel at the Brookings Institution in Washington, D.C., noted that the United States walks a fine line, since a cyberattack on Syria would have broader implications on foreign and national security policies.
"The key question is the balance between offense and defense," Rid said. "Some of these capabilities essentially would be a one-shot weapon; you could only use them against one specific target. So that's one example of how investments in the offense are not necessarily making us any safer on the defense. The [leaked National Security Agency] black budget showed that the U.S. is spending too much money on the offense and not enough in the defense."
The emphasis on cyberspace as a military domain puts greater pressure on the balance between offense and defense – and the policies that govern both. The central role of the Pentagon in cyberspace affects more than just Syria or any hot issue of the moment, others said.
"We've allowed our cyberspace policy to be taken over on the ground and in the network by Fort Meade," said Jason Healey, director of the Atlantic Council's Cyber Statecraft Initiative, referring to the military complex in Maryland that houses NSA and U.S. Cyber Command. "American cyberspace policy is not made by the Homeland Security Department or White House anymore. Our international posture is not decided by the State Department. We've made it predominantly a place about our immediate national security questions in the short term, rather than what we need the Internet and cyberspace to be 10 years or 20 years in the future."
That future portends an era of increased cybersecurity threats amid the rise of the so-called Internet of things: the online connectedness of what we use in everyday lives that is designed to make life easier, but also creates unprecedented security concerns. It represents the beginnings of a society that increasingly will rely on cyber policy in ways that the current concept of cyber warfare does not cover, the panelists said.
"Now you're connecting things made of concrete and steel to the Internet. And when concrete and steel fail, it's not just a short-term disruption...it's real failure, real destruction, real death," Healey said. "We're going to remember these days not as the days of cyber war, like some people want to scare you into believing – but as the halcyon days when all you had to worry about was credit card theft."
But for now, as the United States juggles Syria, formal cybersecurity policy and a changing technological reality, it is critical not to overlook history and the lessons that still apply today.
"We've been having these things that are understandable as [electronic] national security conflicts since 1986. And that includes things that range between espionage and sabotage to high-end attacks that don't cross into war," Healey said. "We still haven't seen anyone die from a cyberattack. But there is this conflict that's happening at the technology level with these very strong national security implications that we can look at and learn from, and most importantly, try to understand what's happening next."