After CrowdStrike
On grounded flights, the People's Liberation Army, and what Teddy Roosevelt has to warn us about the geography of cyberattacks
As efforts continue to fix computer systems broken by a faulty update pushed by CrowdStrike, recognition seems to be spreading that our computer technology may be more fragile than the popular imagination has heretofore believed. Microsoft says that 8.5 million Windows devices were affected, though the impact was amplified by the fact that many of those machines were doing critical work in sectors like air transportation. It's been so traumatizing that members of Congress have already requested a hearing with CrowdStrike's CEO.
■ Mistakes will happen, but so will deliberate attacks. That this event was the result of the former should still compel some serious thinking about the potential for the latter. Cyberwarfare is a whole new domain, and America has well-equipped adversaries who are determined to make asymmetric use of their tools, to cause damage and inflict pain.
■ What makes the cyber domain especially challenging is that everywhere is on the front line. It both flattens and scrambles geography, so that an attack may come from anywhere and cause trouble anywhere else.
■ Yet it is often geographically attributable: The US has, for instance, identified specific buildings in China that are used for cyberwarfare, and Russia is known to send attackers abroad to conduct on-site attacks. The scale of the trouble is hard to exaggerate, and adversaries will be tempted to use ever more of the cyber weapons they develop.
■ It is also possible (perhaps even likely) that some Americans may decide to engage in cyberwarfare for themselves, possibly even for patriotic motives. And that raises a problem from the past. In his 1906 annual message to Congress, President Theodore Roosevelt warned that when Americans mistreated foreigners, "The mob of a single city may at any time perform acts of lawless violence against some class of foreigners which would plunge us into war. That city by itself would be powerless to make defense against the foreign power thus assaulted", and that "The entire power and the whole duty to protect the offending city or the offending community lies in the hands of the United States Government."
■ Applying Roosevelt's question to modern claims, what happens if a group of computer science students at an American university decides to apply their skills against the Russian army to hamper an attack against Ukraine? Or against China as retaliation for a provocation against the Philippines in the South China Sea? Or against Israel as a protest against a military action in Gaza? Or against Hungary for mistreating asylum-seekers?
■ The targets may be allies or adversaries. The causes may be righteous or unjust. But the tools are now available everywhere to do damage almost anywhere -- so it's much easier to step over the line from private behavior to international incident, and while we have some legal framework for handling such cases, it's hardly complete. We need a holistic understanding of cybersecurity to take root -- encompassing questions of defensive and offensive behaviors, civil and criminal legal boundaries, military reach, and more. Thus far, we have little of the above, and the CrowdStrike incident should serve only to highlight the scale of what could be the grim consequences if the next incident is intentional.