GJIA: In today’s event, you discussed how cyber warfare is more like covert operations than traditional warfare. What do you think might be the positive and negative implications of these differences?
BB: One of the positive aspects is that cyberattacks kill far fewer people than I think we feared two decades ago when we were talking about a cyber Pearl Harbor or the like. One of the negative implications is that they are more complicated for theory to explain. These are fundamentally different than Tomahawk cruise missiles or nuclear weapons. We have to figure out how we conceptualize these capabilities, how we use these capabilities, what they are good for, and what they are less good for.
In what ways do you think cybersecurity attacks make it more difficult to hold states accountable for their actions?
Many cyberattacks exist in the zone between peace and war. Nations like the United States have struggled to respond because American policymakers do not always have great tools to change adversary behavior. Policymakers have tried indictments, sanctions, and naming and shaming, and yet the threat of cyberattacks seems to continue to rise.
During the event, you discussed how the United States did not clearly warn Russia of the consequences for interfering during the 2016 election. What do you think might be the underlying reasons why they did not do so?
Michael Daniel, who was the head cybersecurity official in the White House at the time, mentioned after the fact that part of the reason the White House was not more aggressive was that it was worried about what Russia could do next. In some sense, American officials were deterred from pushing back because, it seems, they were worried about interference on election day itself, and that might be a case of deterrence in cyberspace.
You made a comment that social media can have a large role at the moment in regulating misinformation. Do you think governments have or can play a role in effectively regulating these companies? Do you think technology has a role in strengthening democracy at all?
They [companies] might, but it is hard when it comes to, essentially, moderation of content on the Internet. The First Amendment in the United States is a unique variable here that we have to consider. Certainly companies like Facebook and Twitter are not bound by the First Amendment, so they have more capacity to regulate what is happening on their own platforms. Certainly there is a role for the government to play in pushing back on foreign interference that is not affected by the First Amendment, like interference from Russia.
Right now, I am worried about technology and democracy more than I am heartened. Whether that is artificial intelligence or cyberattacks, I worry that democracies are going to face unique challenges in thinking about how technology is changing society, and I think we have got to get those challenges right, but it will not be easy.
What do you foresee international cooperation on cybersecurity issues looking like in the future? Do you think states will outline laws on how cyber warfare should be conducted?
I am pretty skeptical of the prospects for too much meaningful international cooperation between adversaries. I think this is an environment in which nations seem content to compete, and I think that they think it is in their interest to do so. States might outline laws, but the questions are how do you verify and how do you enforce? These are always the types of questions relating to arms control. I am not saying that it is impossible, but it is going to be challenging.
. . .
Ben Buchanan directs the Cybersecurity and AI Project at Georgetown’s Center for Security and Emerging Technology. He is an Assistant Teaching Professor and conducts research on cybersecurity and statecraft at Georgetown’s Center for Security Studies. His previous works include his first book, The Cybersecurity Dilemma, as well as journal articles and peer-reviewed papers on artificial intelligence, attributing cyber attacks, deterrence in cyber operations, cryptography, election cybersecurity, and the spread of malicious code between nations and non-state actors.
