The dangerous business of comparing cyber and bio attacks to each other.
David E. Hoffman's article ("The New Virology," March/April 2011) laid out some interesting likenesses between Stuxnet and swine flu, but the differences may be more telling. In some ways, cyber and bio attacks are almost polar opposites, with an inverse relation in frequency and effect. Bioattacks threaten grave devastation, but the big one rarely -- if ever -- occurs.
The actual pandemics we deal with, like the swine or avian varieties, produce minimal casualties. Biological warfare is an improbable threat, akin to an asteroid strike: Because neither terrorists nor militaries prefer weapons that are cumbersome, difficult to deploy, and erratic in effect, biological weapons have rarely ever been used.
In contrast, malware used against computer networks is a daily occurrence, with millions of incidents every month. Stuxnet was precisely the sort of high-caliber, targeted attack that we have never encountered in the world of biological warfare. It combined sophisticated single-use techniques and was crafted to limit collateral damage. There are four or five advanced cyberpowers that have Stuxnet-like capabilities, and perhaps another 20 countries are developing them. The world should prepare for more such attacks in the future.
Unfortunately, policy can go off course if we too easily equate bio and cyber warfare. The U.S. government squandered billions of dollars on Project BioShield, without improvement to security, while cyber went neglected even as agencies and companies were pillaged by foreign opponents. Hoffman's piece may inadvertently serve to perpetuate that kind of mistake.
Center for Strategic and International Studies
David E. Hoffman replies:
I quite agree that cyber and bio threats should be evaluated for differences as well as parallels. Cyberattacks are certainly more frequent, but they have not caused mass casualties, at least not yet. By contrast, biological agents pose a danger to living organisms. The anthrax letters were more lethal to humans than Stuxnet. The swine flu pandemic led to thousands of deaths and was considered a relatively mild pandemic. Thankfully, we have not experienced a larger attack with biological agents, but it is prudent to prepare for risks that are not necessarily frequent. A nuclear bomb has not been used in military conflict for more than six decades, yet we make extraordinary efforts, and investments, to prevent and deter nuclear attacks. We need to better understand both bio and cyber threats for the same reason; to explore the dangers doesn't mean to equate them in policymaking.
HURRICANEWARNING: All I know is, conventional wisdom is nearly always wrong. If people are saying that this is the generation of virology, it will probably end up being something very different, and usually less complex. Example: IEDs. Probably one of the top 10 most effective tools of warfare ever devised … and, we never saw it coming.