Think Again

Think Again: Al Qaeda

A year after Osama bin Laden's death, the obituaries for his terrorist group are still way too premature.

"Al Qaeda Is on the Brink of Defeat."

Keep dreaming. Osama bin Laden was fond of recounting the following parable from the Quran to rally his followers in times of despair: A much-better-armed Christian army employed war elephants in a fearsome assault against Mecca, aspiring to destroy the Kaaba shrine, one of Islam's most sacred sites. But birds showered the Christian army with pellets of hard-baked clay, and the Arabs eventually defeated the invaders. To bin Laden and other al Qaeda leaders, this demonstrated that God was on their side -- even in the face of certain defeat.

Over the past decade, U.S. policymakers and pundits have repeatedly written al Qaeda's obituary. The latest surge of triumphalism came after bin Laden's killing a year ago. U.S. Defense Secretary Leon Panetta asserted that the United States was "within reach of strategically defeating al Qaeda," while President Barack Obama proclaimed, "We have put al Qaeda on a path to defeat," and academic experts churned out a new wave of books with such bullish titles as The Rise and Fall of al-Qaeda.

These declarations of victory, however, underestimate al Qaeda's continuing capacity for destruction. Far from being dead and buried, the terrorist organization is now riding a resurgent tide as its affiliates engage in an increasingly violent campaign of attacks across the Middle East and North Africa. And for all the admiration inspired by brave protesters in the streets from Damascus to Sanaa, the growing instability triggered by the Arab Spring has provided al Qaeda with fertile ground to expand its influence across the region.

Al Qaeda's bloody fingerprints are increasingly evident in the Middle East. In Iraq, where the United States has withdrawn its military forces, al Qaeda operatives staged a brazen wave of bombings in January, killing at least 132 Shiite pilgrims and wounding hundreds more. The following week in Yemen, fighters from al Qaeda in the Arabian Peninsula seized the town of Radda, while expanding al Qaeda's control in several southern provinces. "Al Qaeda has raised its flag over the citadel," a resident told Reuters.

Beyond these anecdotes, several indicators suggest that al Qaeda is growing stronger. First, the size of al Qaeda's global network has dramatically expanded since the 9/11 attacks. Al Qaeda in Iraq, al Qaeda in the Arabian Peninsula, al Qaeda in the Islamic Maghreb, and Somalia's al-Shabab have formally joined al Qaeda, and their leaders have all sworn bayat -- an oath of loyalty -- to bin Laden's successor, Ayman al-Zawahiri.

These al Qaeda affiliates are increasingly capable of holding territory. In Yemen, for example, al Qaeda in the Arabian Peninsula has exploited a government leadership crisis and multiple insurgencies to cement control in several provinces along the Gulf of Aden. Al Qaeda's affiliates in Somalia and Iraq also appear to be maintaining a foothold where there are weak governments, with al-Shabab in Kismayo and southern parts of Somalia, and al Qaeda in Iraq in Baghdad, Diyala, and Salah ad Din provinces, among others.

The number of attacks by al Qaeda and its affiliates is also on the rise, even since bin Laden's death. Al Qaeda in Iraq, for instance, has conducted more than 200 attacks and killed more than a thousand Iraqis since the bin Laden raid, a jump from the previous year. And despite the group's violent legacy, popular support for al Qaeda remains fairly high in countries such as Nigeria and Egypt, though it has steadily declined in others. If this is what the brink of defeat looks like, I'd hate to see success.

"Al Qaeda's Mergers Are a Sign of Weakness."

Wishful thinking. In recent years, al Qaeda leaders have consciously developed a strategy to expand their presence in North Africa, the Middle East, and South Asia. Rather than weakening the organization, this mergers-and-acquisitions strategy has been fairly successful in allowing al Qaeda to expand its global presence.

Today, al Qaeda has evolved from a fairly hierarchical organization at its 1988 founding to a more decentralized one composed of four main tiers. First, there's al Qaeda's core leadership in Pakistan. Zawahiri took over as emir after bin Laden's death, and Abu Yahya al-Libi, the head of al Qaeda's religious committee, became his deputy. They are flanked by a new cast of younger operatives, such as Hassan Gul, Hamza al-Ghamdi, Abd al-Rahman al-Maghrebi, and Abu Zayd al-Kuwaiti al-Husaynan -- figures charged with plotting al Qaeda operations, managing its media image, and developing its religious dogma.

Security concerns, however, have prohibited this core group -- al Qaeda Central -- from playing a major strategic and operational role. Its leaders can't meet together anymore, are unable to provide timely information or guidance to operatives, and spend an inordinate amount of time simply trying to survive. This reality makes the proliferation of al Qaeda franchises critical to the network's survival. Still, as documents seized from bin Laden's home in Abbottabad show, al Qaeda Central is not entirely isolated. It has remained in contact with its affiliates overseas and provided strategic advice on issues from leadership appointments to fundraising, as well as mandates for attacks. Before his death, bin Laden himself instructed deputies to focus "every effort that could be spent" on targeting the United States and even to plot the assassinations of Obama and Gen. David Petraeus.

The next tier of al Qaeda includes a growing list of affiliated groups in Iraq, Yemen, North Africa, and Somalia. Al Qaeda's most recent merger was this February, when it publicly announced a formal relationship with Somalia's al-Shabab. These affiliates benefit from al Qaeda Central's ideological inspiration and guidance. Take al-Shabab. In announcing his group's official merger with al Qaeda, al-Shabab's emir, Mukhtar Abu al-Zubair, gloated that his group's prestige had now been lifted in the jihadi world and beckoned Zawahiri to "lead us to the path of jihad and martyrdom that was drawn by our imam, the martyr Osama."

The third tier incorporates more than a dozen allied groups that remain formally independent but work with al Qaeda on operations when their interests converge. One example is Pakistan's Tehrik-i-Taliban, which, though focused on South Asia, has been involved in terrorist plots overseas, notably the failed 2010 attack in Times Square. Al Qaeda has assisted in several Tehrik-i-Taliban-led attacks, including the May 2011 siege of the Pakistan Navy's Mehran naval base in Karachi. In Nigeria, the Salafi group Boko Haram has emerged as an increasingly deadly threat -- most spectacularly killing more than 200 people in January -- and has also developed relations with al Qaeda. Since 2009, according to U.S. government officials in the region, Boko Haram operatives have traveled to Mali to train with members of al Qaeda in the Islamic Maghreb in explosives manufacturing and suicide attacks.

Finally, al Qaeda draws on support from inspired networks -- groups and individuals that have no direct contact with al Qaeda Central but are motivated by the movement's cause and outraged by the perceived oppression of Muslims. Lacking direct support, these networks tend to be amateurish, if occasionally lethal. The quintessential example is Nidal Malik Hasan, a U.S. Army major who in November 2009 gunned down 13 people and wounded 43 others at Fort Hood, Texas. There are more recent cases as well. In February 2011, Khalid Aldawsari was arrested in Lubbock, Texas, on charges of planning terrorist attacks after purchasing sulfuric acid, nitric acid, wires, and other bomb-making material. Last September, Rezwan Ferdaus was arrested for allegedly plotting to attack the Pentagon and the U.S. Capitol.

Sure, al Qaeda's mergers could eventually create fissures among increasingly autonomous groups. For now, though, these mergers have allowed al Qaeda to survive -- and expand.

"Al Qaeda Is Unpopular."

Not as much as you might think. In May 2011, shortly after bin Laden's death, the Pew Global Attitudes Project released an opinion survey with the pithy headline: "Osama bin Laden Largely Discredited Among Muslim Publics in Recent Years." Its findings have been widely trumpeted by those seeking to highlight the organization's decreasing popularity in Muslim countries. And indeed, the poll found that support for al Qaeda, and for bin Laden himself, has been steadily declining among Muslims in Jordan, Lebanon, Pakistan, Turkey, and a handful of other countries.

Yet a closer look at the data reveals that al Qaeda's support has not fallen as far as the headlines would have you believe. According to the same Pew poll, roughly one-quarter of the Muslim population in the Palestinian territories, Indonesia, and Egypt still supports al Qaeda -- some 73 million people. Even if that estimate is high, this seems a significant foothold for the organization, because al Qaeda doesn't appear to require significant levels of public support to accomplish its bloody work. Indicators of al Qaeda's support elsewhere are even more disturbing. Its popularity among Nigerian Muslims was just under 50 percent -- a striking finding for a country that has witnessed the growth of Boko Haram.

Before we write al Qaeda's epitaph, it would be wise to understand what the available facts tell us -- and what they don't. After all, al Qaeda's popularity is frequently less important than that of insurgent groups to which it is attached. That is exactly al Qaeda's objective: to establish a symbiotic relationship with local groups that have more support and legitimacy. In Afghanistan, for example, a Taliban overthrow of President Hamid Karzai's government would be an enormous victory for al Qaeda, which would almost certainly re-establish a sanctuary in the country.

"The Arab Spring Was Bad for al Qaeda."

If only. The Arab Spring triggered an initial -- perhaps naive -- wave of optimism that al Qaeda had lost the war of ideas. Take Egypt, where a group of plugged-in liberal youths in Cairo appeared to be guiding the revolution. "The young men and women who had filled Liberation Square," wrote scholar and author Fouad Ajami, "wanted nothing of that deadly standoff between the ruler's tyranny and the jihadists' reign of piety and terror."

Not so fast. A growing body of research conducted by such scholars as Stanford University's David Laitin and James Fearon has found that weak, ineffective governments are critical to the rise of insurgencies -- and, ultimately, are fertile ground for terrorist groups. Weak states do not possess sufficient bureaucratic and institutional structures to ensure the proper functioning of government, and their security forces are unable to establish basic law and order.

In other words, the Arab Spring revolutionaries may not be sympathetic to violent jihad, but the instability they sow may be al Qaeda's gain. The unfortunate reality, at least for the moment, is that the uprisings over the past year have weakened governments across the Arab world from Syria to Yemen. The World Bank ranks many among the world's worst-performing governments.

Even on the off chance that democracy takes root in the Arab world, a dose of reality is still appropriate. Research conducted by the University of Vermont's Gregory Gause and other scholars has found that democratization does not reduce the likelihood of terrorism. Democratic states are just as likely to face terrorism and insurgency as undemocratic ones. Nor is there any evidence that democracy in the Arab world would "drain the swamp," as U.S. Defense Secretary Donald Rumsfeld put it in 2001, eliminating support for terrorist organizations among the Arab public. Just ask Turkey, which has suffered through several decades of terrorism by Kurdish groups, despite remaining one of the Muslim world's longest-lasting democracies. Terrorism, in short, is not caused by regime type.

If Zawahiri gets his wish, the Arab Spring will be a boon for al Qaeda. In an eight-minute video released in February, titled "Onward, Lions of Syria," Zawahiri urged each Muslim to help "his brothers in Syria with all that he can, with his life, money, opinion, as well as information." Al Qaeda in Iraq responded to the call by standing up terrorist cells in Syria and participating in several attacks, as U.S. intelligence officials had warned publicly.

"Zawahiri Lacks bin Laden's Charisma."

Yes, but… Western assessments of Zawahiri have almost uniformly brushed him aside as too unpopular to consolidate and hold power. Tom Donilon, Obama's national security advisor, bluntly remarked that Zawahiri "is not anywhere near the leader that Osama bin Laden was."

Zawahiri, however, has now bested bin Laden in an important category: He has survived. Zawahiri has certainly been through the fire before. He was imprisoned and tortured by the Egyptians in the early 1980s for his involvement in the assassination of President Anwar Sadat. After his release, he fled to Pakistan and then survived repeated threats in Sudan, Afghanistan, and finally Pakistan again. Meanwhile, he has become one of the chief architects of al Qaeda's mergers-and-acquisitions strategy, supporting a formal relationship with al-Shabab and encouraging al Qaeda to exploit the Arab Spring.

Zawahiri has long been one of al Qaeda's most important writers and strategic thinkers, from his 1992 Black Book to his 2001 Knights Under the Prophet's Banner, which outline al Qaeda's vision of overthrowing Arab regimes -- the "near enemy" -- and replacing them with governments that implement an extreme interpretation of sharia law. Despite the bromides and incongruities, Zawahiri's writings have been pillars of al Qaeda's ideology.

Still, Zawahiri has weaknesses. Among jihadists, he does not enjoy the swashbuckling aura of bin Laden. He is a scholar and a medical doctor, not a vaunted warrior. Zawahiri has also been a deeply polarizing figure, publicly feuding with Islamist movements and rival leaders. "Zawahiri's policy and preaching bore dangerous fruit and had a negative impact on Islam and Islamic movements across the world," Issam al-Aryan, a top Egyptian Muslim Brotherhood figure, shot back in 2007 after the al Qaeda leader criticized the Brotherhood's refusal to advocate the violent overthrow of the Egyptian government.

It is tempting to dismiss Zawahiri as an irascible leader incapable of bin Laden's strategically daring feats. But he has survived on the run for almost three decades. If his persistence and organizational savvy tell us anything, it's that he can be an implacable, dangerous, and sometimes underappreciated enemy.

"Al Qaeda Will Never Work with Iran."

Never say never. Some scholars and former policymakers dismiss the possibility of al Qaeda-Iranian cooperation. "I think [there] is a war-fevered hysteria that is going on now," protests Hillary Mann Leverett, a National Security Council aide during the Clinton and Bush administrations. "A lot of this stuff is really flimsy." On the surface, she seems right. Not only is Iran a fundamentalist Shiite regime while al Qaeda is violently Sunni, but the two groups also have different long-term goals and have occasionally clashed.

Yet on the geopolitical chessboard, they share a common enemy: the United States. Iran has held several al Qaeda senior leaders since they were driven from Afghanistan in late 2001. Some have raised funds for the terrorist organization by leveraging wealthy Persian Gulf donors, while others have provided strategic and operational assistance to al Qaeda Central. Of particular importance are members of al Qaeda's former management council, which bin Laden established as a backup command-and-control node in Iran. They include Saif al-Adel, Sulaiman Abu Ghaith, Abu al-Khayr al-Masri, Abu Muhammad al-Masri, and Abu Hafs al-Mauritani -- all of whom apparently remain in Iran under various forms of house arrest, according to my interviews with government officials from Britain, Jordan, Saudi Arabia, and the United States.

The details of al Qaeda's relationship with the Iranian government are hazy. Many of the operatives under house arrest have petitioned for release. In 2009 and 2010, Iran began to free some detainees and their family members, including members of bin Laden's family, while the management council remains in Iran under limited house arrest. Members are allowed to communicate with al Qaeda Central, fundraise, and help funnel foreign fighters through Iran, according to several senior U.S. government officials.

Iran is likely holding al Qaeda leaders on its territory first as an act of defense. So long as Tehran has several leaders under its control, the terrorist group is unlikely to attack Iran. The strategy, however, might also have an offensive component if the United States or Israel were to target Iran's nuclear facilities. Tehran has long used proxies to pursue its foreign-policy interests, especially Hezbollah in Lebanon. And several of al Qaeda's leaders in Iran, such as Adel, the group's onetime security chief, have extensive operational experience that would be valuable in such a situation.

Al Qaeda is likely making similar calculations about working with Iran. To be sure, some al Qaeda leaders revile the ayatollahs. In a 2004 letter, Abu Musab al-Zarqawi, the late al Qaeda chief in Iraq, called Shiites "the insurmountable obstacle, the lurking snake, the crafty and malicious scorpion." In a sign of Churchillesque pragmatism, though, Zawahiri publicly chastised Zarqawi, writing that the Shiites were not the primary enemy -- at least not for the moment. It was crucial, he explained, to understand that success hinged on support from the Muslim masses in Iraq. "In the absence of this popular support," argued Zawahiri, "the Islamic mujahid movement would be crushed in the shadows."

For al Qaeda, Iran is a refuge. The United States has targeted al Qaeda in Iraq, Pakistan, Yemen, and other countries, but it has limited operational reach inside the Islamic Republic. What's more, Iran borders the Persian Gulf, Iraq, Turkey, Afghanistan, and Pakistan, making it centrally located for most al Qaeda affiliates.

With the management council under limited house arrest, Iran and al Qaeda's relationship remains at arm's length. But that could change if Washington and Tehran finally come to blows. Should the United States or Israel decide to attack Iranian nuclear facilities or tensions otherwise escalate, Iran and al Qaeda could find that they share a common interest in bloodying America's nose.

"Al Qaeda Is Too Weak to Strike in the United States."

Dead wrong. It only takes one attack to be successful. Also, lest we forget, there have been some close calls in recent years: In June 2009, Abdulhakim Mujahid Muhammad attacked a military recruiting center in Little Rock, Arkansas, fatally gunning down one soldier and wounding another. He had listened to the sermons of Anwar al-Awlaki, the late Yemeni-American al Qaeda operative, and had spent time in Yemen. Najibullah Zazi, Nidal Malik Hasan, Umar Farouk Abdulmutallab, Faisal Shahzad, and the 2006 transatlantic plotters based in Britain also planned or carried out al Qaeda-inspired terrorist attacks on American soil or on U.S.-bound airplanes -- some with deadly results. What if more of these attempts had succeeded?

But that's not all. Dozens of people have been arrested and prosecuted in U.S. courts in recent years for their ties to al Qaeda and its affiliates. They include Zachary Adam Chesser, who was arrested by the FBI in July 2010 for his ties to al-Shabab, and Jamshid Muhtorov, an Uzbek refugee arrested in Chicago this January for allegedly providing material support to the Islamic Jihad Union, an al Qaeda ally. These examples -- and there are many more -- should dampen any exuberance about the group's supposed demise.

Since Sept. 11, 2001, the West has repeatedly declared al Qaeda all but dead and buried -- only to see it rise again. This time, the weakness of governments across the Arab world and South Asia, the durability of some of al Qaeda's main allies, and the decreasing U.S. presence in Iraq, Afghanistan, Pakistan, and other countries could contribute to al Qaeda's post-bin Laden survival. Drones and special operations forces may kill some al Qaeda leaders, but they will not resolve the fundamental problems that have turned the region into a breeding ground for terrorism and insurgency.

Predictions of al Qaeda's imminent demise are rooted more in wishful thinking and politicians' desire for applause lines than in rigorous analysis. Al Qaeda's broader network isn't even down -- don't think it's about to be knocked out.

Think Again: Cyberwar

Don't fear the digital bogeyman. Virtual conflict is still more hype than reality.

"Cyberwar Is Already Upon Us."

No way. "Cyberwar is coming!" John Arquilla and David Ronfeldt predicted in a celebrated Rand paper back in 1993. Since then, it seems to have arrived -- at least by the account of the U.S. military establishment, which is busy competing over who should get what share of the fight. Cyberspace is "a domain in which the Air Force flies and fights," Air Force Secretary Michael Wynne claimed in 2006. By 2012, William J. Lynn III, the deputy defense secretary at the time, was writing that cyberwar is "just as critical to military operations as land, sea, air, and space." In January, the Defense Department vowed to equip the U.S. armed forces for "conducting a combined arms campaign across all domains -- land, air, maritime, space, and cyberspace." Meanwhile, growing piles of books and articles explore the threats of cyberwarfare, cyberterrorism, and how to survive them.

Time for a reality check: Cyberwar is still more hype than hazard. Consider the definition of an act of war: It has to be potentially violent, it has to be purposeful, and it has to be political. The cyberattacks we've seen so far, from Estonia to the Stuxnet virus, simply don't meet these criteria.

Take the dubious story of a Soviet pipeline explosion back in 1982, much cited by cyberwar's true believers as the most destructive cyberattack ever. The account goes like this: In June 1982, a Siberian pipeline that the CIA had virtually booby-trapped with a so-called "logic bomb" exploded in a monumental fireball that could be seen from space. The U.S. Air Force estimated the explosion at 3 kilotons, equivalent to a small nuclear device. Targeting a Soviet pipeline linking gas fields in Siberia to European markets, the operation sabotaged the pipeline's control systems with software from a Canadian firm that the CIA had doctored with malicious code. No one died, according to Thomas Reed, a U.S. National Security Council aide at the time who revealed the incident in his 2004 book, At the Abyss; the only harm came to the Soviet economy.

But did it really happen? After Reed's account came out, Vasily Pchelintsev, a former KGB head of the Tyumen region, where the alleged explosion supposedly took place, denied the story. There are also no media reports from 1982 that confirm such an explosion, though accidents and pipeline explosions in the Soviet Union were regularly reported in the early 1980s. Something likely did happen, but Reed's book is the only public mention of the incident and his account relied on a single document. Even after the CIA declassified a redacted version of Reed's source, a note on the so-called Farewell Dossier that describes the effort to provide the Soviet Union with defective technology, the agency did not confirm that such an explosion occurred. The available evidence on the Siberian pipeline blast is so thin that it shouldn't be counted as a proven case of a successful cyberattack.

Most other commonly cited cases of cyberwar are even less remarkable. Take the attacks on Estonia in April 2007, which came in response to the controversial relocation of a Soviet war memorial, the Bronze Soldier. The well-wired country found itself at the receiving end of a massive distributed denial-of-service attack that emanated from up to 85,000 hijacked computers and lasted three weeks. The attacks reached a peak on May 9, when 58 Estonian websites were attacked at once and the online services of Estonia's largest bank were taken down. "What's the difference between a blockade of harbors or airports of sovereign states and the blockade of government institutions and newspaper websites?" asked Estonian Prime Minister Andrus Ansip.

Despite his analogies, the attack was no act of war. It was certainly a nuisance and an emotional strike on the country, but the bank's actual network was not even penetrated; it went down for 90 minutes one day and two hours the next. The attack was not violent, it wasn't purposefully aimed at changing Estonia's behavior, and no political entity took credit for it. The same is true for the vast majority of cyberattacks on record.

Indeed, there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it's not an act of war. Separating war from physical violence makes it a metaphorical notion; it would mean that there is no way to distinguish between World War II, say, and the "wars" on obesity and cancer. Yet those ailments, unlike past examples of cyber "war," actually do kill people.

"A Digital Pearl Harbor Is Only a Matter of Time."

Keep waiting. U.S. Defense Secretary Leon Panetta delivered a stark warning last summer: "We could face a cyberattack that could be the equivalent of Pearl Harbor." Such alarmist predictions have been ricocheting inside the Beltway for the past two decades, and some scaremongers have even upped the ante by raising the alarm about a cyber 9/11. In his 2010 book, Cyber War, former White House counterterrorism czar Richard Clarke invokes the specter of nationwide power blackouts, planes falling out of the sky, trains derailing, refineries burning, pipelines exploding, poisonous gas clouds wafting, and satellites spinning out of orbit -- events that would make the 2001 attacks pale in comparison.

But the empirical record is less hair-raising, even by the standards of the most drastic example available. Gen. Keith Alexander, head of U.S. Cyber Command (established in 2010 and now boasting a budget of more than $3 billion), shared his worst fears in an April 2011 speech at the University of Rhode Island: "What I'm concerned about are destructive attacks," Alexander said, "those that are coming." He then invoked a remarkable accident at Russia's Sayano-Shushenskaya hydroelectric plant to highlight the kind of damage a cyberattack might be able to cause. Shortly after midnight on Aug. 17, 2009, a 900-ton turbine was ripped out of its seat by a so-called "water hammer," a sudden surge in water pressure that then caused a transformer explosion. The turbine's unusually high vibrations had worn down the bolts that kept its cover in place, and an offline sensor failed to detect the malfunction. Seventy-five people died in the accident, energy prices in Russia rose, and rebuilding the plant is slated to cost $1.3 billion.

Tough luck for the Russians, but here's what the head of Cyber Command didn't say: The ill-fated turbine had been malfunctioning for some time, and the plant's management was notoriously poor. On top of that, the key event that ultimately triggered the catastrophe seems to have been a fire at Bratsk power station, about 500 miles away. Because the energy supply from Bratsk dropped, authorities remotely increased the burden on the Sayano-Shushenskaya plant. The sudden spike overwhelmed the turbine, which was two months shy of reaching the end of its 30-year life cycle, sparking the catastrophe.

If anything, the Sayano-Shushenskaya incident highlights how difficult a devastating attack would be to mount. The plant's washout was an accident at the end of a complicated and unique chain of events. Anticipating such vulnerabilities in advance is extraordinarily difficult even for insiders; creating comparable coincidences from cyberspace would be a daunting challenge at best for outsiders. If this is the most drastic incident Cyber Command can conjure up, perhaps it's time for everyone to take a deep breath.

"Cyberattacks Are Becoming Easier."

Just the opposite. U.S. Director of National Intelligence James R. Clapper warned last year that the volume of malicious software on American networks had more than tripled since 2009 and that more than 60,000 pieces of malware are now discovered every day. The United States, he said, is undergoing "a phenomenon known as 'convergence,' which amplifies the opportunity for disruptive cyberattacks, including against physical infrastructures." ("Digital convergence" is a snazzy term for a simple thing: more and more devices able to talk to each other, and formerly separate industries and activities able to work together.)

Just because there's more malware, however, doesn't mean that attacks are becoming easier. In fact, potentially damaging or life-threatening cyberattacks should be more difficult to pull off. Why? Sensitive systems generally have built-in redundancy and safety systems, meaning an attacker's likely objective will not be to shut down a system, since merely forcing the shutdown of one control system, say a power plant, could trigger a backup and cause operators to start looking for the bug. To work as an effective weapon, malware would have to influence an active process -- but not bring it to a screeching halt. If the malicious activity extends over a lengthy period, it has to remain stealthy. That's a more difficult trick than hitting the virtual off-button.

Take Stuxnet, the worm that sabotaged Iran's nuclear program in 2010. It didn't just crudely shut down the centrifuges at the Natanz nuclear facility; rather, the worm subtly manipulated the system. Stuxnet stealthily infiltrated the plant's networks, then hopped onto the protected control systems, intercepted input values from sensors, recorded these data, and then provided the legitimate controller code with pre-recorded fake input signals, according to researchers who have studied the worm. Its objective was not just to fool operators in a control room, but also to circumvent digital safety and monitoring systems so it could secretly manipulate the actual processes.

Building and deploying Stuxnet required extremely detailed intelligence about the systems it was supposed to compromise, and the same will be true for other dangerous cyberweapons. Yes, "convergence," standardization, and sloppy defense of control-systems software could increase the risk of generic attacks, but the same trend has also caused defenses against the most coveted targets to improve steadily and has made reprogramming highly specific installations on legacy systems more complex, not less.

"Cyberweapons Can Create Massive Collateral Damage."

Very unlikely. When news of Stuxnet broke, the New York Times reported that the most striking aspect of the new weapon was the "collateral damage" it created. The malicious program was "splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment," the Times reported. Such descriptions encouraged the view that computer viruses are akin to highly contagious biological viruses that, once unleashed from the lab, will turn against all vulnerable systems, not just their intended targets.

But this metaphor is deeply flawed. As the destructive potential of a cyberweapon grows, the likelihood that it could do far-reaching damage across many systems shrinks. Stuxnet did infect more than 100,000 computers -- mainly in Iran, Indonesia, and India, though also in Europe and the United States. But it was so specifically programmed that it didn't actually damage those machines, afflicting only Iran's centrifuges at Natanz. The worm's aggressive infection strategy was designed to maximize the likelihood that it would reach its intended target. Because that final target was not networked, "all the functionality required to sabotage a system was embedded directly in the Stuxnet executable," the security software company Symantec observed in its analysis of the worm's code. So yes, Stuxnet was "splattered" far and wide, but it only executed its damaging payload where it was supposed to.

Collateral infection, in short, is not necessarily collateral damage. A sophisticated piece of malware may aggressively infect many systems, but if there is an intended target, the infection will likely have a distinct payload that will be harmless to most computers. Especially in the context of more sophisticated cyberweapons, the image of inadvertent collateral damage doesn't hold up. They're more like a flu virus that only makes one family sick.

"In Cyberspace, Offense Dominates Defense."

Wrong again. The information age has "offense-dominant attributes," Arquilla and Ronfeldt wrote in their influential 1996 book, The Advent of Netwar. This view has spread through the American defense establishment like, well, a virus. A 2011 Pentagon report on cyberspace stressed "the advantage currently enjoyed by the offense in cyberwarfare." The intelligence community stressed the same point in its annual threat report to Congress last year, arguing that offensive tactics -- known as vulnerability discovery and exploitation -- are evolving more rapidly than the federal government and industry can adapt their defensive best practices. The conclusion seemed obvious: Cyberattackers have the advantage over cyberdefenders, "with the trend likely getting worse over the next five years."

A closer examination of the record, however, reveals three factors that put the offense at a disadvantage. First is the high cost of developing a cyberweapon, in terms of time, talent, and target intelligence needed. Stuxnet, experts speculate, took a superb team and a lot of time. Second, the potential for generic offensive weapons may be far smaller than assumed for the same reasons, and significant investments in highly specific attack programs may be deployable only against a very limited target set. Third, once developed, an offensive tool is likely to have a far shorter half-life than the defensive measures put in place against it. Even worse, a weapon may only be able to strike a single time; once the exploits of a specialized piece of malware are discovered, the most critical systems will likely be patched and fixed quickly. And a weapon, even a potent one, is not much of a weapon if an attack cannot be repeated. Any political threat relies on the credible threat to attack or to replicate a successful attack. If that were in doubt, the coercive power of a cyberattack would be drastically reduced.

"We Need a Cyberarms Control Agreement."

We don't. Cyberwar alarmists want the United States to see cybersecurity as a new challenge on a geopolitical scale. They see cyberspace becoming a new area for military competition with rivals such as Russia and China, and they believe new cyberarms limitation agreements are needed to prevent this. There are some rumblings to establish international norms on this topic: The British government convened a conference in London in late 2011, originally intended to make the Internet more secure by agreeing on new rules of the road, and Russia and China proposed at the U.N. General Assembly last September the establishment of an "international code of conduct for information security." Now, diplomats are debating whether the United Nations should try to forge the equivalent of nuclear arms control in cyberspace.

So, should it? The answer is no. Attempts to limit cyberweapons through international agreements have three principal problems. The first difficulty is drawing the line between cybercrime and potentially political activity in cyberspace. In January, for instance, a Saudi hacker stole about 20,000 Israeli credit card numbers from a shopping website and leaked the information to the public. In retaliation, a group of Israeli hackers broke into Saudi shopping sites and threatened to release private credit card information.

Where is the dividing line? Even if it were possible to distinguish criminal from state-sponsored political activity, they often use the same means. A second hitch is practical: Verification would be impossible. Accurately counting the size of nuclear arsenals and monitoring enrichment activities is already a huge challenge; installing cameras to film programmers and "verify" they don't design malicious software is a pipe dream.

The third problem is political, and even more fundamental: Cyberaggressors may act politically, but in sharp contrast with warfare, they are likely to have a strong interest in avoiding attribution. Subversion has always thrived in cyberspace because preserving one's anonymity is easier to achieve than ironclad attribution. That's the root of the political problem: Having a few states agree on cyberarms limitation is about as realistic as a treaty to outlaw espionage and about as practical as outlawing the general subversion of established order.

"The West Is Falling Behind Russia and China."

Yes, but not how you think. Russia and China are busy sharpening their cyberweapons and are already well steeped in using them. The Russian military clandestinely crippled Estonia's economy in 2007 and Georgia's government and banks in 2008. The People's Liberation Army's numerous Chinese cyberwarriors have long inserted "logic bombs" and "trapdoors" into America's critical infrastructure, lying dormant and ready to wreak havoc on the country's grid and bourse in case of a crisis. Both countries have access to technology, cash, and talent -- and have more room for malicious maneuvers than law-abiding Western democracies poised to fight cyberwar with one hand tied behind their backs.

Or so the alarmists tell us. Reality looks quite different. Stuxnet, by far the most sophisticated cyberattack on record, was most likely a U.S.-Israeli operation. Yes, Russia and China have demonstrated significant skills in cyberespionage, but the fierceness of Eastern cyberwarriors and their coded weaponry is almost certainly overrated. When it comes to military-grade offensive attacks, America and Israel seem to be well ahead of the curve.

Ironically, it's a different kind of cybersecurity that Russia and China may be more worried about. Why is it that those countries, along with such beacons of liberal democracy as Uzbekistan, have suggested that the United Nations establish an "international code of conduct" for cybersecurity? Cyberespionage was elegantly ignored in the suggested wording for the convention, as virtual break-ins at the Pentagon and Google remain a favorite official and corporate pastime of both countries. But what Western democracies see as constitutionally protected free speech in cyberspace, Moscow and Beijing regard as a new threat to their ability to control their citizens. Cybersecurity has a broader meaning in non-democracies: For them, the worst-case scenario is not collapsing power plants, but collapsing political power.

The social media-fueled Arab Spring has provided dictators with a case study in the need to patrol cyberspace not only for subversive code, but also for subversive ideas. The fall of Egypt's Hosni Mubarak and Libya's Muammar al-Qaddafi surely sent shivers down the spines of officials in Russia and China. No wonder the two countries asked for a code of conduct that helps combat activities that use communications technologies -- "including networks" (read: social networks) -- to undermine "political, economic and social stability."

So Russia and China are ahead of the United States, but mostly in defining cybersecurity as the fight against subversive behavior. This is the true cyberwar they are fighting.
