One example of how this type of IP theft affects U.S. industry involves the F-35 stealth fighter (the most expensive military procurement program in history). According to Rep. Michael McCaul, several years ago Chinese hackers stole the plans for the F-35. Then, in November, China released video of its new J-31 stealth fighter, which appears, on the surface at least, to be a duplicate of the F-35 fighter from the stolen designs. Semi-autonomous Chinese hackers were able to radically advance a top-secret program -- a skill they bring to commercial ventures as well. Chinese hackers often steal the designs for products, then build and sell them before the original U.S. designers can begin production.
It is difficult to calculate how much damage cyber IP theft is causing the U.S. economy. In a 2009 speech, President Obama warned that cyber-criminals cost the economy over a trillion dollars each year. That is more than the base U.S. and Chinese defense budgets combined. It is enough to hire 30 million Americans at median salary at a time when U.S. unemployment stands at 12 million individuals. Even if the real figure is half that, over time cyber IP theft will change the world's economic balance of power. Given the scale of the theft, it is not clear that the developed world's current economic model can succeed. While cyber-militias are not responsible for all cyber-theft, they and the systems states have set up to allow them to function are responsible for most of it.
The second geostrategic effect cyber-militias have is to empower militarily weak states in two ways. First, they provide a screen behind which states can implant malware into other states' critical military and civilian infrastructure. Second, they allow attacking states to deflect legal and diplomatic accountability. While Russia pioneered this approach during its conflict with Estonia, smaller states that cannot afford to project conventional military power have vastly more to gain from using it. For example, cyber-militias in Estonia, Latvia, Lithuania, Georgia, and Kyrgyzstan have threatened to attack infrastructure in Russia if it deploys cyber or kinetic weapons against them. While none of these states could really harm Russia with conventional weapons, a successful attack on Russia's energy infrastructure could devastate the economy and undermine the ruling party. Meanwhile, the governments in the attacking nations can plausibly, and perhaps honestly, deny involvement.
In a similar vein, Iran's current campaign against U.S. banks has the potential to inflict much greater costs than the Iranian military could extract in a conventional war. If Iran is willing and able to replicate in the United States a scaled-up version of North Korea's successful May 2011 three-day takedown of South Korea's largest bank, the cost would be on par with a small war. If it took down the U.S. electric grid, the costs could outstrip the trillion dollars the United States has spent in Iraq and Afghanistan. Whether or not Iran or other weak states are willing and able to inflict this type of damage on large states, their ability to do so increases their geopolitical influence. If the current Iranian attack on the United States eventually demonstrates the ability of a small state to cause, with impunity, significant harm to a large state, it will empower Iran and, by extension, other small states with offensive cyber-militias.
The third way cyber-militias affect geopolitics follows from the second, and is particularly worrisome. In order to empower cyber-militias, states must facilitate their ability to obtain cyberweapons and create institutions that reduce evidence of state control. Because reducing evidence of state control generally requires reducing actual state control, militias usually have some real level of autonomy. In an earlier age, when the worst damage cyber-militias could do involved defacing webpages and conducting minor denial of service attacks, this had limited implications for international security. In the post-Stuxnet era, however, it is conceivable that organized and empowered non-state actors could damage nuclear power plants, air traffic control systems, gas pipelines, banking systems, or electric grids.
Whether current-day militias could carry out such attacks is questionable -- though a 2008 National Journal article argued that various blackouts in the United States were caused by Chinese cyber-militias -- but with the rapid proliferation of cyberweapons, they will likely have such a capability in the near future. The likelihood that a country's militia might attempt to autonomously carry out a massive life-threatening attack during an emotionally intense future crisis is a risk state sponsors must accept when they deploy militias. How the United States, Russia, or other major powers might react to such an attack is anybody's guess.
This state use of militias is not historically unique. In the 16th century, England made extensive use of semi-autonomous pirates to raid Spanish seagoing commerce and colonial port cities. English piracy served the dual purpose of weakening a hegemonic opponent while enhancing England's national wealth. Like modern cyber-militia states, the British were able to plausibly deny they were behind the attacks while they bled their opponent nearly to death. The problem was, the attacks caused deep tensions between the two powers and led to two decades of ruinous military competition. In the end, England was forced to capture and execute its own pirates, international commerce was set back 20 years, and both the English and Spanish governments were bankrupted. Let's hope we can resolve the threat from cyber-militias before they do quite so much damage.