Modern technology has outpaced the ability of shared familiar metaphors to describe it. Trying to tie modern threats, executed with code over a global network infrastructure that didn’t exist decades ago, to historical analogies is a perilous activity. Which is why I was perplexed to find a recent instance of Russian hacking frames as a “Cyber Cuban Missile Crisis.” There will never be a “Cyber Cuban Missile Crisis,” for the same reason that there will never be a “Cyber Pearl Harbor” or a “Cyber 9/11:” the metaphor doesn’t work, and trying to structure debate and preparations around bad metaphors can only lead to bad policy.
History is rich with threats and reactions, signals read correctly or misread obviously in hindsight, and so there is a natural inclination when trying to explain a new threat, a new kind of problem, to anchor it to something in the past. For the American audience, and especially American policymakers, three events loom large: the surprise attack on Pearl Harbor, the careful brinkmanship and de-escalation of the Cuban Missile Crisis, and the terrorist attack on September 11th, 2001. World War II, the Cold War, and the War on Terror are integral to the history of this nation, but isolating them into single catch-phrase events, and then slapping a technology adjective on the front, does not make the lessons of the past any clearer, or offer only a single suggestion about the way forward.
Every Attack Needs An Architecture
Behind every invocation of “Cyber Pearl Harbor” is a fear of a surprise attack, carrier out on existing and highly visible assets thought to be safe. With every mention of “Cyber 9/11”, the emphasis is on both surprise and the non-state nature of the attackers. And “Cyber Cuban Missile Crisis” calls to mind world-shattering peril, only halted through careful diplomacy and intelligence collection, and not a small bit of luck. What is missing from these tellings is the greater geopolitical context needed for a repeat performance: how many articles about “Cyber Pearl Harbor” posit multiple near-peer expansionist powers and a singular concentration of American military assets into one location that renders them all vulnerable in the same way at once?
Likewise, a recent discussion of a possible “Cyber Cuban Missile Crisis” took the Cold War standoff as reference point for the revelation around widespread compromise of half a million routers.
“The risk posed to U.S. national security by what are believed to be Russian-backed hacking groups,” writes Suzanne Kelly, “is similar to the October 1962 Cuban Missile Crisis according to Cipher Brief Experts, but different, in that the U.S. has no clear and obvious deterrent this time around.”
The lack of a deterrent is not a trivial part of why the analogy breaks down. It is the integral part, the key point to understand in how a crisis of nuclear deployment is wildly unlike a problem of compromised routers. The presence of nuclear-capable missiles on Cuba, paired with the existing nuclear arsenals of both the United States and the USSR, meant that the conflict was one fundamentally about deterrence and first strikes. The entire conversation, as well as the negotiations that ended the standoff by withdrawing Soviet weapons from Cuba and American weapons from Turkey, hinged around clear and obvious deterrents.
The threat described in the symposium, instead, is a large network of compromised routers, with the potential to gather intelligence, launch disruptive attacks, or mask attribution for other attacks. An impending nuclear war, this is not. When we are comparing attacks, an element of surprise or preparation alone is not enough to warrant an analogy to potentially world-ending missile exchanges.
Listen all y’all, this is sabotage
Because of the vast reach of the internet, and the ability for states and non-state actors to intrude into vulnerable networks across continents and oceans, existing metaphors from the past are limited in how they can describe such a phenomena. There is nothing like the internet anywhere in history before the telegram, and even in the first great age of connectivity, the ability to run hostile programs inside the message-relaying equipment of others was an impossibility.
“In my opinion, I see no logical difference between the placement of Soviet missiles in Cuba and the placement of Russian Malware in our critical infrastructure,” Kevin McLaughlin, former deputy commander of U.S. Cyber Command, told Cipher Brief. “We almost went to nuclear war over the simple basing of those missiles in Cuba, but hardly a peep over the Russian ‘basing’ of malware on our own soil.”
The sense of peril on display here is wildly out of proportion. As war is argued down to include nonlethal hacking but on behalf of a state, intelligence operations get scaled up into the specter of great power conflict when they involve disruptions carried out through connected computer networks. Cyber blurs the lines between espionage and sabotage, and since both happen in the informal realm of intelligence operations and explicit military campaigns, it’s at least understandable why the two get conflated. Yet it’s a disservice to the public, and to people setting policy, to compare denial-of-service attacks to a nuclear war close call, and it misses the logic of deterrence when the action deterred is sabotage and not the deaths of millions.
What was terrifying about the Cuban Missile Crisis, what shaped the response to it, was not so much that the missiles were close to the United States, but that the missiles were close to the United States and armed with nuclear warheads. The V-2 rockets of World War II demonstrated that nations could strike other countries hundreds of miles away, but conventional explosives meant this was a conventional threat, and a minor one on the scale of World War II. What changed the calculus was not so much the basing of missiles but the basing of missiles with far deadlier payloads.
If we are looking to analogize to the past, we should instead look to the long history of saboteurs, a real part of active conflicts that remains relatively obscure in the popular imagination because the scale of harm was drastically less. And deterrence for saboteurs did not require, say, a separate fully formed sabotage apparatus, ready to mildly inconvenience a rival superpower at any moment.
Instead, the response is to harden targets, to prosecute people found engaging in sabotage, and to build resiliency. These are all possible in response to cyber threats, and are much more attainable goals than actively compromising foreign networks as staging ground for ... some unknown threat, to be determined in the future.
We may still see a world of lethal attacks conducted across networks by cyber means, but what will elevate those attacks from espionage and sabotage to genuine wartime concerns is the scale of harm conducted through those means. Until then, we’d be better protected learning the full lessons from the history around the historical metaphors, and understanding cyber threats as a distinctly modern phenomena.