Until recently, cybersecurity had primarily interested computer geeks and cloak-and-dagger types. The internet’s creators, part of a small, enclosed community, were very comfortable with an open system in which security was not a primary concern. But, with some three billion or so users on the Web nowadays, that very openness has become a serious vulnerability. Indeed, it is endangering the vast economic opportunities that the internet has opened for the world.
A “cyber attack” can take any number of forms, including simple probes, defacement of Web sites, denial-of-service attacks, espionage and destruction of data. And the term “cyber war,” though best defined as any hostile action in cyberspace that amplifies or is equivalent to major physical violence, remains equally protean, reflecting definitions of “war” that range from armed conflict to any concerted effort to solve a problem (for example, “war on poverty”).
Cyberwar and cyberespionage are largely associated with states, while cybercrime and cyberterrorism are mostly associated with non-state actors. The highest costs currently stem from espionage and crime; but, over the next decade or so, cyberwar and cyberterrorism may become greater threats than they are today. Moreover, as alliances and tactics evolve, the categories may increasingly overlap. Terrorists may buy malware from criminals and governments may find it useful to hide behind both.
Some people argue that deterrence does not work in cyberspace, owing to the difficulties of attribution. But that is facile: Inadequate attribution affects inter-state deterrence as well. Yet, it still operates. Even when the source of an attack can be successfully disguised under a “false flag,” governments may find themselves sufficiently enmeshed in symmetrically interdependent relationships such that a major attack will be counterproductive. China, for example, will lose from an attack that severely damaged the American economy and vice versa.
An unknown attacker may also be deterred by cyber-security measures. If firewalls are strong or redundancy and resilience allow quick recovery or the prospect of a self-enforcing response (“an electric fence”) seems possible, an attack becomes less attractive.
While accurate attribution of the ultimate source of a cyberattack is sometimes difficult, the determination does not have to be airtight. To the extent that false flags are imperfect and rumours of the source of an attack are widely deemed credible (though not legally probative), reputational damage to an attacker’s soft power may contribute to deterrence.
Finally, a reputation for offensive capability and a declared policy that keeps open the means of retaliation can help to reinforce deterrence. Of course, non-state actors are harder to deter, so improved defences such as pre-emption and human intelligence become important in such cases. But, among states, even nuclear deterrence was more complex than it first looked and that is doubly true of deterrence in the cyber domain.
Given its global nature, the internet requires a degree of international cooperation to be able to function. Some people call for the cyber equivalent of formal arms-control treaties. But differences in cultural norms and the difficulty of verification will make such treaties hard to negotiate or implement. At the same time, it is important to pursue international efforts to develop rules of the road that can limit conflict. The most promising areas for international cooperation today most likely concern problems posed for states by third parties such as criminals and terrorists.
Russia and China have sought to establish a treaty establishing broad international oversight of the internet and “information security,” which will prohibit deception and embedding malicious code or circuitry that can be activated in the event of war. However, the US has argued that arms-control measures banning offensive capabilities can weaken defences against attacks and will be impossible to verify or enforce.
Likewise, in terms of political values, the US has resisted agreements that can legitimise authoritarian governments’ censorship of the internet — for example, by the “great firewall of China”. Moreover, cultural differences impede any broad agreements on regulating online content.
Nonetheless, it may be possible to identify behaviours like cybercrime that are illegal in many domestic jurisdictions. Trying to limit all intrusions will be impossible, but one can start with cybercrime and cyberterrorism involving non-state parties. Here, major states will have an interest in limiting damage by agreeing to cooperate on forensics and controls.
The transnational cyber domain poses new questions about the meaning of national security. Some of the most important responses must be national and unilateral, focused on hygiene, redundancy and resilience. It is likely, however, that major governments will soon discover that the insecurity created by non-state cyberactors will require closer cooperation among governments.
— Project Syndicate, 2013
Joseph S. Nye is University Professor at Harvard University’s Kennedy School of Government and the author of The Future of Power.
Sign up for the Daily Briefing
Get the latest news and updates straight to your inbox
Network Links
GN StoreDownload our app
© Al Nisr Publishing LLC 2026. All rights reserved.