What’s the Real Cybersecurity Risk?

Brandon Valeriano has a working paper which gathers some quantitative data to take a look at cybersecurity issues. Like Gartzke, he finds that reports of cyber-war have been greatly exaggerated.

even though there are 106 observed cyber incidents within 44 cyber disputes among 20 rivals, the intensity, duration, and level of attack remain low compared to the dire warnings one receives from the media. We hope that this research can return the debate on cyber conflict to a more nuanced examination of the threat.

One of the risks of this kind of research is that the data is very likely systematically biased. As Valeriano acknowledges, the set of publicly known cybersecurity incidents (Valeriano scrapes media reports to gather his data set) may only imperfectly reflect the actual universe of attacks that have been committed. David Sanger reports that one of the architects of the Stuxnet/Olympic Games attack told him that “The most elegant attacks are a lot like the most elegant bank frauds … They work best when the victim doesn’t even know he’s been robbed”(pp.190-191, Confront and Conceal). To the extent that this is true (which is again unknowable given publicly available information), many of the most interesting cybersecurity attacks will not be publicly known (and may, perhaps, never be known – e.g. attacks creating critical vulnerabilities to be used in the event of wars that never happen).

[Originally posted at The Monkey Cage]

Henry Farrell

Henry Farrell is an associate professor of political science and international affairs at George Washington University.