Why cyber warfare is so attractive to small nations

December 21, 2014, 4:27 PM UTC
An employee working at the headquarters of Kaspersky Lab, a cyber-security firm, in Moscow, Russia in Dec. 2014.
An employee working at the headquarters of Kaspersky Lab in Moscow, Russia in Dec. 2014. Kaspersky is one of several cyber security firms that monitor and defend against cyber attacks.
Photograph by Alexander Zemlianichenko Jr. — Bloomberg/Getty Images

Last week news broke that North Korea, which is believed to be responsible for a massive cyber attack against Sony (SNE), may have as many as 1,800 cyber warriors. That may seem like a large figure for the nation of 24.9 million people, especially considering that Pyongyang isn’t exactly known for its centers of higher learning. Yet many small nation-states—even those that are in regions that lack universities with notable computer science programs—are finding that cyber war provides more bang for the buck than investment in conventional weapons.

“Cyber warfare is a great alternative to conventional weapons,” says Amy Chang, a research associate in the technology and national security program at the Center for a New American Security. “It is cheaper for and far more accessible to these small nation-states. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are [caught].”

There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. According to recent intelligence studies more than 140 countries have some level of cyber weapon development programs. In 2012 the U.S. Defense Advanced Research Projects Agency, the research arm of the Pentagon, invested $110 million in Plan X, a “foundational cyber warfare program” that aims to harness computing power to wage war more effectively. The program was only one part of DARPA’s reported $1.54 billion cyber budget for 2013 to 2017.

Many small nations don’t have those kinds of resources to allocate toward such projects, but experts say large amounts of funding isn’t really necessary.

“You don’t need that much money to invest in cyber warfare,” warns Martin Libicki, senior management scientist with the Rand Corporation, the nonprofit global policy think tank. “It is really a people thing, not a money thing. North Korea has a small GDP and may only have a thousand or so specialists dedicated to cyber warfare. But it can still accomplish big things with what it has.”

It may have taken as long as a year for Sony’s attackers to accomplish the task, according to the latest reports about the recent breach. For a criminal enterprise seeking money, the effort would not have enjoyed a good return on investment. But if the hackers were in fact from North Korea, money was likely not the objective.

“The hacking of Sony would have been a bad investment for a criminal,” Libicki says. “For a government, it wasn’t that bad of an effort—and it accomplished the mission, as Sony pulled the film from theaters.”

In addition to an alternative to conventional weapons, cyber war programs also serve as a means for small nations to acquire another state’s advanced technology, whether for commercial or military application.

“North Korea lacks infrastructure to support a massive computer industry or even a computer science education program,” Chang says. “But there is a relative value in investing in information technology over weapons systems. It is far more economical to invest in technology that could be used to pilfer other technology from developed nations. Why develop advanced weapons technology when you can steal it?”

Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one—which means small nations may have more of a stomach for going on the cyber offensive than for stopping a similar attack. In 2012 Iran’s nuclear program was reportedly the target of a massive cyber attack believed to have been perpetrated by the United States and Israel. Iran is believed to have responded by unleashing its own attack against Saudi Aramco, the state-owned oil and gas company, during which hackers destroyed data on 30,000 Aramco computers. As with the recent Sony attack, Aramco is considered a “soft target” attack because the victim is less likely to have the same level of computer security investment—to the tune of hundreds of millions of dollars—as systems for a government or financial entity.

“For good or bad, cyber attacks aren’t [usually] directed at ‘hard’ targets,” Libicki says. “This is an extension of terrorist attacks, which typically don’t go after a military base but go after an embassy or other interests. It sends a message and is easier to perpetrate.”

In an Internet-connected world, the ancient notion of barbarians at the gate—used to describe the Sack of Rome in 410 by the Visigoths after they entered the city through its Salarian Gate—has been replaced with a far more complex concept. Online, there is a seemingly endless number of entrances to someone’s secure infrastructure, a gate for every authorized user and device.

“Sony is a great example of how this sort of thing happens even though they had been warned about it before,” says Lt. General Clarence E. McKnight Jr. (Retired), former head of the Signal Corps and author of From Pigeons to Tweets. “There is too much information going around the cyber world and so many ways to access it. As the whole world gets connected, it just provides the details that make these attacks possible.”

What’s more, an Internet-connected world has given smaller players a communication network on a global scale with which to coordinate such attacks. “We need to think about how these groups such as ISIS use Twitter and other social media to communicate,” Chang says, using the acronym for the Islamic State of Iraq and Syria. “The level of instant communication has increased because of this technology.”

So far, such attacks do not appear to have taken out any “hard” targets. Even the highly publicized Sony hack, which has left the company reeling, is not significant enough to roil world markets with catastrophic side effects. Neither was the brief shutdown of the Warsaw stock exchange in October. Yet such nuisance attacks demonstrate that a small player like North Korea or ISIS (which is believed to have been behind the Warsaw attack) could have an outsized impact online relative to their resources.

“This is really physiological warfare, and in Sony’s case people won’t go to the movies,” McKnight says. “At this point cyber warfare is over-hyped on what it can accomplish. But it is the only game in town for a lot of countries.”