Is Cyberwar Really War?
Author: Thomas Wagner-Nagy and Ross Ryan
Originally Published at Peace and Conflict Monitor on: 02/19/2015
While US-President Barack Obama was giving a lecture on nuclear threats during his June 2013 visit to Germany, Chancellor Angela Merkel made a remarkable comment on a different kind of peril to democracy and peace:
“The internet is virgin territory (“Neuland”) for us all. And, of course, it also provides enemies and opponents of our democratic basic order with new tools and opportunities to threaten our way of life.” The surprising part of her statement was not that she finally acknowledged the potential threat behind cyber operations in the light of the 2013 global surveillance disclosures but rather the fact that she referred to the internet as virgin territory in the year of its 30th anniversary.
The inhabitants of this virgin territory, especially those of the social networks, were quick to respond with an online mockery campaign. As the hashtag #Neuland went viral and the ridicule spread to the mainstream press, Merkel’s spokesman, tried to clarify her comment stating “[…] that the internet is new legal and political territory, as we sense daily in political dealings”. The incident not only exposed the scale of confusion, uncertainty, and lack of expertise on cyberspace at the highest government levels, it also sparked a public debate on how to deal with the internet as a medium many are using, yet very few are understand.
Cyberspace – or rather control over it – has become an important aspect of international relations. But just how dangerous is our ever intensifying dependence on the digital and virtual world? Some scholars argue that cyberwar is one of the new major threats to international peace. Others state that the harmful potential of cyber operations is being overestimated, and still others hold that they can be beneficial in preventing physical violence in conflict situations. The purpose of this paper is therefore to assess the scale of threats that a so-called cyber warfare with its various subcategories can pose to national and international security.
The quest for hidden information
The nature of warfare has evolved from one-on-one sword fights to high precision long range missiles that are capable of hitting a target on the opposite side of the world at the push of a button. Violent confrontation has expanded from land to the depths of the sea and the heights of airspace. While all of these spheres still require the physical presence of soldiers or at least weapons, cyberspace represents a new kind of territory with new kinds of weapons. As William Lynn states in a 2010 Foreign Affairs article: “Although cyberspace is a man-made domain, it has become just as critical to military operations as land, sea, air, and space”. This has led to a situation in which “[a]ccess to sensitive data no longer requires physical proximity. The benefits […] are balanced by the knowledge that information is more accessible and less protected than ever before”, writes Mark Doll (et al.), a realization that has led him to search for ways of “defending the digital frontier” in his book of the same title.
On the organizational level, Doll identifies four broad categories of threats to digital security:
• Interception: Data is siphoned from the system
• Interruption: Networks and internet access are rendered unusable in a denial-of-service attack
• Modification: Authorization or access codes are changed
• Fabrication: False information is inserted into a system
These four ways of intervention constitute the gateway to cyber operations that – as some experts argue – have the potential to cause a virtual war among nations and countries. But what does the term “cyberwar” actually mean?
Arquilla and Ronfeld coined the term “cyberwar” in the early 1990s. Much attention has been given to their paper Cyberwar is coming, in which they warn of the consequences of what they call the information revolution: “Warfare is no longer primarily a function of who puts the most capital, labor and technology on the battlefield, but of who has the best information about the battlefield. What distinguishes the victors is their grasp of information […]”. The authors hypothesize “that the information revolution will cause shifts both in how societies may come into conflict, and how their armed forces may wage war” and make an important distinction between what they call “netwar”, that is “societal-level ideational conflicts waged in part through internetted modes of communication” and the term “cyberwar” at a military level. “While both netwar and cyberwar revolve around information and communications matters”, as Arquilla and Ronfeldt emphasize, “at a deeper level they are forms of war about “knowledge”—about who knows what, when, where, and why, and about how secure a society or a military is regarding its knowledge of itself and its adversaries.”
In a 2001 interview, Arquilla was asked what he thinks about the fact that the term cyberwar was becoming a buzzword being used by authorities and the media to describe any larger hacker intrusion. He took the chance to clarify what he and his colleague were refering to when talking about cyberwar: “Both David and I believe very strongly that what we have called cyberwar has something to do with technology, but just as much — if not even more — to do with organization and military doctrine. And what we realized ten years ago is that if you can control information flows, an opposing military cannot function […] We saw this in the Gulf War and we’ve seen it in a variety of actual events as well as in advanced military experiments. So, our notion of cyberwar was intended to refer basically to military interaction. Hacking today, that is conflated with cyberwar, is a small part of it. But it can be the part that strikes directly at a country’s infrastructures.”
A domain of uncertainties
In Doll’s view, it is a misperception that “[s]ecurity technology will solve security needs”. Cordesman expresses similar concerns and uses the U.S. as an example to highlight a lack of effective countermeasures and identifies a general pattern with “a clear disconnect between the efforts in the U.S. to plan offensive cyber warfare and efforts at cyber defense”. This means that while the U.S. might be able to carry out sophisticated cyber operations their capability of responding to the latter is relatively poor. Or as Clarke and Knake put it: “The biggest secret in the world about cyber war may be that at the very same time the U.S. prepares for offensive cyber war, it is continuing policies that make it impossible to defend the nation effectively from cyber attack.” The assumption that this disconnect applies even more strongly to the vast majority of countries that are not as technologically advanced as the U.S. does not seem farfetched.
In February 2011, then-Central Intelligence Agency Director Leon Panetta warned the House Permanent Select Committee on Intelligence of the possibility of a “Cyber Pearl Harbor” and has reiterated this alert since. Other experts like Anthony Cordesman are more cautious about predicting such nightmare scenarios, but are warning about the uncertainties that cyber attacks bring along. With regard to “an […] electronic Pearl Harbor,” Cordesman states that “[i]t is far from clear that this level of potential damage from cyber attack is likely or even possible. […] Resolving this very uncertainty is one of the most critical priorities in improving the U.S. effort in critical infrastructure protection.”
Cyber attacks on Estonia – a foretaste of the future of warfare?
In 2007, the world was able get a glimpse at how such a virtual operation targeting a state’s critical infrastructure might look like: The government of Estonia had decided to move a memorial statue honoring Soviet World War II war dead from the central square of Tallinn to a cemetery on the city’s outskirts, which made Russians in and outside the country express their anger in demonstrations that turned violent. Simultaneously, distributed denial-of-service (DDoS) attacks began against Estonian computers. The Baltic country was hit by a series of cyber attacks that targeted websites of national organizations, including the parliament, banks, ministries, newspapers and broadcasters. “Estonia, although small […], is a remarkably web-dependent country, with widespread internet access, digital identity cards, an 80-percent usage rate for online banking, electronic tax collection, and remote medical monitoring.”
Estonia accused Russia of orchestrating the attack claiming the DDoS attacks could be traced to IP addresses in Moscow owned by the Russian government. Outside experts, however, found the evidence of official government involvement weak. Lesk estimates that the cyber attacks against Estonia might have cost in the neighborhood of $100,000 and concludes that “the size of the attack doesn’t imply government involvement. The amount of money needed to launch the attacks is easily within the capacity of a group of middle-class terrorists”.
Estonian authorities were, in the end, unable to effectively counter the attack. The country cut its Internet connections to the outside world so that people within Estonia could continue to use their conventional services. This, for example, made it difficult for people with Estonian bank cards to use ATMs in other countries.
While Lesk lists a number of additional examples of cyber attacks between Israel and Palestine, China and Taiwan as well as China and the US, he emphasizes that “[a]ll of these incidents, however, involved attempts to overwrite websites with embarrassing and childish messages; they don’t seem to be something that governments would waste their effort on. Most seemed to be the actions of uncoordinated agents”. Nonetheless, in his view “the Estonian cyberwar ought to be a wake-up call [as] producing so much disruption for so little money has to be attractive to many groups”.
Real threats vs scaremongering
As opposed to the scholars and politicians mentioned above, Thomas Rid argues that “cyberwar will not take place” in his 2011 paper of the same title. Rid dismantles the idea of a large-scale cyberwar in three steps, arguing that what he defines as cyber war has never happened in the past, does not take place in the present and “that it is unlikely that cyber war will occur in the future”.
Referring to Clausewitz’s concept of war in his book Vom Kriege, Rid notes that an offensive act has to meet at least three criteria simultaneously in order to qualify as an act of war: “Any act of war has to have the potential to be lethal; it has to be instrumental; and it has to be political.” After applying these criteria to several examples of cyber offenses, Rid concludes that “[n]ot one single past cyber offense, neither a minor nor a major one, constitutes an act of war on its own. He emphasizes the lack of force in all past cyber operations and deduces that “[i]f the use of force in war is violent, instrumental, and political, then there is no cyber offense that meets all three criteria.”
Even if one accepts Rid’s line of argument, the fact that no cyber operation to date can be classified as an act of war does not mean that this can not happen in the future. Clarke & Knake give a vivid description of how a Chinese cyber attack on the United States homeland in case of a political crisis may look like. According to them, the Chinese could black out a major city by activating so-called logic-bombs that were pre-installed in America’s electricity grid. The attack could derail trains, cut communication in air traffic systems and target control systems of nuclear power stations with fatal consequences. Many people could be injured or killed as a result. Rid refers to this scenario and acknowledges that “[s]uch mediated destruction caused by a cyber offense could, without doubt, be an act of war, even if the means were not violent, only the consequences”. Since he would not call it war in that case either, Rid offers a more nuanced terminology to come to terms with cyber attacks.
Rid goes even one step further by highlighting possible benefits of cyber operations. In his recent Foreign Affairs article, he claims that hacking can reduce real-world violence as opposed to amplifying it and indeed make the world more peaceful: “Cyberattacks diminish rather than accentuate political violence by making it easier for states, groups, and individuals to engage in two kinds of aggression that do not rise to the level of war: sabotage and espionage. Weaponized computer code and computer-based sabotage operations make it possible to carry out highly targeted attacks on an adversary’s technical systems without directly and physically harming human operators and managers.”
Four main conclusions regarding the danger of cyber operations can be drawn from this brief review of the literature:
• If one applies Clausewitz’s criteria for warfare strictly to past cases of cyber operations, none of them constitutes an act of war and should therefore not be referred to as cyberwar.
• Politicians, authorities and media alike tend to use the term “cyberwar” to describe any bigger hacking operation. This frivolous use bears some scaremongering potential and forms an obstacle to a more differentiated discourse. Since Rid discusses the issue terminology in depth, his approach might be helpful in restoring the credibility of the term.
• The cyber attacks that have been recorded to date have proven that virtual operations have the potential to inflict a relatively high economic damage in proportion to their low costs.
• While experts are split over the extent of damage that can be caused by virtual operations, they agree on the fact that governments have failed to boost efforts to effectively defend their nations from large-scale cyber attacks.
Due to the partly contradictory literature on the threats posed by cyber operations it seems farfetched to assume that they have become the strongest weapons of war over the years. Chances are that they are not – at least not yet, if one considers that to our knowledge no or hardly any people died of the consequences of cyber attacks. Their full destructive potential, however, can only be assessed from the day when somebody decides to push it to its limits, as it is the case with many other warlike threats. It is hard to predict when and how this will happen. The literature that arises from the 2013 global surveillance disclosures might provide a deeper insight into the status quo and reveal if and how the general tone when addressing security and warfare in cyberspace has changed after the debate that followed Edward Snowden’s revelations.
Bio: Thomas Wagner-Nagy is a freelance journalist currently based in Germany. He holds a BA in Science Journalism with a minor in Biomedical Sciences from the University of Dortmund. Born in Transylvania/Romania and raised in Germany, his work has taken him to France, Cameroon and Costa Rica. He graduated from the United Nations-mandated University for Peace in June 2014 with an MA in Media, Peace and Conflict Studies. Thomas is currently working to establish his own NGO which aims to provide schooling and a leisure program for children in refugee camps.
Ross Ryan is a UPEACE faculty member who teaches in the Media and Peace Studies programme.