Why There’s No Such Thing as a Cyberwar

New Scientist
Stories from New Scientist.
Sept. 15 2013 7:08 AM

What Would a Real Cyberwar Look Like?

Dark warnings exaggerate and distort the real risks.

No cyberwar in sight.
This is not war.

Photo by PN Photo/iStock/Thinkstock

Talk of combat in the fifth domain has become a fixture in Washington. But let's not use that as an excuse to quash a free Internet, says a war studies academic.

Exactly two decades ago, the RAND Corp., an influential think tank, proclaimed that "Cyberwar is Coming!" In 2005 the U.S. Air Force declared it would now "fly, fight, and win in cyberspace." The future of war would surely play out in that fifth domain, on top of land, sea, air, and space. Dark warnings of "Cyber Pearl Harbor" soon became a staple of Washington discourse.

Leaks revealed last week that the U.S. government spends a staggering $4.3 billion a year on cyberoperations. In 2011 American intelligence agencies reportedly mounted 231 offensive operations. The United States, it seems, is gearing up for cybercombat.

What would an act of cyberwar look like? History suggests three features. To count as an armed attack, a computer breach would need to be violent. If it can't hurt or kill, it can't be war. An act of cyberwar would also need to be instrumental. In a military confrontation, one party generally uses force to compel the other party to do something they would otherwise not do. Finally, it would need to be political, in the sense that one opponent says, "If you don't do X, we'll strike you." That's the gist of two centuries of strategic thought.

Advertisement

No past cyberattack meets these criteria. Very few meet even a single one. Never has a human been injured or hurt as an immediate consequence of a cyberattack. Never did a state coerce another state by cyberattack. Very rarely did state-sponsored offenders take credit for an attack. So if we're talking about war—the real thing, not a metaphor, as in the "war on drugs"—then cyberwar has never happened in the past, is not taking place at present, and seems unlikely in the future.

That is not to say that cyberattacks do not happen. In 2010 the United States and Israel attacked Iran's nuclear enrichment program with a computer worm called Stuxnet. A computer breach could cause an electricity blackout or interrupt a city's water supply, although that also has never happened. If that isn't war, what is it? Such attacks are better understood as either sabotage, espionage, or subversion.

Code-borne sabotage is a real risk. Industrial control systems run all sorts of things that move fast and can burn: trains, gas pipelines, civilian aircraft, refineries, even elevators and medical devices. Many of these are highly susceptible to breaches, and information about system vulnerabilities is easily available.

Even so, the number of violent computer-sabotage attacks against Western targets is zero.

Why? Because causing havoc through weaponized code is harder than it looks. Target intelligence is needed. Control systems are often configured for specific tasks, limiting the possibility of generic attacks. Even if they happened, such attacks may not constitute a use of force.

The second threat is cyberespionage. Data breaches are not just a risk, but a real bleeding wound for the United States, Europe, and other advanced economies. But espionage is not war, and cyberespionage is not cyberwar.

Finally, there is subversion—using social media and other Internet services to undermine established authority. It is not a surprise that subversives, from Anonymous and Occupy to Arab protesters, use new technologies. Twitter and Facebook have made organizing nonviolent protest easier than ever, often in the service of liberty and freedom. But again, subversion is not war, and cybersubversion is not cyberwar.

There are other problems with the concept of cyberwar. First, it is misleading. Closer examination of the facts reveals that what is happening is the opposite of war: Computer breaches are less violent than old-style attacks. Violent sabotage is harder if it is done through computers, while nonviolent sabotage is now easier and is happening more often: crashing websites, deleting files and so on. The same goes for espionage: Infiltrating software and opening remote back doors is much less risky than sending in human agents and clandestinely bugging embassy walls.

Talk of cyberwar is also disrespectful. Last year the U.S. Department of Defense considered creating a Distinguished Warfare Medal for drone operators and developers of computer attacks. Real combat veterans protested vehemently when they learned that the award would have ranked higher than the Purple Heart. Secretary of Defense Chuck Hagel then scrapped the idea. Ending or saving the life of another human is an existential experience; deleting or modifying data is not.

Talk of cyberwar also kills nuance. Intelligence agencies have started to take "cyber" seriously. By doing so, signals-intelligence agencies such as the U.S. National Security Agency and the U.K.'s Government Communications Headquarters, as well as human intelligence agencies, are updating their tradecraft for the 21st century. The West is beginning to have an overdue debate about what kind of intelligence activity is legitimate for a 21st-century democracy, and where red lines should be drawn. Drawing these lines requires subtlety. It is time for this debate to drop the prefix "cyber" and call a spade a spade: Espionage is espionage.

Finally, talk of cyberwar is in the interest of those with a harsher vision of the Web's future. Many countries are tempted to take control of their "cyberspace." Authoritarian states like to tweak their technical infrastructure, their national laws, and their firewalls to "protect sovereignty in cyberspace," as they like to say—which in practice means protecting intellectual property thieves from foreign pressure and rounding up dissidents at home.

The armed forces need to stay focused on fighting and winning the real wars of the future. That's hard enough. Let us not militarize the struggle for the free and liberal Internet today.

This article originally appeared in New Scientist.

Thomas Rid is a reader in war studies at King's College London. His most recent book is Cyber War Will Not Take Place (Oxford University Press).

TODAY IN SLATE

The World

The Budget Disaster that Sabotaged the WHO’s Response to Ebola

How Movies Like Contagion and Outbreak Distort Our Response to Real Epidemics

PowerPoint Is the Worst, and Now It’s the Latest Way to Hack Into Your Computer

Everything You Should Know About Today’s Eclipse

An Unscientific Ranking of Really, Really Old German Beers

Education

Welcome to 13th Grade!

Some high schools are offering a fifth year. That’s a great idea.

Culturebox

The Actual World

“Mount Thoreau” and the naming of things in the wilderness.

Want Kids to Delay Sex? Let Planned Parenthood Teach Them Sex Ed.

Can Democratic Sen. Mary Landrieu Pull Off One More Louisiana Miracle?

  News & Politics
Politics
Oct. 22 2014 9:42 PM Landslide Landrieu Can the Louisiana Democrat use the powers of incumbency to save herself one more time?
  Business
Moneybox
Oct. 23 2014 11:51 AM It Seems No One Is Rich or Happy: I Looked.
  Life
The Vault
Oct. 23 2014 12:02 PM Delightfully Awkward Studio Action Shots of Players, Used on Early Baseball Cards
  Double X
The XX Factor
Oct. 23 2014 11:33 AM Watch Little Princesses Curse for the Feminist Cause
  Slate Plus
Working
Oct. 23 2014 11:28 AM Slate’s Working Podcast: Episode 2 Transcript Read what David Plotz asked Dr. Meri Kolbrener about her workday.
  Arts
Brow Beat
Oct. 23 2014 12:01 PM Who Is Constantine, and Should You Watch His New Show?
  Technology
Technology
Oct. 23 2014 11:45 AM The United States of Reddit  How social media is redrawing our borders. 
  Health & Science
Bad Astronomy
Oct. 23 2014 7:30 AM Our Solar System and Galaxy … Seen by an Astronaut
  Sports
Sports Nut
Oct. 20 2014 5:09 PM Keepaway, on Three. Ready—Break! On his record-breaking touchdown pass, Peyton Manning couldn’t even leave the celebration to chance.