Why There’s No Such Thing as a Cyberwar

Stories from New Scientist.
Sept. 15 2013 7:08 AM

What Would a Real Cyberwar Look Like?

Dark warnings exaggerate and distort the real risks.

No cyberwar in sight.
This is not war.

Photo by PN Photo/iStock/Thinkstock

Talk of combat in the fifth domain has become a fixture in Washington. But let's not use that as an excuse to quash a free Internet, says a war studies academic.

Exactly two decades ago, the RAND Corp., an influential think tank, proclaimed that "Cyberwar is Coming!" In 2005 the U.S. Air Force declared it would now "fly, fight, and win in cyberspace." The future of war would surely play out in that fifth domain, on top of land, sea, air, and space. Dark warnings of "Cyber Pearl Harbor" soon became a staple of Washington discourse.

Leaks revealed last week that the U.S. government spends a staggering $4.3 billion a year on cyberoperations. In 2011 American intelligence agencies reportedly mounted 231 offensive operations. The United States, it seems, is gearing up for cybercombat.

What would an act of cyberwar look like? History suggests three features. To count as an armed attack, a computer breach would need to be violent. If it can't hurt or kill, it can't be war. An act of cyberwar would also need to be instrumental. In a military confrontation, one party generally uses force to compel the other party to do something they would otherwise not do. Finally, it would need to be political, in the sense that one opponent says, "If you don't do X, we'll strike you." That's the gist of two centuries of strategic thought.

Advertisement

No past cyberattack meets these criteria. Very few meet even a single one. Never has a human been injured or hurt as an immediate consequence of a cyberattack. Never did a state coerce another state by cyberattack. Very rarely did state-sponsored offenders take credit for an attack. So if we're talking about war—the real thing, not a metaphor, as in the "war on drugs"—then cyberwar has never happened in the past, is not taking place at present, and seems unlikely in the future.

That is not to say that cyberattacks do not happen. In 2010 the United States and Israel attacked Iran's nuclear enrichment program with a computer worm called Stuxnet. A computer breach could cause an electricity blackout or interrupt a city's water supply, although that also has never happened. If that isn't war, what is it? Such attacks are better understood as either sabotage, espionage, or subversion.

Code-borne sabotage is a real risk. Industrial control systems run all sorts of things that move fast and can burn: trains, gas pipelines, civilian aircraft, refineries, even elevators and medical devices. Many of these are highly susceptible to breaches, and information about system vulnerabilities is easily available.

Even so, the number of violent computer-sabotage attacks against Western targets is zero.

Why? Because causing havoc through weaponized code is harder than it looks. Target intelligence is needed. Control systems are often configured for specific tasks, limiting the possibility of generic attacks. Even if they happened, such attacks may not constitute a use of force.

The second threat is cyberespionage. Data breaches are not just a risk, but a real bleeding wound for the United States, Europe, and other advanced economies. But espionage is not war, and cyberespionage is not cyberwar.

Finally, there is subversion—using social media and other Internet services to undermine established authority. It is not a surprise that subversives, from Anonymous and Occupy to Arab protesters, use new technologies. Twitter and Facebook have made organizing nonviolent protest easier than ever, often in the service of liberty and freedom. But again, subversion is not war, and cybersubversion is not cyberwar.

There are other problems with the concept of cyberwar. First, it is misleading. Closer examination of the facts reveals that what is happening is the opposite of war: Computer breaches are less violent than old-style attacks. Violent sabotage is harder if it is done through computers, while nonviolent sabotage is now easier and is happening more often: crashing websites, deleting files and so on. The same goes for espionage: Infiltrating software and opening remote back doors is much less risky than sending in human agents and clandestinely bugging embassy walls.

Talk of cyberwar is also disrespectful. Last year the U.S. Department of Defense considered creating a Distinguished Warfare Medal for drone operators and developers of computer attacks. Real combat veterans protested vehemently when they learned that the award would have ranked higher than the Purple Heart. Secretary of Defense Chuck Hagel then scrapped the idea. Ending or saving the life of another human is an existential experience; deleting or modifying data is not.

Talk of cyberwar also kills nuance. Intelligence agencies have started to take "cyber" seriously. By doing so, signals-intelligence agencies such as the U.S. National Security Agency and the U.K.'s Government Communications Headquarters, as well as human intelligence agencies, are updating their tradecraft for the 21st century. The West is beginning to have an overdue debate about what kind of intelligence activity is legitimate for a 21st-century democracy, and where red lines should be drawn. Drawing these lines requires subtlety. It is time for this debate to drop the prefix "cyber" and call a spade a spade: Espionage is espionage.

Finally, talk of cyberwar is in the interest of those with a harsher vision of the Web's future. Many countries are tempted to take control of their "cyberspace." Authoritarian states like to tweak their technical infrastructure, their national laws, and their firewalls to "protect sovereignty in cyberspace," as they like to say—which in practice means protecting intellectual property thieves from foreign pressure and rounding up dissidents at home.

The armed forces need to stay focused on fighting and winning the real wars of the future. That's hard enough. Let us not militarize the struggle for the free and liberal Internet today.

This article originally appeared in New Scientist.

TODAY IN SLATE

Politics

Meet the New Bosses

How the Republicans would run the Senate.

The Government Is Giving Millions of Dollars in Electric-Car Subsidies to the Wrong Drivers

Scotland Is Just the Beginning. Expect More Political Earthquakes in Europe.

Cheez-Its. Ritz. Triscuits.

Why all cracker names sound alike.

Friends Was the Last Purely Pleasurable Sitcom

The Eye

This Whimsical Driverless Car Imagines Transportation in 2059

Medical Examiner

Did America Get Fat by Drinking Diet Soda?  

A high-profile study points the finger at artificial sweeteners.

The Afghan Town With a Legitimately Good Tourism Pitch

A Futurama Writer on How the Vietnam War Shaped the Series

  News & Politics
Photography
Sept. 21 2014 11:34 PM People’s Climate March in Photos Hundreds of thousands of marchers took to the streets of NYC in the largest climate rally in history.
  Business
Business Insider
Sept. 20 2014 6:30 AM The Man Making Bill Gates Richer
  Life
Quora
Sept. 22 2014 8:07 AM Why Haven’t the Philadelphia Eagles Ever Won a Super Bowl?
  Double X
The XX Factor
Sept. 19 2014 4:58 PM Steubenville Gets the Lifetime Treatment (And a Cheerleader Erupts Into Flames)
  Slate Plus
Science
Sept. 22 2014 8:08 AM Slate Voice: “Why Is So Much Honey Clover Honey?” Mike Vuolo shares the story of your honey.
  Arts
Television
Sept. 21 2014 9:00 PM Attractive People Being Funny While Doing Amusing and Sometimes Romantic Things Don’t dismiss it. Friends was a truly great show.
  Technology
Future Tense
Sept. 22 2014 7:47 AM Predicting the Future for the U.S. Government The strange but satisfying work of creating the National Intelligence Council’s Global Trends report.
  Health & Science
Bad Astronomy
Sept. 22 2014 5:30 AM MAVEN Arrives at Mars
  Sports
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.