Tuesday, September 10, 2013

No Such Thing As Cyberwar

There's been lots of talk over the past decade about cyberwarfare, but rarely has the concept been teased out in order to understand exactly what it is. Thomas Rid does this for us in a brief essay at New Scientist. It's Rid's thesis that when we understand what cyberwar entails we realize that it probably won't ever happen although lots of other bad things that are wrongly considered to be versions of cyberwar have happened and will continue to happen.

Rid starts by explaining three characteristics of warfare that do not typify cyber attacks:
What would an act of cyberwar look like? History suggests three features. To count as an armed attack, a computer breach would need to be violent. If it can't hurt or kill, it can't be war.

An act of cyberwar would also need to be instrumental. In a military confrontation, one party generally uses force to compel the other party to do something they would otherwise not do.

Finally, it would need to be political, in the sense that one opponent says, "If you don't do X, we'll strike you." That's the gist of two centuries of strategic thought.

No past cyberattack meets these criteria. Very few meet even a single one. Never has a human been injured or hurt as an immediate consequence of a cyberattack. Never did a state coerce another state by cyberattack. Very rarely did state-sponsored offenders take credit for an attack. So if we're talking about war – the real thing, not a metaphor, as in the "war on drugs" – then cyberwar has never happened in the past, is not taking place at present, and seems unlikely in the future.
He's quick to point out that cyberwar should be differentiated from cyber attacks:
That is not to say that cyberattacks do not happen. In 2010, the US and Israel attacked Iran's nuclear enrichment programme with a computer worm called Stuxnet. A computer breach could cause an electricity blackout or interrupt a city's water supply, although that also has never happened. If that isn't war, what is it? Such attacks are better understood as either sabotage, espionage or subversion.
Even granting Rid the distinctions he makes his essay has about it the feel of quibbling about words. Sabotage, espionage, and subversion are all tactics widely used in war, even if they also occur between parties not in direct violent conflict with each other. Indeed, sabotage, like the insertion of the Stuxnet virus into the Iranian computers used in the development of their nuclear weapons, is an act of war. The only reason Iran did not respond against Israel or the U.S. for damaging their centrifuges with this virus was because they were too weak to do anything about it.

At any rate, Rid goes on to elaborate on his view of why cyberwar, properly understood, is not in our future. It's an interesting read if you're into that sort of thing.