Cyberwar Is Mostly Bunk

But expect more cyber sabotage, espionage, and subversion

Cyber War Will Not Take Place, Thomas Rid, Hurst & Company, London, 218 pp., £14.99

The U.S. Cyber Command, or USCYBERCOM, was launched with great fanfare in 2010 to conduct "full-spectrum military cyberspace operations...in order to ensure U.S. and allied freedom of action in cyberspace, while denying the same to our adversaries." In a recent speech, former director of national intelligence Michael McConnell warned that the U.S. "is fighting a cyberwar today, and we are losing." This week the media was atwitter over the "cyberwar" against various news services, apparently instigated by supporters of Syria's President Bashar al-Assad.

Since 2010, USCYBERCOM's budget and its ranks have both swelled. It is now housed in a $358 million headquarters at Fort Meade, which is also home to the National Security Agency. Reuters reports that it is "adding 3,000 and 4,000 new cyber warriors under its wing by late 2015, more than quadrupling its size." In the 2014 budget Cyber Command spending will grow by $800 million to $4.7 billion.

Is McConnell right? Is the U.S. losing a cyberwar? In his intriguing new book, Cyber War Will Not Take Place, Thomas Rid, a War Studies scholar at King's College in London, argues that not we are not currently engaged in a cyberwar, and indeed that such a "war" is unlikely ever to take place. Rid is a careful thinker who believes that the public and policymakers are being misled about the magnitude of harm that cyberattacks can inflict.

War, Carl von Clauswitz wrote, "is an act of force to compel the enemy to do our will." Citing this definition, Rid argues: "All war, pretty simply, is violent. If an act is not potentially violent, it's not an act of war, and it's not an armed attack." Without violence, war becomes a metaphor, like the war on obesity or the war on cancer. Clauswitz also argued in a war, a political goal must be attributed to one of the sides. With no goal and no attribution, the activity is something other than war.

Rid proceeds to see how well recent cyberattacks fit these criteria. Consider, for example, the denial of service  attacks against Estonia in 2007 and Georgia in 2008, which evidently emanated from Russia. While somewhat disruptive, these "attacks" involved no violence, had no clear political goals, and could not be firmly attributed to the Russian government. At worst, they fall into a middle ground of infotech-mediated aggression that does not amount to war, a zone occupied by acts of sabotage, espionage, and subversion.

The chief aim of war is to harm the bodies of the enemy. While some computer code might be able to manipulate some machinery into harming a person, the experience of violence is greatly attenuated compared to being shot at by a machine gun or bombed by a plane. Unlike conventional bombs and missiles, computer code does not carry its own explosive charge. To do physical damage it must be aimed at machinery that can damage itself when its operations are disrupted. The first reported casualty of a cyberattack, Rid predicts, will produce a lot of fear and a massive public outcry. But in the meantime, "Not a single human being has ever been killed or hurt as the result of a code triggered cyber attack."

The most famous case of weaponized code causing physical damage is the Stuxnet worm, which disrupted Iran's nuclear enrichment centrifuges at Natanz. Evidently, the U.S. and Israel developed and targeted this highly sophisticated software, which reportedly delayed Iran's nuclear program by as much as two years. Rid argues that Stuxnet is not an example of warfare, but of sabotage. "Cyber attacks which are designed to sabotage a system may be violent, or the vast majority of the cases, non-violent,” argues Rid. Sabotage is aimed chiefly at things, not people. In addition, most saboteurs do not want to be identified. Rid cites several examples of cybersabotage, including the Shamoon attack (likely unleashed by coders located in Iran) against the oil company Saudi Aramco in 2012, which wiped the data from several thousand of the companies' computers. Yet it harmed no critical oil production and control facilities.

Another form of cyberattack—exfiltrating data from computers—is best classified as espionage. The Shady RAT attacks, for example, downloaded data from 13 U.S. defense companies, six U.S. government agencies, five national Olympic Committees, three electronics companies, three energy companies, and two think tanks in 2011. The pilfering (apparently organized by Chinese hackers) was discovered in 2011; it's not clear what was taken. The Flame attack, discovered in 2012, was aimed at Iran's oil industry. That “bug on steroids” had the remarkable capabilities; it could turn on an infected computer's microphone, take screen shots, log keystrokes, and overhear Skype conversations, as well as exfiltrate documents. Given its intricacy, Kaspersky Lab, the Russian computer security firm, suspects that Flame was devised by the same groups that created Stuxnet.

Cyberespionage, Rid notes, carries less risk of violence than traditional cloak-and-dagger spying. It also has a greater tendency to blur the lines between foreign and domestic surveillance. Rid suggests that the Foreign Intelligence Surveillance Act, adopted in 1978, "imposed severe limits on the use of intelligence agencies inside the U.S." Edwin Snowden's recent revelations have shown that the limits weren't so severe after all.

Finally, infotech can be used to subvert. Rid argues that modern communications technologies have made it much easier to launch movements against the existing order but harder to maintain discipline among the would-be subverters. The anti-globalization movement at the turn of the century, for example, was savvy in its use of information technologies but petered out as its often contradictory goals proliferated.

"Subversion," Rid notes, has quite different meanings and effects in liberal and authoritarian regimes. Occupy Wall Street was a form of more or less legitimate subversion in the U.S.; Occupy Tahrir Square in Egypt has quite a different political valence. "In liberal democracies subversion has been successfully legalized and institutionalized," Rid writes. Meanwhile, authoritarian regimes such as China and Russia tried to push for the United Nations to adopt an "International code of conduct for information security." The proposed code of conduct would have specifically obligated nations to “combat” the use of information and communication technologies that “undermines other countries' political, economic and social stability.”  

Rid frets, "The real risk for liberal democracies is not that these technologies empower individuals more than the state; the long-term risk is that they empower the state more than individuals." Given the NSA spying scandal, this observation seems disturbingly prescient. "Open systems," Rid argues, "no matter if we're talking about a computer's operating system or a society's political system, are more stable and run more securely." That much is absolutely right.

Ultimately, Rid makes a strong case that “cyber war has never happened in the past, it does not occur in the present, and it is highly unlikely that it will disturb our future.”

Find this and hundreds of other interesting books at the Reason Shop, powered by Amazon.

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • Fist of Etiquette||

    ...former director of national intelligence Michael McConnell warned that the U.S. "is fighting a cyberwar today, and we are losing."

    Now there's a man who has seen The Net, Virtuosity AND all of the Terminator movies.

  • ||

    What about Lawnmower Man?!?

  • sarcasmic||

    What about Tron?

  • jasno||

  • ||

    Jane: How do you fit all that shit in your head anyway? Must have been pretty good at memorizing, huh?

    Johnny: Implant. Wet-wired. I had to dump a chunk of long-term memory.

    Jane: You had to dump a chunk of what?

    Johnny: My childhood.

  • Fist of Etiquette||

    How the hell would I know if he's seen those other movies?

  • Archduke Trousersenthusiast||

    What about Bob?

  • April06||

    Start working at home with Google! It’s by-far the best job I’ve had. Last Wednesday I got a brand new BMW since getting a check for $6474 this - 4 weeks past. I began this 8-months ago and immediately was bringing home at least $77 per hour. I work through this link, http://www.max47.com

  • sarcasmic||

    The use of the term "cyber war" is a good indicator that the person knows very little about anything cyber, except maybe cyber sex.

  • Dweebston||

    In some cases (like Warty), they're one and the same.

  • Ptah-Hotep||

    "is an act of force to compel the enemy to do our will." Citing this definition, Rid argues: "All war, pretty simply, is violent. If an act is not potentially violent, it's not an act of war, and it's not an armed attack." "There is no such thing as cyber war"

    FTFH

  • Steve G||

    I work w/ someone who just transfered from cybercom. From the way she describes it, they are somewhat without clue. ...and have a fairly tenuous relationship with their NSA neighbors.

    A lot of money to be made in this new wing of the Mil-Ind complex

  • Ptah-Hotep||

    "is an act of force to compel the enemy to do our will." Citing this definition, Rid argues: "All war, pretty simply, is violent. If an act is not potentially violent, it's not an act of war, and it's not an armed attack." "There is no such thing as cyber war"

    FTFH

  • Archduke Trousersenthusiast||

    Wait.
    There are books not written by Reason staff?

  • Protagoronus||

    Rid seems to be claiming that cyberwar does not exist because electronic attacks only attempts to destroy/corrupt property. Taking this to one extreme, is Rid arguing that blowing up a building is not an act of war if no one is inside?

    You can argue that the government is not well-positioned to protect property from electronic attacks, but this argument needs to be approached from another direction.

  • Dweebston||

    I think the better question is whether blowing up the building is an act of war or an act of terrorism; the former deserves the descriptor act of war, the latter is the crux of the issue. In the same vein, cyberwar is just as silly a notion as going to war against terrorism.

  • Protagoronus||

    I will grant that cyberwar is a silly notion.

    My point: A government funding/committing attacks against computer systems in another country with the intent to destroy property seems to constitute an act of war. Rid seems to take the denial of that as a given.

    Whether you call it terrorism as well is moot.

  • Dweebston||

    Agreed, although as an act of war it still seems better suited to sanctions or whatever we do when we catch spies. I forget how we resolved the Chapman incident, other than throwing her group out of the country, but we certainly didn't declare war on Russia.

  • NotAnotherSkippy||

    Agreed. It's a semantic distinction without being a real one. It's completely conceivable that prior to a war becoming hot that an enemy could launch a preemptive electronic strike. It (likely) wouldn't be that disruptive to military command and control, but imagine the chaos and headaches you could inflict on your opponent if you could disrupt all sorts of civil services: utilities, financials, civilian communications. It's a bit like saying that the successful deployment of a continent-wide EMP isn't an act of war because it doesn't directly kill anyone. I think the latter is unlikely, but given the complete lack of security in "modern" SCADA implementations I do think that an attack on civilian infrastructure, potentially by state actors, is one to be taken very seriously.

  • ||

    The real risk for liberal democracies is not that these technologies empower individuals more than the state; the long-term risk is that they empower the state more than individuals.

    DING DING DING

    Before the internet and ultra cheap storage, the government wouldn't have dreamed of trying to amass every telephone call or snail mail letter in the country, because they just couldn't. They mostly contained themselves to atrocities like MKULTRA. But now, as soon as they can, they do. Because they can.

  • grey||

    Yes. Maybe: War = Government Power Grab?

  • ||

    Three steps are required to defend a critical piece of infrastructure from cyber attack:

    Step 1: Connect the controls for vital processes to the internet.

    Step 2: Do nothing while an enemy computer cracker attacks.

    Step 3: Unplug the server.

    You have now defended your nation's nuclear reactors from having their control rods overridden by a cyber attack.

    Of course, if you've got above room temperature IQ, you would never do step 1 in the first place, so your nuclear reactors would never be vulnerable to cyber attack in the first place.

  • John Galt||

    "The U.S. Cyber Command, or USCYBERCOM, was launched with great fanfare in 2010 to conduct "full-spectrum military cyberspace operations...in order to ensure U.S. and allied freedom of action in cyberspace, while denying the same to our adversaries.""

    Judging from their track record, it's the American people that the U.S. Government views as "adversaries." If USCYBERCOM exists for any purpose it's most likely to expand, and improve, the countless programs used to monitor and spy on the American people.

  • Rat Pest Control||

    Preserve sharing such concepts in the future as well. This was actually what I was in search of, and I’m glad to came right here!

  • RightofCenter||

    I sent your spam through the Google translator a few more times and came up with this:
    "In the future, this kind of exchange of ideas. This is really what were looking for, and I'm glad I came here!"

  • umh||

    If the government hadn't insisted on all the backdoors cyberwarfare would be virtually impossible.

  • John Galt||

    Sad, but true.

  • grey||

    Explain please?

  • laurenrhoades||

    like Albert responded I am amazed that a single mom able to profit $8568 in 1 month on the internet. have you read this web page... www.max38.com & my classmate's sister-in-law makes $73 every hour on the laptop. She has been out of work for 7 months but last month her check was $17103 just working on the laptop for a few hours.

  • Larakris||

    like Thelma responded I am startled that a mother can make $6821 in a few weeks on the computer. did you look at this web sitego to this site home tab for more detail--- www.blue76.com

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online

  • Progressive Puritans: From e-cigs to sex classifieds, the once transgressive left wants to criminalize fun.
  • Port Authoritarians: Chris Christie’s Bridgegate scandal
  • The Menace of Secret Government: Obama’s proposed intelligence reforms don’t safeguard civil liberties

SUBSCRIBE

advertisement