Policy

Cyber War: Still Not a Thing

|

Despite what your congressman may tell you, cyber war might never happen, says a researcher in the Department of War Studies at King's College London.

Thomas Rid, also a fellow at Johns Hopkins' School for Advanced International Studies, writes that "Cyber War Will Not Take Place", an assessment that contrasts with those of many elected U.S. officials. Rid claims that no online attack to date constitutes cyber war and that it's "highly unlikely that cyber war will occur in the future."

For an online attack to constitute war, he writes, it would have to be "a potentially lethal, instrumental, and political act of force conducted through malicious code." Despite a lack of an on-the-record online attack that fulfills these criteria, and little evidence that one ever will, members of Congress have relentlessly touted a message of cyber doom in recent years.

"We are at war, we are being attacked, and we are being hacked, " said Sen. Barbara Mikulski (D-Md.), when U.S. Cyber Command headquarters were established in Maryland in 2010. Sens. Jay Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine) published an op-ed in The Wall Street Journal last year titled, "Now Is the Time to Prepare for Cyberwar." Rockefeller and Snowe sponsored one of the numerous cybersecurity bills that has been proposed in the past two years.

At a Senate hearing in 2010, Sen. Carl Levin (D-Mich.) said, "cyber weapons and cyber attacks potentially can be devastating, approaching weapons of mass destruction in their effects." At a House hearing, Rep. Yvette Clarke (D-N.Y.) also implied that cyber threats are as dangerous as kinetic warfare saying, "There is no more significant threat to our national and economic security than that which we face in cyberspace."

But, Rid writes, even previous politically motivated cyber attacks are "merely sophisticated versions of three activities that are as old as warfare itself: subversion, espionage, and sabotage."

His sentiments echo ones that Jerry Brito and I expressed in "The Cybersecurity-Industrial Complex: The feds erect a bureaucracy to combat a questionable threat", from the August/September 2011 issue of Reason. Brito and I noted that warnings from members of Congress and government officials about online threats almost unfailingly include rhetoric about war, doom, or catastrophe. But the evidence they offer almost unfailingly relates to things like espionage, crime, vandalism, or flooding websites with traffic via distributed denial of service (DDoS) attacks.

We pointed out, as Rid does, that oft-cited examples of cyber war—like DDoS attacks on Estonian government and bank websites in 2007 and similar attacks against the nation of Georgia in 2008—do not constitute war. Rid notes that the attacks against Estonia fail to pass the criteria that render an attack "war": namely, that it's potentially lethal, instrumental, and political:

Unlike a naval blockade, the mere 'blockade' of websites is not violent, not even potentially; unlike a naval blockade, the DDoS attack was not instrumentally tied to a tactical objective, but an act of undirected protest; and unlike ships blocking the way, the pings remained anonymous, without political backing.

One government official who has laudably countered the cyber war rhetoric is White House cybersecurity coordinator Howard Schmidt. "There is no cyberwar," Schmidt told Wired.com in 2010. "I think that is a terrible metaphor and I think that is a terrible concept."

Read Brito and my full treatment of the cybersecurity-industrial complex and dangers of cyber threat inflation in "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy", forthcoming from the Harvard National Security Journal.