Cyber War: Still Not a Thing


Despite what your congressman may tell you, cyber war might never happen, says a researcher in the Department of War Studies at King's College London.

Thomas Rid, also a fellow at Johns Hopkins' School for Advanced International Studies, writes that "Cyber War Will Not Take Place", an assessment that contrasts with those of many elected U.S. officials. Rid claims that no online attack to date constitutes cyber war and that it's "highly unlikely that cyber war will occur in the future."

For an online attack to constitute war, he writes, it would have to be "a potentially lethal, instrumental, and political act of force conducted through malicious code." Despite a lack of an on-the-record online attack that fulfills these criteria, and little evidence that one ever will, members of Congress have relentlessly touted a message of cyber doom in recent years.

"We are at war, we are being attacked, and we are being hacked, " said Sen. Barbara Mikulski (D-Md.), when U.S. Cyber Command headquarters were established in Maryland in 2010. Sens. Jay Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine) published an op-ed in The Wall Street Journal last year titled, "Now Is the Time to Prepare for Cyberwar." Rockefeller and Snowe sponsored one of the numerous cybersecurity bills that has been proposed in the past two years.

At a Senate hearing in 2010, Sen. Carl Levin (D-Mich.) said, "cyber weapons and cyber attacks potentially can be devastating, approaching weapons of mass destruction in their effects." At a House hearing, Rep. Yvette Clarke (D-N.Y.) also implied that cyber threats are as dangerous as kinetic warfare saying, "There is no more significant threat to our national and economic security than that which we face in cyberspace."

But, Rid writes, even previous politically motivated cyber attacks are "merely sophisticated versions of three activities that are as old as warfare itself: subversion, espionage, and sabotage."

His sentiments echo ones that Jerry Brito and I expressed in "The Cybersecurity-Industrial Complex: The feds erect a bureaucracy to combat a questionable threat", from the August/September 2011 issue of Reason. Brito and I noted that warnings from members of Congress and government officials about online threats almost unfailingly include rhetoric about war, doom, or catastrophe. But the evidence they offer almost unfailingly relates to things like espionage, crime, vandalism, or flooding websites with traffic via distributed denial of service (DDoS) attacks.

We pointed out, as Rid does, that oft-cited examples of cyber war—like DDoS attacks on Estonian government and bank websites in 2007 and similar attacks against the nation of Georgia in 2008—do not constitute war. Rid notes that the attacks against Estonia fail to pass the criteria that render an attack "war": namely, that it's potentially lethal, instrumental, and political:

Unlike a naval blockade, the mere 'blockade' of websites is not violent, not even potentially; unlike a naval blockade, the DDoS attack was not instrumentally tied to a tactical objective, but an act of undirected protest; and unlike ships blocking the way, the pings remained anonymous, without political backing.

One government official who has laudably countered the cyber war rhetoric is White House cybersecurity coordinator Howard Schmidt. "There is no cyberwar," Schmidt told in 2010. "I think that is a terrible metaphor and I think that is a terrible concept."

Read Brito and my full treatment of the cybersecurity-industrial complex and dangers of cyber threat inflation in "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy", forthcoming from the Harvard National Security Journal.

NEXT: Reason Writers Watching TV: Peter Suderman on Homeland in The Washington Times

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. “Cyberwar” as a concept is pretty much something the security researchers have come up with in order to get some attention paid to preventative measures. The concept as a whole is farfetched, but it’s just scary enough to sell the brass and the politicians on. Unfortunately without some BIG SCARY DOOM on the horizon everyone will be quite content to operate in reactive mode and ignore the recommendations of the security guys.

    1. “cyber” war is of great interest to politicians because it allows them to implement the so-called “master switch via innocuous sounding net neutrality regs.

  2. That’s five Democrats in favor of wholesale, ubiquitous civil liberties violations. I doubt those idiots know how to log into Windows, much less anything about the Internet. They’re immediately disqualified from discussing the issue by their use of the word “cyber” anyway.

  3. What a shitty article and shitty paper. Who gives a fuck if a potential cyber attack does not meet the three criteria to be considered an act of war? The potential for massive losses remains.

    1. I started a cyber war. In your mom’s pants.

    2. Seems like the issue is what is the technical definition of war, so I agree, an act intended to do harm is still an act intended to do harm.

    3. Jerry and I never say that no serious online threats exist. That’s why I linked to the paper, which captures much more nuance of the issue than a blog post can, especially one that was focused on ‘cyber war.’

      I think a lot of people would take issue with your assessment that it doesn’t matter whether an online attack constitutes an act of war.

  4. The dumbing down of the American Congress continues.

  5. The potential for massive losses remains.

    Massive losses? Of what?

    1. Zeros and ones?

    2. Cyber-stuff. And Space Cash. Mountains and mountains of Space Cash.

      1. A million hypothetical dollars.

    3. Real money, real property and private information. You wouldn’t believe the shit that gets hooked up to the internet, not to mention the stuff you can reach through an “air gap” with a flash drive borne trojan.

      1. “private information.”
        If it’s on the web, it ain’t private.

        1. It doesn’t have to be “on the web”, in the sense that it is easily accessible through an internet browser, to be vulnerable to a cyber attack. Any information on any computer connected through a network to the internet could potentially be vulnerable to an attack if the hackers were good enough.

        2. “If it’s on the web, it ain’t private.”


  6. Are you sure everyone’s not meaning to say “Cyborg War”? Cause that COULD be a big problem, particularly if they’re the shiny metal Cyborgs like on [the old] Battlestar Galactica and have “laser beams” and shit.

  7. Yeah, that whole Stuxnet thing was just a hoax. Nothing to see here.

  8. Props to a member of the Ruling Class trying to dial back on the on-so-handy (to authoritarians, anyway) use of the term “war,” though.

    I got no problem limiting it to acts of actual, you know, violence.

    1. Poverty is violence.
      It was on a bumper sticker, so it’s true.

  9. Threat inflation.

    How do we hedge against it?

  10. I must disagree with Thomas Rid’s assertion that act is only a act of war if Thomas Rid says it is.

    However, I agree that cyberwar is greatly overblown as a threat. I think a large part of the reason why is that senior leadership in the U.S. military is utterly, completely, soundly, thoroughly stupid on the subject of information technology in general. Combine that with some of the worst personality traits one could ever throw at innovation and reasonable adoption of new technologies (“I know everything about everything, after all, I’m me…why are you looking at me like that?”).

    But, that doesn’t mean that hacking is not a tool for warfare, intelligence collection, and covert action. You can achieve decisive results through hacking, when the hacking supports some other, more physical action. As an analogy, an army equipped solely with trucks and radios is not much of an army – but that does not mean that trucks and radios are inapplicable in war. Quite the opposite, an army with lots of trucks and radios can move farther faster and can coordinate for the massing of force at critical points in the battle to overwhelm defenders. Trucks and radios allow you to get there first with the most.

    Hacking is not likely to accomplish much on its own, but it can do quite a bit as a supporting arm. Furthermore, as more and more of a modern military relies routinely on information technologies to conduct operations, then those operations will be more and more vulnerable to attacks on information systems. Therefore, cybersecurity, system redundancy, and designing for “graceful degradation” will be necessary elements of procurement and doctrinal development.

  11. Using the same logic as Mr. Rid I could claim that 1. Nuclear war has never happened (attacks do not equal war), 2. Nuclear war is not happening today, and 3. Nuclear war is unlikely in the future.

    There is no cyberwar the same way there is no nuclear war. Yet, every modern country is arming for cyber conflict and every future war will include cyber elements.

    -Richard Stiennon

Please to post comments

Comments are closed.