Cybersecurity

Cyberwar Is Mostly Bunk

But expect more cyber sabotage, espionage, and subversion

Cyber War Will Not Take Place, Thomas Rid, Hurst & Company, London, 218 pp., £14.99

The U.S. Cyber Command, or USCYBERCOM, was launched with great fanfare in 2010 to conduct "full-spectrum military cyberspace operations…in order to ensure U.S. and allied freedom of action in cyberspace, while denying the same to our adversaries." In a recent speech, former director of national intelligence Michael McConnell warned that the U.S. "is fighting a cyberwar today, and we are losing." This week the media was atwitter over the "cyberwar" against various news services, apparently instigated by supporters of Syria's President Bashar al-Assad.

Since 2010, USCYBERCOM's budget and its ranks have both swelled. It is now housed in a $358 million headquarters at Fort Meade, which is also home to the National Security Agency. Reuters reports that it is "adding 3,000 and 4,000 new cyber warriors under its wing by late 2015, more than quadrupling its size." In the 2014 budget Cyber Command spending will grow by $800 million to $4.7 billion.

Is McConnell right? Is the U.S. losing a cyberwar? In his intriguing new book, Cyber War Will Not Take Place, Thomas Rid, a War Studies scholar at King's College in London, argues that we are not currently engaged in a cyberwar, and indeed that such a "war" is unlikely ever to take place. Rid is a careful thinker who believes that the public and policymakers are being misled about the magnitude of harm that cyberattacks can inflict.

War, Carl von Clausewitz wrote, "is an act of force to compel the enemy to do our will." Citing this definition, Rid argues: "All war, pretty simply, is violent. If an act is not potentially violent, it's not an act of war, and it's not an armed attack." Without violence, war becomes a metaphor, like the war on obesity or the war on cancer. Clausewitz also argued that in a war, a political goal must be attributed to one of the sides. With no goal and no attribution, the activity is something other than war.

Rid proceeds to see how well recent cyberattacks fit these criteria. Consider, for example, the denial of service attacks against Estonia in 2007 and Georgia in 2008, which evidently emanated from Russia. While somewhat disruptive, these "attacks" involved no violence, had no clear political goals, and could not be firmly attributed to the Russian government. At worst, they fall into a middle ground of infotech-mediated aggression that does not amount to war, a zone occupied by acts of sabotage, espionage, and subversion.

The chief aim of war is to harm the bodies of the enemy. While some computer code might be able to manipulate some machinery into harming a person, the experience of violence is greatly attenuated compared to being shot at by a machine gun or bombed by a plane. Unlike conventional bombs and missiles, computer code does not carry its own explosive charge. To do physical damage it must be aimed at machinery that can damage itself when its operations are disrupted. The first reported casualty of a cyberattack, Rid predicts, will produce a lot of fear and a massive public outcry. But in the meantime, "Not a single human being has ever been killed or hurt as the result of a code triggered cyber attack."

The most famous case of weaponized code causing physical damage is the Stuxnet worm, which disrupted Iran's nuclear enrichment centrifuges at Natanz. Evidently, the U.S. and Israel developed and targeted this highly sophisticated software, which reportedly delayed Iran's nuclear program by as much as two years. Rid argues that Stuxnet is not an example of warfare, but of sabotage. "Cyber attacks which are designed to sabotage a system may be violent, or the vast majority of the cases, non-violent," argues Rid. Sabotage is aimed chiefly at things, not people. In addition, most saboteurs do not want to be identified. Rid cites several examples of cybersabotage, including the Shamoon attack (likely unleashed by coders located in Iran) against the oil company Saudi Aramco in 2012, which wiped the data from several thousand of the company's computers. Yet it harmed no critical oil production and control facilities.

Another form of cyberattack—exfiltrating data from computers—is best classified as espionage. The Shady RAT attacks, for example, downloaded data from 13 U.S. defense companies, six U.S. government agencies, five national Olympic Committees, three electronics companies, three energy companies, and two think tanks in 2011. The pilfering (apparently organized by Chinese hackers) was discovered in 2011; it's not clear what was taken. The Flame attack, discovered in 2012, was aimed at Iran's oil industry. That "bug on steroids" had remarkable capabilities: it could turn on an infected computer's microphone, take screen shots, log keystrokes, and overhear Skype conversations, as well as exfiltrate documents. Given its intricacy, Kaspersky Lab, the Russian computer security firm, suspects that Flame was devised by the same groups that created Stuxnet.

Cyberespionage, Rid notes, carries less risk of violence than traditional cloak-and-dagger spying. It also has a greater tendency to blur the lines between foreign and domestic surveillance. Rid suggests that the Foreign Intelligence Surveillance Act, adopted in 1978, "imposed severe limits on the use of intelligence agencies inside the U.S." Edward Snowden's recent revelations have shown that the limits weren't so severe after all.

Finally, infotech can be used to subvert. Rid argues that modern communications technologies have made it much easier to launch movements against the existing order but harder to maintain discipline among the would-be subverters. The anti-globalization movement at the turn of the century, for example, was savvy in its use of information technologies but petered out as its often contradictory goals proliferated.

"Subversion," Rid notes, has quite different meanings and effects in liberal and authoritarian regimes. Occupy Wall Street was a form of more or less legitimate subversion in the U.S.; Occupy Tahrir Square in Egypt has quite a different political valence. "In liberal democracies subversion has been successfully legalized and institutionalized," Rid writes. Meanwhile, authoritarian regimes such as China and Russia tried to push for the United Nations to adopt an "International code of conduct for information security." The proposed code of conduct would have specifically obligated nations to "combat" the use of information and communication technologies that "undermines other countries' political, economic and social stability."  

Rid frets, "The real risk for liberal democracies is not that these technologies empower individuals more than the state; the long-term risk is that they empower the state more than individuals." Given the NSA spying scandal, this observation seems disturbingly prescient. "Open systems," Rid argues, "no matter if we're talking about a computer's operating system or a society's political system, are more stable and run more securely." That much is absolutely right.

Ultimately, Rid makes a strong case that "cyber war has never happened in the past, it does not occur in the present, and it is highly unlikely that it will disturb our future."

42 responses to “Cyberwar Is Mostly Bunk”

  1. …former director of national intelligence Michael McConnell warned that the U.S. “is fighting a cyberwar today, and we are losing.”

    Now there’s a man who has seen The Net, Virtuosity AND all of the Terminator movies.

    1. What about Lawnmower Man?!?

      1. What about Tron?

        1. Jane: How do you fit all that shit in your head anyway? Must have been pretty good at memorizing, huh?

          Johnny: Implant. Wet-wired. I had to dump a chunk of long-term memory.

          Jane: You had to dump a chunk of what?

          Johnny: My childhood.

        2. How the hell would I know if he’s seen those other movies?

      2. What about Bob?

  2. The use of the term “cyber war” is a good indicator that the person knows very little about anything cyber, except maybe cyber sex.

    1. In some cases (like Warty), they’re one and the same.

  3. “is an act of force to compel the enemy to do our will.” Citing this definition, Rid argues: “All war, pretty simply, is violent. If an act is not potentially violent, it’s not an act of war, and it’s not an armed attack.” “There is no such thing as cyber war”

    FTFH

  4. I work w/ someone who just transferred from cybercom. From the way she describes it, they are somewhat without clue. …and have a fairly tenuous relationship with their NSA neighbors.

    A lot of money to be made in this new wing of the Mil-Ind complex

  6. Wait.
    There are books not written by Reason staff?

  7. Rid seems to be claiming that cyberwar does not exist because electronic attacks only attempt to destroy/corrupt property. Taking this to one extreme, is Rid arguing that blowing up a building is not an act of war if no one is inside?

    You can argue that the government is not well-positioned to protect property from electronic attacks, but this argument needs to be approached from another direction.

    1. I think the better question is whether blowing up the building is an act of war or an act of terrorism; the former deserves the descriptor act of war, the latter is the crux of the issue. In the same vein, cyberwar is just as silly a notion as going to war against terrorism.

      1. I will grant that cyberwar is a silly notion.

        My point: A government funding/committing attacks against computer systems in another country with the intent to destroy property seems to constitute an act of war. Rid seems to take the denial of that as a given.

        Whether you call it terrorism as well is moot.

        1. Agreed, although as an act of war it still seems better suited to sanctions or whatever we do when we catch spies. I forget how we resolved the Chapman incident, other than throwing her group out of the country, but we certainly didn’t declare war on Russia.

        2. Agreed. It’s a semantic distinction without being a real one. It’s completely conceivable that prior to a war becoming hot that an enemy could launch a preemptive electronic strike. It (likely) wouldn’t be that disruptive to military command and control, but imagine the chaos and headaches you could inflict on your opponent if you could disrupt all sorts of civil services: utilities, financials, civilian communications. It’s a bit like saying that the successful deployment of a continent-wide EMP isn’t an act of war because it doesn’t directly kill anyone. I think the latter is unlikely, but given the complete lack of security in “modern” SCADA implementations I do think that an attack on civilian infrastructure, potentially by state actors, is one to be taken very seriously.

  8. The real risk for liberal democracies is not that these technologies empower individuals more than the state; the long-term risk is that they empower the state more than individuals.

    DING DING DING

    Before the internet and ultra cheap storage, the government wouldn’t have dreamed of trying to amass every telephone call or snail mail letter in the country, because they just couldn’t. They mostly contained themselves to atrocities like MKULTRA. But now, as soon as they can, they do. Because they can.

    1. Yes. Maybe: War = Government Power Grab?

  10. Three steps are required to defend a critical piece of infrastructure from cyber attack:

    Step 1: Connect the controls for vital processes to the internet.

    Step 2: Do nothing while an enemy computer cracker attacks.

    Step 3: Unplug the server.

    You have now defended your nation’s nuclear reactors from having their control rods overridden by a cyber attack.

    Of course, if you’ve got above room temperature IQ, you would never do step 1 in the first place, so your nuclear reactors would never be vulnerable to cyber attack in the first place.

  11. “The U.S. Cyber Command, or USCYBERCOM, was launched with great fanfare in 2010 to conduct “full-spectrum military cyberspace operations…in order to ensure U.S. and allied freedom of action in cyberspace, while denying the same to our adversaries.””

    Judging from their track record, it’s the American people that the U.S. Government views as “adversaries.” If USCYBERCOM exists for any purpose it’s most likely to expand, and improve, the countless programs used to monitor and spy on the American people.

  12. Preserve sharing such concepts in the future as well. This was actually what I was in search of, and I’m glad to came right here!

    1. I sent your spam through the Google translator a few more times and came up with this:
      “In the future, this kind of exchange of ideas. This is really what were looking for, and I’m glad I came here!”

  13. If the government hadn’t insisted on all the backdoors cyberwarfare would be virtually impossible.

    1. Sad, but true.

    2. Explain please?
