Thomas Rid (“Cyberwar and Peace,” November/December 2013) describes cyberattacks as somehow separate from conventional warfare because they fail to meet all three of Clausewitz’s definitions of war as violent, instrumental, and attributable to one side as an action taken for a political goal. Therefore, he says, “cyberwar has never happened in the past, it is not occurring in the present, and it is highly unlikely that it will disturb the future.” But his argument is a simplified representation of the complex realities of war and security today and their inherent links to cyberspace.
Today, the world is so immersed in technology that activities in cyberspace have become inseparable from the everyday operations of business, education, government, and the military. Actions online affect actions offline, and vice versa. Thus, far from being separate from conventional war, as Rid would have it, cyberwar is deeply embedded in contemporary military practices.
Cyberwar, in fact, is part of the evolution of conventional warfare, which itself is linked to broader social and political change. It is no longer easy to imagine a confrontation that does not include some element of cyber-activity, such as surveillance or sabotage. Asking whether cyberwar is real, then, is less important than concentrating on how to contain the threats posed by some uses of computer technology. After all, a cyberattack need not kill someone or cause major material damage to still be considered dangerous.
Moreover, understanding war as solely physical contestation is an unnecessarily limited view. Consider, for example, nonlethal military tactics that fall under the broad category of strategic communication, which include psychological operations. States and militaries seeking to avoid unnecessary or disproportionate killing need to find other ways to influence potential adversaries and strengthen ties with allies. Strategic communication seeks to coerce enemies and sway allies and includes operations in peace as well as war, blurring the line between the two.
The concept of violence is also ambiguous. In addition to causing physical injury or death, violence can refer to mental abuse and different forms of deprivation. The academic discipline of peace studies has for decades advanced the concept of structural violence, such as racism and sexism. In its widest sense, then, violence can be found in almost any coercive situation. And the various attacks and activities associated with cyberwar, from stealing data to disrupting other governments’ computer systems, clearly fall within this broad category.
Still, Rid is right to criticize the hype over cyberwar. The specter of cyberwar, with its supposedly vast and unimaginable destructive potential, contributes to plenty of fear-mongering. The hype must be tamed, but not to the point where it minimizes or ignores real and present dangers.
The best defenses against those threats should be built into everyday practices. Governments and businesses need to strengthen people’s understanding of cyberattacks and make cyberspace safer. But officials and ordinary people alike also need to learn to live with the threats. Decision-makers in the public and private sectors need to think strategically about how to organize cyberdefenses in government, business, and the military. Such coordination is the only way to secure today’s Internet-dependent societies, even as waging cyberwar still remains the business of the armed forces alone.
JARNO LIMNÉLL is Director of Cyber Security at Stonesoft, a McAfee Group company. Follow him on Twitter @JarnoLim.
Jarno Limnéll argues that activities in cyberspace are an inherent part of conventional warfare. He also contends that the psychological impact, not just the physical violence, of cyberattacks matter. I agree on both counts. But Limnéll’s conclusion, that “waging cyberwar still remains the business of the armed forces alone,” is simply wrong -- and the U.S. government thinks so as well.
Last December, the White House announced that it would not separate the National Security Agency and the Pentagon’s Cyber Command and that it would continue to put one chief in charge of both agencies. Like Limnéll, some other experts, including the members of a review panel appointed by U.S. President Barack Obama, recommended separating Cyber Command’s military capabilities from the NSA’s intelligence activities. But the White House’s decision to maintain the current setup was correct. Creating separate agencies focused on offensive cyber-operations would be rash, because it would mean ignoring four problems.
First, there is actually little difference between contemporary computer-based military operations and the signals intelligence work of the NSA. Indeed, most cyber-operations that are considered offensive actually amount to intelligence collection, not sabotage of critical infrastructure. Thus, an artificial institutional division of labor between the military and the NSA would likely create duplication and waste.
Second, it is unlikely that an independent cyber command would accomplish much. Hawkish generals and politicians ignore the fact that it is quite difficult to create a cyberweapon, software that can physically harm an opponent’s critical infrastructure. There is a reason why proponents of such operations have only one proper example to draw on: Stuxnet, a U.S.-Israeli operation that was designed to damage Iranian uranium-enrichment centrifuges. A high-end sabotage campaign is likely to be a complex, intelligence-devouring, labor-intensive, and target-specific engineering challenge. As frustrated and confused lower-ranking insiders have told me, their superiors balk at that reality and turn to developers and say, in general terms, “Build me a cyber–Tomahawk missile.”
This relates to a third problem: a potential arms race in cyberspace. If having a cyber command becomes a symbol of power, other nations will want to have their own cyber commands. Some countries, among them the United Kingdom, are already considering plans to waste significant resources on offensive cyber-capabilities, needlessly gearing up for a cyberwar that may never occur.
Finally, the idea of creating an independent cyber command ignores the fact that refined offensive capabilities do not translate into better defensive ones. Many conventional weapons can be used defensively or offensively. But cyberweapons are different; Stuxnet, for example, could be used only offensively. The NSA’s offensive strategy exploits vulnerabilities, or “back doors,” in widely used software. But U.S. computer systems have back doors, too: just ask Edward Snowden, the former NSA contractor who leaked classified information about such vulnerabilities. In cybersecurity, a good offense is the worst defense.
U.S. officials should work to prevent a “cyber–Pearl Harbor” through better defenses. But waiting for cyberwar, as Limnéll suggests, is a failure of imagination. “This is our cyber-9/11,” a British intelligence official told me, referring to the Snowden leaks. “We just imagined it differently.”