Everyone has been freaking out for a few years now about the prospect of sci-fi style cyber war, but is any of the hype really justified? Here are five key things to keep in mind.
1. It’s not that complicated.
There are only three things that you can do to a computer: steal things, change things, and take things offline. Cyber security experts call this the ‘CIA triad’ because attacks are targeting a system’s confidentiality,integrity and availability. The difference between a pimply teenage hacker guessing someone’s Twitter password and USCYBERCOM sabotaging Iranian centrifugesis really only a matter of resources and intent. So not all hacks are cyberattacks, and not all cyberattacks count as cyber war. Some things, like identity theft, are still just crimes. Other computer penetrations, like the Chinese Unit 61398 stealing American military secrets, are just espionage. Spying on other states is normal, but using computers is a lot more efficient than organizing dead drops and microfiches and justifying James Bond’s bar tab.
2. Hacking isn’t war.
So cyber ‘war’ is something specific. It means the serious sort of attacks that cause real damage akin to conventional war. When tensions between Estonia and Russia blew up in 2007 over the moving of a Soviet-era statue, Russian hackers launched Distributed Denial of Service (DDoS) attacks against Estonian government websites (which worked like keeping a telephone line engaged). This is one of the most commonly cited examples of ‘cyber war’, but nothing actually exploded; no one died; there was no lasting damage. It just wasn’t war.
3. It’s too risky.
What if Russian hackers had infiltrated Estonian infrastructure and caused malfunctions that blew stuff up? If the damage was severe enough, then yes this would probably have met the threshold for war. It’s also a relatively easy feat to accomplish, so why has no one done it yet? See Answer A: because exploding stuff is so clearly an act of war. Governments are unlikely to start that stuff without already being locked in escalating tensions that are headed towards missiles, jets and troops regardless. That pre-existing relationship makes it likely that the target and the attacker are fully aware of each other, which means forfeiting all of the secrecy that’s supposed to be a big benefit of attacking in cyberspace.
4. A bomb is better.
And the kicker is that any cyberattack designed to cause war-like damage is a gamble. Stuxnet is the most famous cyber weapon – an American worm devised to sabotage the nuclear facility at Natanz in Iran and remain undetected. To ensure its delivery, the weapon included four zero days (knowledge of previously unidentified vulnerabilities) and needed to be developed by a small army of nerds who understood malware, nuclear equipment, Siemens brand paraphernalia and had all the necessary intel to make sure Stuxnet was fed into the right system via a USB stick. This took a long time, a lot of money, a few attempts to get it right and they were still found out when the worm jumped into too many other computers by 2010. The main goal of this attack was simply to turn things off. If President Obama had ordered wonton destruction then it would have been much simpler (and cheaper) to just fire a missile. Stuxnet wasn’t war either.
5. It’s only useful during actual war.
In fact, truly successful cyberattacks have, so far, only been used to facilitate physical military strikes. Israel’s Operation Orchard, for example, was able to bomb a Syrian nuclear facility in 2007 because cyberattacks prevented Syrian air defences from sounding the alarm. This use of the digital domain doesn’t suffer from the drawbacks mentioned above because Operation Orchard was an act of war regardless of its cyber component.
So, if most cyberattacks are far too trivial to be labelled ‘war’ and they are risky, unreliable, expensive and only likely to be used during actual war, then there’s only one thing everyone really needs to know about cyber war: that it probably won’t happen.
More interesting things to read:
Rid, Thomas. Cyber War Will Not Take Place(Oxford: Oxford University Press, 2017).
Kaplan, Fred. Dark Territory: The Secret History of Cyber War(New York: Simon & Schuster, 2016).
Singer, P.W. and Friedman, Allan. Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford: Oxford University Press, 2014).