You May Not Be Interested in Cyber War, but It’s Interested in You
Thomas Rid, Cyber War Will Not Take Place (London: C. Hurst & Co, 2013).
Is any of the breathless hype about cyber war real, or is it simply an overdone analogy to justify more resources and expand government? As Hew Strachan has noted, strategy and war have lost their meaning if everything is tied to them (wars on poverty, obesity, etc.). Is cyber warfare another example of an overused analogy?
Years ago, prescient analysts at the RAND Corporation published a monograph with the scary title Cyber War is Coming! Since then, the growing importance of the cyber dimension of politics, economics, and security has become increasingly taken as a given. We live in what is often called the Information Age, and increasingly our lives, our work, and our defense is tied to, controlled by, or connected by computers. Our tightly integrated world is both more prosperous but more vulnerable today because of the ever growing reliance and interconnectivity of our computers. The slow evolutionary adoption of computers and networks into many aspects of our daily lives and by our military has not gone unnoticed by authors and government officials seeking to surpass RAND’s prognosticators.
Senior members of the U.S. national security establishment have often sounded general alarms over the frequency of computer attacks on U.S. banks, businesses, and American military bases and installations. Former Deputy Secretary of Defense William Lynn and former Vice Chairman of the Joint Chiefs of Staff General “Hoss” Cartwright are prominent leaders who sought an effective strategy to thwart the seemingly daily penetration of the Pentagon’s networks and the strategic implications of developments in cyber technology. The defense establishment has slowly responded, standing up the U.S. Cyber Command at Fort Meade and now a host of new cyber teams with defensive and offensive capabilities. Each of the Services has also created computer network cells, stressing the need to defend military networks from probes, viruses and Trojan horses that seek to infiltrate U.S. military commands and weapon systems. It is one of the very few growth industries in a plunging U.S. defense budget.
Fortunately, the debate about cyber war has been given a dose of cold water by a UK-based scholar named Thomas Rid in Cyber War Will Not Take Place. (Full disclosure, Dr. Rid is a Reader at KCL where I am a student and once saved my life with a Heimlich maneuver when I was choking to death in a DC pizzeria—seriously). The book is drawing quite a bit of buzz (deservedly so), and has been prominently mentioned in the Washington Post and the Economist.
Judging from the scare routines about Digital Pearl Harbors or “Cyber 9/11” by those seeking to create new institutions and invest more authority in the federal government, we’re already at war or at least open to being knocked back to the Stone Age by bots. These are samples of what Rid calls a “flawed debate” of abysmally low quality.
Rid notes that the claims of cyber war are very overblown. No one has died and no buildings or bridges have been destroyed by cyber as of this writing. “Lethal cyber attacks,” Rid emphasizes, “while certainly possible, remain the stuff of fiction novels and action films. Not a single human being has been killed or hurt as a result of a code-triggered cyber attack.”
Since as Thomas Rid notes, there are no body bags in cyber land, analogies such as Cyber Pearl Harbor or a Computer Waterloo are certainly farfetched. But the analogy nevertheless could be seen as a well-meaning effort to raise concern and promote constructive change within bureaucracies that have proven slow in embracing necessary conceptual and defensive measures. Similar claims about terrorism were made prior to 9/11, and ignored if not laughed at.
However, Rid argues that “Cyber war will not take place,” and it has not happened in the past, and “it is unlikely that it will disturb our future.” Our concerns misplaced and our energy wasted on the war metaphor, Rid contends, whereas we should be on three activities that have been fundamentally altered by computers; sabotage, espionage, and subversion. Paradoxically, computers have sharply increased the effectiveness of these activities in key ways, but also radically reduced the need of violence.
Rid’s perspective is refreshing and a useful pause in the rush to endow another national security agency with control over critical private infrastructure. But it may be tied to an outdated conception of warfare. As noted by Colin Gray, war proper is technically a state or relationship between two politically organized groups (not necessarily states). Warfare is the physical act of fighting. Rid clings to this classical and precise definition in claiming that cyber warfare cannot occur, since while it may be political motivated and instrumental, it does not directly generate or apply violence.
I’m usually pedantic about definitions but there is precedent for talking about cyber warfare. The U.S. military has a host of such questionable terms, if you are want to be precise. For example, Unconventional Warfare, Political Warfare, and Electronic Warfare are all recognized terms in U.S. doctrine. None necessarily directly involved the application of violence. Political warfare is the ultimate oxymoron (and isn’t all warfare political?).
Is violence as critical to a broader understanding of conflict and modern security? Is the application of a suite of technologies that do not kill, but that neutralizes or renders useless major military hardware items that do kill still a part of warfare? For example, does the introduction of cyber tools that knock out the defensive systems of a $2.5B Aegis-equipped destroyer constitute a militarily relevant asset? Certainly. Does that make cyber a new form of warfare, probably not? But does a computer virus or some injected code that shuts down the catapult system on an aircraft carrier have utility as a military attack? It may not involve the destruction of a single aircraft or drone, but if it makes a $15B aircraft carrier irrelevant, does it not accomplish something militarily relevant? Certainly, even if the nature of the attack does not cause the system to melt down or send body parts flying. Is it part of warfare, yes, in my opinion.
In the sense that cyberspace exists in the physical realm and that it is contested space where security communities maneuver or penetrate for advantage in the quest to enhance their security and obtain relative advantage over another security community, I think it can be considered part of warfare.
Rid’s critique reminds this reviewer about Stephen Rosen’s comments about defining new ways of war in Winning the Next War. Rosen found that one of the challenges with new ways of war is identifying their new metrics or measures of effectiveness. Cyber wars, or more accurately cyber-enabled operations, may be another example. Perhaps the character of warfare has been changed by the introduction of computers and our reliance on them so much that kinetic metrics like Killed in Action are outdated or irrelevant? What if our Clausewitzian paradigm is outdated or that one element (violence and death) no longer has the same pride of place? What if cyber power and the ability to control and manipulate the cyber domain (which includes a degree of physical space in the form of keyboards, servers, routers, fiber optic networks, and human operators) is more than a force multiplier but a new form of power and influence? If true, then Rid’s dampening may actually undermine our preparation for conflicts in which connectivity is a center of gravity. While cyber war lacks its Mahan or Douhet or Prussian Sage, perhaps Sun Tzu is more relevant in the Information Age?
Overall, Dr. Rid poses a serious pushback on the hyperbole of cyber wars and the vast resources and authorities given to the Pentagon, the National Security Agency and U.S. Cyber Command. Clearly, as Rid notes, most of the nefarious cyber activity we experience today is closer to vandalism or the moral equivalent of graffiti. But there are numerous external “attacks” that are a daily occurrence for government, and the defense/security community cannot ignore the impact of increasingly sophisticated penetrations and system attacks. Surely, the barriers to entry in this contest are not insurmountable. New tools that could cripple military networks will arise if we are complacent about the nature of the technology and the motivation of our enemies. They may not seek physically destructive attacks or body bags, but they seek to undermine our capabilities and ability to respond in support of our foreign policy.
Cyber warfare has come, or at least the preparation of the battlespace is ongoing and we’re defending a porous Maginot line. To be sure, Dr. Rid is right about the extensive nonviolent and criminal nature of most cyber activity. Yet, overall, I think that cyber warfare, defined as attacks by computers directly on other computers to abet a conflict against a politically organized security community, is a reality despite the lack of blood. Moreover, despite Dr. Rid’s reasoned cautions, I think this contest has been ongoing for some time. We can debate our lexicon and our level of risk, but we cannot delude ourselves that future adversaries will not aggressively identify, target and neutralize weaknesses in our command posts, supporting infrastructure and operating systems via cyber operations. The singular purpose of that effort will be to defeat us, directly or indirectly.
We need to balance the hype with the equally dangerous attitude of complacency. Cyber War Will Not Take Place will help us obtain that sweet spot between ignorance and fear mongering. For that reason this book is recommended with enthusiasm for its balanced tone, thorough research, and exhaustively explored argument.
F. G. Hoffman is a Senior Research Fellow at the Institute for National Strategic Studies, National Defense University. These comments are his alone and do not reflect the views of the Department of Defense.
Photo Credit: NASA