From Interstate - Journal of International Affairs VOL. 2015/2016 NO. 2
Book Review: Cyber War Will Not Take Place
IN THIS ARTICLE
In Cyber War Will Not Take Place1, Thomas Rid develops his argument on the concept of "cyberwar", previously formulated in an article of the same name2 published in January 2012. His chief point is that "cyber war has never happened in the past, it does not occur in the present, and it is unlikely that it will disturb our future";3 ergo the use of this concept to describe cyberoffenses is misleading.4 He has also written several articles related to cyberwar5, cyberweapons6 and cyberpeace,7 in which he argues against the militarization of the debate about cyberattacks,8 and in particular the confusing use of analogies referring to the Cold War and nuclear deterrence.9
In this piece, I will review the literature related to cyberwar and more specifically three widely disputed questions covered by Rid's book, namely the potential violence inflicted by cyberattacks, the definition of what is a cyberweapon, and – in relation to the attribution problem – the possibility of a cyberdeterrence strategy. As a conclusion, I will broaden the perspective by briefly highlighting other issues related to the current conceptualisation of cyberspace.
Will Cyberwar Take Place, Or Not?
John Arquilla and David Ronfeldt introduced the concept of cyberwar in 1993, 10 declaring that the information age will transform "the nature of war,"11 and that the "military organization and doctrine, as well as strategy, tactics, and weapons design"12 must necessarily be redefined. In the same line, James Adams stated in 2001 that "the information age is now revolutionizing warfare for the twenty-first [century]",13 and that "Washington urgently needs to modernize its thinking and transcend its strategies of deterrence and national security"14 to be able to fight in the cyberspace which is the "new international battlefield."15 Noticeably, Adams articulated all key elements which remain the dominant perception of cyber-conflicts amongst U.S. officials,16 cybersecurity experts,17 and a substantial number of scholars.18 According to him, cyberwar is asymmetric and favours nations (above all, China19 and Russia20) and non-state actors, less powerful from a conventional perspective but supposedly actively "exploring the possibilities raised by this new American vulnerability."21
Indeed, the U.S. is seen as especially vulnerable, because of its superiority in information technology, which in turn, increases its dependence on cyberspace, and the attractiveness of its national targets.22 For instance, the former US Director of National Intelligence, Mike McConnell, declared that "as the most wired nation on Earth, [the U.S.] offer[s] the most targets of significance, yet our cyber-defenses are woefully lacking."23 This idea is reinforced by the perception of cyberweapons as cheap and relatively easy to obtain,24 but capable to engender "potential nightmares"25. Indeed, the idea that an "electronic Pearl Harbor"26 will occur is widespread (Adams claimed that even if cyberattacks have not inflicted critical damage so far, they are nevertheless "just a taste of dangers to come"27, while Clarke and Knake declared that "cyber war could devastate a modern nation"28). Accordingly, discourses about cybersecurity are abound of very evocative metaphors. Panetta declared notably that cyberattacks can "cause physical destruction and loss of life"29 and "be as destructive as the terrorist attack 9/11."30
Adams also develops the idea that in cyberspace, offense dominates defence (similarly, Arquilla and Ronfeldt stated that the information age has "offense-dominant attributes"31), and consequentially that the best defence is offensive, which means "deterring the attacks before they occur."32 Therefore, the major problem in cyberspace is the attribution problem because it determines the possibility of retaliation, and deterrence.33 Panetta stated that cyber attackers "will be far less likely to hit [the U.S] if we will be able to link the attack"34 and that his department "has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of those attacks."35 Moreover, McConnell also declared that to be able to deter cyberattacks, the U.S. must "reengineer the Internet to make attribution [...] more manageable."36
In this context, Rid was in total opposition with what seemed to be the mainstream assumptions about cyberwar, when he wrote in 2012:
"cyber war has never happened in the past. Cyber war does not take place in the present. And it is highly unlikely that cyber war will occur in the future. Instead, all past and present political cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: subversion, espionage, and sabotage. That is improbable to change in the years ahead."37
Drawing on Clausewitz's conception of war as an instrumental, political and potentially lethal "act of force to compel the enemy to do our will,"38 Rid argued that cyberwar does not exist because "if the use of force in war is violent, instrumental, and political, then there is no cyber offense that meets all three criteria."39 He concluded in highlighting that an act of "stand-alone cyber war, with code as the main weapon"40 has never occurred yet, and that alarmist predictions as well as analogies between nuclear and cyber war are "misplaced and problematic."41
Reiterating his original statement in his book released in 2013, Rid's argument is significant and quite provocative, in the sense that it calls into question the very basis of the U.S. cyber security policy, which has named cyberspace the fifth domain of military intervention42 (and defined it "as critical [...] as land, sea, air and space"43), as well as the relatively shared perception amongst scholars that "cyber war is real"44 and even "already upon us."45 In the next sections we will see how he challenges their visions and what the repercussions of these different conceptualisations are.
Cyberattacks & Political Violence
In his book, Rid resumes his initial findings and adds that "cyber attacks help to diminish rather than accentuate political violence."46 Instead of a cyberwar, "the opposite is taking place: a computer-enabled assault on violence itself."47 Indeed, he demonstrates how sabotage, espionage and subversion mediated though cyberspace are so far mostly non-violent and only indirect (in the sense that "computer code can only directly affect computer-controlled machines, not humans"48); something which makes them "less physical, less emotional, less symbolic, and less instrumental than more conventional uses of political violence."49 Consequently, according to Rid, a cyberattack – in comparison with its kinetic alternatives – is often ethically preferable in the sense that it "may be less violent, less traumatizing and more limited."50 In the same line, Tim Mauer argues that it might be a good thing if such a thing as cyberwar does exist, because cyberattacks cause limited damages and can save lives compared to other forms of attacks.51
However, this ethical superiority is contingent to the idea that the main goal of any form of political violence is to undermine social trust52 and that cyberoffenders would logically use cyberattacks as a "non-violent shortcut",53 as they have the capacity to achieve this goal in non-violent ways and, importantly, at lower costs. As Mauer rightly pointed out, this argument does not concern terrorist groups,54 which could aim at making as much damage as they can to increase the traumatic effect of the attack. Nevertheless, Rid argues that "the use of cyber weapons that could inflict damage and pain comparable to pummelling of Dresden, London, Belgrade, or Beirut at the receiving end of devastating airpower is at present, too unrealistic even for bad science fiction plot."55 Consequently, he dismisses the idea that cyberattacks can have similar effects as the kinetic ones in view of the cyberattacks on record. However, he cannot eliminate on this basis the idea that in the future cyberattacks may have comparable effects.
Furthermore, an interesting critique of Rid's vision of violence as intrinsically related to the human body (leading to his conclusion that cyberwar does not exist, because it cannot be violent enough to be defined as such56) has been formulated by John Stone57. He underlines notably that the link between violence and lethality (stipulated by Rid in accordance with his interpretation of Clausewitz's work58) is not inexorable: a military intervention, even in "minimizing loss of human life by employing advanced military technique"59 is still an act of war (Stone uses the example of US raids on Schweinfurt in 1943, aiming not at killing civilians but at destroying the ball-bearing factories and thus undermining the German war capacities). Accordingly, Stone declares that acts of war "need not to be lethal in character: they can break things, rather than kill people, and still fall under the rubric of war,"60 and that consequently, "cyber war is possible [because] cyber attacks could constitute acts of war."61 Erik Gartzke also criticises Rid, in saying that his argument stipulating that cyberwar does not exist "because it fails to conform to conventional definitions of conflict62 is a perspective that risks becoming "a purely academic exercise",63 neglecting the probable role of cyberattacks combined with actions "on the ground." He states that cyberwar is indeed not a distinct form of conflict; but is "basically tied to conventional forms of warfare."64
What is a Cyberweapon?
In his book, Rid underscores the need to define what a cyberweapon is.65 His chief point is that if cyberwar has only remained a metaphor, cyberweapons do exist, in the sense that arms are not only used in war but for a wide range of purposes.66 Therefore, it allows us to use the term cyberweapon (that is, "computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, system, or living beings"67) in a broader sense than cyberwar.68 Moreover, he draws a distinction between "generic but low-potential tools"69 and "specific but high-potential weaponry"70, and demonstrates than even an extremely sophisticated cyberweapon is not going to lead necessarily to a "cyber-catastrophe", precisely because of its degree of sophistication which allows to minimize or even remove the risk of collateral damage.71
However, his argument is contingent to the idea that a cyber-attacker's goal is not to inflict as much collateral damage as they can, or alternatively that these attackers do not have yet the capacity to do so. Yet, Rid demonstrates quite persuasively that cyberattacks are not all the same and that making the distinction is fundamental in order to provide relevant solutions to cybersecurity issues. Moreover, he points out that exceptional cyber weapons require a large amount of human, technical and financial resources,72 which undermines the common idea that cyberwar is asymmetric and, therefore, in favour of conventionally weak states and nonstates actors.
Furthermore, he states that this distinction between weapons and nonweapons is fundamental because it has security (a tool with the potential to be used as a weapon is more dangerous), political ("an unarmed intrusion is politically less explosive than an armed one"73), and legal consequences74. Concerning the latter, Rid argues that this distinction is crucial because it is the first step to develop appropriate responses. If a very sophisticated piece of malware can gather a large amount of information and have noticeable consequences, but cannot be used for other purposes than spying, it should not be considered a weapon because "the law of conflict does not deem espionage an armed attack."75
This example shows the pragmatic significance of Rid's argument: indeed, if cyberwar does not exist and only a few cyber instruments can indeed be rightly called "weapons", cyberattacks should not be examined from a "law of armed conflict" perspective. Yet, it has been done by scholars, such as Russell Buchan or Charles Dunlap76 (even if the latter warns against the unproductive effects of applying a "martial rhetoric" to the cyberspace77), and nowadays, "few if any scholars publishing on international law and cyber security do so from a non-military perspective."78
Cyberdeterrence & The Attribution Problem
In his book, Rid progresses beyond his initial triptych (online sabotage, espionage and subversion) to address for the first time one of the most prominent concerns about cyberattacks: the attribution problem. Leon Panetta declared – as has already been mentioned above – that the U.S. Defense Department, after "significant investments",79 "has [now] the capacity to locate [potential aggressors] and hold them accountable for actions that harm America or its interests."80 According to Rid, who assesses Panetta's rhetoric as including at least partly "a measure of bluff and bluster,"81 the possibility of solving the attribution problem by improving only technological tools is misleading. In essence, he argues that far from being an inherent problem with cyberattacks (induced by their technical specificities), the attribution problem is more significantly a political one; consequently, no purely technical solution is likely to resolve it.82
According to him, attribution is always a call of judgement (even if this point has been underexplored in IR – as opposed to Criminal law – where the "state-againststate" conventional conflicts "mostly left little doubt about the attacker's identity"83), and that achieving even an incomplete attribution cannot be done without non-technical insights.84 He also stresses that the standards of proof depends on what is considered subjectively by governments as "sufficient basis for political action".85 In doing so, Rid provides thoughtprovoking insight about the inherent part of subjectivity in the attribution problem, questioning the appropriateness of focusing only on technical capacities to resolve it.
This argument is of particular importance in view of the fact that some people impute the attribution problem and the difficulty of deterrence to the structure of the Internet itself, and therefore, propose to modify its design in order to solve this problem. This is noticeably the case in McConnell's analysis. He argues: "we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment [...] more manageable."86 This view and sentiment is also echoed in the work of David Clark and Susan Landau.87 Their vision is embedded in the idea that a cyberdeterrence policy must be established in order to prevent cyberattacks, in the same way that deterrence has been used during the Cold War to protect the U.S. from nuclear attacks.88 This use of analogies is widely criticised by Rid, arguing that they fail to highlight the real cybersecurity issues.89
Sean Lawson also has pointed out that it is the comparison between the effects of nuclear and cyberweapons that leads to the application of deterrence in the context of cybersecurity90 . He states that "it is neither natural nor inevitable"91 nor even desirable. Similarly, to Rid and James Lewis,92 he considers that it results "in a tendency to focus on hypothetical worst cases while ignoring actual threats."93 Howard Schmidt, former U.S. Cybersecurity Coordinator, reinforced this idea, stating – quite surprisingly for a U.S. official at that time – that "the government needs to focus its cybersecurity efforts to fight online crime and espionage",94 and that cyberwar "is a terrible metaphor [...] and a terrible concept."95
The recurrent analogies with the Cold War and the attempts to implement a cyber-deterrence doctrine display interesting insights, denoting a common mentality and a shared experience of Cold War amongst the people in charge of cybersecurity. However, it is necessary to examine these rigorously in order to assess the impact of such mind-sets on the current development of cybersecurity and defence strategies.96
Undoubtedly, it is difficult to avoid the extremely sensitive issue of interests at stake, and how they can influence the discourses on cyber-threats. Mary O'Connell notably states that "plainly some of the pressure to militarize cyber security is being driven by business concerns in the military security sector."97 Accordingly, Myriam Dunn Cavelty displays that cybersecurity is a highly politicised issue in a context where "different bureaucratic entities that compete against each other for resources [and that] this is usually done by stating an urgent need for action."98 Moreover, she points out that "being a cyber-expert has become a lucrative market, but only if the problem is continuously portrayed as grave."99
In regard to the acceptance of the concept of cyberwar by certain scholars, but most importantly by the U.S. administration, Rid – in challenging the validity of this conceptualisation and its related security, political and legal consequences – provides a thought-provoking analysis. As he has persuasively displayed, the debate about cyberattacks has been militarized and is now dominated by the "terminology of warfare",100 which distorts the issues in emphasising on prospective catastrophic scenarios, and is counterproductive in addressing existing cybersecurity concerns.101 However, his rigid conception of war might ignore some pragmatic uses of cyberspace that already are or will become crucial in the conduct of warfare, and his assessment of cyberwar on the basis of documented cyberattacks that have already occurred cannot totally exclude the possibility of "cyber act of wars" in the future.
Adams, J. "Virtual Defense", Foreign Affairs, 80:3 (2001).
Arquilla, J. "Cyberwar Is Already Upon Us." Foreign Policy [website](published 27 February 2012). Available at: http://www.foreignpolicy.com/articles/2012/02/27/cyberwar_is_already_upon_us
Arquilla, J & Ronfeldt, D. "Cyberwar Is Coming!", Comparative Strategy, 12:2 (1993).
Arquilla, J & Ronfeldt, D. "Cyberwar Is Coming!" In Athena's camp: Preparing for conflict in the information age, edited by John Arquilla and David Ronfeldt. Santa Monica: RAND, 1997, pp. 23-60. Originally published in Comparative Strategy, 12:2 (1993): pp.141-165.
Arquilla, J & Rondfeldt, D. The Advent of Netwar. Santa Monica: RAND, 1996.
Bendrath, R. "The Cyberwar Debate: Perception and Politics in US Critical Infrastructure Protection." Information & Security: An International Journal. 7 (2001), pp.80-103.
Buchan, R. "Cyber Attacks: Unlawful Uses of Force or Prohibited Interventions?" Journal of Conflict & Security Law, Vol. 17, No. 2 (2012), pp. 211-227.
Clark, D & Landau, S. "Untangling Attribution." Harvard National Security Journal, 2:2 (2011), pp. 25-40.
Clarke, R & Knake R. Cyber War (New York: Ecco 2010).
Clark, W & Levin, P. "Securing the Information Highway", Foreign Affairs, 88:6 (2009), pp. 2-10.
Dunlap, C. "Perspectives for Cyber Strategists on Law for Cyberwar." Strategic Studies Quarterly (Spring 2011), pp. 81-99.
Dunn Cavelty, M. "The Militarisation of Cyberspace: Why Less May Be Better." International Conference on Cyber Conflict Proceedings, CCD CoE, 2012.
Gartzke, E. "The Myth of Cyberwar." International Security, 38:2 (2013), pp. 41-73.
Knapp, K & Boulton, W. "Cyber-Warfare Threatens Corporations: Expansion into Commercial Environments", Information Systems Management, 23:2 (2006), pp. 76-87.
Lawson, S. "Putting the "war" in cyberwar: Metaphor, analogy, and cybersecurity discourse in the United States." First Monday [website], 17:7 (2012). Available at: http://firstmonday.org/ojs/index.php/fm/article/view/3848/3270
Lewis, J. "The fog of cyberwar." International Relations and Security Network [website] (2009). Available at: http://isnblog.ethz.ch/intelligence/isn-weeklythemethe-fog-of-cyberwar
Lynn, W. "Defending a New Domain", Foreign Affairs, 89:5 (2010), pp. 97-108.
Maurer, T. "The Case of Cyberwarfare." Foreign Policy (published 19 October 2011). Available at: http://www.foreignpolicy.com/articles/2011/10/19/the_case_for_cyberwar
McConnell, M. "How to win the cyber-war we're losing." The Washington Post [website] (28 February 2010). Available at: http://www.washingtonpost.com/wpdyn/ content/article/2010/02/25/AR2010022502493.html
NSA. "Biography General Keith B. Alexander" [website]. Available at: http://www.nsa.gov/about/leadership/bio_alexander.shtml
O'Connell, M. "Cyber Security without Cyber War." Journal of Conflict & Security Law, Vol. 17, No. 2 (2012), pp. 187-209.
Panetta, L. "Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security." U.S. Department of Defense [website] (New York City, 11 October 2012). Available at: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5136
Rid, T. "Cyberwar and Peace", Foreign Affairs, 91:6 (2012), pp.77-87.
Rid, T. "Cyber War Will Not Take Place", Journal of Strategic Studies, 35:1 (2012), pp. 5-32.
Rid, T. Cyber War Will Not Take Place (London: Hurst & Company, 2013).
Rid, T. "End this phony cyberwar", New Scientist, 219: 2933 (2013), pp. 26-27.
Rid, T & McBurney, P. "Cyber-Weapons", The RUSI Journal, 157:1 (2012), pp.6-13.
Rid, T. "Think Again: Cyberwar." Foreign Policy (published 27 February 2012). Available at: http://www.foreignpolicy.com/articles/2012/02/27/cyberwar
Shachtman, N & Singer, P. "The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive." Bookings (published 15 August 2011). Available at: http://www.brookings.edu/research/articles/2011/08/15-cybersecurity-singershachtman
Singel, R. "White House Cyber Czar: ‘There is no Cyberwar'." Wired [website] (published 4 March 2010). Available at: http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/
Stone, J. "Cyber War Will Take Place!" Journal of Strategic Studies, 36:1 (2013), pp. 101-108.
U.S. Department of Defense. "The Cyber Domain: Security and Operations." U.S. Department of Defense [website]. Available at: http://www.defense.gov/home/features/2013/0713_cyberdomain/
Valeri, L & Knights, M. "Affecting Trust: Terrorism, Internet and Offensive Information Warfare", Terrorism and Political Science, 12:1(2000), pp. 15-36.