One of the most alarming visions of modern warfare, and one high on the Pentagon’s list of worries, is a catastrophic digital attack. For all we know, it could be heading for us right now.
The prevailing image of full-blown cyberwar resembles a trailer for one of those summer blockbusters where the White House and Brooklyn Bridge explode. Planes would crash in the air; nuclear power plants would melt down. Aging world leaders and army commanders would find their pacemakers hacked. Defense Secretary Leon Panetta offered a few more possibilities in an October 2011 speech: “An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals,” he said. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” As Panetta described it, we are facing no less than the threat of an eventual “cyber Pearl Harbor.”
With this in mind, the defense establishment is bringing massive resources to the emerging fight. One of the documents leaked recently by Edward Snowden, the former National Security Agency contractor, was a budget for US cyberoperations. The scope and ambition are staggering. In 2011 alone, US intelligence services carried out 231 offensive cyberoperations, according to The Washington Post, where the revelations were published, including a $652 million program code-named GENIE, in which a staff of 1,870 US computer specialists broke into foreign networks and put them under surreptitious US control. The goal is to keep America ahead in the arms race against aggressive, cyber-savvy adversaries like China.
But in this march toward putting the nation on a new kind of war footing, a critique is emerging: We are making a mistake in thinking of cyberattacks as a form of war at all. The most powerful voice on this front is Thomas Rid, a German-born professor in the Department of War Studies at King’s College London and a fellow at Johns Hopkins University’s School for Advanced International Studies.
Rid, who has written books on the changing nature of warfare and counterinsurgency, believes we’re living at a moment of cyberwar hype—not unlike the fears of a domino effect or a “missile gap” that drove the excesses of the Cold War. In a new book, provocatively titled “Cyber War Will Not Take Place,” he argues that what we have seen so far in the cyber realm can’t properly be classified as war at all. And, he and his allies suggest, in thinking of it that way, we’re creating new international hazards and diverting attention from changes that might actually keep us safe.
‘If we call something war, the instinct is that the military should really be in charge……But if you say it’s not actually military conflict, it’s not war in any sensible way, then you raise questions about whether the Department of Defense should really be responsible for this.’
“If we call something war, the instinct is that the military should really be in charge,” Rid said. “And that’s actually taking place. People are claiming responsibility because it’s a new form of military conflict. But if you say it’s not actually military conflict, it’s not war in any sensible way, then you raise questions about whether the Department of Defense should really be responsible for this.”
Rid represents one pole of an emerging debate, as the world’s policy establishment grapples with how to think about virtual attacks. One side believes that to downplay them is dangerously naive—that this latest weapon of war has to be treated with the same seriousness as conventional arms, even nuclear weapons. An international effort is now underway to codify international rules of war as they apply to cyberattacks, placing them on a continuum with conventional warfare.
Rid’s side of this debate, which includes both experts on cybersecurity and those given the task of designing the new “weapons” for cyberspace, argues that although the threat is real, in overstating it we’re helping create a new kind of global risk. Framing cyberattacks as acts of war has already fueled escalation, as countries like Iran and China invest in their own offensive cyberwarfare capabilities. And the military’s enthusiastic embrace of this new theater of war, stoked by public fear, could have dangerous consequences. The United States is already launching hundreds of attacks, not visible to most people, which could easily become the triggers for responses that move quickly and uncontrollably outside the virtual realm.
RID HAS STUDIED the increasing advance of military forces into cyberspace in his own research and for influential think tanks like the RAND Corporation. He sees little evidence that attacks in the digital realm merit the name of “war.” Even the most sophisticated known cyberattack, the Stuxnet virus, meant to undermine Iran’s nuclear enrichment capabilities, led to no loss of life; no one claimed responsibility, though the virus is widely thought to have been the work of the United States and Israel. Rid would call it an act of sabotage—aggressive for a state action, yes, but falling considerably short of warfare.
And an attack like Stuxnet is very much one of a kind. More typical is the attack last year against Saudi Arabia’s national oil company, ARAMCO, by a group of hackers calling themselves the “Cutting Sword of Justice.” In one of the most destructive hacker strikes yet leveled against a single company, 30,000 ARAMCO computer workstations were shut down and their data deleted. But, Rid points out, it was entirely nonviolent, and it did not affect oil production.
“It was a massively efficient act of sabotage, because the company was not able to operate at the office level for an entire week,” said Rid. “But not a single person was hurt.”
In a sense, Rid’s argument is about terminology. For a cyberattack to qualify as war, he argues, it needs to be physically violent or at least potentially so—otherwise, the word “war” is simply a metaphor, like the “war on poverty.” It needs to be instrumental, forcing a change in behavior. And it needs to be political, in the sense that the instigator of an attack takes responsibility for it and makes it clear why it was carried out.
Calling digital attacks “war,” he argues, wrongly equates computers with traditional military weapons. “Code can’t explode, plain and simple,” he says. “So you have to weaponize a target system, be it an airplane, a pacemaker, a power plant, something else.” Any successful digital attack must be highly tailored, requires quality intelligence, and only becomes “war” if the end result is something we’d acknowledge as an act of war.
To call it “warfare” from the outset is to suggest that computers are just the latest weapon in mankind’s arsenal, which demand a response in the form of a counterattack. The potential for escalation is a real threat. Earlier this year, the Department of Defense released the findings of a task force that suggested that the United States could justifiably retaliate for a cyberattack with nuclear weapons, at least if an attack proved existentially threatening, such as one that would destroy the nation’s infrastructure.
Rid doesn’t discount the prospect that cyberattacks could cause real physical damage. He believes, in fact, that in the next few years we will see the first lethal cyberattack. “What is a worst case scenario, or a really bad scenario?” Rid asked. “We could have a dam incident, possibly, that costs human lives. That hasn’t happened in the past, but it could happen. We could have a blackout in a city or in a region that would be caused by some sort of computer attack. But if that happens that will probably remain the exception.”
It’s not hard to find critics of Rid’s cautionary perspective. To people who define warfare as any aggressive action taken against a state by another state, or even by a nonstate actor, digital warfare is a natural evolution in how we understand human hostility.
Rid “has a very narrow definition of ‘warfare,’ which is basically limited to bullets and bombs and deaths,” said Andrew Ruef, who works on research and development on computers and information systems for Trail of Bits, an information security company. “Obviously, if you phrase things this way, then of course a cyber ‘war’ is impossible unless there are armies of hacked robots with guns.”
Major Paulo Shakarian, a professor at West Point and the author of the recently published “Introduction to Cyber-Warfare: A Multidisciplinary Approach,” applies what he calls a “Carl von Clausewitz approach to cyberwar.” Invoking the famous strategist’s tenet that “war is an extension of politics by other means,” Shakarian said, “It’s no different in cyberspace. It doesn’t have to involve a certain type of violence.”
Rid’s critics do agree that there’s a degree of hype to dire visions of “cyberwar.” But they also believe that the ability to create viruses and other types of detrimental software is becoming more widespread, and that our defense forces need to keep pace. Eventually, the knowledge and capability to launch cyberattacks will fall into more dangerous hands than those of hackers hired by the Chinese state. When that happens, they say, it won’t seem so farfetched—and we may even be grateful—that the military is in the lead.
Coming on the heels of the successful Stuxnet attack, the recent NSA leaks only make clearer that the defense establishment sees cyberspace as a new theater of war. Observers are moving to formalize rules for thinking of cyberoperations as war, including the publication this year of the Tallinn Manual. Created by a group of legal and military experts hosted by NATO, the manual attempts to apply international rules of war to the cyber realm, implicitly positioning these new attacks as extensions of conventional warfare.
For Rid, such an effort seems like an interesting exercise for legal scholars, but one with little practical application today. Notably, the authors of the manual could not agree on whether even Stuxnet—the outer limit of contemporary cyberattack—constituted an act of war. Rid sees this as proof that the conversation belongs in the realm of the hypothetical. “If they cannot agree on whether the most sophisticated attack that ever happened falls within the realm of their own document, then they are basically talking about a class of events above Stuxnet, and that class is empty,” Rid said.
But the lead author of the Tallinn Manual, Michael Schmitt, chairman of the international law department at the United States Naval War College, said that despite the ambiguity of some of his group’s findings, the laws of war are still the correct framework through which to understand these attacks. With cyberattacks on the rise, some emanating from state-sponsored entities, it’s important, Schmitt said, to understand what analogies exist with conventional warfare and where the divergences occur. On Stuxnet, Schmitt said, there wasn’t enough information to determine whether the virus could be considered an “armed attack”—a technical definition found in the United Nations charter—that would give Iran the right to respond with force.
Rid says he’s found some unexpected allies elsewhere in the defense establishment—namely, among the computer engineers actually tasked with implementing cyberweapons, often by military commanders who have unreasonable expectations about what is possible. “People who work for the Pentagon have come to me exasperated that their superiors are asking for a ‘cyber tomahawk missile,’” Rid said. “They are working under a false analogy that creates unrealistic ideas about what can be done.”
Some experts in cybersecurity agree, fearing that the broad embrace of cyberwar by the military establishment means that we’ve begun focusing on offensive operations without first making ourselves secure. “We’ve been investing in exploiting systems that are already vulnerable and broken instead of figuring out how to do security engineering right and build systems that are not so susceptible to hacking,” said Gary McGraw, the author of a number of books on cybersecurity. “We need a separation of powers so that the military leaders charged with offense aren’t the same ones also charged with our defense, because there is no way they can accomplish these two missions simultaneously.”
For Rid, these are problems rooted in our misguided urge to see cyberoperations as the newest military frontier. If nothing else, he wants to make people understand that hostility in the digital realm just does not line up neatly with the long human experience of warfare and its accompanying blood and destruction.
“I grew up in Germany, and we know what war looks like in that part of the world,” Rid said. “And cyberwar is just not the same thing as bombs destroying cities. We have to respect violence—and I say this both as a German and someone who has spent a long time in Israel. Real war is just something that is absolutely horrifying. Anyone who has been to a war zone understands that and knows the difference.”