Why a cyberwar won't happen





Talk of combat in the fifth domain has become a fixture in Washington. But let's not use that as an excuse to quash a free internet, says a war studies academic


EXACTLY two decades ago, the RAND Corporation, an influential think tank, proclaimed that "cyberwar is coming!" In 2005, the US Air Force declared it would now "fly, fight, and win in cyberspace". The future of war would surely play out in that fifth domain, on top of land, sea, air and space. Dark warnings of "Cyber Pearl Harbor" soon became a staple of Washington discourse.


Leaks revealed last week that the US government spends a staggering $4.3 billion a year on cyber operations. In 2011, American intelligence agencies reportedly mounted 231 offensive operations. The US, it seems, is gearing up for cyber combat.


What would an act of cyberwar look like? History suggests three features. To count as an armed attack, a computer breach would need to be violent. If it can't hurt or kill, it can't be war. An act of cyberwar would also need to be instrumental. In a military confrontation, one party generally uses force to compel the other party to do something they would otherwise not do. Finally, it would need to be political, in the sense that one opponent says, "If you don't do X, we'll strike you." That's the gist of two centuries of strategic thought.


No past cyberattack meets these criteria. Very few meet even a single one. Never has a human been injured or hurt as an immediate consequence of a cyberattack. Never did a state coerce another state by cyberattack. Very rarely did state-sponsored offenders take credit for an attack. So if we're talking about war – the real thing, not a metaphor, as in the "war on drugs" – then cyberwar has never happened in the past, is not taking place at present, and seems unlikely in the future.


That is not to say that cyberattacks do not happen. In 2010, the US and Israel attacked Iran's nuclear enrichment programme with a computer worm called Stuxnet. A computer breach could cause an electricity blackout or interrupt a city's water supply, although that also has never happened. If that isn't war, what is it? Such attacks are better understood as either sabotage, espionage or subversion.


Code-borne sabotage is a real risk. Industrial control systems run all sorts of things that move fast and can burn: trains, gas pipelines, civilian aircraft, refineries, even elevators and medical devices. Many of these are highly susceptible to breaches, and information about system vulnerabilities is easily available.


Even so, the number of violent computer-sabotage attacks against Western targets is zero.


Why? Because causing havoc through weaponised code is harder than it looks. Target intelligence is needed. Control systems are often configured for specific tasks, limiting the possibility of generic attacks. Even if they happened, such attacks may not constitute a use of force.


The second threat is cyber espionage. Data breaches are not just a risk, but a real bleeding wound for the US, Europe and other advanced economies. But espionage is not war, and cyber espionage is not cyberwar.


Finally, there is subversion – using social media and other internet services to undermine established authority. It is not a surprise that subversives, from Anonymous and Occupy to Arab protesters, use new technologies. Twitter and Facebook have made organising non-violent protest easier than ever, often in the service of liberty and freedom. But again, subversion is not war, and cyber subversion is not cyberwar.


There are other problems with the concept of cyberwar. First, it is misleading. Closer examination of the facts reveals that what is happening is the opposite of war: computer breaches are less violent than old-style attacks. Violent sabotage is harder if it is done through computers, while non-violent sabotage is now easier and is happening more often: crashing websites, deleting files and so on. The same goes for espionage: infiltrating software and opening remote back doors is much less risky than sending in human agents and clandestinely bugging embassy walls.


Talk of cyberwar is also disrespectful. Last year, the US Department of Defense considered creating a new Distinguished Warfare Medal for drone operators and developers of computer attacks. Real combat veterans protested vehemently when they learned that the award would have ranked higher than the Purple Heart. Secretary of Defense Chuck Hagel then scrapped the idea. Ending or saving the life of another human is an existential experience; deleting or modifying data is not.


Talk of cyberwar also kills nuance. Intelligence agencies have started to take "cyber" seriously. By doing so, signals-intelligence agencies such as the US National Security Agency and the UK's GCHQ, as well as human intelligence agencies, are updating their tradecraft for the 21st century. The West is beginning to have an overdue debate about what kind of intelligence activity is legitimate for a 21st century democracy, and where red lines should be drawn. Drawing these lines requires subtlety. It is time for this debate to drop the prefix "cyber" and call a spade a spade: espionage is espionage.





Issue 2933 of New Scientist magazine

