Cyber War Will Not Take Place
by Thomas Rid
ISBN 978-0-19-933063-8. amazon.com USD 18.38
Reviewed by Richard Austin November 16, 2013
It is difficult to find a media outlet these days that doesn't contain multiple assurances that cyber warfare is a widespread phenomenon on the Internet, with consequences ranging from loss of intellectual property to interference with critical industries. Nations are racing each other to develop cyber warfare capabilities to inflict/counter these phenomena, and private organizations are wondering how they can deal effectively with their becoming targets in this global "cyber war". Rid takes a step back and asserts that a cyber-war is not in progress and may even be impossible.
Before getting into Rid's argument, one might wonder why it even matters. War is a terrible phenomenon where the usual rules of civil conduct are thrown out the figurative window and behaviors that are normally reprehensible become commonplace and even admirable. A visit to any commemorative cemetery or historical battlefield will graphically remind one that war is a horrible thing that must be avoided until the last extremity of national need. Applying the label of "war" inappropriately may be the first step onto a slippery slope leading to an awful (and perhaps unintended) destination.
But at the same time, "war" is an amorphous concept, even though humanity has routinely practiced its arts throughout history. Consider, for example, where one would draw the lines between crime, acts of terror and an overtly aggressive act by a nation state? Even the US military acknowledges this notional swamp in its term "operations other than war (OOTW)".
Factor in the cyber world and the confusion grows exponentially. Malware aims at a panoply of effects ranging from ransomware to credential stealing to exfiltration of intellectual property to real-world effects (e.g., Stuxnet). Where does one draw the line between crimeware and cyber-weapon? Which malware effects would trigger a nation state's right of self-defense? Are there times when destructive real-world effects would constitute a crime rather than an act of war?
Rid tackles these issues head-on by opening the book with a discussion of "What is Cyber War?" He proposes Clausewitz's tripartite definition of war: violence, instrumentality, and political nature. To constitute an act of war, the act must be violent - "potentially or actually lethal, at least for some participants on at least one side" (p. 1). Notice that people don't necessarily have to suffer harm; the threat of harm is sufficient to qualify as violence. Instrumentality implies that there is a purpose or means to an end. This turns the well-known attribution problem on its head (at least as far as war is concerned). If Agrivona* and Eurya* have a national dispute over issue X, and Eurya launches a violent cyber-attack against its adversary, Agrivona must in no uncertain terms know that Eurya is behind the attack or it will not understand that if it accedes to Eurya's position, no further attacks will occur. Finally, there must be a political purpose (political in the sense of serving national policy on an issue). While one could certainly quarrel about the specifics of Rid's definition, it does clearly define the criteria that distinguish an act of war from espionage or random violence.
Rid then explores the critical concept of "violence" (specifically, "instrumental violence, violence administered (or threatened) in the service of a political purpose", p. 21). If an attack is not "violent" then it cannot be an act of war. Violence in the cyber realm is rather distinct from violence in the physical realm. For example, a hand-grenade is in and of itself "violent" (its detonation creates both direct physical effects and scatters shrapnel over a wide area). However, a cyber-weapon cannot be physically destructive in the same way - it can only create violence indirectly (or parasitically) by exploiting the violence already potential in a system (p. 13f). Thus, cyber-weapons can only affect systems controlled by other systems (e.g., a cyber-weapon could destabilize a control process to cause a machine to exceed its safe operating parameters and "self-destruct" in some way). Any violence done to people as the result of the cyber-attack is actually caused by the targeted system, not the weapon itself. This indirect nature of cyber-violence gives rise to the second difference - cyber-violence has less of an emotional impact (p. 17). Continuing with the earlier analogy, hurling a hand grenade into a crowd produces a greater emotional impact (think news headlines) than a cyber-mediated explosion at a chemical plant even though the latter likely produced more human casualties. Lastly, instruments of cyber-violence have little symbolic value - compare the symbolic impact of an aircraft carrier battle group to the possibility that a Stuxnet-II exists somewhere (p. 19f). These limitations impose significant challenges for cyber-weapons' ability to produce sufficient violence to qualify as weapons-of-war.
Rid then explores another concept lacking in precise definition: weapon. For example, a hammer is both a useful tool (for driving nails or accidentally smashing one's finger while driving nails) and a potential weapon (perhaps specialized as a mace). To distinguish these different use cases, he defines "weapon" as "a tool that is used, or designed to be used, with the aim of threatening or causing physical, functional or mental harm to structures, systems or living things" (p. 37). Note the essential requirement of potential violence in this definition. This definition is immediately useful in distinguishing attacks that might trigger a nation's right of self-defense from activities such as espionage (e.g., exfiltration of valuable intellectual property) that do not. With the definitions firmly established, Rid then explores the use cases of sabotage (undermining the intended function of a system) and espionage (clandestine pilfering of information). He notes that while sabotage might potentially qualify in terms of violence, instrumentality and political intent as "war", espionage does not.
Rid then turns his attention to an area where cyber techniques have clear advantages: subversion. When the intent is to effect "regime change", a critical task is to undermine confidence in the sitting government. This is an area where cyber techniques' stealthy nature and ability to interfere with information infrastructure are clear advantages. If a government cannot protect its official websites, assure critical services (electricity, water), etc., in the face of a subversive movement's cyber actions, the populace may well begin to consider the movement's call for change in a much more positive light.
As Rid draws his discussion to a close, he reviews the "attribution problem" or how actions in the cyber realm are tied to the actor responsible for them. As noted earlier, with acts of war, it is in the actor's best political (or policy) interest that their responsibility for the action be clearly known without doubt. However, when dealing with acts of espionage, the actor's benefit lies in their responsibility being concealed in a fog of plausible deniability.
The final chapter, aptly titled "Beyond Cyber War", is a call to move the discussion beyond graphic, one-size-fits-all analogies such as "Cyber Pearl Harbor" or "Cyber Hiroshima" to a more nuanced discussion that recognizes the spectrum of potential actions in cyberspace and tailors policy and technical responses appropriately.
This is a disturbing book about an uncomfortable subject, but it is an important topic for the practicing security professional. Applying the label of "war" inappropriately produces bad policy decisions - on the one hand, it absolves the private sector of responsibility (contracts commonly include indemnity for "acts of war") while on the other, it encourages inappropriate responses. Many will find Rid's definitions and arguments controversial but his definitions and well-referenced reasoning bring clarity to what has been a fractious and murky debate. Highly recommended for your consideration.
*Note: Agrivona and Eurya are fictional country names generated by http://nine.frenchboys.net/country.php