Cipher Book Review, Issue E132

Cyber War versus Cyber Realities: Cyber Conflict in the International System
by Brandon Valeriano and Ryan C. Harris

Oxford University Press 2015.
ISBN 978-0-19-020479-2 .
Table of Contents:

Reviewed by  Richard Austin   05/17/2016 

There are troubling questions in the cyber world with disturbing implications for how we view our jobs, our profession and the vast industry infrastructure that supports them. If one imagines a continuum running from cybercrime through cyber terrorism to cyber war, where are we? Popular media is awash with assurances that we are in the midst of a cyber war and are just waiting for a "cyber Pearl Harbor" that will devastate society as we know it. Mikko Hypponen, in his keynote at the Berlin FIRST Conference in 2015, raised the disturbing possibility that cyber security professionals were legitimately targetable as military assets under the Law of Armed Conflict. It appears that national security agencies are hoarding undisclosed vulnerabilities in widely used software and systems to allow them to be used as components in cyber weapons rather than disclosing them so they can be remediated.

The authors acknowledge the troubling questions but pose very interesting questions in response: What do we actually know? What does the research, where it's been done, reveal? Their answers, though necessarily tentative and, as they note, subject to invalidation by future events, suggest a more nuanced future that may not be all that much different from the past.

The book opens with a broad survey of "The Contours of the Cyber Conflict World" and quickly identifies wide misuse of the term "cyber war" with potential for wide misunderstanding and overreaction. The concept of "war" has become muddled with the idea that it reflects a level of effort (e.g., "war on drugs", "war on illiteracy", etc.) rather than a situation where substantial violence is done to people and property in pursuit of a political end. They also identify a persistent focus on the worst possibilities (failure of the power grid, failure of the international banking system ...) rather than most-of-the-time reality. They make the important point that in a risk-adverse world, it is much easier to obtain budget and resources by concentrating on highly destructive possibilities. The authors do not deny that calamitous events are possible but that they are relatively unlikely and therefore an exclusive focus on the worst possibilities biases planning and broader discussion.

Chapter 2, "Cyber Power, Cyber Weapons and Cyber Operations", is excellent in its development of meaningful terminology. They tackle the important question of what can be defined as "cyber war" and what qualifies as "cyber conflict" which brings much needed clarity to discussions of "cyber war" and whether we are actually in the midst of one.

Chapter 3, "Theories of Cyber Conflict", positions cyber conflict within the international system. As the authors note, this is largely uncharted territory as much of the current discourse is focused on calamitous possibilities with little attention to how entities actually interact when disagreements arise. A telling quote is "When cyber operations are used, they typically are low-scale events akin more to propaganda and espionage than warfare. This leads to cyber restraint, a form of operations derived from deterrence theory but not dependent on it" (p. 46). This observation is based on analysis of the cyber operations that have been observed and not on the all too familiar catalog of apocalyptic possibilities. In reading their argument, one is reminded of Herman Kahn's escalation ladder (conflict at a low level runs the possibility of escalating to conflict at a more severe one) and the famous quote from "War Games" to the effect that the best way to successfully negotiate the escalation ladder is to never set foot on it.

Chapters 4 through 7 form a detailed look at what has actually been observed in cyber conflicts to date. The focus is on what actually occurred, the real impacts observed and what those suggest about the real nature of cyber conflict. These chapters are well-researched and their apt analysis is hard to refute.

Chapter 6, "Cyber Rules", examines the types of norms that should govern cyber operations. The concept that governs traditional military conflict is that of "Just War" where conflict only occurs for defensible reasons as a last resort and is conducted so as to minimize collateral damage such as non-combatant casualties. These goals are challenging to achieve in the cyber realm (e.g., Stuxnet, one of the most "lawyered up" pieces of software still spread to non-targeted systems though, as far as we know, it never detonated on any them). The authors propose a set of guidelines for "cyber justice and an international system of cyber norms" (p. 201) which form a good starting point for discussion.

This is an important book which deals with very difficult questions. The authors bring a fresh approach in their diligent focus on the available evidence and how that evidence can be fitted to what we know about how the international system works. While this brief review cannot begin to do justice to the book's content (my copy is festooned with sticky notes and looks like someone spilled a bottle of yellow ink on the interior), I hope that I have aroused sufficient interest for you to read it. As the authors note in their conclusion, the cyber "realm will only be as dangerous as we let it" (p. 228) and cyber security professionals are deeply involved in that process. I heartily second the author's admonishment that we have to stop letting ourselves be compelled by the hype and follow their well-researched leadership in asking "But what is it that we actually know?"

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin fearlessly samples the latest offerings of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org