New Scientist

What Would a Real Cyberwar Look Like?

Dark warnings exaggerate and distort the real risks.

No cyberwar in sight.
This is not war.

Photo by PN Photo/iStock/Thinkstock

Talk of combat in the fifth domain has become a fixture in Washington. But let’s not use that as an excuse to quash a free Internet, says a war studies academic.

Exactly two decades ago, the RAND Corp., an influential think tank, proclaimed that “Cyberwar is Coming!” In 2005 the U.S. Air Force declared it would now “fly, fight, and win in cyberspace.” The future of war would surely play out in that fifth domain, on top of land, sea, air, and space. Dark warnings of “Cyber Pearl Harbor” soon became a staple of Washington discourse.

Leaks revealed last week that the U.S. government spends a staggering $4.3 billion a year on cyberoperations. In 2011 American intelligence agencies reportedly mounted 231 offensive operations. The United States, it seems, is gearing up for cybercombat.

What would an act of cyberwar look like? History suggests three features. To count as an armed attack, a computer breach would need to be violent. If it can’t hurt or kill, it can’t be war. An act of cyberwar would also need to be instrumental. In a military confrontation, one party generally uses force to compel the other party to do something they would otherwise not do. Finally, it would need to be political, in the sense that one opponent says, “If you don’t do X, we’ll strike you.” That’s the gist of two centuries of strategic thought.

No past cyberattack meets these criteria. Very few meet even a single one. Never has a human been injured or hurt as an immediate consequence of a cyberattack. Never did a state coerce another state by cyberattack. Very rarely did state-sponsored offenders take credit for an attack. So if we’re talking about war—the real thing, not a metaphor, as in the “war on drugs”—then cyberwar has never happened in the past, is not taking place at present, and seems unlikely in the future.

That is not to say that cyberattacks do not happen. In 2010 the United States and Israel attacked Iran’s nuclear enrichment program with a computer worm called Stuxnet. A computer breach could cause an electricity blackout or interrupt a city’s water supply, although that also has never happened. If that isn’t war, what is it? Such attacks are better understood as either sabotage, espionage, or subversion.

Code-borne sabotage is a real risk. Industrial control systems run all sorts of things that move fast and can burn: trains, gas pipelines, civilian aircraft, refineries, even elevators and medical devices. Many of these are highly susceptible to breaches, and information about system vulnerabilities is easily available.

Even so, the number of violent computer-sabotage attacks against Western targets is zero.

Why? Because causing havoc through weaponized code is harder than it looks. Target intelligence is needed. Control systems are often configured for specific tasks, limiting the possibility of generic attacks. Even if they happened, such attacks may not constitute a use of force.

The second threat is cyberespionage. Data breaches are not just a risk, but a real bleeding wound for the United States, Europe, and other advanced economies. But espionage is not war, and cyberespionage is not cyberwar.

Finally, there is subversion—using social media and other Internet services to undermine established authority. It is not a surprise that subversives, from Anonymous and Occupy to Arab protesters, use new technologies. Twitter and Facebook have made organizing nonviolent protest easier than ever, often in the service of liberty and freedom. But again, subversion is not war, and cybersubversion is not cyberwar.

There are other problems with the concept of cyberwar. First, it is misleading. Closer examination of the facts reveals that what is happening is the opposite of war: Computer breaches are less violent than old-style attacks. Violent sabotage is harder if it is done through computers, while nonviolent sabotage is now easier and is happening more often: crashing websites, deleting files and so on. The same goes for espionage: Infiltrating software and opening remote back doors is much less risky than sending in human agents and clandestinely bugging embassy walls.

Talk of cyberwar is also disrespectful. Last year the U.S. Department of Defense considered creating a Distinguished Warfare Medal for drone operators and developers of computer attacks. Real combat veterans protested vehemently when they learned that the award would have ranked higher than the Purple Heart. Secretary of Defense Chuck Hagel then scrapped the idea. Ending or saving the life of another human is an existential experience; deleting or modifying data is not.

Talk of cyberwar also kills nuance. Intelligence agencies have started to take “cyber” seriously. By doing so, signals-intelligence agencies such as the U.S. National Security Agency and the U.K.’s Government Communications Headquarters, as well as human intelligence agencies, are updating their tradecraft for the 21st century. The West is beginning to have an overdue debate about what kind of intelligence activity is legitimate for a 21st-century democracy, and where red lines should be drawn. Drawing these lines requires subtlety. It is time for this debate to drop the prefix “cyber” and call a spade a spade: Espionage is espionage.

Finally, talk of cyberwar is in the interest of those with a harsher vision of the Web’s future. Many countries are tempted to take control of their “cyberspace.” Authoritarian states like to tweak their technical infrastructure, their national laws, and their firewalls to “protect sovereignty in cyberspace,” as they like to say—which in practice means protecting intellectual property thieves from foreign pressure and rounding up dissidents at home.

The armed forces need to stay focused on fighting and winning the real wars of the future. That’s hard enough. Let us not militarize the struggle for the free and liberal Internet today.

This article originally appeared in New Scientist.