Published daily by the Lowy Institute

Is there such a thing as cyberwar?

Is there such a thing as cyberwar?
Published 27 Sep 2013 

Ian Wallace is a visiting fellow in the Center for 21st Century Security and Intelligence at the Brookings Institution and previously a senior official at the British Ministry of Defence, where he helped develop UK cyber strategy.

Darragh Murray may be surprised to learn that I share several of the concerns he lays out in his riposte to my piece on the potential for greater cooperation between the ‘Five Eyes’ in the realm of military cyber operations. It might be helpful to clarify a few misunderstandings, as well as addressing Darragh's questions.

First, just to be clear, I do not believe we are currently in a ‘cyberwar’. In fact, quite the opposite. As I have written previously, I believe such talk is dangerous.

Equally, I agree that we need to be careful about falsely applying the term ‘war’ to what happens in cyberspace. One of the most interesting writers on this subject is King’s College, London’s Thomas Rid, the author of a new book called Cyber War Will Not Take Place. As Rid set out at a recent event at the Brookings Institution, his main target is on the notion of ‘cyberwar’ as something set apart from more general war.

His essential argument, following Clausewitz, is that ‘war’ by definition must be 'violent, instrumental and political'. It follows, then, that not only has cyberwar never happened, but it is also unlikely to happen in the future. Instead, he argues we should focus more on espionage, sabotage and subversion in addition to more general cyber crime.

Not everyone agrees with Rid. Perhaps the most significant criticism of his position is that it is based on a very Western conception of war, ignoring for example a long Chinese tradition that includes more ‘indirect’ methods like economic warfare. The two sides of this debate were well captured in a recent debate in The Economist between Rid and US cybersecurity expert Richard Bejtlich. [fold]

Personally, I tend toward the view that we should reserve the term ‘war’ for when people get hurt (which is, I admit, a gross simplification of Rid’s position and that of Clausewitz, but not an entirely flippant one). My concern, however, is that by focusing on debunking the popular notion of ‘cyberwar’ as a separate, stand-alone phenomenon, there is a risk of drawing attention away from two more practically pressing public policy questions.

The first of these (which I will park for another day) is: how should governments deal with cyber acts that have a national security impact (espionage, sabotage and subversion, if you will) but which fall below the threshold of ‘war’, especially when the perpetrators are based overseas and often beyond the reach of law enforcement?

The second is: how should governments prepare for the fact that whether or not standalone ‘cyberwar’ will happen, cyber capabilities are almost certain to be used alongside more conventional capabilities when wars are fought, possibly as the opening salvo? More specifically, how do they reconcile the fact that modern wars are usually coalition affairs, and yet cyber capabilities are often highly classified and dependent on sensitive ‘eyes only’ intelligence? It is this second dilemma that inspired my original post.

Darragh is, of course, right to be sceptical about overblown claims for new military technologies. However, I stand by my view that cyber is a game-changer. This is not to argue that cyber capabilities can win wars on their own any more than the strategic bombers of World War II could defeat the Axis Powers on their own. But they do offer a new set of opportunities (and challenges) for future commanders to factor into their planning.

Providing specific examples of how cyber capabilities have already been used to support military operations is fraught with challenges, especially the highly classified nature of much of the subject. However, the former ISAF Commander in South West Afghanistan, Lt Gen Richard Mills (and at the time Commanding General, Marine Corps Combat Development Command) spoke with unusual frankness about Regional Command South West’s use of cyber capabilities against the Taliban in 2010. The speech is well worth watching; his experience is not, of course, unique.

It is not wrong to envisage and plan for innovative new uses of cyber capabilities. All modern militaries are increasingly dependent on information systems, not just for communications but also to operate equipment. This so-called ‘cyber-physical convergence’ offers major and novel opportunities to operators on both sides of a conflict. This includes giving commanders new and hopefully better options for delivering their missions.

Imagine, for example, if a commander had the option to disable a particular air defence system that she might not have wanted to attack with conventional weapons because it had been, say, deliberately placed near a hospital or close to a strategically significant bridge.

Nor is it wrong to recognise that cyber capabilities have the potential to extend the battlespace right back to the homeland. Information technologies continue to proliferate across modern societies. And with everything from cars to industrial control systems connected to the internet (the so-called the ‘internet of things’) it is right to be concerned about what a determined and well-prepared adversary could do.

So while I tend to agree with Darragh about the risks of being seen to ‘militarise’ our approach to internet security, I do not think this should paralyse us into failing to address the military potential of this new area.

The essential point here is that we do not yet know exactly where developments will take us. At least three points are clear, though. First, as in previous eras of military innovation, the militaries that experiment and innovate (including organisationally) are likely to come out on top. Second, because being prepared for warfighting in a cyber context will require sensitive intelligence for effective targeting, cyber will remain closely linked to national signals intelligence organisations, thus complicating international cooperation. And third, for political if not military reasons, most of the future wars we fight will be within coalitions.

Reconciling these various strands will take time. But looking at the issues together, it is difficult to think of a set of international partners better placed than the Five Eyes to start that thinking process – hence my original post.

Photo by Flickr user jronaldlee.



You may also be interested in