Cyberwar Is Already Upon Us
But can it be controlled?
In the nearly 20 years since David Ronfeldt and I introduced our concept of cyberwar, this new mode of conflict has become a reality. Cyberwar is here, and it is here to stay, despite what Thomas Rid and other skeptics think.
Back then, we emphasized the growing importance of battlefield information systems and the profound impact their disruption would have in wars large and small. It took just a few years to see how vulnerable the U.S. military had become to this threat. Although most information on cyberwar’s repercussions — most notably the 1997 Eligible Receiver exercise — remains classified, suffice it to say that their effect on U.S. forces would be crippling.
Cyberwar waged against one of America’s allies has already proved devastating. When Russian tanks rolled into Georgia in 2008, their advance was greatly eased by cyberattacks on Tbilisi’s command, control, and communications systems, which were swiftly and nearly completely disrupted. This was the very sort of online assault Ronfeldt and I had envisioned, with blitzkrieg-style operations on the ground augmented by a virtual "bitskrieg."
In some respects, the Russo-Georgian conflict illuminates the potential of cyberwar in a manner not unlike the way the Spanish Civil War foreshadowed the rising dominance of air power 75 years ago, offering a preview of World War II’s deadly aerial bombings. Like air warfare, cyberwar will only become more destructive over time. For that reason, the Pentagon was right last year to formally designate cyberspace as a "warfighting domain."
These developments align closely with our own predictions two decades ago. But another notion arose alongside ours — that cyberwar is less a way to achieve a winning advantage in battle than a means of covertly attacking the enemy’s homeland infrastructure without first having to defeat its land, sea, and air forces in conventional military engagements.
I have been bemused by the high level of attention given to this second mode of "strategic cyberwar." Engaging in disruptive cyberattacks alone is hardly a way to win wars. Think about aerial bombing again: Societies have been standing up to it for the better part of a century, and almost all such campaigns have failed. Civilian populations are just as likely, perhaps even more so, to withstand assaults by bits and bytes. If highly destructive bombing hasn’t been able to break the human will, disruptive computer pinging surely won’t.
Rid seems especially dubious about the potential for this form of strategic cyberwar. And rightly so. But there is ample evidence that this mode of virtual attack is being employed, and with genuinely damaging effects. The 2007 cyberwar against Estonia, apparently arising out of ethnic Russian anger over removal of a World War II monument, offered a clear example. The attack was initially highly disruptive, forcing the government to take swift, widespread measures to install security patches, improve firewalls, and make strong encryption tools available to the people. Estonia is small, but one of the world’s most wired countries; 97 percent of its people do all their banking online. Costs inflicted by the attacks — from business interruption and disruption to the need to erect new defenses — are estimated in the many millions of euros. A scaled-up version of this kind of cyberwar, to America-sized attacks, would cause damage in the hundreds of billions of dollars.
The Stuxnet worm, which struck directly at Iranian nuclear-enrichment capabilities, is another example of strategic cyberattack — what I prefer to call "cybotage." But will it achieve the larger goal of stopping Iranian proliferation efforts? Not on its own, no more than the Israeli air raid on the Osirak nuclear reactor 30 years ago ended the Iraqi nuclear program. Iraq’s pursuit of nuclear technology simply became more covert after the Osirak attack, and the same will surely hold true for Iran today.
A key aspect of both Stuxnet and the Estonian cyberattacks is that the identity of the perpetrators, though suspected, cannot be known with certainty. This anonymity is also the case with the extensive cybersnooping campaigns undertaken against sensitive U.S. military systems since the late 1990s — and against leading companies, too, some of which are seeing their intellectual property hemorrhaging out to hackers. A few of these campaigns have suspected links to China and Russia, but nothing is known for sure. So these actions, which to my mind qualify as a low-intensity form of cyberwar, have gone unpunished. Rid himself acknowledges that these sorts of attacks are ongoing, so it seems we are in agreement, at least about the rise of covert cyberwar.
My deeper concern is that these smaller-scale cyberwar exploits might eventually scale up, given the clear vulnerability of advanced militaries and the various communications systems that cover more of the world every day. This is why I think cyberwar is destined to play an increasingly prominent role in future wars. Yes, some cyberweapons do require substantial investment of resources and manpower, as Rid suggests. But once created, they can be used in ways that easily overcome existing defenses. Even for those exploits that don’t require significant resources, like the campaign against Estonia, the lesson remains clear: The advantage lies with those who take the offensive.
The challenge for cyberwarriors today lies in figuring out how to thwart these various cyberoffensives. This won’t happen if defenders remain dependent on a cyberspace-based version of the Maginot Line: the "firewalls" designed to detect viruses, worms, and other tools, and to keep attackers from intruding into and roaming about one’s systems. Like the original Maginot Line, which failed to protect France in World War II, the firewall is easily outflanked. Sadly, undue faith in this passive mode of defense means that, right now, far too much data can be found in fixed places, "at rest." This results in far too much data remaining at risk, easily located and targeted for extraction, manipulation, or destruction. Far better to move away from dependence on firewalls to the ubiquitous use of strong encryption, which protects data with unbreakable codes, and "the cloud," the vast expanse of cyberspace in whose far reaches data can be safely secreted and then swiftly summoned back when needed.
A final aspect of cyberwar that Ronfeldt and I began contemplating so long ago — virtual conflict in the form of society-wide ideological strife — is also coming to pass. Such virtual operations, we wrote back in the early 1990s, would one day extend to "efforts to promote dissident or opposition movements across computer networks." Clearly, we have seen this form of conflict take shape in the "color revolutions" of the past decade and most recently in the Arab Spring; in both cases, the impact of political activism was greatly enhanced by cyber-enabled social networking tools and sites. If there is to be more cyberwar in the future, better it should be what we called "social netwar" than the alternatives.
So, yes, cyberwar has arrived. Instead of debating whether it is real, we need to get down to the serious work of better understanding this new mode of war-fighting, which has been enabled by an information revolution that has brought so much good to the world, but which at the same time heralds an age of perpetual conflict. What we really must ask is: Can cyberwar be controlled? Rid implies that international cooperation to do so is doomed, but I’m not so sure. Pledges not to employ cyberattacks against purely civilian targets, for example, may be genuinely worthwhile — at least for nations, if not for shadowy networks. But networks, too, may come to follow some kind of code of behavior. Even the loosely linked cybervigilante group Anonymous takes considerable pains to explain the rationales for its actions.
So here’s hoping that, amid the looming havoc of cyberwars to come, there will also be prospects for cyberpeace.