Cyber Attacks, Real or Imagined, and Cyber War

Assorted “cyber attacks” have attracted much attention in the past few months. One headline in this genre recently proclaimed “Anonymous Declares War on Orlando.” This is wrong on so many levels that it almost defies analysis. A more precise accounting would show that there have been no cyber wars and perhaps two or three cyber attacks since the Internet first appeared.

The most ironic example of hyperbole catching itself involves the new Department of Defense Cyber Strategy, which says that the United States reserves the right to use military force in response to a cyber attack. Since many reports call everything—pranks, embarrassing leaks, fraud, bank robbery, and espionage—a cyber attack, the strategy led to expressions of concern that the United States would be shooting missiles at annoying teenage hackers or starting wars over Wikileaks. In fact, the strategy sets a very high threshold that is derived from the laws of armed conflict for defining a cyber attack. Nothing we have seen this year would qualify as an attack using this threshold.

Only by adopting an exceptionally elastic definition of cyber attack can we say they are frequent. There have been many annoyances, much crime, and rampant spying, but the only incidents that have caused physical damage or disruption to critical services are the alleged Israeli use of cyber attack to disrupt Syrian air defenses and the Stuxnet attacks against Iran’s nuclear facilities. An extortion attempt in Brazil against a public utility may have backfired and temporarily disrupted electrical service. A better way to identify an attack is to rely on “equivalence,” where we judge whether a cyber exploit is an attack by asking if it led to physical damage or casualties. No damage, no casualties, means no attack.

Many militaries are developing attack capabilities, but this is not some revolutionary and immensely destructive new form of warfare that any random citizen or hacker can engage in at will. Nations are afraid of cyber war and are careful to stay below the threshold of what could be considered under international law the use of force or an act of war. Crime, even if state sponsored, does not justify a military response. Countries do not go to war over espionage. There is intense hostile activity in cyberspace, but it stays below the threshold of attack.

The denial-of-service efforts against Estonian and Georgian websites in 2007 and 2008 were not attacks. The Estonian incident had a clear coercive purpose, and it is worth considering whether the denial-of-service exploit against Estonia could have become the equivalent of an attack if it had been extended in scope and duration. The exploits against Georgia, while undertaken with coercive intent and closely coordinated with Russian military activities (and a useful indicator of how Russia will use cyber warfare), did no damage other than to deface government websites.

The recent escapades involving groups like Anonymous or Lulzsec do not qualify as attacks. Anonymous and Lulzsec did not disrupt critical operations of the companies or agencies they struck. There was embarrassment, but no damage, destruction, or casualties. These were political actions—cyber demonstrations and graffiti—spun up by media attention and copycatting.

Some nations—Russia in particular—argue that political actions are in fact the core of the new kind of warfare, and the issue is really “information warfare” rather than “cyber warfare.” They have said that information is a weapon and that the United States will exploit the Internet to destabilize governments it opposes. Information is a threat to authoritarian regimes, and they want to limit access to websites and social networks. This effort to extend cyber attack to include access to information, however, makes little sense. It distorts long-standing ideas on warfare and military action by disconnecting them from the concept of the use of armed force and violence. The use of force produces immediate physical harm and is central to defining attack and warfare. The concept is incorporated in elements of the UN Charter and the Hague and Geneva Conventions. Publishing or sharing an idea is not the use of force. Though an expanded definition of warfare may serve the political interests of authoritarian regimes, it is not an accurate description of military action or attack.

There are countries that could launch damaging cyber attacks. At least 5 militaries have advanced cyber-attack capabilities, and at least another 30 countries intend to acquire them. These high-end opponents have the resources and skills to overcome most defenses. Just as only a few countries had aircraft in 1914 but most militaries had acquired them 10 years later, every military will eventually acquire some level of cyber-attack capability. Cyber attacks will likely be used only in combination with other military actions, but they will be part of any future conflict. We can regard them as another weapons system with both tactical and strategic uses, similar to missiles or aircraft that can be launched from a distance and strike rapidly at a target.

Stuxnet, for example, was a “military grade” cyber exploit and a precisely targeted alternative to an airstrike on Iranian nuclear facilities. It did less damage than an air attack but avoided distressing photos of burning buildings and claims of civilian casualties. The political effect on the Iranian people was negligible, while an airstrike would have prompted an emotional reaction. Military planners now have an additional system to consider in their portfolio of weapons and attacks, which offers a new and attractive combination of effect and risk.

The Aurora test at the Idaho National Labs and the Stuxnet worm show that cyber attacks are capable of doing physical damage. Leading cyber powers have carried out network reconnaissance against critical infrastructure in preparation for such attacks. But these infrastructure are the most dangerous form of attack, and therefore hold the most risk for the attacker. At the onset of conflict, attacks that seek to disrupt and confuse are more likely than infrastructure attacks. Cyber warfare will begin with the disruption of crucial networks and data and seek to create uncertainty and doubt among opposing commanders. The goal will be to increase the Clausewitzian “fog of war.” This “informational” aspect of cyber war, where an opponent might scramble or erase data or insert false information to mislead an opponent, is a new and powerful military tool.

The Battle of Britain is a historical example of this kind of warfare. If the Germans had first destroyed the relatively simple network of sensors, control facilities, and communications systems used by Royal Air Force Fighter Command to maneuver defending aircraft, it would have seriously degraded British air capabilities and made ultimate success much more likely. They did not because they did not fully realize how warfare had changed to emphasize the importance of these intangible assets. Exploiting signals, data, and communications had become essential for military superiority. Future warfare between advanced opponents will begin with efforts to degrade command and control, manipulate opponent data, and misinform and confuse commanders (accompanied by electronic warfare actions, along with kinetic strikes on communications networks and perhaps satellites). Cyber exploits will be the opening salvo and a short-notice warning of impending kinetic attack.

Strikes on critical infrastructure carry a higher degree of risk for the attacker if they are used against targets outside the theater of military operations or in the opponent’s homeland. An attack on the networks of a deployed military force is to be expected. Attacks on civilian targets in the opponent’s homeland are another matter and may escalate any conflict. Military planning will need to consider when it is beneficial to launch cyber attacks that damage critical infrastructure in order to strain and distract the opposing political leadership, and when it is better to limit any cyber strikes to military targets in theater.

This is one area where cyber attack, because of its global reach, may resemble nuclear war. Just as the U.S. Single Integrated Operations Plan and other documents listed and prioritized targets for nuclear weapons, based on satellite and other forms of reconnaissance, an astute cyber planner will identify and prioritize targets for cyber strikes under different conflict scenarios.

A full-blown, no-holds-barred cyber attack against critical infrastructure and networks might be able to reproduce the damage wrought by Hurricane Katrina, with crucial services knocked out and regional economic activity severely curtailed. While Katrina brought immense suffering and hardship, it did not degrade U.S. military capabilities and would not have led to a U.S. defeat. Multiple, simultaneous Katrinas would still not guarantee victory and could risk being seen as an existential threat that would justify a harsh kinetic response. There are many examples of militaries attacking targets that were irrelevant to success and only inflamed the opponent, so we cannot rule out such attacks (which could be very appealing to terrorist groups, should they ever acquire the ability to launch them), but no one should believe that this is a decisive new weapon. The only “decisive” weapons ever developed were nuclear weapons, and even then, many would have been needed to overcome an opponent.

Pure cyber war—“keyboard versus keyboard” or “geek versus geek”—is unlikely. Cyber attacks are fast, cheap, and moderately destructive, but no one would plan to fight using only cyber weapons. They are not destructive enough to damage an opponent’s will and capacity to resist. Cyber attacks will not be decisive, particularly against a large and powerful opponent. The threat of retaliation that is limited to a cyber response may also not be very compelling. Cyber attack is not much of a deterrent.

Deterrence uses the implied threat of a damaging military response to keep an opponent from attacking. “Cross-domain” deterrence (where a cyber attack could result in a kinetic response) works at some levels—no nation would launch a cyber-only attack against the United States because of the threat of retaliation. But deterrence does not stop espionage or crime because these actions do not justify the use of military force in response. Since our opponents stay below the threshold of war, this limits what we can “deter.”

In the future, even this limited deterrence may not work against terrorist groups or irresponsible nations like Iran or North Korea. For nonstate actors, such as terrorists, it is hard to make a credible threat, since they lack cities and infrastructure to hold hostage and can be willing to commit suicide in an attack. Nations such as Iran and North Korea may have a very different calculation of acceptable risk, being willing to do things that strike other nations as insanely risky (as when North Korea torpedoed a South Korean patrol boat). Iran, North Korea, and others may miscalculate the reactions of the West to a limited cyber attack. When these less deterrable actors acquire advanced cyber capabilities, the likelihood of cyber attack will increase.

A century ago, armies discovered that technology could be the key to victory. Since then there has been a steady stream of new weapons, new technologies, and new ways to attack. Perhaps it is best to see the Internet and cyber attack as the latest in a long line of technologies that have changed warfare and provided new military capabilities. We have only begun to explore the uses of this new capability, and as the world becomes more dependent on networks and computer technology, the value and effect of cyber attack will grow.

James Andrew Lewis is a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2011 by the Center for Strategic and International Studies. All rights reserved.