Monday, June 09, 2008

Notes on Cyberwarfare

I don’t know about you, but I often see news stories and features that talk about cyber-warfare.

They seem generally to fall into two categories: (i) those that, IMHO, grossly exaggerate the likely nature and consequences of cyberwar; and (ii) those that take completely the opposite approach and essentially deny it’s possible.

Those in the latter category often tend to characterize those in the first category as people who are spreading hype about cyberwarfare because they have a stake in its being a risk, i.e., they are in the business of providing services that at least arguably can help businesses and other prospective victims defend themselves.

I have no idea what motivates those in either category. I tend to assume people are sincere, so I’m going to assume both camps really believe what they say and have some legitimate basis for saying it.

What I find interesting is the categorical nature of both claims. I see these diametrically opposed (impending disaster vs. complete hype) positions on cyberwarfare as similar to positions some people (perhaps some of the same people) take on cyberterrorism.

As I noted in an earlier post, I wonder if the completely analogous and equally diametrically opposed positions some people take on cyberterrorism isn’t the function of definitional or other problems. As I wrote in that
earlier post, I think the disconnect between those two camps might lie in mischaracterizing what cyberterrorism is likely to be. As I noted then, I do not subscribe to the “Digital Pearl Harbor” school of thought either for cyberterrorism or for cyberwarfare.

I take issue with those who completely dismiss the possibility of cyberterrorism and/or cyberwarfare because I do not see why computer technology – like other, antecedent technologies – cannot be employed in the commission of terrorist acts and/or the waging of war. I agree with them that claims which tend to equate a cyber-attack of either type with the kind of attacks we have seen in conventional warfare – Hitler’s invading Poland, the Japanese bombing of Pearl Harbor and my own country’s invading Iraq – are wrong.

In my
earlier post I explained why I think such claims are wrong with it comes to cyberterrorism. Here, I want to talk a bit about why I think they are equally wrong when it comes to cyberwarfare; at the same time, I want to make it clear that I also reject the “Digital Pearl Harbor” theory of cyberwarfare.

I’m not going to go into great detail as to how I analyze cyberwarfare, both because of the limited space I have here and because I have written about it elsewhere. What I want to do here is essentially note two things: One is why, IMHO, we have the conflicting camps I noted above; the other is to offer a little speculation about what I think cyberwarfare may look like.

In analyzing the reasons for the totally divergent views I outlined at the beginning of this post, I want to begin with the naysayers. Their comments may be, in whole or in part, an understandable reaction to what they see as disingenuous, venal hype. While I would still not agree with everything they say, I would take no issue with the reaction, as such. But even if the naysayers’ comments are a product of a justifiable reaction to what they see as exploitive self-interest, their argument is necessarily predicated on the notion that cyberwarfare is a sham, a nullity, a nonstarter. I disagree with that.

As I wrote in that earlier post, I think it is foolish to assume that new technologies cannot and will not be used to wage warfare. I was thinking about that: It seems to me that the denial of cyberwarfare is reminiscent of the post-World War I U.S. military’s denying that airplanes could ever play an important role in warfare. As you may know, General Billy Mitchell met tremendous opposition when he tried to convince the U.S. Army, Navy and War Department that airpower would be tremendously important in future conflicts. They didn’t buy it, and he wound up leaving the military.

I do think it’s difficult to conceptualize how computer technology can be used in warfare. I find the U.S. military’s opposition to General Mitchell’s arguments astonishing because it had already become apparent, during World War I, that aircraft could play an important role in combat. Winston Churchill, who spent some time in the trenches on the Western front during World War I, saw that very clearly.

We don’t have that initial, albeit limited, experience to guide our conceptualization of how computer technology can be used in future combat, of whatever type. I say “of whatever type” because I think (and argued in an article published last year) that cyberwarfare as such will be a very different beast. I should clarify: By cyberwarfare, as such, I’m referring to scenarios in which computer technology plays the primary, if not the sole, role in implementing combat. I am not talking about what is already occurring, i.e., computer technology’s being used to wage conventional, real-world warfare. (As I’m sure everyone knows, the U.S. military, along with many or most others, is highly reliant on computer technology for various things.)

It’s already clear that cyberwarfare, as such, will be different from traditional warfare in several respects: For one thing, it will take place in virtual, rather than real, space; that means we will not literally be talking about physical invasion of one state’s territory by armies and weapons owned and acting on behalf of another state. We will, no doubt, at least in a sense be dealing with a virtual invasion . . . bits and bytes coming across virtual frontiers (insofar as they exist) to wreak “harm” of varying types on the territory controlled by another state. But the initial assaults won’t look anything like the bombing of Pearl Harbor, and that may mean it will be difficult to tell when a state is at war.

I’m sure everyone is familiar with what happened a year ago in Estonia. Estonia was the object of sustained DDoS attacks and believed the attacks were cyberwarfare launched by Russia. I think there was reason to question whether it really was cyberwarfare, but I can understand why the Estonian authorities reached that conclusion. Aside from some issues they’d very recently had with Russia, there was the fact that a whole country came under attack. That’s historically been a defining characteristic of war: Crime (and terrorism) targets individual people and buildings; war targets the territory and the very viability of states.

I suspect, though, that cyberwarfare will not look like the traditional, zero-sum notion of warfare. It is already apparent that cyberwarfare will not be limited to a conflict between the military forces of the opposing states (and I’m assuming, for the moment, that the conflicts will be between two states, since that is our conception of warfare) but will certainly involve civilian targets and will probably involve civilian participation in the process of waging war, as well.

How can it be otherwise? Our conception of war and the laws we have developed to govern the waging of war (“combatants” versus “non-combatants”) assume concurrent conflict in a physical space, conflict waged by designated cadres of warriors equipped with specialized weapons and identifying insignia. To me, that conception does not make sense for cyberwarfare. There are no territorial boundaries and while countries are developing dedicated cadres of cyberwarriors, I do not see how cyberwarfare can conform to the simultaneous, sustained-until-one-side-prevails model of war.

That model evolved from and assumes a physical struggle for a specific, zero-sum objective: One side wants to take the bridge or the territory or the city or whatever, and the other side doesn’t want them to. That model simply doesn’t make sense to me when we start dealing with conflict in cyberspace.

As I have written, I think conflict in cyberspace will be sporadic (focused on particular targets for the purpose of achieving specific, limited objectives) and diffuse (will focus, more or less simultaneously or, more probably, sequentially on a variety of smaller targets). I also think it will not be designed to achieve a specific, all-or-nothing objective. Instead, I wonder if it won’t take the form of eroding the enemy state’s ability to . . . do what? To withstand attacks? To survive as a viable entity? To survive as a viable and extremely competitive state?

I have no crystal ball, so I cannot answer those questions. I think that one of the most important things we can do right now is to think about these and other questions. We are in a situation far more complex and difficult than that which confronted the U.S. military after World War I: They only had to grasp the inevitability of aircraft as a new instrumentality for waging traditional warfare. We have to figure out what moving war into cyberspace can really mean.

Before I end this terribly inconclusive post, I want to note one more thing (which I’ve already written about): Another difficulty with cyberwarfare is, as many people have noted, attribution. How do you tell when a cyberassault is (i) crime, (ii) terrorism (which is generally a type of crime) or (iii) war?

No comments: