And an attack like Stuxnet is very much one of a kind. More typical is the attack last year against Saudi Arabia’s national oil company, ARAMCO, by a group of hackers calling themselves the “Cutting Sword of Justice.” In one of the most destructive hacker strikes yet leveled against a single company, 30,000 ARAMCO computer workstations were shut down and their data deleted. But, Rid points out, it was entirely nonviolent, and it did not affect oil production.
“It was a massively efficient act of sabotage, because the company was not able to operate at the office level for an entire week,” said Rid. “But not a single person was hurt.”
In a sense, Rid’s argument is about terminology. For a cyberattack to qualify as war, he argues, it needs to be physically violent or at least potentially so—otherwise, the word “war” is simply a metaphor, like the “war on poverty.” It needs to be instrumental, forcing a change in behavior. And it needs to be political, in the sense that the instigator of an attack takes responsibility for it and makes it clear why it was carried out.
Calling digital attacks “war,” he argues, wrongly equates computers with traditional military weapons. “Code can’t explode, plain and simple,” he says. “So you have to weaponize a target system, be it an airplane, a pacemaker, a power plant, something else.” Any successful digital attack must be highly tailored, requires quality intelligence, and only becomes “war” if the end result is something we’d acknowledge as an act of war.
To call it “warfare” from the outset is to suggest that computers are just the latest weapon in mankind’s arsenal, which demand a response in the form of a counterattack. The potential for escalation is a real threat. Earlier this year, the Department of Defense released the findings of a task force that suggested that the United States could justifiably retaliate for a cyberattack with nuclear weapons, at least if an attack proved existentially threatening, such as one that would destroy the nation’s infrastructure.
Rid doesn’t discount the prospect that cyberattacks could cause real physical damage. He believes, in fact, that in the next few years we will see the first lethal cyberattack. “What is a worst case scenario, or a really bad scenario?” Rid asked. “We could have a dam incident, possibly, that costs human lives. That hasn’t happened in the past, but it could happen. We could have a blackout in a city or in a region that would be caused by some sort of computer attack. But if that happens that will probably remain the exception.”
It’s not hard to find critics of Rid’s cautionary perspective. To people who define warfare as any aggressive action taken against a state by another state, or even by a nonstate actor, digital warfare is a natural evolution in how we understand human hostility.
Rid “has a very narrow definition of ‘warfare,’ which is basically limited to bullets and bombs and deaths,” said Andrew Ruef, who works on research and development on computers and information systems for Trail of Bits, an information security company. “Obviously, if you phrase things this way, then of course a cyber ‘war’ is impossible unless there are armies of hacked robots with guns.”
Major Paulo Shakarian, a professor at West Point and the author of the recently published “Introduction to Cyber-Warfare: A Multidisciplinary Approach,” applies what he calls a “Carl von Clausewitz approach to cyberwar.” Invoking the famous strategist’s tenet that “war is an extension of politics by other means,” Shakarian said, “It’s no different in cyberspace. It doesn’t have to involve a certain type of violence.”
Rid’s critics do agree that there’s a degree of hype to dire visions of “cyberwar.” But they also believe that the ability to create viruses and other types of detrimental software is becoming more widespread, and that our defense forces need to keep pace. Eventually, the knowledge and capability to launch cyberattacks will fall into more dangerous hands than those of hackers hired by the Chinese state. When that happens, they say, it won’t seem so farfetched—and we may even be grateful—that the military is in the lead.
Coming on the heels of the successful Stuxnet attack, the recent NSA leaks only make clearer that the defense establishment sees cyberspace as a new theater of war. Observers are moving to formalize rules for thinking of cyberoperations as war, including the publication this year of the Tallinn Manual. Created by a group of legal and military experts hosted by NATO, the manual attempts to apply international rules of war to the cyber realm, implicitly positioning these new attacks as extensions of conventional warfare.Continued...