One of the most alarming visions of modern warfare, and one high on the Pentagon’s list of worries, is a catastrophic digital attack. For all we know, it could be heading for us right now.
The prevailing image of full-blown cyberwar resembles a trailer for one of those summer blockbusters where the White House and Brooklyn Bridge explode. Planes would crash in the air; nuclear power plants would melt down. Aging world leaders and army commanders would find their pacemakers hacked. Defense Secretary Leon Panetta offered a few more possibilities in an October 2011 speech: “An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals,” he said. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” As Panetta described it, we are facing no less than the threat of an eventual “cyber Pearl Harbor.”
With this in mind, the defense establishment is bringing massive resources to the emerging fight. One of the documents leaked recently by Edward Snowden, the former National Security Agency contractor, was a budget for US cyberoperations. The scope and ambition are staggering. In 2011 alone, US intelligence services carried out 231 offensive cyberoperations, according to The Washington Post, where the revelations were published, including a $652 million program code-named GENIE, in which a staff of 1,870 US computer specialists broke into foreign networks and put them under surreptitious US control. The goal is to keep America ahead in the arms race against aggressive, cyber-savvy adversaries like China.
But in this march toward putting the nation on a new kind of war footing, a critique is emerging: We are making a mistake in thinking of cyberattacks as a form of war at all. The most powerful voice on this front is Thomas Rid, a German-born professor in the Department of War Studies at King’s College London and a fellow at Johns Hopkins University’s School for Advanced International Studies.
Rid, who has written books on the changing nature of warfare and counterinsurgency, believes we’re living at a moment of cyberwar hype—not unlike the fears of a domino effect or a “missile gap” that drove the excesses of the Cold War. In a new book, provocatively titled “Cyber War Will Not Take Place,” he argues that what we have seen so far in the cyber realm can’t properly be classified as war at all. And, he and his allies suggest, in thinking of it that way, we’re creating new international hazards and diverting attention from changes that might actually keep us safe.
“If we call something war, the instinct is that the military should really be in charge,” Rid said. “And that’s actually taking place. People are claiming responsibility because it’s a new form of military conflict. But if you say it’s not actually military conflict, it’s not war in any sensible way, then you raise questions about whether the Department of Defense should really be responsible for this.”
Rid represents one pole of an emerging debate, as the world’s policy establishment grapples with how to think about virtual attacks. One side believes that to downplay them is dangerously naive—that this latest weapon of war has to be treated with the same seriousness as conventional arms, even nuclear weapons. An international effort is now underway to codify international rules of war as they apply to cyberattacks, placing them on a continuum with conventional warfare.
Rid’s side of this debate, which includes both experts on cybersecurity and those given the task of designing the new “weapons” for cyberspace, argues that although the threat is real, in overstating it we’re helping create a new kind of global risk. Framing cyberattacks as acts of war has already fueled escalation, as countries like Iran and China invest in their own offensive cyberwarfare capabilities. And the military’s enthusiastic embrace of this new theater of war, stoked by public fear, could have dangerous consequences. The United States is already launching hundreds of attacks, not visible to most people, which could easily become the triggers for responses that move quickly and uncontrollably outside the virtual realm.
RID HAS STUDIED the increasing advance of military forces into cyberspace in his own research and for influential think tanks like the RAND Corporation. He sees little evidence that attacks in the digital realm merit the name of “war.” Even the most sophisticated known cyberattack, the Stuxnet virus, meant to undermine Iran’s nuclear enrichment capabilities, led to no loss of life; no one claimed responsibility, though the virus is widely thought to have been the work of the United States and Israel. Rid would call it an act of sabotage—aggressive for a state action, yes, but falling considerably short of warfare.