At first sight, and against certain counterparties, cyber warfare has appeared and proved to be a phenomenally low-cost and low-risk tool of adversarial foreign policy. But while questions increasingly arise about exposure to reciprocal risk to the most heavily digitized knowledge- and data-based economy and society, it has become clear that the genie will never again return into its bottle. Strategic, legal, and political questions will not be dodged much longer. The very advantages of cyber warfare may easily and all too quickly be turned against a first mover, especially one as vulnerable as a highly digitized industrial state. Its use for asymmetric warfare increases attractiveness to non-state actors. And one of its arguably greatest potentials, the disruption of enemy economic functionality through disruption of payment systems, has regularly been vetoed in the interest of the integrity of the global system. It may appear that the philosophy underlying the Nuclear Non-Proliferation Treaty as well as treaties banning use of chemical and biological weapons may provide even stronger rationales in an understanding to ensure mutual non-aggression by digital electronic means between major and even mid-size powers.
Given the seriously increasing reluctance of U.S. voters and public opinion to countenance significant military engagements overseas, and given further the economic necessity to abandon former U.S. military doctrine of maintaining the capability of conducting two wars simultaneously at all times, demand for and attention to low-level engagement strategies such as drone warfare, special ops and cyber warfare has risen sharply, and with good reason. The events surrounding Stuxnet and the resulting partial temporary paralysis and setback of the Iranian nuclear program as well as targeted assassination of nuclear scientists have shown that, although low-level engagement cannot produce equivalency to boots on the ground (nor does it come at comparable cost), it is an increasingly important tool in any nation’s strategic and tactical arsenal. But it is also a double-edged sword: cyber warfare in particular takes advantage of an area of significant U.S. superiority (but also particular vulnerability) – and has been utilized already very successfully at low cost by the Obama administration and also by its predecessor. Yet it also raises important questions of homeland security and exposure of vital domestic infrastructure. Our nuclear experience has shown that technological leadership in strategic areas can be measured in years at best. This is all the more true for relatively low-cost weapons such as offensive digital technology and know-how. However, low publicity and evidentiary problems under international law make this an issue even middle and minor powers can ill afford to ignore and indeed have every motivation to use it in their need for asymmetric strategies. The following sketch showcases critical analysis and policy both in the offensive and defensive dimension.
First off, cyber warfare as a phenomenon of low-level engagement needs to be distinguished conceptually from the use of digital electronic technology on the conventional military battlefield. For example, much information is in the public domain about U.S. tactical use of digital technology during the Afghan war and prior to the 2003 operation against Saddam Hussein that took out critical parts of the Iraqi command-and-control system. But rather than those ancillary uses, low-level engagement strategies seek to obviate conventional military engagement with its attendant material and intangible cost and risks altogether.
It is estimated that at least two dozen states are developing capabilities for cyber warfare, including Russia, China (both considered leaders in sovereign-sponsored targeted attacks), the U.S., the U.K., France, Germany, Israel, Iran, North Korea, South Korea, Estonia, Denmark, Switzerland, Australia, India, Pakistan, Georgia, Azerbaijan, as well as NATO, to name just the most visible. U.S. cooperation within NATO and with Israel has proved to be most significant (including the joint U.S.-Israeli intelligence project dubbed “Operation Olympic Games” commenced under the administration of George W. Bush). In addition, corporations, individuals and terrorist groups have some or most of the resources to conduct operations similar in nature if not in size and quality. Specialized agencies have been created and tasked specifically with the agenda of cyber warfare, including USCYBERCOM (headed by the director of NSA), the British GCHQ (Government Communications Headquarters), the EU’s ENISA (European Network and Information Security Agency), departments of Russia’s Federal Security Service FSB, the Cyber Security Squad of the Chinese People’s Liberation Army, the Israeli IDF Operations Department, as well as other agencies in the same and other countries.
Whenever a ‘game changer’ of such caliber appears on the national policy horizon it behooves us to engage critical judgment and skepticism. Cyber warfare is no exception. The same mentality that considered nuclear confrontations “winnable” in the 1950s is now shining forth in much of the public talk about “conducting a combined arms campaign across all domains – land, air, maritime, space, and cyberspace.” Branches of the U.S. military establishment compete over who should get what share of this fight – and, more importantly, what share of the budget. Consequently, scaremongers abound, not least among security firms, but also among universities whose financing by taxpayers decreases, and IT companies that created unsafe hardware and software in the first place (including intended vulnerabilities that facilitate government access but can also be exploited by third parties). All these experts’ testimony is rife with examples of past events that did not quite happen as described (or happen at all), or, from a vantage point of looking at the actual science behind the hype, could not produce in realistic likelihood the fearsome consequences often attributed to them. But some reality remains to such concerns: India and Australia have legally prohibited inclusion of Chinese Huawei hardware in products manufactured or sold on their territory, while the U.S. tries to curtail exposure to vulnerabilities inherent in the global information technology supply chain.
The issues become particularly murky if the possibility (and, presumably, indeed reality) of occasional cyber activity against allies rather than opponents is taken into consideration. Even friendly governments are not always governed by politicians entirely in agreement with their allies’ leadership, and adding a little inconvenience or blackmail or digital sabotage may often present a temptation a government could find all too difficult to resist. Some evidence was believed to exist that the U.S. conducted a cyber operation against the executive office of the French president in the later days of Nicolas Sarkozy’s term.
Even less clear is the legal basis for cyber warfare. The foremost unresolved question there is attribution. From a forensic viewpoint, it is exceedingly difficult to trace a competently executed digital attack back to its perpetrator(s) with any even remotely acceptable degree of certainty that would suffice as evidence for invoking the new U.S. military doctrine that reserves the right to treat an attack in cyberspace as an act of war and respond to it by military means. First off, the vast majority of cyber attacks fail the definition of an act of war: it would have to be potentially violent, purposeful, and political. And, most of all, it needs to be attributable. Acts of economic or informational sabotage, distributed denial of service attacks or disruption of even vital infrastructure seldom if ever rise to this level. So perhaps the law of war needs a definitional upgrade? Can we continue to afford maintaining that there is a material difference between a blockade of harbors or airports of a sovereign state – a conventional act of war – and the blockade of government institutions, newspaper websites and bank payment systems? It is also common in the Kafkaesque world of cyber operations that attackers would act on a strong incentive of providing a false flag to implicate a third party as the perpetrator. In any event, lack of reliable attribution beyond a reasonable doubt raises difficult constitutional issues in many countries and particularly under international law, aside from the fact that events and techniques are developing faster than controlling legal authority can be developed virtually anywhere. Art. 26 Sec. 1 of the German constitution, for example, prohibits purely offensive capabilities, and no jurisprudence exists from its Constitutional Court. 
But then distinctions between offense and defense have long been blurred in cyberspace, as they have with the (logically indispensable) right to preventative self-defense in the context of numerous advanced technologies. What level of intrusive intervention triggers a state’s right to self-defense?
While taking credit for disruptive actions is usually a major prize to terrorist and other adversarial organizations, it is almost unheard of in the case of cyber hostilities. Stealth over the long term is absolutely key to most cyber operations on both the offensive and defensive side of the game, especially those aiming at activities over a lengthy period, which is substantially more difficult than causing a systemic shutdown that will result in a quick and likely adequate corrective response. Damage from even a catastrophic system shutdown caused by malware typically falls short of the considerably more complex objectives of intruders in strategically worthwhile targets. But even a non-destructive worm such as Duqu (nearly identical to Stuxnet but with a completely different purpose) could be equipped with a payload targeted at cyber-physical attacks based on its modular structure. Such malware is typically capable of evading current security software through rootkit functionality or other means, and is sometimes written in a proprietary, unknown high-level programming language. This is among the factors that suggest sovereign resources backing its author.
Attacks of any kind invite and legitimize retaliatory counterattacks. Countries that are to a greater extent ‘off the grid’ are less vulnerable than those with a greater dependence on cyber-controlled systems. America’s financial, energy and transportation infrastructure is likely the most vulnerable target globally today: air traffic control, train safety and logistics, urban traffic systems, pipelines, port operations, refinery sites, power stations, the electrical grid, financial exchanges and payment systems, bank and securities clearing, hospital logistics, news media and social networks are all extremely exposed to digital risks and vulnerable to attacks backed by sovereign resources. There is also the need to balance the cost of increased security against its frequently disproportionate opportunity cost, which can grow up to a point where basic operational necessities in a competitive environment would no longer be possible if “adequate” security were to be mandated. That is why Presidents Clinton and Bush both declined to use cyber warfare against banks maintaining accounts that supported both state and non-state adversaries. Of course it would be naïve to assume that avoiding an offensive precedent will long or even likely spare one the necessity of improving on a weak defense. Also, responses need not be symmetrical: while a retaliatory response by Iran for the Stuxnet attack is technically and tactically possible, it is strategically unlikely, as it would increase the likelihood of a conventional response that the regime would be unlikely to survive.
Cyber warfare is substantially more humane than conventional military operations. This aspect in and of itself justifies for any conventional force the development and maintenance of extensive expertly trained hacking units to extend its digital reach and capabilities. Depending on the level of the target’s dependence on digital communications, cyber warfare can lead to decisive checkmate situations on the economic and political battlefields, theoretically up to the total exclusion of any lethal action.
Examples of vital infrastructure include financial and commodity exchanges. They are networked and interconnected to an extreme. Some have argued that this state of affairs is irreversible. But all that is a matter of choice, really. Only in a very superficial analysis is society enslaved by technology. Our true serfdom consists of being beholden to finance to the extent we are – which is hardly news. Deconstructing digital interconnection would involve great expense but could nonetheless be worthwhile in the case of stock and commodities exchanges that have already been invaded by a plethora of illegitimate uses, even without counting hostile sovereign digital operations.
Offensive digital operations can – and often do – pursue strategies below the threshold of conflict. Manipulation of economic information and price levels, manipulation of the flow of political information (or restrictions thereof), or economic intelligence all fall short of sabotage in the proper sense that many will consider to qualify as an openly hostile act.
It should be noted that the Stuxnet operation took place in the general environment leading up to an American election. The ensuing “Obama leaks,” less aimed at preserving strategic advantage over the foreign adversary than over a domestic political competitor were, just like in the case of the announcement following the elimination of Osama bin Laden in Abbottabad, undoubtedly targeted also, if not primarily, at putting at a disadvantage a political rival who lacked a track record or proven capability in foreign affairs.
It should also be noted that the intelligence agencies of many countries routinely penetrate and probe foreign computer systems. Military-grade malware is characteristically developed years ahead of its actual use – but also years ahead of conventional software tools. Virtual “sleeper agents” are planted and maintained subject to activation at a later point in time, but also to test the target’s analytic and remedial defensive capabilities. Sometimes detection is actually desired as a warning, but in most instances it is not. Offensive tools today have a far shorter half-life than defensive measures. Yet the preparation of a highly effective stealth attack is not only resource-intensive but also typically very specific – not least to avoid collateral damage in other infected computer systems – and often can be activated only once.
Great danger follows from inevitable “dual use” of technology that cannot be safely contained even in the medium term: spillovers into the hands of corporate or private players are inevitable and have already occurred. Intrusions by camera-equipped small private drones or targeted assassinations by unmanned combat aerial vehicles may eventually render the protection tasks of the Secret Service virtually impossible. Equally likely is the development of a multitude of Cold Wars well below the threshold of conventional military confrontation. They can be used to inflict considerable economic damage yet avoid triggering major alliances. U.S. and NATO cyber warfare doctrine regarding offensive capabilities re-established conventional pre-1989 Cold War logic instead of focusing at a much higher level on defensive efforts. Whether this will prove adequate in light of the nature and level of evolving threats remains to be seen but is unlikely.
There is very little doubt that digital technology was, is, and will continue to be used for both strategic and tactical military purposes, both defensive and offensive in nature. But it is equally apparent that cyber warfare will cause a paradigm shift of as yet inestimable proportions. This is so because, on the one hand, cyber warfare has the potential of minimizing human casualties dramatically. On the other hand, it severely curtails the cost of operations that have the potential to weaken or impede decisively and even disable a prospective military adversary. As in other such cases of contemporary genesis, it is not the technology itself that will remain the real and paramount challenge, but rather the appropriate integration of technology with far-reaching military uses into the arsenal of an open society, and the maintenance of a tolerable balance between the potential of its digital resources and its values.
[This text has been adapted from my Working Paper Series article: Caytas, Joanna Diane, Cyber Warfare as a Superficially Tempting Low-Level Engagement Strategy (April 26, 2013). Available at SSRN: http://ssrn.com/abstract=2348852]