Two years ago this week, as another Veteran’s Day approached, I wrote:
If there’s a word that’s becoming overused in national security affairs, it’s “cyber.” Not on the level of “epic fail” or other phrases, I grant you, but as a prefix, it’s starting to become nonsensical.
I am nothing if not prescient.
Since then, the “cyber” prefix has spun out of control, with cyber-warriors at cyber-command engaging cyber-enemies in cyber-warfare, after which we shall presumably see cyber-babes cheer on the cyber-veterans in cyber-parades with their cyber-medals. But we won’t have to go to the parades, since we’ll watch it all on Google Glass, which is what we’re apparently all going to be doing soon instead of dating, mating, and procreating, like any other mammalian species.
Now, finally, comes Thomas Rid, a German-born professor of war studies in the UK, to rekindle this debate. It took a younger German — irony alert — to explain to Americans what “war” means, in a new book whose title does not leave you grasping for his meaning: Cyber War Will Not Take Place.
A profile in the Boston Globe summed it up nicely:
Calling digital attacks “war,” Rid argues, wrongly equates computers with traditional military weapons. “Code can’t explode, plain and simple,” he says. “So you have to weaponize a target system, be it an airplane, a pacemaker, a power plant, something else.” Any successful digital attack must be highly tailored, requires quality intelligence, and only becomes “war” if the end result is something we’d acknowledge as an act of war.
Of course, military traditionalists love this kind of talk. For the record, I am not one of them. During the years I spent teaching in and chairing the Strategy Department at the Naval War College, I have dutifully taught the writings of Clausewitz (material I first learned as Jeane Kirkpatrick’s teaching assistant, so I studied with one of the Old Masters), but always with skepticism and with a warning not to fetishize the works of an early 19th century Prussian.
Indeed, if you want to see a good example of that kind of fetishism, here’s one of Rid’s critics in the Globe piece:
Major Paulo Shakarian, a professor at West Point and the author of the recently published “Introduction to Cyber-Warfare: A Multidisciplinary Approach,” applies what he calls a “Carl von Clausewitz approach to cyberwar.” Invoking the famous strategist’s tenet that “war is an extension of politics by other means,” Shakarian said, “It’s no different in cyberspace. It doesn’t have to involve a certain type of violence.”
With all due respect to the Major: yeah, it kinda does. This is cherry-picking Clausewitz, whose works actually provide a good reminder that war is more than hostility, it’s actual violence. (Not “cyber” violence. The real, getting dead kind of violence.)
And here, Rid is on to something essential: people have to die in wars. Lots of them. Saying that “a lot of people were massively inconvenienced” or “billions of dollars were looted and lost” is not the same thing. Consider this discussion in the Globe article of the 2012 attack against Saudi Arabia’s national oil company, ARAMCO, by a group of hackers calling themselves the “Cutting Sword of Justice:”
In one of the most destructive hacker strikes yet leveled against a single company, 30,000 ARAMCO computer workstations were shut down and their data deleted. But, Rid points out, it was entirely nonviolent, and it did not affect oil production.
“It was a massively efficient act of sabotage, because the company was not able to operate at the office level for an entire week,” said Rid. “But not a single person was hurt.”
Now that’s a cyberattack.
My students, especially the younger ones at Harvard Summer and Extension, where I teach a course on the “Future of War,” sometimes object to this, arguing that a massive blackout, for example, is “terrorism” or even “war.” (This, of course, leads me immediately to tease them that they naturally think of any disruption in their constant connection to the internet as “terrifying.”) I call those actions sabotage, economic attacks, espionage…in other words, all the perfectly good words we had for those things before computers.
Think of it this way. We’ve all celebrated how the U.S. (or so President Obama, I guess, has admitted) stuck a virus, STUXNET, into Iran’s nuclear research facilities, and slowed down Iran’s march towards a nuclear bomb. Cyber-attack! And cyber-success!
I’m a James Bond fan. I kind of like the opening of Goldeneye, the first Brosnan film (take your “Connery is God” arguments elsewhere), in which 007 and 006 sneak in and blow up a Soviet chemical weapons factory out in the middle of nowhere:
What’s the difference between STUXNET and 007? I don’t see much. In both cases, agents of one power conduct espionage and sabotage against facilities of an enemy power in a way that allows deniability. (Or as the major powers of planet Earth would call it, “Tuesday.”) Why does a using a computer instead of a vodka-soaked secret agent make it different?
Spoiler Alert: It doesn’t.
My military students sometimes make a better case, but along the same lines: what if someone attacks the computer systems that control the defense of the United States? What if someone tries to squirrel around with the stuff that lets the President communicate with important parts of our defense, like, say…oh, I don’t know…our nuclear weapons?
In that case, boys and girls, ladies and gentlemen, we already have a word for what’s going on: war.
No one in Moscow or Beijing is going to wake up one morning and say: “Let’s cripple STRATCOM and see what happens.” That’s mighty serious business, and if it’s going to be done, you can be sure that we’re either already in a shootin’ war, or soon to be in one.
Yes, cyber-attacks — that is, computer attacks on other computer systems — can get people killed. (Hey, we all saw Live Free or Die Hard, we know that messing up traffic lights and causing blackouts can kill people. It’s already happened by accident.)
But the essential thing about sabotage, whether done on-site by smirky Brits or by nerds with Cheetoh-stained fingers from afar, is that it is only war if states choose to recognize it as such, which is what makes “cyberwar” nonsense. Whether an attack on a country’s information infrastructure is an act of war is up to the targeted regime to decide, not political scientists trying to coin new terms or military officers looking for new commands to create.
What’s especially maddening, of course, is that the whole notion of “cyberwar” has been pushed as though no one’s ever done this kind of stuff before. (Insert my usual gripes about the limited historical awareness of Americans here.) For years, we passed faulty technical information on a lot of things to the USSR, and by one account we even helped blow up part of the Siberian gas pipeline. Whether that was our doing is less clear than the larger reality, which is that we conducted what today’s nerds would call “cyberwar” all the way back into the bad old Cold War.
Back then, it was simply called “sabotage,” because that’s what it is. When one country discovers it and decides to do something about it — something that involves an actual, physical attack — then it’s “war.”
I said it two years ago and I’ll say it again: “Cyberwar,” and its cousin “cyberterrorism,” are to war and terrorism what “cybersex” is to sex. They might generate some of the same emotions, and they may even produce, in some limited way, some of the same physical results. But they’re not the same thing, and no one would mistake one for the other.