Winter 2012
The Empty Threat of Cyberwar
– The Wilson Quarterly
Cyberwar does not take place in the present. And it is highly unlikely that cyberwar will occur in the future.
The specter of cyberwar haunts American leaders. “The next Pearl Harbor could very well be a cyberattack,” Leon Panetta warned last year when he was still CIA director.
Rubbish, says Thomas Rid, a reader in the Department of War Studies at King’s College London. There are plenty of dark doings online, but they fall far short of war. “Cyberwar does not take place in the present. And it is highly unlikely that cyberwar will occur in the future,” he asserts.
The 19th-century Prussian theorist Carl von Clausewitz formulated the classic definition of an act of war: It must be violent, purposeful, and overtly political. Few cyberattacks on record have met even one of these criteria. Instead, cyberattackers of a political bent—government sponsored and otherwise—prowl the Web with three old-fashioned objectives: espionage, subversion, and sabotage. Online or off, acts of these kinds can accompany war, but they also occur in peacetime.
Online espionage is “booming,” Rid writes. In 2008, the Pentagon reported that spyware—allegedly of Russian provenance—had slithered its way onto a laptop at a U.S. military base in the Middle East. Initially, only the Pentagon’s unclassified network was compromised. But the bug was crafty. It automatically copied itself onto removable thumb drives, leading an unwitting user to transfer the spyware to the military’s secret network. Defense officials blamed the incident on an unnamed “foreign intelligence agency.”
Subversion is also common. In 2007, assailants bombarded dozens of Estonian Web sites after a statue revered by Russians was moved from the center of Tallinn, the Estonian capital. Estonian officials blamed Moscow for the chaos, but they lacked conclusive evidence. During the clash between Georgia and Russia a year later, Georgian Web sites were attacked. Again Moscow was blamed, and again the accusers lacked proof. In any case, Rid says these were mere “cyber scuffles,” even though they made headlines. The attacks weren't violent, and they had little effect.
The Stuxnet computer virus is the latest and most serious instance of cybersabotage. In 2010, the super-sophisticated bug infected thousands of computers worldwide, but evidently its ultimate target was two computer systems at the heart of Iran’s nuclear program. The programming of the bug bore Israeli—and possibly American—fingerprints.
But even the unleashing of Stuxnet did not qualify as an act of war. The virus was not violent. Its origins—and the goals of those who created it—can only be guessed at.
Stuxnet has escalated cyberconflict to a new level, Rid allows, but it also shows how much more difficult life is becoming for attackers. Whoever designed the bug needed impeccable intelligence to know where and how to deliver it. A computer security expert joked that Stuxnet’s masters “probably even knew the shoe size” of the people operating the targeted computers. Would-be saboteurs aren't always so well informed. Nor are they always so well financed; the price tag to engineer Stuxnet was probably very high. The advantage may be shifting to the defense.
What’s certain, Rid concludes, is that war on the Web is hardly inevitable. “There was no and there is no Pearl Harbor of cyberwar.”
* * *
The Source: "Cyber War Will Not Take Place" by Thomas Reid, in Journal of Strategic Studies, February 2012.
Photo courtesy of Flickr/solo