Cyberwar is War: A Critique of “Hacking Can Reduce Real-World Violence”

Alex Calvo

The latest issue of Foreign Affairs includes an article critical of the “hype” concerning cyberwar. It says that there are “three basic truths: cyberwar has never happened in the past, it is not occurring in the present, and it is highly unlikely that it will disturb the future”, adding that instead we can observe “the opposite trend: a computer-enabled assault on political violence” since “Cyberattacks diminish rather than accentuate political violence by making it easier for states, groups, and individuals to engage in two kinds of aggression that do not rise to the level of war: sabotage and espionage”. This is because “Weaponized computer code and computer-based sabotage operations make it possible to carry out highly targeted attacks on an adversary’s technical systems without directly and physically harming human operators and managers. Computer-assisted attacks make it possible to steal data without placing operatives in dangerous environments, thus reducing the level of personal and political risk”.[i]

The text dismisses the idea that “computer-assisted attacks will usher in a profoundly new era”, adding that “No known cyberattack has met Clausewitz’s definition of an act of war”. The text explicitly refers to three well-known incidents, namely “a massive pipeline explosion in the Soviet Union in June 1982”, the 2007 cyber campaign against Estonia following the removal of a monument to Soviet WWII soldiers, and a “cyber-sabotage” campaign against Georgian Government websites right before the 2008 August War. It considers that none fits with Clausewitz's “three main criteria that any aggressive or defensive action must meet in order to qualify as an act of war”, being first “violent or potentially violent”, second “always instrumental: physical violence or the threat of force is a means to compel the enemy to accept the attacker’s will”, and third “some kind of political goal or intention” by the attacker. For this last reason, “acts of war must be attributable to one side at some point during a confrontation”.[ii]

The purpose of this paper is to provide an alternative reading of Clausewitz,[iii] supporting the view that cyberwarfare can, and will sooner or later, amount to an act of war. This will become an increasingly distinct possibility as the line between the virtual and the real worlds becomes gradually blurred. That is, as the “Internet of Things” becomes a reality.[iv] As a result, it is necessary for countries to develop not only the necessary capabilities to operate in this mixed real-cyber environment, but also to lay down the required doctrinal principles. This is very important in order to reduce the scope for miscalculation. By laying down what kind of cyber attacks, and in what circumstances, would be considered to be an act of war, and the scope of the resulting response, there should be fewer chances of would-be aggressors failing to predict the likely response.

Internet of Things: The Thinning Line between the Real and the Cyber Worlds

Before we study in some depths Klausewitz's definition of war we need to remember how the border between the real and the virtual spheres may soon become very much blurred. When the Internet was born, it was connected to a limited number of physical systems. This remains the case to this day. While we can, for example, operate a telescope remotely, or gather data from myriad sensors such as meteorological stations, just to name two examples, the fact is that most “real-world” systems remain unconnected to the network. Our cars, for example, can be operated in the absence of a working Internet connection. Over the last few years a growing number of these systems have come to rely to some extent on the “virtual” world, with for example automobiles increasingly coming equipped with GPS, but although convenient this is not an essential aspect of their operation. In the event of not being able to access this system, we could still drive our car. It may make our life a bit more difficult if traveling across an unfamiliar area, and we may not enjoy benefits such as early warning of road disruptions, but the car itself does not need a connection to the Internet or to some other network to operate.

This may soon change, however, with the emergence of what is being called “The Internet of Things”, namely “an idea about what happens when you embed communications and intelligence into household appliances, white goods, street furniture, clothing, medical devices, vehicles and everything that we use”.[v] This concept has been studied in some depth by Denmark's Alexandra Institute.[vi] While experts at the University of Southampton (UK) caution that we still have a “sketchy view” of “this future”, and concede that the Alexandra Institute's concept may be seen as “credible or crazy”,[vii] it is difficult to escape the military implications of the gradual integration of all sorts of gadgets and mechanical devices, including critical infrastructure and weapons systems, with the Internet.[viii] In other words, it is doubtful that the advent of “The Internet of Things” will concern only the civilian world. Instead, we can expect it to impact also military systems, plus critical infrastructures which, while not overly or exclusively military, either support military operations or are so important as to threaten to overpower a country's will should they cease to be available. That is, as a growing number of physical systems, from household appliances to industrial machinery, including infrastructure supporting essential services, cease to be islands and become interconnected through a much wider and above all deeper worldwide web, the scope for a hostile country to inflict physical damage by cyber means will increase exponentially.

The Real Impact of Cyberwarfare

Let us now have a look at two of the examples discussed in the Foreign Affairs article, leaving aside the alleged pipeline attack whose actual occurrence does not seem to be confirmed. Concerning the campaign against Estonia, the article says that the country “pointed their fingers at the Kremlin, but they were unable to muster any evidence” and criticizes the assertion by then Estonian Prime Minister Andrus Ansip that it had been akin to an act of war. Ansip is quoted as having wondered “What’s the difference between a blockade of harbors or airports of sovereign states and the blockade of government institutions and newspaper websites?”, and the text provides the following answer: “unlike a naval blockade, the disruption of websites is not violent -- indeed, not even potentially violent”.[ix] Is that so? Disrupting some websites can indeed be labeled non violent, if those websites' only role is to provide information. Thus, a government unable to put across its narrative on the web may lose an important weapon in the battle for public opinion and diplomatic support but the country could not be said to have been attacked in a physical sense. Now, let us imagine that the website disrupted has another function, one related to events in the physical world. Let us imagine for example that we are talking about a website governing the loading and unloading of ships in a harbor. Would that not amount to a blockade? What is the use of ships being able to reach a port, if cargo cannot be transferred to and from them? Should the target be a country's air navigation system, we could perhaps say something similar. Planes may still be physically able to fly, but only at a much higher risk of collision. Even if not all of them were grounded, the resulting disruption could well be seen as equivalent to, at least, a partial blockade. In either case, would it not be justified to talk about an act of war? Even if force had been employed indirectly, not by destroying something but by rendering it ineffective through the neutralization of its software? A software, going back to the above mentioned concept of “The Internet of Things”, which is increasingly less isolated and individualized and more and more part of wider systems such as the worldwide web.

The Foreign Affairs article also believes the Estonian case not to amount to an act of war for two additional reasons. First, that “the choice of targets also seemed unconnected to the presumed tactical objective of forcing the government to reverse its decision on the memorial” and second that, “unlike a naval blockade, the attacks remained anonymous, without political backing, and thus unattributable”.[x] Concerning the first point, we could perhaps say that it is nowhere written that the means to put pressure on a country must be related to the goal sought. Actually, a look at history offers plenty of cases where the reverse is true. Thus, just to mention an example, in seeking the release of a detained trawler captain and more generally insist on questioning Tokyo's sovereignty over the Senkaku Islands, China imposed an (officially denied) embargo on shipments of rare earths to Japan in 2010. It succeeded in forcing his release, although at the price of accelerating Japanese efforts to diversify sources of supply away from China.[xi] With regard to the second point, a country may not always wish to publicly admit that she is behind an attack. Rather the contrary, and even more so in our complex age, where nations often engage diplomatically and economically with one hand, while fighting (often through proxies or by means of “black” operations) with another. As long as the intended recipient gets the message, and ideally alters her behavior, there is no need to publicly claim responsibility. Furthermore, in a world of limited, undeclared war, there is often nothing to be gained by publicly claiming credit. Much better to avoid obstacles to a resumption of normal relations once the limited goal sought has been achieved. This also makes it easier, by not prompting the defeated government to lose so much “face”, to let a door open to an accommodation with the victor, thus making cyberwar even more “war-like” if we take war to be an instrument of politics, not an end in and by itself.

Despite the warnings by a number of voices about the advent of the “Internet of Things”, the Foreign Affairs article insists that “even cyberattacks that cause damage do so only indirectly” and while acknowledging the possibility of “for example, shutting down an air traffic control system and causing trains or planes to crash or disrupting a power plant and sparking an explosion”, it adds that “besides Stuxnet, there is no proof that anyone has ever successfully launched a major attack of this sort”, going as far as claiming that “lethal cyberattacks, while certainly possible, remain the stuff of fiction: none has ever killed or even injured a single human being”. Furthermore, the text states that “the use of computers would be ethically preferable to the use of conventional weapons: a cyberattack might be less violent, less traumatizing, and more limited”.

How to deal with these claims? First of all, it may be true that no lethal cyber attacks have taken place, and this paper will not seek to explore this matter further. However, the fact that they may not have taken place does not mean that they are inherently impossible. Their absence may simply reflect the birth of the Internet as a network not fully connected to the real world. As it evolves, going as far as the above explained concept of the “Internet of Things”, as all sorts of gadgets, basic infrastructures, industrial systems, vehicles, and the like, get connected to the Internet, it may be difficult for the contention that cyber attacks are unlikely to result in damage to life and limb to stand the test of time. Many actors are already taking steps to protect themselves against these cyber attacks, with for example Jeff Kohler (vice president of international business development for Boeing's defence arm) recently saying that he was “very concerned” about cyber threats against aircraft. In a video released by NATO, Kohler admitted “I don't think we still understand critical infrastructure protection and how cyber can affect that”, adding “From our commercial aircraft side we're very concerned about it. As commercial aeroplanes become more and more digital and electronic, we have actually started to put cyber protection into the software of our aeroplanes”.[xii] At the same time, the need to develop cyber capabilities appears clear on the mind of many policy-makers, with, for example, Secretary of Defense Chuck Hagel listing “cyber” as one of the “emerging military capabilities” to be protected in the current round of cuts at his November 2013 address to the Center for Strategic and International Studies, a list which according to Joseph J. Collins (National War College, and former Deputy Assistant Secretary of Defense) “makes great sense”.[xiii]

Despite such warnings from industry, it is still relatively common for authors to see the cyber and the real as two rather separate realms, with cyber attacks unable to significantly or permanently damage the former. For example, in a piece where it is also claimed that “cyberwar is not war”, Erik Gartzke (Professor of Government at the University of Essex and Associate Professor of Political Science at the University of California, San Diego) writes that “The bigger issue with internet attacks, however, is that their effects are temporary. Unlike a rocket strike on an oil refinery or destruction of elements of a nation's military, cyberwar generally involves 'soft kills,' temporary incapacitation that can be reversed quickly and at moderate cost”.[xiv] Again, while this may have been true in the past, and may even be true today, it could quickly change once most physical systems are connected to the Internet, at which point such statements may no longer be accurate.

Lethality is Not the Defining Characteristic of Warfare

Even conceding, for the sake of argument, that cyber attacks will never be as potentially lethal as their conventional counterparts, this does not in and by itself justify any reluctance to consider them as falling square under the label of warfare. A look into military history shows how whereas on some occasions and theaters the intention of one or both contenders is to inflict the highest possible degree of destruction, as a way to put an end to the enemy's will to fight, this is not always the case. The reality in which the military is forced to operate is much more complex than that. Just to mention two examples, one from a past conflict, another one from a current scenario, we can briefly refer to the opening phase of the 1982 Falklands War and to the perennial dispute over the South China Sea.

When the Argentine Junta decided to invade the Falklands, their intention was to present London and the World with a fait accompli, in the hope that the United Kingdom would not have the determination and commitment to liberate them. It is no accident that the original name of the operation was “Goa” (later changed to “Rosario”), for that was precisely what Buenos Aires expected, little more than some diplomatic noise at the UN. This explains why, in the attack against the Governor's Residence, Argentine troops employed stunt grenades, and more generally why "the guidelines remained that the operation had to be as bloodless as possible and should not excessively impinge upon the life of the population".[xv] The invaders had nothing to gain by killing or maiming British personnel, or committing atrocities against civilians, which would have only made it more likely for the British public to demand a reaction.

Another clear example of a limited use of force can be found in many of the regular incidents in the South China Sea, where Beijing’s goal is to push out fishermen and coast guards from other countries through non-lethal means if possible. In May 2012 the PLA's Major General Zhang Zhaozhong called this a “cabbage” strategy,[xvi] and Professor Brahma Chellaney (Centre for Policy Research in New Delhi) describes it as “asserting a claim, launching furtive incursions into the coveted territory, and erecting — one at a time — cabbage-style multiple layers of security around a contested area so as deny access to an opponent”.[xvii]

Cyberattacks Do Meet Clausewitz’s Conditions for Warfare

Going back to Clausewitz, whose conditions for an action to be considered an act of warfare the Foreign Affairs article considers cyber attacks not to meet, we may put forward a different interpretation, concluding they do. The first of the “three main criteria” is that the action must be “violent or potentially violent”, which once most physical systems are connected to the Internet could easily be met. It demands no long stretch of the imagination to think of potential attacks resulting in major physical damage and threats to the life and physical integrity of people, either military personnel or civilians. Disrupting a hospital, for example, may lead to the death of patients in critical care, while passengers traveling in a train may suffer injuries or die if the software controlling a railroad system is attacked. The second condition is that the action must be “always instrumental: physical violence or the threat of force is a means to compel the enemy to accept the attacker’s will”. Concerning this, although we may witness cyber attacks with other motivations, for example by perturbed individuals or disgruntled employees seeking revenge, there is nothing in the nature of cyber attacks preventing them from being employed as an instrument to force an enemy to submit to the will of those responsible for them. The same could be said about the third, namely “some kind of political goal or intention” by the attacker. The article adds that, for this third reason, “acts of war must be attributable to one side at some point during a confrontation”, and while this is true, it does not mean that this must take place from day one, or that such attribution must be public. Although more easily carried out with cyber attacks, there is nothing new about a government employing, tolerating, or somehow sponsoring or egging on, irregular forces in the pursuit of foreign policy objectives. Just to mention an example, we have the Boxers Rebellion.[xviii]

We could arrive at similar conclusions if, instead of Clausewitz, we directed our gaze at China’s Art of War, or India’s Arthashastra. The former famously states that “all warfare is based on deception” and many of its passages stress a limited use of force, stating for example that “to capture the enemy’s army is better than to destroy it”.[xix] Thus, while a cyber attack may well cause destruction among an enemy army, even if by its nature it was most prone to disable it there would be nothing in the top Chinese treatise on warfare pushing it out of the definition of an act of war.[xx] Concerning the latter, it refers to four different kinds of war: “Mantrayuddha, ‘war by counsel’, means the exercise of diplomacy; this applies mainly when a king finds himself in a weaker position and considers it unwise to engage in battle. Prakasayuddha is open warfare, specifying time and place – i.e., a set-piece battle. Kutayuddha is concealed warfare and refers primarily to upajapa, psychological warfare including instigation of treachery in the enemy camp. Gudayuddha, ‘clandestine war’, is using covert methods to achieve the objective without actually waging a battle, usually by assassinating the enemy. In waging clandestine war, the king used not only his own agents and double agents, but also allies, vassal kings, tribal chiefs and the suborned friends and supporters of the enemy”. [xxi] Again, we can see how the definition of war is wide enough to accommodate non-lethal cyber attacks, even before we take into account their potentially lethal nature once the “Internet of Things” becomes a reality.

Thus, as we can see, if we go beyond the Western tradition, we reach the same conclusions. There is nothing in cyber attacks preventing them from being classified as war. Although the Foreign Affairs article only refers to Clausewitz, this quick look at the Chinese and Indian traditions is a reminder that the conclusion that cyber war is indeed war is not linked to that particular author or, more generally, Western thought. This does not, of course, mean that we can simply mechanistically apply the doctrinal, ethical, legal, and operational concepts evolved over centuries to this new kind of weapons. As noted by Nikolas Gvosdev (US Naval War College), “we still are grappling with how to regulate the use of cyber tools in matters of war, peace and everything in between. In particular, how do we fit the cyber realm into an established system of ethics created to manage and mitigate the impacts of kinetic military action?”[xxii], a view also shared by Lucas Kello (Belfer Center for Science and International Affairs, Harvard Kennedy School), who has noted the “delay in the strategic adaptation to cyber realities”.[xxiii]

Conclusion: Cyberwar is Indeed War, And We Must Prepare for It

To conclude, as the preceding paragraphs have made clear, we can say that the contention that cyber attacks do not meet the conditions to be considered acts of war is at best, doubtful. Even if we conceded that this may be the case in the traditional Internet, the advent of the so-called “Internet of Things” is likely to put to rest any doubts that cyber attacks can indeed cause or threaten to cause physical damage, and that therefore they cannot be rightly be excluded from the definition of wars. Once most physical systems are permanently connected to the Internet, including critical infrastructure, industry, transportation systems, and dual-purpose infrastructure used by the military, not to mention weapons systems themselves, the borderline between attacking their hardware and attacking their software may become increasingly blurred. The difference, for example, between blockading a harbor by mining it and closing it to civilian and military traffic by disabling its software may become, in the eyes of most observers, academic.

This is of course not the end of the story. It does not mean that each and every cyber attack should be considered as an act of war. After all, not every physical attack is. Furthermore, wars are often fought without being formally declared, this being the rule since Korea. What it means is that, first of all, we must acknowledged the potentially deep impact of the “Internet of Things”, second, we must treat cyber warfare, both defensive and offensive, as an integral part of any military and of any security and defense policy, and third, that this must be reflected not only in terms of training and equipment, but also with regard to doctrine. In order to minimize the scope for miscalculation, it is necessary to determine and publicly enunciate when cyber attacks will be treated as equivalent to physical attacks. For example, would a cyber attack on nuclear facilities resulting in the release of radiation be considered to be equivalent to an attack with weapons of mass destruction (WMD). Would it justify a reprisal in kind? Concerning war crimes, could they be committed by cyber means? Is there an equivalent to a soldier's uniform for cyber warriors, giving them protected status under the laws of armed conflict?.[xxiv] Some voices have warned that we are facing an “international legal conundrum”.[xxv]

Computer-based attacks are not liable to reduce the scope for physical casualties, rather the contrary, in particular once the “Internet of Things” becomes a reality. It may be easier, not more difficult, for both state and non-state actors to inflict grievous bodily harm and death unto enemy civilians and military personnel, and to cause extensive material damage. This does not mean there is not, at the same time, a wider avenue for non-lethal “surgical” strikes, as the Foreign Affairs article rightly notes, but one development is no bar to the other. Once again, technological change fits with classical concepts of war, be they from the Western (Clausewitz) or Eastern traditions (Sun Tzu and Kautilya), confiming Patton's dictum that the nature of war is ethernal.

End Notes