BLOG@CACM The Three Faces of Cyberwar

In the years since the 9/11 attacks, the world has averaged about two-dozen shooting wars ongoing at any given time. Most have taken the form of armed insurgencies, suggesting that a fresh new "greening" of guerrilla warfare is under way. During this same period, cyberwars have been fewer in number, but have reflected greater diversity as to form. Perhaps the best way to portray the cyberwar spectrum is by grouping these conflicts by type. There are three basic domains: the military, where armed forces clash; the social, in which ideas are used to motivate action; and the economic, where infrastructure, commerce and intellectual property are the targets. These categories may overlap a bit at the edges; nevertheless, they are still quite useful for thinking about the world’s cyberwars.

When David Ronfeldt and I began developing our concept of cyberwar in the early 1990s, our principal interest was in the military domain. Our firm belief was that the Information Revolution was going to have a major impact on military organizational forms and fighting doctrines. The key to understanding these changes was, we reasoned, to be found in the Greek root of "cybernetics," kybernan, "to steer or control." Our view was that an informational advantage, skillfully employed, would enable smaller units to defeat larger ones, and that complex new field operations – like omni-directional "swarm" attacks – would emerge. The flip side of this view was that the vulnerability of information systems, particularly cyberspace-based ones, would make militaries increasingly susceptible to disruptive cyber incursions.

What has emerged in the military realm? At the organizational level, there has indeed been considerable downsizing. Aside from large cuts in standing armies – see Russia and China in particular – the basic units of action have grown smaller. In the United States, standard divisions have given way to an emphasis on "brigade combat teams" a third their size – thus roughly tripling the number of units of action. The brigades are better informed, with critical data moving more quickly, so these smaller units are newly empowered. Of course, terrorist and insurgent networks appreciated this point about the growing power of small units long before national militaries did – and still seem to be a step ahead.

The best example of a nation conducting a military cyberwar was the opening American action in Afghanistan late in 2001. Eleven Special Forces A-teams – just a few hundred soldiers – linked to attack aircraft for fire and to each other for maneuver via their Tactical Web Page, fought alongside the greatly outnumbered Northern Alliance and swiftly toppled the Taliban. That’s cyberwar. It is a real tragedy that the U.S. military reverted to more traditional "big unit" tactics afterward in Afghanistan – in Iraq, too – at a cost of trillions of dollars wasted and tens of thousands of lives lost or shattered.

In the social realm, cyberwar consists mostly of a "battle of the story" aimed at mobilizing supporters for one’s cause. Clearly, those we call terrorists (they don’t self-define this way) appreciate this point, a good example being the al Qaeda narrative about waging a great war to dispel the shadow cast by American power over the Muslim world. The ISIS splinter group – far too extreme even for Dr. Zawahiri, al Qaeda’s current head – has woven more violence into its cyberspace-based appeals, using grisly executions both to intimidate and/or provoke their enemies and to attract recruits. Most recently ISIS hackers have shown how social media can also be used to target U.S. service members and their families; yet another way to mobilize cadres in far-flung places.

Quite a bit of social-mobilization-based cyber operations have been used as well by Russia, or Russian sympathizers, in the ongoing conflict in the Ukraine, with considerable success, both in cyberspace and in the fighting on the ground. But where ISIS and the Russians have been seeking to mobilize support for their causes, sometimes cyberwar at the social level aims at "demobilizing." This was certainly the case in Iran some five years ago, as the regime of the mullahs used social media to infiltrate, exploit, and disrupt the nascent Green movement. This was a quintessential, highly successful case of cyber-counterinsurgency.

Finally, cyberwar is also waged in a manner that inflicts economic costs. The aims may sometimes be strategic, as was the case with the costly damage done by the Stuxnet attack on an Iranian nuclear facility several years ago. But that worm didn’t stop nuclear enrichment; it only caused delays and raised costs. Now Iran has at least twice the number of centrifuges that it did prior to the attack. And in apparent retaliation, Iran is thought to have launched the Shamoon virus, which destroyed much data and caused some disruption to the Saudi oil industry.

Others wage this kind of economic cyberwar too, most notably what appear to be sustained North Korean attacks on the Seoul stock market – and Pyongyang’s one-off, hacktivist-style campaign against the film "The Interview," that has cost Sony Pictures millions. There is also some evidence of attacks by veiled others on national infrastructures in many countries. So far, they have achieved very little. Much more damaging have been the systematic thefts of commercial intellectual property – something that President Obama has associated with cyber intrusions emanating from China. This, too, is a key form of economic cyberwar – to date, the costliest form. And while this activity nudges up against cyber crime, when these acts are committed or sponsored by nation-states, they rise to the level of economic warfare.

In sum, all three dimensions of cyberwar are very much in evidence today. Militaries have yet to actualize the full potential of cyberwar, but terrorists have already demonstrated their near-mastery of the social domain. Some nations are already waging economic cyber campaigns, inflicting serious damage – tacked on to the costs incurred due to the ever-growing cybercrime problem.

What is to be done?

In the military domain, the remarkable success of the U.S. Special Forces in Afghanistan back in 2001 needs to be closely studied and emulated. In its optimal use of information flows, this campaign comes very close to being an ideal case of military cyberwar.

At the social mobilization level, the clear priority today should be to work at "demobilizing" ISIS and affiliates. To do this, the best blueprint can be found in the Iranian cyber-counterinsurgency against the Green Movement.

This leaves economic cyberwar – truly the most vexing aspect of virtual conflict. It will be difficult, likely impossible, to extirpate. Wars against commerce have been with us from 16th century privateers to 20th century U-boats, and that’s just at sea. Economic cyberwar is a logical extension of what has gone before. But an emphasis on the ubiquitous use of strong encryption, and on achieving much better data mobility via the Cloud and the Fog, will improve defenses significantly.

Cyberwar is no doubt here to stay, in all its forms. But, as has been true of earlier modes of conflict, there are paths to mastering – or at least to coping with – its many varied challenges.

John Arquilla is professor and chair of defense analysis at the United States Naval Postgraduate School. The views expressed are his alone.

No entries found