P.W. Singer is a strategist at the New America Foundation. August Cole is director of the Art of Future Warfare project at The Atlantic Council. They are the co-authors of Ghost Fleet: A Novel of the Next World War.

When a series of technical glitches hit companies that ranged from United to the New York Stock Exchange this week, suspicions immediately ran to a cyber attack. Was this just the beginning of something much worse? A surprise attack, the beginning of the long-feared “cyber war” or the “cyber Pearl Harbor”? The irony that these worries were mostly expressed online at places like Twitter was not lost on many, but it points to how deeply they have become woven into the narrative of threats that surround us. Indeed, it is notable that the discourse too quickly pointed the finger at hackers, rather than al Qaeda terrorists as would have been the default a decade back.

A key challenge in this new environment of fear is that terms like “cyber war” and “cyber Pearl Harbor” are tossed around today in politics and media with as much precision as the term “war” itself. There is a massive array of cyber threats out there, ranging from the 317 million distinct pieces of malware discovered by Symantec last year to credit card theft that has hit almost every major retail firm to advanced persistent threat campaigns that have penetrated literally every major corporation and government agency.


Many repeatedly use military terms to describe this diversity. For example, after someone (ahem, China) hacked the Office of Personnel Management (OPM), stealing records of over 21.5 million citizens, outlets that ranged from mass media like USA Today to partisan outlets like Commentary and National Review magazine to true D.C. geek sites like Federal Computer Weekly all claimed that this was the “Cyber Pearl Harbor” of the war that we are already in.

Cyber hogwash.

We are at cyberwar as much as the “War on Christmas” is an actual war.

Just as a glitch is not an attack, stealing data is not war. Depending on the goal and target, it is crime or espionage. No one likes to have their secrets stolen, but no nation has ever in history gone to war over lost secrets.

War—the real kind of war—not the way we use the term to describe everything from anti-drug to anti-Yuletide decoration campaigns, involves two key elements, mass violence and high-level politics. That is what distinguishes it from all the other wonderful human enterprises that range from crime to spying to even terrorism. Indeed, for all the talk of “cyber terrorism” and “cyber Pearl Harbor,” terms used over a half-million times according to Google, not a single person has been directly hurt or killed by a cyber attack, ever. (Cows, meanwhile, killed 22 people in the U.S. last year.)

That we have not seen the digital face of true conflict yet, however, does not mean that “cyber war will not take place” as recent academic works have claimed. The reason we have seen no cyber war in the past is that we haven’t seen actors with actual cyber capabilities go to war with each other. But as the great strategic thinker Bachman Turner would advise, “You ain’t seen nothing yet.”

The Context of War

What made people’s minds jump to worrying about the glitches being something bigger is that the geopolitical context around these worries is changing. Terrorism and instability within failed and failing states is certainly not going away, particularly in the Middle East, but a larger concern of statecraft has made a comeback.

Conflict between the great powers was something that many think was dead and buried with the end of the Cold War. The New York Times even argued just four years ago that it had gone “out of style.”

But times and fashions change quickly. In Europe, NATO and Russia are at their highest levels of tension and alert since the mid-1980s height of the Cold War. In the Pacific, the U.S. and China have had standoffs over disputed waters, underscoring a deeper arms race that the two have fully leaped into, with China buying more warships and warplanes than any other nation over the last several years, and the U.S. launching a new plan to “offset” China with a new generation of military technology. Both nations this last week released new security strategies; notably the Pentagon’s document both pointed out the growing importance of the cyber realm and that the risks of interstate war were “growing,” while China’s new national security law sought to expand state control over what it sees as emerging risks in cyberspace.

This is what made the kind of attack we saw against OPM so concerning, aside from the fact that it revealed OPM was using COBOL, a language that dates back to 1960. It points to a penetration of US government networks deeper in scale than most realized and a targeting of information that was not about economic competition, but rather of immense political value (most notably security clearance forms) if the nations ever came to blows. To compare this to concerns over the so-called “Cyber Caliphate” of ISIL sympathizers, their most noted exploits are things like hacking a US military command’s Twitter feed and posting pictures of a goat.

A hot international war is by no means inevitable—but nor is it inevitable that history would repeat itself and ensure that the brewing 21st Century’s Cold War never turns hot. Wars start by accident or design, but start all the same. As China’s regime newspaper advised just a few months ago, “The world war is a form of war that the whole world should face up to.”

These uncomfortable realities led us to write our new book Ghost Fleet, which explores what such a 21st century world war might look like. The scenario of a war between the U.S., China, and Russia is fortunately fiction (for now and we hope forever), but the book is backstopped by years of research. By playing out the scenario, we traced how such a war would be different from both the wars of today and the great wars of the past, in part because it would involve battles in all domains—including the realm of cyber, an area that wasn’t even imagined the last time great powers dueled. Establishing just how different actual cyber war would be from the uncomfortable and embarrassing episodes that we’ve seen so far also shows the much higher stakes that should lead us to get our house in order.

Cyber Kinetic War: When Code Hurts

Today, more than 100 of the world’s militaries have some sort of organization in place for cyber warfare. The geographic hubs range from the Fort Meade complex in Maryland, home of the NSA and Cyber Command, which houses more personnel than the Pentagon, to Datong Road in Shanghai, the reported home of Unit 61398, a Chinese unit linked to hacks on everything from US military communications to the internal emails of the New York Times. These organizations’ size, scale, training and budgets all differ, but they all share the same goals: In the words of the U.S. Air Force, the purpose of cyber warfare is “to destroy, deny, degrade, disrupt, [and] deceive,” while at the same time “defending” against the enemy’s use of cyberspace for the very same purpose. Among military planners, it’s known as the “Five D’s plus One.”

Interest in these kinds of operations is exploding within the U.S. military. In the 2012 U.S. defense budget, for instance, the word “cyber” appeared 12 times. This year, it appeared 147 times, with new funding for everything from hiring thousands of new contractors to efforts like the U.S. military’s “Plan X,” a $110 million program designed to “help war planners assemble and launch online strikes in a hurry and make cyber attacks a more routine part of U.S. military operations.” There is also a broader debate beginning in various militaries, ranging from how such units should be organized to even whether they should be structured under entirely new military services, akin to how units a century ago that fought in the air were originally put under the command of the Signal Corps, then the Army Air Corps, and finally their own Air Force.

This very same shift is underway in China. In 2011, the Communist Party-controlled China Youth Daily newspaper published an article by two scholars at the Chinese Academy of Military Sciences that summed up in direct terms how the Chinese military establishment viewed what had been going on in cyberspace, from the creation of the U.S. military’s Cyber Command to the revelation of Stuxnet, the damaging offensive cyber-weapon that the U.S. and Israel deployed against Iran’s nuclear program: “Of late, an Internet tornado has swept across the world...massively impacting and shocking the globe. Behind all this lies the shadow of America. Faced with this warm-up for an Internet war, every nation and military can't be passive but is making preparations to fight the Internet war.”

In real terms, this has translated into a buildup of the People’s Liberation Army’s (PLA) cyber capabilities at just as rapid a pace as the U.S. military’s during the same period. Spending on cyber warfare became a “top funding priority,” up a reported 20 percent in the last year alone, and a host of new units were created with the responsibility of “preparing attacks on enemy computer networks.”

While the Chinese military organization responsible for cyber operations is not as open about its structure as the U.S. military’s, many think it falls under the PLA General Staff Department’s Third Department. This entity, based in Beijing, is very similar to the U.S. National Security Agency, with a focus on signals intelligence and code-breaking, making it a natural fit for cyber activities, just as the NSA was for the U.S. cyber efforts. The Third Department has some 130,000 personnel assigned to it. A key part is the Beijing North Computer Center (also known as the General Staff Department 418th Research Institute or the PLA’s 61539 Unit), which some believe to be the Chinese equivalent to the Pentagon’s U.S. Cyber Command. It has at least ten subdivisions involved in “the design and development of computer network defense, attack, and exploitation systems.” There are at least an additional 12 training facilities located around the country, including a special unit located in Zhurihe that is permanently designated to serve as an “informationized Blue Team.” That is, the unit simulates how the U.S. military and its allies use cyberspace and provides targets for Chinese units to hone their skills on in wargames.

If a conflict were to break out between the U.S. and China, these players would engage in operations far different from the jousting we have seen so far when their nations are not at war. We won’t just see the stealing or revealing of information, but the blocking or changing of information. And, as such, we will see cyber operations shift from the field of espionage to having actual direct effects on the flow of battle. To make that parallel back to World War II, cyber operations offer the potential of not merely reading the enemy’s radio signals, but seizing control of the radio itself and crashing the plane it sits in.

For example, one of the key advantages of the U.S. military has been its global network of command and control, with the Global Positioning System being a key part of the architecture that allows forces to operate with incredible precision. Indeed, it is used not just by troops in the field to maneuver, but more than 100 American defense systems, from aircraft carriers to individual missiles, rely on GPS coordinates during operations. But that dependence points to a key aspect to target. How bad could it get? In 2010, a software glitch knocked 10,000 military GPS receivers offline for more than two weeks, meaning everything from trucks to the Navy’s X-47 prototype robotic fighter jet suddenly couldn’t determine their locations. Cyberwarfare would seek to make such a software error into a deliberate act, where the simple ability to block access would cause mass confusion and ineffective operations.

That sounds bad, but maybe worse is using access to a system, which is what hacking is all about, not to steal or block information, but to change it. As an illustration, a scene in Ghost Fleet was inspired by Israel’s real world Operation Orchard. In 2007, through a mix of cyber and electronic means, Israel was able to deceive Syrian air defenses into thinking that it was a regular night like any other, when in fact seven Israeli F-15s were flying overhead on their way to drop bombs on a suspected nuclear site.

But here again, it might be worse. Changing information might not just allow physical damage to happen through other means, but even directly cause it. Stuxnet was a wicked little piece of software code, allegedly created by U.S. and Israeli intelligence, that was used to sabotage Iranian nuclear research facilities. It did so by instructing the industrial control systems literally to damage themselves, all the while telling their human operators that everything was functioning well. Of note, the recipe for Stuxnet is now in the wild, while the very same software it targets, SCADA, is used in everything from traffic lights to U.S. Navy warship engine rooms. One U.S. military wargame in which we participated saw an adversary send warships on what was jokingly called the “Carnival Cruise Line Experience,” knocking them out of the fight not with cruise missiles but code.

Or, we might see “battles of persuasion,” where one’s own weapons are instructed to do something contrary to their owner’s intent. This last week, a NATO Patriot missile battery was found to have been hacked and carrying out “unexplained orders.”

Such changes are not just something that can be caused by outside software sneaking in, but might also come through a hardware hack, where the flaws are literally baked into the systems themselves. For example, more than three-quarters of the field-programmable gate arrays in the F-35 strike fighter are made in China and Taiwan. So are the majority of chips in automobiles and wireless medical devices, such as pacemakers and dialysis machines. If that hardware was modified ever so slightly, a kill code could selectively disable the chip and the systems that depend on it. And that code could come from any number of sources. A command could originate in a text or email message. It could be delivered by radio signal to a micro-antenna hidden on the chip. It could even be a simple internal time bomb, programmed at the chip’s inception, to trigger a coordinated shutdown on a certain time and date. The result for the targets would be an experience akin to the first episode of Battlestar Galactica, where the good guys’ aircraft just stopped working all at the same moment, opening them up to a devastating attack.

It is important to note that such targets would likely not be limited to the military world. The first reason is the massive reliance of the U.S. military on the civilian world, from the massive industry of military service contractors—roughly half the personnel in Pentagon operations are contractors—to the utter dependence of the military on the Internet itself, where over 98 percent of U.S. military communications go over this civilian owned and operated channel.

The second reason is that our networked commerce and infrastructure offers up new pressure points on a population, or “centers of gravity” as the great 19th century military thinker Clausewitz might put it. For instance, between December 2011 and June 2012, the Department of Homeland Security reported that hackers—likely from China—penetrated 23 different oil and gas pipeline companies, which also operate using much of the same vulnerable industrial software as explained above. But the hackers didn’t steal any information from the targets, whether intellectual property or employee credit cards. Instead, they were just setting up “beachheads,” testing vulnerabilities in case they needed to drop the hammer on these pipeline operations later on. As former White House cybersecurity expert Rob Knake put it, “This incident crosses into what might be called ‘preparation of the battlefield,’ laying the groundwork for military operations.” Here again, one sees both the connection between espionage and actual warfare and the difference.

A New Mix of Players

While there might be many echoes of past great wars in future cyber conflict, there is another key fundamental difference that reflects the very makeup of the domain.

The Internet is not just a technology—it’s an ecosystem composed of the digital actions of an incredibly wide mix of players, from government agencies and military units to private corporations to individuals. So too will be warfare on the Internet. In modern times, wars between sovereign states have generally been left to militaries and government intelligence agencies, but a cyber war will almost assuredly see civilians join the fight.

For instance, while there are a number of formal state units preparing for cyber war, a wider variety of proxy and quasi-state actors extend that power much further. In the U.S., there is a vibrant cybersecurity industry, staffed by a mix of Silicon Valley tech geeks and veterans of agencies like the NSA. Some believe that this industry, which is on pace to reach $156 billion over the next decade, could provide digital private military services, akin to a “cyber Blackwater.” Just as with the physical private military firms, the lure of such outsourced talent is that it helps to supplement government capabilities with expertise from the marketplace.

But just as Blackwater demonstrated in Iraq, such outside players—only loosely accountable to governments and militaries—can operate with their own agendas and rules, raising complicated questions of law, ethics, command and control, as well as the simple challenge of whether the hired help always has your own best interests in mind. The recent disclosure of the clients of the Italian company Hacking Team shows just one of the perils. The leaked documents demonstrate the company sold its services to a wide range of clientele, from the FBI and U.S. Army to the Russian government.

Such state proxy groups need not only be corporate. Just as the U.S. military has reached out to various civilian research universities, such as through the NSA’s National Centers of Academic Excellence in Cyber Operations Program at 13 universities, China’s military draws from the wider cyber expertise resident in its eight million-strong people’s militia, supplementing official forces with a “patriotic hacker” program. Its universities make prime recruiting grounds—yet the very reasons they’re attractive recruiting targets sometimes later hinder attempts to keep the government’s units secret. Unit 61398, for instance, the aforementioned PLA organization identified in various advanced cyber-campaigns targeting everything from US government agencies to newspaper, steel and solar companies, tried to go to ground after garnering attention in a series of New York Times exposés. Yet researchers were able to find its digital tracks hadn’t been cleaned up well enough. The Zhejiang University website, for example, even had up a notice that “Unit 61398 of China’s People’s Liberation Army (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students.”

This range of non-state actors would make, in many ways, cyberwarfare akin to the wars in the 18th and 19th centuries that were equally fought over the key domain of commerce and communication back then, the sea. Formal navies mattered, but quasi-state actors like pirates and privateers did too. Indeed, during the War of 1812, America’s privateer fleet numbered 517 warships to the U.S. Navy’s paltry 23. And, while British troops were able to capture Washington, D.C., and burn the White House, the private force was able to cause so much damage to the British economy that it compelled negotiations favorable to the American side.

Another group could also throw a new wrinkle into the fight. There really is no historic parallel for a group like Anonymous, the network of individuals who join forces in a mode that combines hacking and civic activism. Such players are unlikely to affiliate with one side or another, but are also unlikely to simply sit aside as a fight plays out in a domain they’ve sworn to protect. Yet, when we spoke with senior U.S. military leaders about the complicating role such groups might play in a cyber war, they admitted they hadn’t even thought of how those groups might affect war—yet.

Avoiding the Fail

One of the biggest challenges of cyber warfare is that while it will operate with digital precision, the effects of the actual attacks may be staggeringly imprecise. With a conventional bomb you can reasonably project the radius of the explosion and have a relatively clear idea of the damage that it would inflict, even if it went off target. We don’t have that ability with many facets of cyber weaponry. Stuxnet, for example, was designed specifically to go after Iranian nuclear research, but part of how it was discovered was that it also surfaced on more than 25,000 other computers around the world, in locations that ranged from Belarus to India.

Similarly, the kinetic effect can range wildly. Take the oft-worried-about scenario of someone taking down the power grid. Expert estimates of its impact range from over $1 trillion in damages to little more than the damage that squirrels or flocks of parrots have caused in reality. Likewise, the number of people hurt or killed would depend on everything from whether traffic control systems are affected to the temperature that day (power outages in periods of high heat or cold disproportionately harm the elderly). This uncertainty points to a broader danger.

The risks of the great powers going to war and taking the fight to the Internet are real, but the risks also play out even if they never directly do battle. We must also simply worry about what such rapid efforts to militarize cyberspace will do to the Internet. China is not just a looming superpower but also home to the world’s largest number of Internet users. This is leading the web to be understood differently. As the Chinese military’s newspaper wrote just this spring, “Cyberspace is also the space for national security. If we do not occupy cyber territory, others will.”

The danger there is that a uniquely democratic space created for communication and sharing is instead becoming more and more envisioned as a future battleground. That realization proves incredibly frustrating to its founders. Vint Cerf, one of the few folks who can veritably claim to have “invented” the Internet, e-mailed us after reading through an early copy of Ghost Fleet, saying, “First I was angry at the Chinese. Then I got angry at the tech community, including myself, for failure to defend against cyberwarfare…. This is a clarion call to get our act together before fiction becomes fact.”

But this issue may now be beyond the power of the tech community, as the Internet becomes more and more a political issue and arena. That the Internet and war are increasingly intertwined isn’t a positive development for the wonderful World Wide Web that so defines 21st Century life.

There is a potential bright side, however. The more we recognize the very danger and costs of an actual cyber war, the more we can become incentivized to avoid the very cyber conflicts that we are all now gearing up to fight. At a meeting with U.S. officials, a high-ranking Chinese military officer explained how his views of cybersecurity are starting to evolve as each side builds up its cyber powers, but also simultaneously raises the stakes: “The United States has big stones in its hands but also has a plate-glass window. China has big stones in its hands but also a plate-glass window. Perhaps because of this, there are things we can agree on.”