Fear and War in Cyberspace

Lawfareblog.com

Cyberwar is all the rage, and with it, questions abound on what new technologies may mean for society and—Lawfare’s specialties—the implications of these technologies on surveillance, privacy, intelligence, and the laws of war. However, we may have rushed to explore the trees without looking at the overall forest. Erik Gartzke offers here a short version of his longer article on cyberwar, arguing that its importance as a coercive tool is limited at best, and that these technologies favor the strong (i.e. us), not the weak.

Erik Gartzke is Professor of Government at the University of Essex and Associate Professor of Political Science at the University of California San Diego.

In the depths of the depression, President Franklin Delano Roosevelt cautioned Americans against letting their imaginations loose on the unknown.  “The only thing we have to fear is fear itself.”  Contemporary leaders are instead telling Americans to be afraid.  Former U.S. Defense Secretary Leon Panetta warned that “the next Pearl Harbor…could very well be a cyber attack.” Press reports indicate that U.S. federal spending on cyber security will grow by roughly $800 million (to $4.7 billion) next year, even as the overall Pentagon budget is cut by $3.9 billion.

Should we fear cyberspace?  The internet is said to be a revolutionary leveler, reducing the hard won military advantages of western powers, even as the dependence of developed nations on computer networks leaves them vulnerable to attack.  Incidents like the Stuxnet worm and cyber attacks against U.S. government computers, apparently launched from servers in China, seem to testify to the need for concern.  Yet, even if these details are correct—and some are not—there is no reason to believe that the internet constitutes an Achilles heel for the existing world order.  To the contrary, cyberwar promises major advantages for status quo powers like the United States.

Contrasting a Logic of Possibilities with a Logic of Consequences

The ability to harm is ubiquitous.  Anyone passing on the street could just punch you in the face.  Still, violence is relatively rare in large part because little is typically gained from most potential uses of force. Perpetrators must ask not just “what harm can I inflict?” but “how can I benefit by inflicting harm?”  In short, cyberwar requires a logic of consequences.  Just as a morbid fear of being sucker punched at random may be misplaced, concern about cyberwar can be exaggerated if there is little to suggest how internet aggression can be of benefit to potential perpetrators.

Efficacy separates the widespread potential for harm from actual aggression.  Nations, groups and persons threaten force to influence, compelling others to cooperate or deterring aggression.  Violence is also exercised to alter the balance of power.  If the damage inflicted is temporary, however, then aggression must be followed up with other actions, or an attack serves no purpose.  Creating “a window of opportunity” cannot matter unless one intends to exercise the opportunity.

Fighting on the Internet

In isolation, the internet is an inferior venue for achieving objectives traditionally associated with military violence, particularly coercion.  Traditional military capabilities are observable.  Armies can be seen standing near city gates.  Missiles can be observed in firing positions ready to launch.  Capability coerces precisely because the effects of a contest can be anticipated.  A city does not need to be stormed for inhabitants to imagine the consequences of an attack.  Cyber coercion is problematic because capabilities are difficult to communicate without harming military potency.  Targets cannot assess credibility unless they are given access to details of a planned cyber attack, but attackers cannot share this information with defenders without undermining their own attack.  If instead a defender accedes to unverified threats, then it will invite a multitude of false claims.

Harm threatened can compel if it is credible and does not weaken the exercise of force.  Harm inflicted can be used to threaten future harm, but only if the act of harming is a good indicator of future effectiveness.  This works pretty well with war elephants, infantry brigades or high speed penetrating bombers, where capability is not determined by whether the enemy knows they exist.  But again the success of cyber aggression is unusually reliant on conditions of surprise and even an internet attacker that has succeeded before can be tempted to bluff if bluffing will be believed.

The bigger issue, however, is that the effects of internet attacks are temporary.  Unlike a rocket strike on an oil refinery or demolition of critical elements of the transportation grid, cyber attacks generally achieve “soft kills,” temporary incapacitation that can be reversed relatively quickly at moderate cost.  Unless it has a lasting effect on the balance of power, internet aggression serves either as an irritant, or as an adjunct to other, more traditional, forms of coercion or force.

Imagine that some unspecified cyber attack disables communication or transportation nodes in a target country.  What then?  While inconvenienced, the target will eventually get the lights back on and vehicles running.  The target will then attempt to retaliate.  Permanent harm inflicted over the internet can weaken an opponent and serve as a motive for aggression.  Yet, harm inflicted over the internet, or at Pearl Harbor for that matter, only benefits the attacker if it can extract concessions from the target, or if the attack can be made to permanently weaken an opponent.

Considerable damage was done to the U.S. Pacific Fleet in the Pearl Harbor attack, but it failed to force the United States to be bargaining table, a critical component of Japan’s grand strategy. Though Japan’s leadership knew that total war with the United States would result in their defeat, they hoped for a limited contest.  Cyberwar with no follow-on strategy is much more foolish than the Japanese plan in 1941 to the degree that the effects of an attack can be repaired more quickly.  Any attack over the internet must either convert short-term advantages into long-term effects, or wager that the enemy will accept defeat in cyberspace lying down.  A cyber Pearl Harbor has no purpose unless it is accompanied by a terrestrial attack precisely because the target is capable and is destined to respond to any serious attack with a vigorous reprisal.  If the target is unlikely to succumb to traditional forms of aggression, then cyber attack makes very little sense, either.

Cyberwar Benefits the Strong

While many can imagine a cyber attack on the United States, few find it practical to speculate about physical invasion of U.S. territory.  Yet, short of invasion, all that can be achieved by cyber attack are the kinds of pin pricks that anger and mobilize an enemy, rather than leading to concessions or defeat.  It is far less difficult to imagine powerful nations invading weaker states.  It is thus as an adjunct to existing capabilities that cyberwar is destined to prove most useful.

1.  Cyberwar is an adjunct to existing forms of warfare.

By itself cyberwar fails to conquer or compel.  Internet aggression can harm and may even lay open an opponent to attack, but it does not actually physically subdue.  Without access to this final arbiter of competition, the use of cyberwar can even be a liability, like bringing a knife to a gun fight.  Unless or until cyberwar can serve as a final arbiter of conflict, there is no reason to believe that warfare on the internet will remain on the internet, unless both sides prefer this to be the case.  But if opponents choose to keep conflict on the internet, this implies that the stakes are not (yet) high.  Traditional forms of power create the discretion to escalate or contain cyberwar.

With this reasoning in mind, we can reassess the incidents of cyberwar that have occurred to date. Chinese cyber attacks on U.S. computer facilities—as with the bulk of internet conflict—involve espionage or other low-level, and circumspect, harassment.  More concerted attacks, such as the Stuxnet worm and denial of service attacks against Estonia and Georgia, involve stronger states confronting much weaker opponents.  As the aggressor, the capable state is either using cyberwar in conjunction with more traditional forms of military violence to exploit and convert temporary advantages into permanent ones, or the capable state is using the prospect of traditional forms of military violence to deter retaliation and control escalation from the target of cyber attack.

2.  The potential effectiveness of cyberwar hinges on conventional forms of power.

Cyberwar is a weapon of the strong, not the weak.  States with capable conventional militaries or economic clout are best positioned to exploit windows of opportunity created by cyber attack.  Capable states are also best equipped to deter or defend against cyber attack through asymmetric threats or uses of force.  The internet age thus increases, not undermines, existing hierarchies.

A frequently voiced concern is that cyber attacks might undermine the effectiveness of existing military capabilities.  Ships might not be able to put to sea and aircraft could be grounded should enemy hackers be able to interfere with military command-and-control or computing systems.  The issue again is not what is possible, but what consequences might follow from such an attack.  Cyber attacks of this type would tend to produce what scholars call “defense dominance,” which paradoxically tends to make world affairs more, rather than less, stable.  If cyber attacks make it hard for a powerful country to use its military offensively, then aggression, and thus change, are more difficult.  Again, unless one believes that temporary damage can be made permanent, or wants to argue that an enemy will use the incapacitation of military forces to physically invade a powerful country, then cyber attacks of this type, while inconvenient, are ultimately futile acts.

The actions, as opposed to the rhetoric, of U.S. policy makers already reflect these facts.  While officials in the United States are certainly interested to protecting the nation from cyber attack, billions of federal dollars are flowing into offensive cyber capabilities.  Instead of behaving like an insecure and vulnerable target, U.S. security policy appears to reflect recognition of the major offensive advantages that cyberwar promises to a major military power.  If I am correct, then U.S. cyber operations will function as a complement to, rather than a substitute for, more traditional forms of military violence.  Whether this substantial investment in offensive cyber capabilities is a good idea or not remains an open question, one that is poorly served by misconceptions about the nature of internet conflict, or analogies that appear designed to frighten rather than inform.

Additional Reading

Blainey, Geoffrey.  The Causes of War (New York: Free Press, 1973)

Gartzke, Erik.  “The Myth of Cyberwar:  Bringing War in Cyberspace Back Down to Earth,”  International Security, Vol. 38, No. 2 (Fall 2013), pp. 41-73.

Lindsay, Jon.  “Stuxnet and the Limits of Cyber Warfare,” Security Studies, Vol. 22, No. 3 (August 2013), pp. 365–404.

Rid, Thomas.  “Cyber War Will Not Take Place,” Journal of Strategic Studies, Vol. 35, No. 1 (February 2012), pp. 5–32.