Modern Military Strategy
Page 28
• The manual also addresses the question of when a cyber attack would be considered an ‘armed attack’, thereby lawfully allowing for a war decision in response (Article 51 of the UN Charter). The experts, as expressed in the Tallinn Manual, made the following determinations:
a Whether a cyber attack reaches the threshold of an armed attack should be made based on scale and effects.
b The parameters of the scale and effects criteria remain unsettled beyond the fact that it is necessary to distinguish between the most grave and less grave forms of the use of force.
c Any use of force that injures or kills people or destroys property would satisfy the scale and effects requirement.
d An attack on a single military platform or installation might qualify as an armed attack.
e Cyber intelligence gathering, cyber theft and cyber operations that cause a brief interruption of non-essential services would not qualify as an armed attack.
f An armed attack must have a transborder element.
g The right to self-defence extends to situations when the attacker is a non-state actor.
h A response to cyber attack that meets the threshold of armed attack may be kinetic or non-kinetic in nature, i.e. using conventional or cyber means.
• Although Estonia was the target of persistent cyber operations in 2007, the law of armed conflict did not apply because the situation did not rise to the level of an armed conflict.
See: Michael N. Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge: Cambridge University Press, 2013); Andrew C. Foltz, ‘Stuxnet, Schmitt Analysis, and the Cyber “Use-of-Force” Debate’, Joint Force Quarterly (Winter 2012), 40–48.
The question of when offensive activities in cyberspace become an act of war is an important one because under international law, Article 51 of the UN Charter, the use of force in self-defence (cyber or kinetic) is allowable ‘if an armed attack occurs’. Moreover, pre-emptive military activity – that is, anticipatory self-defence – is permitted if an armed attack is imminent but has not actually already occurred. American scholars have stressed that in assessing whether to respond to a cyber threat the United States should not make a distinction between methods of attack, between cyber and kinetic tools, but should focus on effect.37 The National Research Council concurs that notions related to ‘use of force’ and ‘armed attack’ should be judged primarily by the effects of an action, rather than its modality.38
Looking at effect, much of what is loosely called a cyber attack or cyberwar would not pass muster as an ‘attack’ in the other domains. The intrusions are hacker, espionage or criminal in nature and are better characterized as a network irritant than an act of war. Legal scholars have argued that we can begin to distinguish between a criminal act and an act of war in cyberspace if we define war in cyberspace as something that produces the equivalent effect as an armed attack. From this perspective, the thresholds for war or attack should not be very different from war in a kinetic environment. An action that did not directly cause substantial death or physical destruction (or was not imminently about to do so) would be unlikely to qualify as an armed attack.39 Others have relaxed the terms slightly, arguing cyber activities that could result in casualties or a regional power failure, such as planting logic bombs on the US electrical grid, may be considered warfare.40
Consequences
Current US doctrine is unclear on what the consequences would be for a state launching a cyber attack that is deemed to be an armed attack. Some have proposed a response using conventional armed forces. Others recommend replying in kind through cyber means. Regardless, the commander of US Cyber Command and many others point out that a response would be conducted in accordance with longstanding rules and principles of war, including proportionality, discrimination and necessity. The latter refers to anticipatory self-defence (noted above) and dates to the early 1800s; the former two are familiar from Just War Doctrine and date back centuries. Proportionality weighs the use of force, in this case CNA, against the minimum necessary to achieve the military goal, while discrimination weighs the use of force against the likelihood of collateral (i.e. civilian) damage. Lynn has pointed out the need for clear rules of engagement for responding to cyber attacks, based on a determination of ‘what action is necessary, appropriate, proportional and justified in each particular case based on the laws that govern action in times of war and peace’.41 The US National Research Council has gone into more detail, noting that limitations mandated by the laws of armed conflict regarding, among other things, the differentiation of targets, military necessity and limiting collateral damage would apply in cyberwar. ‘If it was legitimate to attack a target with kinetic weapons, it remains legitimate under the laws of armed conflict to attack it with cyberweapons.’42
Imminence
This seemingly straightforward framework is complicated by additional factors, not least the fact that imminence, difficult to determine in any non-conventional war, is an even more challenging one when it comes to cyberwar. How do you determine that an attack is imminent? What degree of certainty is needed before authorizing a response? After the 9/11 terrorist attacks attempts were made at the multilateral level to adjust the concepts of necessity and imminence to the reality that an impending terrorist attack is far less visible than a traditional army massing on the border.43 A similar effort, ideally encompassing some general benchmarks (such as the discovery of numerous logic bombs), will be required with respect to cyberwar.
Attribution
Even if it is deemed that an armed attack has taken or imminently will take place, responding is complicated by the difficulty, in the cyber world, of assigning attribution. Today we still speak of the ‘alleged’ Russian attacks on Estonia because the identity of the attackers remains unclear. Attribution is the major stumbling block when it comes to adjusting the concept of deterrence to cyberwar. Without knowing the identity of the attacker, it is hard to threaten retaliation. The US military has set a goal of deterring adversaries from using offensive capabilities against US interests in cyberspace, and is improving its ability to locate the sources of electronic attack. Nonetheless, US officials believe deterrence by denial – making defences effective enough to deny adversaries the benefit of an attack despite the strength of offensive tools in cyberspace – will be more effective than deterrence by punishment or imposing costs of retaliation.44
Utility
Questions have also been raised about the utility of cyber attack as a tool of warfare. Growing redundancies in the systems that control critical infrastructures mean that the degree to which they are vulnerable to an ‘electronic Pearl Harbour’, a scenario presented in such books as Richard Clarke’s 2010 Cyber War, may be overstated. ‘Just because trivial attacks are easy to mount in cyberspace’, notes one scholar, ‘does not mean that consequential infrastructural attacks are also easy’.45 At the same time, cyber capabilities are ‘perishable’ in the sense that as soon as an offensive cyber weapon is detected, the victim can disarm it and decode its mechanism. Offensive cyber weapons thus have a ‘use-and-lose’ quality to them. Moreover, without physical destruction, the damage they inflict will have only a short-term impact on their target.
Unpredictability
Finally, even if the utility of cyberwar as an effective instrument of warfare can be determined, planners may be reluctant to wage cyberwar because of the unpredictable nature of the cyber instrument. Should a cruise missile be used to strike an adversary’s command and control centre, we can know with certainty some other facility around the corner or around the world will not also blow up as a result of that missile. But predicting the effects of a CNA on a complex set of computer systems can be far more difficult. A virus intended for another country’s computer system could accidentally contaminate one’s own or that of an ally. The effects of cyberspace weapons are global in nature and cannot necessarily be contained to a specific geographic theatre. There is the potential for unintended co
llateral damage and unintended effects, making the use of cyber attack risky. Notes one senior US military official, when it comes to military weapons one wants a predictable time and effect, something that is difficult to achieve in the cyber domain.46 The Stuxnet virus gives a possible counter example, targeting only a particular programmable logic controller made by Siemens that is prevalent in Iranian nuclear plants, and Clarke has gone so far as to describe the worm as a ‘precision guided munition’.47 Still, of the 100,000 hosts affected, 40,000 were outside of Iran, including some in the United States, indicating the potential for collateral or unintended damage.
The plausibility of strategic cyberwar
War, Clausewitz reminds us, is an act of force to compel the enemy to do our will. The growing digital interconnectedness of the world, combined with vulnerabilities created by dependence on digital systems, has spawned debate over whether cyber capabilities can act alone as an effective tool of war. Echoing early airpower enthusiasts – who argued wars might be won by airpower alone, reducing the need to send in soldiers and making warfare almost bloodless – those who foresee strategic potential for cyberwar argue it can compel the enemy to do one’s will by inducing a ‘paralytic effect onto an enemy nation, pushing it into chaos and mayhem’, thereby achieving the desired ends ‘with virtually no application of physical force’48 (see Box 8.4). In such a scenario cyber capabilities would be used not just at the military tactical level in the context of the conduct of war as discussed above, but also at the operational and strategic levels, targeting the enemy population and government. The approach is often framed in terms of Clausewitz’s concept of trinitarian war, whereby to be victorious one must effectively target a trinity of the people or the will to fight, the army or the means, and the government.
Box 8.4 Cyberwar: a scenario
• Some foresee cyber attack alone as being able to compel the enemy to do our will. One storyline from the 1990s, typical of scenarios envisioned then and now, is as follows:
• ‘The crisis: A Middle East state decides the time is ripe for a power grab in the Persian Gulf and directs its threat to an oil-rich neighbor that the United States is pledged to protect. Determined not to repeat Saddam Hussein’s mistake, the aggressors elect not to challenge America in a head-on military confrontation. Instead they prepare a more insidious assault … a pattern of computer mayhem begins to emerge in a cascading sequence of events.’
• ‘The attack: A three-hour power blackout in a Middle Eastern city has no reasonable explanation; computer-controlled telephone systems in the United States “crash” or are paralyzed for hours; misrouted freight and passenger trains collide, killing and injuring many passengers; malfunctions of computerized flow-control mechanisms trigger oil refinery explosions and fires … electronic “sniffers” sabotage the global financial system … causing stocks to plunge on the New York and London exchanges.’
• ‘In America, local automatic teller machines begin randomly crediting or debiting thousands of dollars to customers’ accounts; as news spreads across the country, people panic and rush to make withdrawals … Computerized dial-in attacks paralyze the phone systems at bases where U.S. troops are scheduled to begin deployment; various groups flood the Internet calling for massive rallies to protest U.S. war preparations; computers at U.S. military bases around the world are stricken – slowing down, disconnecting, crashing; more ominous, some of the military’s most sophisticated computer-controlled weapon systems are exhibiting flickering screens …’
See: Ann Shoben, ‘Information Warfare: A Two-Edged Sword’, RAND Review, Autumn 1995, www.rand.org/pubs/periodicals/rand-review/issues/RRR-fall95-cyber/infor_war.html, accessed 18 December 2015.
The problem is that purveyors of such doomsday scenarios fail to make the connection between means and ends – between being able to wreak mayhem and how such mayhem would lead to achieving the desired goal. Those who argue cyber warfare will have a strategic effect by acting as the primary means to achieve conventional ends fail to convincingly outline the logic of consequences as to how this could come about. An ability to create chaos does not mean that chaos will be created since simple chaos is not the end goal. In the scenario above, for example, the goal is a terrestrial ‘power grab’. ‘It is one thing for opponents to interrupt a country’s infrastructure, communications or military coordination and planning. It is another to ensure the damage translates into a lasting shift in the balance of national power or resolve … [D]urable harm … will occur only if cyberwar is accompanied by terrestrial military force or other actions designed to capitalize on any temporary incapacity.’49 Viewed in this regard, rather than having revolutionary effect the internet promises simply to extend existing international disparities in power and influence. Cyberwar’s chief beneficiaries are likely to be nation-states with strong conventional military capabilities, as opposed to marginal powers or weak states.
Cyberwar and non-state actors
While cyberspace probably changes less in the world of states than is often thought, it does have the potential to significantly alter relations between states and non-state actors, and among non-state actors.50 In their 1993 article ‘Cyberwar is Coming!’ Arquilla and Ronfeldt first raised the idea of ‘netwar’ as referring to ‘societal-level ideational conflicts waged in part through internetted modes of communication’.51 In later work they argued the rise of networked forms of organization, made possible by new information technology, meant that power was migrating to small, non-state actors who can organize into sprawling networks more readily than traditionally hierarchical nation-states.52 The highly prolific idea that protagonists would use networked forms of organization, operating in small groups from dispersed but interconnected locations, all but foretold the rise of al Qaeda and its mode of operation.
Digital information technology has enhanced the power of non-state actors to network regionally and globally, and to reach a wide audience in a manner once confined to state actors. But whether terrorists will use cyber approaches as a tool of warfare is another question. In the 1990s and 2000s, and even today, the case was and is made that terrorists could target critical infrastructures, asymmetrically striking the vulnerabilities of stronger state actors. Cyberspace, the argument went and goes, represents the death of distance and the end of national borders; terrorists no longer have to be physically present to strike at the heart of a state actor.53
Yet it is not clear that terrorists seek to use cyber capabilities as an offensive weapon. After 9/11 experts pointed out that many states found terrorist cells working within their borders and while these cells reportedly planned attacks using chemical, biological and radiological weapons, none had planned attacks using cyber weapons. Notes one expert: ‘The contrast between the thousands of terrorist attacks, tens of thousands of computer hacking incidents and an absence of cyber terror or cyber attacks on infrastructure, is striking and suggestive. It suggests … that cyber terror or cyber attacks on infrastructure are an unlikely threat.’54 One reason may be that cyberwar is not well suited to the effect terrorists seek to create. Terrorism is a strategy of the weak and relies on the creation of fear, panic and a psychological shock and horror of a physical attack to achieve its objectives. But, argues one scholar, how terrifying is a cyber attack? Taking out the power and banking system will provoke anger and frustration, but not horror. ‘The very attributes that make cyberwar appealing in the abstract – the sanitary nature of interaction, the lack of exposure to direct harm, and strikes from remote locations – all conspire to make cyberterrorism less than terrifying.’55 This factor, combined with the difficulty of achieving strategic objectives with cyber tools – Stuxnet required the collaboration of two strong governments – makes strategic cyber terrorism unlikely. Some go so far as to argue terrorists might avoid cyber warfare altogether because of the risks it would place on their ability to communicate and maintain their network.56
Conclusion
Strategic thought on cyberwar, on ho
stile action in cyberspace, is in its infancy. Largely denied in the 1990s as an area of activity, after the turn of the century offensive information warfare or CNA became an area of growing strategic focus. Driven by the desire to develop asymmetric offsets to American power, one of the earliest strategic thinkers in this area was the PLA. Martin Libicki and John Arquilla and David Ronfeldt of RAND have also produced several works in the area, as has the US military community writ large, including high-ranking military officers, civilian officials, and scholars. Strategic thought on the cyber dimension of war accelerated in the 2010s.
Cyber attack’s close connection with intelligence gathering, and the fact that a CNA, once launched, is almost immediately susceptible to enemy counter defences and offensive approaches, means that many views on the conduct of war in this environment remain classified. That said, it is possible to identify some common themes: cyberwar is largely the domain of state actors; it is best suited to offensive strategies, and even defensive approaches should paradoxically be pursued in an active or offensive manner; speed, manoeuvre and agility are important factors in cyberwar, which is best carried out in the opening phases of a conflict, or even pre-emptively; cyberwar is non-incremental in nature; once conflict has started, cyber attacks should be conducted in parallel or simultaneously with conventional strikes, closely synchronized for maximum effect; and sharp learning curves on the part of the targeted party dictate that cyberwar is well suited to surprise and a one-time bolt from the blue.
These themes drawn from the unclassified literature no doubt only scratch the surface of the true depths of contemporary strategic thought on cyberwar. The particular nature of CNA is such that we are unlikely to see an official treatise any time soon on how best to carry out war in the cyber dimension. Future facets of cyberwar are more likely to be revealed in real-life experiences, which ultimately provide the most instructive venue for understanding the conduct of war in the cyber domain.