I am currently studying Thomas Rid’s (2012) book ‘Cyberwar will not take place’. It is a great book that resolves many misconceptions that politicians and military thinkers have about the trendy hype-concept called cyberwar.
- It starts with an argument against the use of the term cyber. Rid argues that: “The policy debate’s lagging quality is neatly illustrated by the emergence of an odd bit of jargon, the increasing use of the word ‘cyber’ as a noun among policy wonks and many a uniformed officer. […] Note that computer scientists, programmers, or software security experts do not tend to use the word ‘cyber’ as a noun, neither do technology journalists nor serious scholars.” (ix)
- One of his core arguments is that “political cyberattacks – in contrast to computer crime – are sophisticated versions of three activities that are as old as human itself: sabotage, espionage, and subversion.” (xiv)
- In Chapter 1 he argues that cyberattacks seldom match just one of Clausewitz’s criteria of war. The first is physical violence (“If an act is not potentially violent, it’s not an act of war and it’s not an armed attack – in this context the use of the word will acquire a metaphorical dimension, as in the ‘war’ on obesity…” 1). Second, war is a means to a political end. And third, war is always political: it is about a political will that is to be articulated (“History does not know of acts of war without eventual attribution”). This feature is often lacking from cyber attacks.
- He then goes on to debunk the flashy examples that are often put forward (the 1982 USSR pipeline incident, the 2007 Estonian case and the 2008 war in Georgia) and shows that none of these incidents fulfills the criteria.
- In Chapter 2 he discusses the parasitic nature of code as a way to administer violence (the other three are physical force, energy such as fire, or an agent such as biological weapons). The parasitic nature of code means that “Even the most sophisticated cyberattack can only physically harm a human being by unleashing the violent potential that is embedded in the target system.” (13). With this argument he makes the case that hacking a Predator drone might indeed be a more useful target than a power plant or the public traffic system. Additionally, although the human body is the primary target of most forms of violence, it can only be indirectly affected by cyberattacks (at least as long as there are no neuro-implants).
- The second limitation is that even if a cyberattack administers indirect violence, it will most likely not induce fear and horror, as, for example, the firebombing of Dresden or London did.
- Cyber attacks are therefore just symbolic: “Showing weapons, consequently becomes a crucial part of their use and justification.”
- In Chapter 3 he discusses the nature of cyber weapons and compares simple, off-the-shelf solutions such as DDoS attacks to paint-ball guns: they look like guns, can be bought off the shelf and are just for playing around. They have no real destructive effect. More complex intrusion mechanisms such as those used in Stuxnet are ambivalent: they require manpower and knowledge and are therefore highly specialized (they target specialized hardware, which makes cascade effects very unlikely) and expensive to produce, so that they cannot easily be built by hobby programmers.
- The use of weapons is not restricted to war (think of crime), so he argues that it is counterproductive to talk about cyberwar (it is a dangerous concept), but it might help to talk about weapons. He argues that a tool (such as a hammer) only becomes a weapon “when an actor is intending to use it as such; whether harm is successfully inflicted or not is of secondary concern” (38). The same logic applies to cyber weapons. Intention is also what separates an attack from an accident.
- The victim’s estimation of a weapon’s harm is also important in this relationship.
- Harmful intention is key: the ILOVEYOU worm was not a cyber-weapon because it was not designed to inflict harm, but the Stuxnet virus was.
- Rid argues that there are 3 problems with cyberweapons. 1) The problem of generics, which describes the problem of targeting: a cyberweapon must aim for the middle, affecting enough systems to make a substantial impact without affecting all systems. 2) The problem of intentionality, which is particularly a problem with automated, self-replicating worms. If the author is unable to control the worm, then instrumentality, which is crucial for weapons, is lost. 3) The problem of learning agents: adversaries learn to protect against an entry vector once it has been used.
- Chapter 4 argues that cyber attacks are ideal instruments of sabotage. One key aspect of sabotage is that it is directed not against human bodies but against things, and that it is an indirect form of attack. He proves that by adopting a WW2 CIA definition of sabotage for cyber attacks.
- Traditionally, sabotage has been employed against industrial machines, the same target as that of the many cyber attacks aimed at SCADA systems.
- Chapter 5 deals with cyber espionage, or what Rid calls the most significant form of cyberattack, since empirically the most registered forms of cyber attacks are cases of espionage (the intrusion into a system to extract data). He points to an interesting normalization paradox: complex cyber espionage requires more input in the form of human intelligence (insiders, informers), thus moving cyber espionage more and more out of cyberspace, back into meat space. The outcome is “the better intelligence agencies become at ‘cyber’, the less they are likely to engage in cyber espionage.”
- The reason for that is the dramatic increase of the digital footprint, the increasing amount of data transmitted and stored on the internet. At the same time, the attribution problem reduces the risk of being detected, which leads to more actors engaging in espionage. Additionally, political and economic espionage are increasingly intertwined. (106)
- I skipped chapter 6 on subversion and instead read chapter 7 on attribution. The attribution problem has to do with attributing an attack or malware insertion to an originator. The problem has three levels. The first is technical, at the level of the TCP/IP protocols that chop up data transmitted through the internet into small packets and deliver them to an IP address. Because of various protocol decisions, this traceability is limited. The second dimension is social: even if a packet can be traced to a computer, how do we know who in fact used the computer? The third dimension is political: the Internet penetrates all states on earth, and originators can hide in states with weak legal bodies.
- Rid discusses four scenarios of attribution. 1) Avoiding attribution. Spies have an interest in that. 2) Message attribution, which is used when a group wants to reach a political goal, for example claiming responsibility for a DDoS attack. 3) Correct attribution. If war is based on the idea that an actor tries to coerce another to change its behavior, anonymity is not useful. The exceptions are covert operations. 4) False attribution: a cyberattack could be designed to appear to have a certain origin, where in reality it has another. This would resemble a false flag operation. The conclusion of this analysis is that the attribution problem is a function of an attack’s severity.
- The final chapter warns the reader of analogies that translate complex technical concepts (packets, firewalls, cyberspace) into comprehensible words that are often misleading. He demonstrates that William Gibson’s metaphor of cyberspace was later described by the author as an “effective buzzword…evocative and essentially meaningless” (164).
- He also warns of speech acts that declare cyberspace the ‘fifth domain for battle’, wording that was developed by the Air Force to claim a larger piece of the defense budget. The idea that the Air Force is ‘flying in Cyberspace’ is described by Rid as “ill-fitting”.
- He also argues against the mainstream argument that ‘cyberwar favors the offense’, first because effective attacks are costly, while defense is relatively cheap. Second, because offensive tools such as Stuxnet have a limited lifetime and often are instant-use only. Finally, there is a defensive market emerging that might alter the relationship between offense and defense, because defense was neglected for a long time.
- He rightfully points to the legal ramifications of the cyberwar concept, which is closely linked to espionage and intelligence gathering: this produces a severe tension between the privacy rights of individuals in western democracies and state power.
- His final point is that the U.S. and other states should stop war-mongering and militarizing cyberspace and should instead focus on defense: adopting better industry standards that make the entire infrastructure safer.