Last week, we attended a workshop on Information and Cyber Warfare, organised by the S. Rajaratnam School of International Studies (RSIS) in Singapore. Bringing together speakers from a range of countries and backgrounds, it discussed different aspects and trends of ‘cyber war’ in Asia—a hot topic for governments, agencies and the analytical community. Refreshingly, the debate refrained from the usual hype about the impending ‘cyber Pearl Harbor’ and cyber war as an inevitable ‘game changer’ in the region. Instead, there was a broad consensus about the need for a less alarmist and much more systematic debate on the subject. Indeed, the Australian strategic debate would also profit from a more measured analysis of ‘cyber war’ and its utility for statecraft.
Doing so is important for a number or reasons. First, the Australian debate has had a tendency to adopt the gloomy narrative that ‘cyber warfare’ is already upon us, allowing hostile state and non-state actors to almost strike at will at highly connected and therefore vulnerable modern societies. But while there’s no doubt a great deal of malicious cyber activity is taking place, none of these actions has constituted an act of war. Second, the proposed solutions to this new menace are significant financial and institutional investments in offensive and defensive cyber capabilities to ‘deter’ in the ‘cyberspace cold war’. We wouldn’t be surprised if Defence were feeling a strong temptation to adopt a military ‘Cyber Command’ model, akin to developments in the US and elsewhere. Third, in the face of the analytically very complicated but often vague cyber environment, pressure is high on policy-makers to ‘do something’ against the ‘growing cyber war threat’. But ‘war’ is the most fundamental form of conflict in the international system, so it’s essential that sober analysis of the real potential of cyber warfare as a tool of statecraft prevails.
To be sure, we certainly wouldn’t trivialise the impact of cyber operations on countries’ security and defence policy. We recognise, for example, that China’s extensive ‘cyber espionage’ activities have already poisoned Sino-US strategic relations. Indeed, in a volatile state of crisis between countries, cyber espionage could well be the trigger for states to go to war. But espionage isn’t an act of war. Neither was the Advanced Persistent Threat (APT) ‘Stuxnet’, a highly sophisticated malware worm that partially sabotaged Iran’s nuclear enrichment program, but which was rapidly neutralised. The fact that it was apparently a US–Israeli state-led operation didn’t make it ‘cyber warfare’ even though it demonstrated the growing capability and sophistication of cyberweapons. The 2007 Russian cyber attacks against Estonia certainly caused temporary problems to Tallinn’s online banking and government infrastructure. But again, it didn’t constitute a case of cyber warfare, despite contrary claims made by the Estonian government at the time. Finally, cyber espionage and cyber crime do cause considerable economic damage but unless they threaten the very existence of the state they also shouldn’t be considered a war.
This leads to the critical issue of how to define ‘cyber war’. In our view, it’s unhelpful to classify any form of attack by a state or non-state actor against another state’s computer or information systems as ‘cyber warfare’. Instead, the ‘cyber war’ should reflect traditional understandings of what constitutes an act of war. That is, states use or threaten the use of military force to deter or compel an adversary. It’s about imposing their will on the enemy. Further, military force can be used to alter or maintain the balance of power. ‘Cyberwar’ would require a clear political objective.
If we apply these more restrictive, Clausewitzian criteria, it becomes apparent that ‘cyberwar’ doesn’t revolutionise warfare. Indeed, it’s hard to see how ‘cyberwar’ can be utilised as a political instrument other than as an adjunct to conventional, terrestrial operations. The current crisis in Crimea proves this point. Apparently Russia infiltrated Ukrainian government computer networks with the ‘Snake’ cyberespionage tool kit. But much more consequential and worrisome for the international community is the physical intervention of Russian troops in Crimea.
Cyber operations alone can’t inflict enough damage to defeat a sophisticated country such as the United States or Australia. And the RAND Corporation isn’t alone in pointing out that cyberattacks as a means of deterrence and coercion face serious limitations, not least because of the lack of attribution, and understanding the intent of an attacker. Even the assumption that offensive cyber operations provide enormous advantages to the attacker is questionable. It has been argued that ‘cyber warfare’ provides less powerful states with an ‘asymmetric’ advantage against more advanced powers, but this assumes that those advanced powers haven’t invested in their own cyber capabilities. Nations such as North Korea can certainly enhance their espionage activities and create disruption via cyber operations, but ultimately they can’t fight solely in cyberspace and would simply loose a conventional war with more advanced states. In short, fighting a ‘cyber war’ in isolation from conventional military operations would be of limited utility.
That’s very likely the reason there hasn’t been a case of ‘cyber warfare’ in the Asia-Pacific region. ‘Cyber warfare’ in itself won’t change the regional power balance, although cyber espionage has the potential to allow opponents to understand others’ military capability and to design forces to counter their conventional force. However, Asia-Pacific powers are engaged in an intense ‘cyber competition’ (PDF). This is worrying, as it fuels mistrust and misperception among the regional players. And the strategic narrative of ‘cyber war’ isn’t helping either.
What does this all mean for Australia’s approach to ‘cyber warfare’? While the ADF is certainly wise to invest in capabilities to protect its critical information infrastructure in both war and peacetime, Australian strategic decision-makers would be well-advised to keep a cool head and to see through the fog of cyber warfare. Cyber won’t transform the nature of conflict and military operations nearly as much as did the advent of nuclear weapons. Those who argue otherwise need to make a better case for why that’s theoretically possible and likely.
Tobias Feakin is a senior analyst at ASPI and Director of the International Cyber Policy Centre. Benjamin Schreer is a senior analyst at ASPI. Image courtesy of Flickr user watchingfrogsboil.