Cyber(war) wrap
6 Jul 2016|

Edited image courtesy of Flickr user Carolyn Lehrke

With ASPI’s cyber team flat out like lizards drinking this week, here’s a special edition of the cyber wrap, based on a lecture on cyberwarfare I gave at the ANU earlier this year.

As all good undergraduates know, the first thing you do is to look for definitions. NATO had a crack at a summit in 2014, but didn’t manage to define what constituted a cyberattack for the purposes of an alliance military response. But their official statement was clear in its assessment of the impact of cyberattacks:

‘Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack.’

NATO has good reasons to think about cyberwar after the three weeks of extensive attacks on Estonia in 2007, which saw the Baltic state’s internet connectivity essentially disabled, including the banking system. Russia was widely seen as the culprit, and the attacks corresponded with heightened tensions between the countries. Today the NATO Cooperative Cyber Defence Centre of Excellence is located in Estonia, and NATO’s cyber doctrine has evolved in the wake of that incident.

One the reasons that NATO is working through its thinking on the subject is the vexed questions of appropriate and proportionate response to cyberattack. If hostile action is confined entirely to cyberspace, is a physical response justified and, if so, what level of violence is appropriate? NATO’s 2014 statement that a cyberattack could be treated as the equivalent of an attack with conventional weapons (a point reiterated last year) means that:

‘… a digital attack on a member state is covered by Article 5, the collective defence clause. That states that an attack against one member of NATO “shall be considered an attack against them all” and opens the way for members to take action against the aggressor — including the use of armed force — to restore security.’

The AUSMIN talks of 2011 reached a similar conclusion for the ANZUS alliance. Stephen Smith, then Australia’s Defence Minister, observed that ‘a ”substantial cyber attack” on either country would trigger the treaty in a response similar to that following the 2001 terror attacks on the US’. His hawkishness was matched by his American counterpart, Secretary for Defense Leon Panetta, who warned in 2012 that ‘the United States was facing the possibility of a “cyber-Pearl Harbor” and was increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial networks and government’. The Pentagon was similarly belligerent; the Wall Street Journal was told that a cyber attack on domestic infrastructure could generate a kinetic response: ‘if you shut down our power grid, maybe we will put a missile down one of your smokestacks’.

That’s problematic for a number of reasons. First, there’s the question of proportionality. An attack on a military system is one thing—and it might presage a physical attack as well—but if a civilian target such as a power grid or bank is taken down, does that justify a military response such as a bomb on a physical facility, with likely lethal consequences? Perhaps a case exists if there are fatalities due to a cyberattack, such as deaths due to extreme heat or freezing temperatures. But we have to keep this in perspective—power grids fail for all sorts of reasons, and so far squirrels constitute a greater danger to the US power grid than cyberattacks.

Second, cyberattacks aren’t always overt, and are often disavowable. Even if the location from which an attack is launched can be reliably discerned, there’s still the issue of who was responsible; was it state-backed, a ‘citizen’s militia’ or just an individual? It’s not surprising that there’s a live debate about attribution in IT professional and academic circles.

I think there’s still quite a bit of confusion in thinking about cyberwarfare. It’s certainly a new facet of conflict, and there has been a lot of work going on trying to understand what might be a new ‘domain’ in warfighting [PDF]. That’s not just an academic argument about definitions. In a recent evolution in its thinking, NATO declared cyberspace to be a military domain (in addition to land, air and sea), further lowering the bar for a collective defence response to cyberattacks.

Despite all that, I’d argue that cyberwarfare hasn’t yet been fully integrated into strategic thinking. Despite the ‘Pearl Harbor’ type hyperbole that still pops up from time to time, there are more measured voices that argue for a more nuanced approach, and caution against invoking defence treaties in response to cyberattacks.

Some analysts doubt that cyberwarfare will ever take place, at least as a stand-alone activity. That’s a view I tend to agree with. The 2007 attacks on Estonia were undoubtedly hostile, but ultimately no territory or lives were lost. On the other hand, the Russian military assault on Georgia in 2008, which was accompanied by extensive cyberattacks, was unambiguously an act of war. For now at least, I think we’re best off thinking about cyberwarfare as an adjunct to other forms of war.

Further reading

In 2012, ASPI produced an anthology of papers on the consequences of cyberattacks for the ANZUS alliance. More recently, our International Cyber Policy Centre Fellow Jim Lewis provided some thoughts on the role offensive cyber capabilities in cyberwarfare.