- The Strategist - https://www.aspistrategist.org.au -

Cyber(war) wrap

Posted By on July 6, 2016 @ 13:44

Edited image courtesy of Flickr user Carolyn Lehrke

With ASPI’s cyber team flat out like lizards drinking this week, here’s a special edition of the cyber wrap, based on a lecture on cyberwarfare I gave at the ANU earlier this year.

As all good undergraduates know, the first thing you do is to look for definitions. NATO had a crack [1] at a summit in 2014, but didn’t manage to define what constituted a cyberattack for the purposes of an alliance military response. But their official statement [2] was clear in its assessment of the impact of cyberattacks:

‘Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack.’

NATO has good reasons to think about cyberwar after the three weeks of extensive attacks on Estonia in 2007 [3], which saw the Baltic state’s internet connectivity essentially disabled, including the banking system. Russia was widely seen as the culprit [4], and the attacks corresponded with heightened tensions between the countries. Today the NATO Cooperative Cyber Defence Centre of Excellence [5] is located in Estonia, and NATO’s cyber doctrine has evolved [6] in the wake of that incident.

One the reasons that NATO is working through its thinking on the subject is the vexed questions of appropriate and proportionate response to cyberattack. If hostile action is confined entirely to cyberspace, is a physical response justified and, if so, what level of violence is appropriate? NATO’s 2014 statement [7] that a cyberattack could be treated as the equivalent of an attack with conventional weapons (a point reiterated last year [8]) means that:

‘… a digital attack on a member state is covered by Article 5, the collective defence clause. That states that an attack against one member of NATO “shall be considered an attack against them all [9]” and opens the way for members to take action against the aggressor — including the use of armed force — to restore security.’

The AUSMIN talks of 2011 reached a similar conclusion for the ANZUS alliance. Stephen Smith, then Australia’s Defence Minister, observed that [10] ‘a ”substantial cyber attack” on either country would trigger the treaty in a response similar to that following the 2001 terror attacks on the US’. His hawkishness was matched by his American counterpart, Secretary for Defense Leon Panetta, who warned in 2012 [11] that ‘the United States was facing the possibility of a “cyber-Pearl Harbor” and was increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial networks and government’. The Pentagon was similarly belligerent; the Wall Street Journal was told [12] that a cyber attack on domestic infrastructure could generate a kinetic response: ‘if you shut down our power grid, maybe we will put a missile down one of your smokestacks’.

That’s problematic for a number of reasons. First, there’s the question of proportionality [13]. An attack on a military system is one thing—and it might presage a physical attack as well—but if a civilian target such as a power grid or bank is taken down, does that justify a military response such as a bomb on a physical facility, with likely lethal consequences? Perhaps a case exists if there are fatalities due to a cyberattack, such as deaths due to extreme heat or freezing temperatures. But we have to keep this in perspective—power grids fail for all sorts of reasons, and so far squirrels constitute a greater danger [14] to the US power grid than cyberattacks.

Second, cyberattacks aren’t always overt, and are often disavowable. Even if the location from which an attack is launched can be reliably discerned, there’s still the issue of who was responsible; was it state-backed, a ‘citizen’s militia’ or just an individual? It’s not surprising that there’s a live debate about attribution in IT professional [15] and academic [16] circles.

I think there’s still quite a bit of confusion in thinking about cyberwarfare. It’s certainly a new facet of conflict, and there has been a lot of work going on trying to understand what might be a new ‘domain’ in warfighting [17] [PDF]. That’s not just an academic argument about definitions. In a recent evolution in its thinking, NATO declared cyberspace to be a military domain [18] (in addition to land, air and sea), further lowering the bar for a collective defence response to cyberattacks.

Despite all that, I’d argue that cyberwarfare hasn’t yet been fully integrated into strategic thinking. Despite the ‘Pearl Harbor’ type hyperbole that still pops up from time to time, there are more measured voices that argue for a more nuanced approach [19], and caution against invoking defence treaties [20] in response to cyberattacks.

Some analysts doubt that cyberwarfare will ever take place [21], at least as a stand-alone activity. That’s a view I tend to agree with. The 2007 attacks on Estonia were undoubtedly hostile, but ultimately no territory or lives were lost. On the other hand, the Russian military assault on Georgia in 2008, which was accompanied by extensive cyberattacks [22], was unambiguously an act of war. For now at least, I think we’re best off thinking about cyberwarfare as an adjunct to other forms of war.

Further reading

In 2012, ASPI produced an anthology of papers [23] on the consequences of cyberattacks for the ANZUS alliance. More recently, our International Cyber Policy Centre Fellow Jim Lewis provided some thoughts on the role offensive cyber capabilities [24] in cyberwarfare.

Article printed from The Strategist: https://www.aspistrategist.org.au

URL to article: https://www.aspistrategist.org.au/cyberwar-wrap/

URLs in this post:

[1] NATO had a crack: http://www.realclearworld.com/articles/2014/10/20/nato_tries_to_define_cyber_war_110755.html

[2] official statement: http://www.nato.int/cps/en/natohq/official_texts_112964.htm

[3] extensive attacks on Estonia in 2007: http://www.iar-gwu.org/node/65

[4] Russia was widely seen as the culprit: https://www.theguardian.com/world/2007/may/17/topstories3.russia

[5] NATO Cooperative Cyber Defence Centre of Excellence: https://ccdcoe.org/

[6] has evolved: http://www.natolibguides.info/cybersecurity

[7] 2014 statement: http://www.atlanticcouncil.org/blogs/natosource/nato-updates-policy-offers-members-article-5-protection-against-cyber-attacks

[8] reiterated last year: http://www.defensenews.com/story/defense/policy-budget/warfare/2015/03/25/nato-cyber-russia-exercises/70427930/

[9] shall be considered an attack against them all: http://www.nato.int/cps/en/natolive/official_texts_17120.htm

[10] observed that: http://www.smh.com.au/technology/technology-news/canberra-seals-us-pact-on-cyber-wars-20110915-1kbyj.html

[11] warned in 2012: http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?_r=0

[12] Wall Street Journal was told: http://www.wsj.com/articles/SB10001424052702304563104576355623135782718

[13] proportionality: http://www.cfr.org/cybersecurity/developing-proportionate-response-cyber-incident/p36927

[14] squirrels constitute a greater danger: http://cybersquirrel1.com/

[15] IT professional: http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks/

[16] academic: http://www.tandfonline.com/doi/pdf/10.1080/01402390.2014.977382

[17] new ‘domain’ in warfighting: http://www.ccdcoe.org/publications/virtualbattlefield/09_GILBERT%20InfoSphere.pdf

[18] declared cyberspace to be a military domain: http://bigstory.ap.org/article/b7a8330df0114498a1611257d4cb5d58/air-land-sea-cyber-nato-adds-cyber-operation-areas

[19] argue for a more nuanced approach: http://www.aspistrategist.org.au/a-cyber-pearl-harbor/

[20] caution against invoking defence treaties: https://www.kpmgenterprise.co.uk/our-resources/knowledge-centre/articles/cyber-attacks-should-not-invoke-nato-article-v-says-kpmg/

[21] doubt that cyberwarfare will ever take place: https://ridt.co/no-cyber-war/

[22] accompanied by extensive cyberattacks: http://www.atlanticcouncil.org/blogs/natosource/russian-cyber-policy-and-the-war-against-georgia

[23] anthology of papers: https://www.aspi.org.au/publications/special-report-issue-46-anzus-2.0-cybersecurity-and-australia-us-relations

[24] the role offensive cyber capabilities: https://www.aspi.org.au/publications/cyberspace-and-armed-forces-the-rationale-for-offensive-cyber-capabilities

Copyright © 2022 The Strategist. All rights reserved.