One of the staff at my school (King’s College, London) recently published a paper that used Clausewitzian definitions of war to declaim that there has been no cyberwar, cyberwar is not happening now, and cyberwar is unlikely to occur in the future. Of course it is easy to prove a point if you control the definitions and I will stipulate that the idea of two nations engaging in purely network and computer based attacks would result in nothing but fodder for cyber pundits and tech journalists.
But warfare has seen many more permutations throughout history than even Clausewitz may have been exposed to. How would Clausewitz have treated India’s successful pacifist revolt? Would he have said you can’t wage a war by fasting? What about asymmetric warfare - a topic that most academic institutions, including King’s College, are focused on. Or psychological warfare? Clausewitz pre-dated the telegraph (invented six years after his death) let alone radio, television, and the Internet. Could Clausewitz have defined the 50 year protracted Cold War which entailed the largest arms build up ever? Arms that were never used.
One could as easily argue that there has never been a nuclear war. While Japan was the victim of nuclear holocaust it did not have nuclear weapons and was not in a position to retaliate. Japan had been so decimated by August of 1945 that Truman’s war department had difficulty selecting targets worth flattening. Hiroshima and Nagasaki were effective political moves that helped Hirohito depose his military elite and surrender unconditionally. By Clausewitz’s definition it was not nuclear war.
In the ensuing 66 years there have been over 2,000 tests of nuclear weapons (2,053 up to 1998) and an expenditure on the part of the US, USSR/Russia, UK, France, Pakistan, India, North Korea, Israel, and Iran that is measured in trillions of dollars. These countries certainly believe that nuclear attacks are possible and that the only way to prevent them is to have a nuclear capability. Thus a demonstrable stability has been achieved. A conventional war between two nuclear armed countries is unlikely because of the fear of escalation; resulting in a holocaust that neither country would survive.
So, while the likelihood of an all out nuclear war is slim, there is a higher chance, thanks to rogue actors, of nuclear attacks that are not deterred by the threat of nuclear retaliation.
I make this somewhat facetious argument to illustrate a point. I have been tracking the IT security industry since 1995. Changes to the industry come in waves as new threats arise and technology is deployed to counter them. Since 2008 we have entered the era of state response to cyber threats. Arguing about the impossibility of cyberwar is a needless distraction. In a presentation I made to the National Police in Bogota I walked the audience through the phases most countries have already experienced:
1. Wide spread use of computers and the Internet.
2. A wake up call. Note that the most rapidly advancing countries have had the rudest awakening. Think Estonia in 2007. The UK, Germany, and the US also had their initial wake up call in 2007 when they each experienced breaches of key email servers within their governments and militaries. There were earlier warning signs but they went unheeded. William Lynn, the just-retired Deputy Secretary of Defense has claimed that the Pentagon’s wake up call was the USB born malware that infected SIPRNet in 2008; though I imagine the breach of the Pentagon email servers in 2007 was actually what jolted the Pentagon awake.
3. Policy response. Governments move slowly and are only now beginning to see attempts to deal with the inherent vulnerability in critical infrastructure and government military networks. Eugene Kaspersky, speaking at the London Conference on Cyberpace this week, pointed out that he has been warning of the need for better security for the past eight years, as have many security professionals.
The epicenter of the security industry is moving from Silicon Valley, Atlanta, and Tel Aviv, to DC, London, Canberra, and Berlin. Government and military spending, policy, treaties, and legislation will become the drivers of this industry.
Debating the meaning of cyberwar bears little on the fact that governments are going to invest in cyber defenses, cyber intelligence, and yes- offensive cyber weapons. Call it what you will IT security is undergoing a dramatic shift greater than any seen before. To ensure that this transition occurs logically and to the benefit of everyone it is tantamount that the policy makers engage the technologists. IT security experts understand what is possible and what can work. Their guidance must be sought in the formulation of policy, legislation and international cooperation or there will be years of thrashing, bad laws, disastrous breaches, and encroachments of digital freedoms.
