Tag Archive for: cyberwar

Is this how World War III begins?

In October, Facebook and its related social media platforms went down in mysterious circumstances for six hours. On the same day, China sent 52 military aircraft into Taiwan’s air defence zone, the largest and most provocative incursion yet. If military theorists are correct, headlines like these will be the precursor to World War III.

A Chinese invasion of Taiwan is a scenario that many fear will be the catalyst for the next major international war. And most pundits believe cyber warfare will play a major role in such a conflict, or indeed any future international wars. So a cyberattack that knocks out the American media to hide or distract attention from a Chinese move against Taiwan is not unrealistic.

To be clear, there’s no suggestion that the Facebook outage and the Chinese incursion were linked. But it’s a timely reminder of how vulnerable our networked world is to cyberattack. What role would cyberwarfare play in a future conflict, and is it as important as traditional ‘kinetic’ military operations?

There are three ways in which cyberwarfare may play a role: as an alternative to, as an opening gambit of, or alongside kinetic operations.

Some believe that the emerging theatre of cyberwarfare will completely displace traditional military operations, or indeed that it has already happened. That might be true, but if so it isn’t much to worry about. Shutting down Facebook, closing an oil pipeline or interfering with the operations of a power plant, airport, bank or factory are all disruptive and costly. But the damage is temporary, and the world moves on. Cybercrime is part of the background noise of a modern economy, whether instigated by lone hackers, organised crime groups or state actors. But that’s not to say it has no cost.

Defending against and dealing with cyberattacks are a drain on economic growth, but modern nation-states are robust and resilient institutions. If cyber operations are the sole plan a nation adopts to defeat an enemy, it would take a very long time and would certainly involve reciprocal action against the initiating side that might be similarly damaging. If that’s what World War III will be, we can rest relatively easy at night.

Of course, a highly effective cyberattack might shut down an entire country for some time. Imagine the disruption to a modern developed economy if it lost power, communications and access to the internet all at once and it continued for months. But such an attack would be so devastating that the victim would likely feel a line had been crossed and that it was an overt act of war. Retaliation probably wouldn’t be limited to cyberspace.

Cyber operations could facilitate kinetic operations (like an invasion of Taiwan, for example) by disrupting the other side’s communications so that its military hardware was temporarily powerless to respond. Modern military forces are blind without radar and satellite imagery, deaf without the internet and mute without secure telecommunications systems. In a short war, this might be all that’s needed. If Taiwan was temporarily blinded by a cyberattack, in a month the country might be overrun, without the Taiwanese getting off a shot.

But in a longer war, any benefit of throwing the first cyber punch will be temporary. Systems will inevitably be restored or workarounds found. A ship at sea can fire its guns and missiles without satellites. Tank crews and ground troops were perfectly capable of raining death on their foes before the internet. In World War II, Germany landed a devastating first blow on the Soviet Union in June 1941 when it launched a surprise attack—Operation Barbarossa—that caught the Soviet air force on the ground and their troops unprepared. Japan was also successful at knocking out large parts of the American Pacific Fleet at Pearl Harbor in a surprise raid. These initial successes didn’t bring the Axis victory. The greater resources of the Allies meant they recovered, wore down their enemies and crushed them. A cyber Pearl Harbor is no guarantee of enduring success.

In a long, drawn-out modern war, cyber operations will play a part. Military forces may no longer be able to rely on the satellites they have grown so dependent on. Expensive weapons platforms that rely on modern communications to operate may prove a wasted investment compared to old-fashioned tanks, guns and artillery.

But cyber operations are unlikely to be decisive on their own. For years, airpower enthusiasts were predicting that strategic bombing would replace the need for traditional ground operations. We’re still waiting. Airpower alone has never won a war (as distinct from contributing to victory). Events are normally decided on the ground. In the same way, future wars are unlikely to be decided in cyberspace alone.

The real danger of cyberwarfare is not that it will replace kinetic operations, but that it will incite them. The line between war and peace is reasonably clear when dealing with tanks, warships and aircraft, but it is grey when dealing with malware and online bots. If countries feel safer engaging in conflict behind the veil of anonymity provided by the internet, the risk of a catastrophic miscalculation increases.

Can cyberwarfare be regulated?

Whether or not a conflict spirals out of control depends on the ability to understand and communicate about the scale of hostility. Unfortunately, when it comes to cyber conflict, there’s no agreement on scale or how it relates to traditional military measures. What some regard as an agreed game or battle may not look the same to the other side.

A decade ago, the United States used cyber sabotage instead of bombs to destroy Iranian nuclear enrichment facilities. Iran responded with cyberattacks that destroyed 30,000 Saudi Aramco computers and disrupted American banks. In June this year, following the imposition of crippling sanctions by US President Donald Trump’s administration, Iran shot down an unmanned American surveillance drone. There were no casualties. Trump initially planned a missile strike in response, but cancelled it at the last moment in favour of a cyberattack that destroyed a key database used by the Iranian military to target oil tankers. Again, there were costs but not casualties. Iran then carried out, directly or indirectly, a sophisticated drone and cruise-missile strike against two major Saudi oil facilities. While it appears there were no or only light casualties, the attack represented a significant increase in costs and risks.

The problem of perceptions and controlling escalation isn’t new. In August 1914, the major European powers expected a short and sharp ‘Third Balkan War’. The troops were expected to be home by Christmas. After the assassination of the Austrian archduke in June, Austria-Hungary wanted to give Serbia a bloody nose, and Germany gave its Austrian ally a blank check rather than see it humiliated. But when the kaiser returned from vacation at the end of July and discovered how Austria had filled in the check, his efforts to de-escalate were too late. Nonetheless, he expected to prevail and almost did.

Had the kaiser, the czar and the emperor known in August 1914 that, a little over four years later, they would all lose their thrones and see their realms dismembered, they wouldn’t have gone to war. Since 1945, nuclear weapons have served as a crystal ball in which leaders can glimpse the catastrophe implied by a major war. After the Cuban missile crisis in 1962, leaders learned the importance of de-escalation, arms-control communication and rules of the road to manage conflict.

Cyber technology, of course, lacks the clear devastating effects of nuclear weapons, and that poses a different set of problems, because there’s no crystal ball. During the Cold War, the great powers avoided direct engagement, but that’s not true of cyber conflict. And yet the threat of cyber Pearl Harbors has been exaggerated. Most cyber conflicts occur below the threshold established by the rules of armed conflict. They are economic and political, rather than lethal. It is not credible to threaten a nuclear response to cyber theft of intellectual property by China or cyber meddling in elections by Russia.

According to American doctrine, deterrence is not limited to a cyber response (though that is possible). The US will respond to cyberattacks across domains or sectors, with any weapons of its choice, proportional to the damage that has been done. That can range from naming and shaming to economic sanctions to kinetic weapons. Earlier this year, a new doctrine of ‘persistent engagement’ was described as not only disrupting attacks, but also helping to reinforce deterrence. But the technical overlap between intrusion into networks to gather intelligence or disrupt attacks and to carry out offensive operations often makes it difficult to distinguish between escalation and de-escalation. Rather than relying on tacit bargaining, as proponents of persistent engagement sometimes emphasise, explicit communication may be necessary to limit escalation.

After all, we can’t assume that we have enough experience to understand what is an agreed competition in cyberspace or that we can be certain of how actions taken in other countries’ networks will be interpreted. For example, Russian cyber meddling in US elections was not an agreed competition. With a domain as new as cyber, open rather than mere tacit communication can enlarge our limited understanding of the boundaries.

Negotiating cyber arms-control treaties is problematic, but that doesn’t make diplomacy impossible. In the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or the same program can be used for legitimate or malicious purposes, depending on the user’s intent. But if that makes traditional arms-control treaties impossible to verify, it may still be possible to set limits on certain types of civilian targets (rather than weapons) and negotiate rough rules of the road that limit conflict.

In any event, strategic stability in cyberspace will be difficult to maintain. Because technological innovation there is faster than in the nuclear realm, cyberwarfare is characterised by a heightened reciprocal fear of surprise.

Over time, however, better attribution forensics may enhance the role of punishment; and better defences through encryption or machine learning may increase the role of prevention and denial. Moreover, as states and organisations come to understand better the limitations and uncertainties of cyberattacks and the growing importance of internet entanglement to their economic wellbeing, cost–benefit calculations of the utility of cyberwarfare may change.

At this point, however, the key to deterrence, conflict management and de-escalation in the cyber realm is to acknowledge that we all still have a lot to learn and expand the process of communication among adversaries.