RealSecurity

At this point in this series of posts about cyberwar (see previous postings Cyberwar and Weaponization of Cyberspace) I want to touch on cyberwar theory and talk about the physical manifestations of cyberwar.

Cyber is the computing world – virtual, ubiquitous, and interconnected. It’s more than just the Internet, it is digital systems interacting with other systems and information that plays an increasingly critical role in how humans live, survive, and function. Cyber is your financial system, what ensures power gets to your house, how you communicate with friends and emergency services, it controls doors and gates, airplanes, it is involved in the production of food, from harvest to the store, it is involved in nearly every aspect of our lives – globally. We’re connected to it.

There has been much in science fiction about the intermingling of humans and computers on a very deep and social level that has always seemed distant and improbable. However, I would argue we’ve crossed that line sometime ago. We may not be walking around with chips in our heads and body in some Borg-like existence and computers aren’t interacting with us in higher functions like in Minority Report, but our continued way of life is irrevocably intertwined with bits and bytes flowing through the digital either. The essence of what science fiction stories have dramatically portrayed is a reality quietly beneath our modern world.

The cyber world is difficult to envision… it’s hard to draw up a picture in your mind because it seems so big, so virtual. However, it does have mass and some degree of locality – it is not entirely intangible due to its integration with the physical world. Therefore, it has value, integral to survival, and it can be destroyed – and throughout history, anything that meets this definition has a corresponding weapon.

The import part is that cyber, regardless of virtualization or distribution, has some form of physical interconnect. A simple example, the phone system of a country can be greatly impacted by disrupting cyber assets that may or may not be within the borders of that country, such as satellites, switches in bordering countries, networks of providers, and a number of computer services that ensure dial tone. The same holds true with many things, such as systems for power distribution, water services, or emergency services – the list is quite comprehensive. It’s not without reason to potentially construct a cyberweapon that renders military aircraft ineffective, or disrupts targeting or navigation systems of tanks or ground to air missile systems. In short, at some point impacts to the cyber asset in the ether materialize in some form in the physical world – directly or indirectly.

Now that we’ve covered the basics, we can look at how this applies to cyberwarfare, a term that is generally interpreted incorrectly. People assume that a cyberwar will occur only in cyberspace, which is not entirely accurate. The fact of the matter is a cyberwar, or specifically cyberwarfare, is analogous to field of battle or operation as part of a larger “war”. In fact, I suspect, if it’s not happening already, that cyber, when used in the vernacular of war, will change to “theater of war” because of the environment of operations and the vast number of different types of weapons and strategies that will be used on conjunction with other forms of traditional warfare. This is not unlike fighting a war in the Pacific versus Europe in WWII– different environment requires different weapons and tactics.

In short, the term cyberwar gives the impression that the war is happening only in cyberspace, when in fact a more accurate interpretation is cyberweapons are used in the digital theater of war that can be strategically aligned with traditional (physical) warfare activities. Basically, if we accept the logic that cyberattacks can manifest in the physical domain, we must also accept that traditional war and cyberwar will become as interconnected as the digital domain is to our social structure and survival. When speaking in terms of war, cyber and physical cannot be separated – they are merely different theaters of war. And as a different theater of war, cyberwarfare will have different weapons, which is obvious, but it will also have different tactics, command structure, different rules of engagement, different forms of targets and different methods to identify a target, different expectations of collateral damage, and different expectations of risk.

Cyber is a different environment that requires different weapons and tactics, but it can have an impact on the physical environment. When we think about war we think in terms of frontlines and cyberwar as some virtual cloud of digital bullets and bombs. But realize that these two environments intersect. I can fire a cannon at a fortification and I can fire a cyberweapon at the same point. Two different domains – same point of intersection. Granted, the impacts will be different. The bomb will physically damage the target, but the cyberweapon may render other features useless, such as communications or have physiological impacts. When effectively combined they can have a devastating effect.

A basic example of this is when Russian tanks were invading Georgia's province of South Ossetia in late 2008 the government was simultaneously launching a massive cyber attack against the country’s digital assets. In fact, the cyber-attack actually started in late July, just preceding the rolling tanks the first week of August and continued well into the invasion. In this example, cyberweapons were used as a first strike option, which is no different from jamming communications that is considered part of traditional warfare.

So, the question that soon surfaces – is there such thing as a “cyberwar”? Meaning, can war – and all that this implies - exist only in cyberspace? The answer is no and my answer has become the basis of many arguments with others. Any cyber-based attack will have, as discussed, an impact to the physical domain in some form and therefore be seen by the enemy as an act of war that will escalate to include the physical domain. This interpretation is based on the difference between the terms attack, battle, and war. Basically, war is all encompassing and every possible asset is used to defeat the enemy. In the process of war there are various battles where small or large groups come into contact. And within battles are attacks, or the application of weapons against the enemy. Therefore, within this context, cyberwar is a theater of war, and one of many. Moreover, and more importantly, cyberwar falls within the definition of attack or battle.

There is a common law in defense called “escalation of force” that is something I talk to when discussing cyberwarfare and theater of war. For example, in personal defense, the phases of escalation are typically: physical presence, verbal, soft hands, hard hands, chemical (i.e., mace) impact weapons (i.e., club, stick), and deadly force (i.e., gun). The concept is based on potentially increasing levels of threat and the basics of “proportionate response”, which should be a very familiar term in a post 9-11 world. Basically, you can’t shoot someone in head when they call you a nasty word from across the street and claim self-defense – it was a disproportionate response to the threat. Within the context of war and cyberwar, the degree of escalation (and thereby response) is typically directly proportionate to the level of destruction. Levels of destruction can be: portion disruption, disruption, hindrance, inoperable, and destroyed. Interestingly, the level of acceptance in cyberattacks is quite high form a volume perspective, but equal in a destructive – or qualitative sense – to traditional war. In short, if cyberwar were to breakout, it would cause impacts representing a tangible level of destruction demanding a proportional response – deadly force.

To express this more clearly, take into consideration that in an official report from NATO, “NATO 2020: Assured Security; Dynamic Engagement”, which is an analysis and set of recommendations from a group of experts led by Madeleine Albright, the former US secretary of state, on a new strategic concept for NATO for the next decade, that specifically outlines that cyberattacks against member nations, under article 5 of the 1949 NATO charter, could result in the use of military retaliation. The lesson here is the cause of harm to one nation by another is – at the end of the day – harm, regardless if the process to achieve it was virtual or as real as a bomb.

In the domain of cyberwar, the term is best representative of early points of escalation. For example, using malware to take over computers that are used to perform a DDoS attack against a government agency’s network or perform comprehensive espionage, which these scenarios and more are occurring every day. Soon (and is happening in pockets), cyberattacks will have greater impact, but not necessarily focused or highly targeted, such as disrupting communications, affecting processing of information, and disrupting portions of systems that inhibit normal functions. However, when people in the government or military use the term cyberwar, they are thinking of highly targeted and impactful eventualities, such as shutting down power, phones, air traffic control, trains, and emergency services.

At that point, the physical manifestations are very real and, again, how they came to be is technically moot when considering a counter attack. All that needs to be understood to make that decision is “who to attack”. If the attacker can be effectively identified – which of course is not a foregone conclusion in a cyberattack scenario – a wide array of assets, including traditional weapons and cyberweapons - will be employed in various ways. Therefore, using this logic, there is no such thing as a cyberwar only occurring in cyberspace. As soon as a cyberattack causes measurable harm, it’s war. Granted, there a cyber “skirmishes” and some damage is occurring. But that’s not war. May be a better term is cyber-cold-war, which works better in my opinion, but I digress.

I want to leave you with a few things. Don’t think that cyberwar isn’t real or that it can’t have impacts to the real world. Also, don’t downplay the concept of escalation and the role cyberweapons can play in creating a war – throughout history wars have started over lesser things than shutting off a country’s power supply. And of course, cyberwar is a theater of war and one that will be shared with others in the physical domain. If you’re talking about cyberwar as a term to represent what we’re seeing today… stop. It’s really cyberattacks using cyberweapons in a cybercoldwar.

In my next post I’ll talk about how the theater of war will usher in new military strategy. I’ll start by discussing how governments will initially fail by trying to apply historically proven strategies, even modern ones, forcing the development a completely new concept of war in the digital domain. Then I’ll talk about how it will become isolated overtime and then ultimately harmonized within a 21st warfare strategy. Should be interesting.