The false cries and fog of 'cyber war'
Carl von Clausewitz wrote about what has since been called the “fog of war,” saying, “the great uncertainty of all data in war is a peculiar difficulty because all action must, to a certain extent, be planned in a mere twilight ....”
This fog unfortunately applies not only to war but also to much that is being written today about war, and cyber war in particular. James Lewis, a senior fellow at the Center for Strategic and International Studies, has written a thoughtful commentary that goes beyond the hyperbole to look at the role of cyber weapons in warfare.
Hacker and activist cooperatives such as Anonymous are fond of “declaring war” on their adversaries, and the press too often is happy play this up in headlines, all of which obscures the reality of an important new domain of military activity, Lewis says.
“This is wrong on so many levels that it almost defies analysis,” he writes. “A more precise accounting would show that there have been no cyber wars and perhaps two or three cyberattacks since the Internet first appeared.”
DOD's 5-point cyber plan sees Internet as an 'operational zone'
Cyber Command still struggling to define cyber war
As director of the CSIS Technology and Public Policy Program and the Commission on Cybersecurity for the 44th Presidency, Lewis is familiar with issues of national cybersecurity and the military role of IT. The terms “cyberattack” and “cyber war” are bandied about much more freely than is warranted, and this has a real impact on public understanding at a time when the nation is working to develop strategies and define policies for responding and engaging in cyberspace.
Lewis uses precise criteria for what constitutes a "cyberattack,” which, like the Pentagon’s, are that it must produce a result equivalent to a kinetic attack. “Countries do not go to war over espionage,” he writes.
“There have been many annoyances, much crime, and rampant spying, but the only incidents that have caused physical damage or disruption to critical services are the alleged Israeli use of cyberattack to disrupt Syrian air defenses and the Stuxnet attacks against Iran’s nuclear facilities,” Lewis writes.
The oft-cited “attacks” against Estonia and Georgia do not fall into this category, he said. Likewise, “The recent escapades involving groups like Anonymous or LulzSec do not qualify as attacks.”
As a writer, I probably am guilty of using the word “attack” more freely than can be strictly justified. In my defense, it is easy to use it as a blanket descriptor for a wide variety of incidents that are reported every day. And you could make a good argument that “attack” is a legitimate term for any technique or process delivering malicious code or an exploit. But writers, and their readers, should distinguish between real military action and casual incidents.
Lewis is no Pollyanna and does not ignore or discount the reality of cyber war. “There are countries that could launch damaging cyberattacks,” he writes. “At least 5 militaries have advanced cyberattack capabilities, and at least another 30 countries intend to acquire them.” And it is likely that most militaries will have the capability before much longer.
But he also recognizes that political and military realities will control the use of these weapons, just as with kinetic weapons. “We can regard them as another weapons system with both tactical and strategic uses, similar to missiles or aircraft that can be launched from a distance and strike rapidly at a target.”
Failure to distinguish between a real cyberattack and daily incidents that can range from irritating to malicious only clouds important issues and adds to the fog of war.