"Indeed, there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it's not an act of war. Separating war from physical violence makes it a metaphorical notion; it would mean that there is no way to distinguish between World War II, say, and the "wars" on obesity and cancer. Yet those ailments, unlike past examples of cyber "war," actually do kill people."No matter how many times I read that paragraph I still can't figure out what he's trying to say. I find the idea that only physical violence represents an act of war to be a somewhat naive notion. While one can certainly argue about the plausibility of any given scenario, it would be difficult to believe that disruption of a nation's financial systems wouldn't be considered an "act of war". If a power grid were crashed or disabled, I'm quite confident that most people [and governments] would view this as an "act of war" if a foreign government instigated it.
So, I'm not sure what Rid's point is in creating these artificial boundaries using violence and death as a criteria.
It seems unnecessarily nit-picking and serves no purpose unless he really means that there is no threat on the "cyber-frontier". Of course, for that to be true, he'd need a bit more evidence that simply a kind of "it hasn't happened yet" rationalization.
"A closer examination of the record, however, reveals three factors that put the offense at a disadvantage. First is the high cost of developing a cyberweapon, in terms of time, talent, and target intelligence needed. Stuxnet, experts speculate, took a superb team and a lot of time. Second, the potential for generic offensive weapons may be far smaller than assumed for the same reasons, and significant investments in highly specific attack programs may be deployable only against a very limited target set. Third, once developed, an offensive tool is likely to have a far shorter half-life than the defensive measures put in place against it. Even worse, a weapon may only be able to strike a single time; once the exploits of a specialized piece of malware are discovered, the most critical systems will likely be patched and fixed quickly."This statement also sounds quite naive since the costs of cyberware are miniscule compared to the costs of "on-the-ground" warfare. Like with so many things in the world today, it should be clear that the U.S. military is unparalleled in terms of its prowess in traditional combat. However, this also makes it exceedingly more attractive for countries to engage in endeavors that avoid such direct confrontations. This is precisely the mistake made in Iraq, and it appears that such thinking is still be perpetuated into future strategic thinking.
This certainly doesn't mean that we need to immediately push the panic button and engage in all manner of questionable activities to protect against an unknown enemy, but it would be foolish in the extreme to not take such threats seriously.
Near the end of the article, we find part of the rationale Rid employs to downplay the risks.
"Yes, Russia and China have demonstrated significant skills in cyberespionage, but the fierceness of Eastern cyberwarriors and their coded weaponry is almost certainly overrated. When it comes to military-grade offensive attacks, America and Israel seem to be well ahead of the curve."This is reminiscent of the type of short-term thinking and failure to recognize how quickly something can spin out of control. The truth is that while most systems are secured against traditional types of interference, a truly sophisticated attack is well beyond most businesses to address let alone correct. So, while it may seem reasonable to focus exclusively on military use of computers, it is also myopic. After all, if there is no "act of war" in such a non-violent attack, then civilian targets can legitimately be considered with all the downstream ramifications that such an effort would produce. The unspoken element here is that most systems are safe by ignorance and not intent, in that they rely on the ignorance of the attacker to maintain their secure status.