Cyber Warfare: The War Of Words
    By Gerhard Adam | February 27th 2012 04:59 PM | 5 comments | Print | E-mail | Track Comments
    About Gerhard

    I'm not big on writing things about myself so a friend on this site (Brian Taylor) opted to put a few sentences together: Hopefully I'll be able...

    View Gerhard's Profile
    I recently read two pieces in RealScience entitled "Cyberwar is already upon us" by John Arquilla and "Think again, Cyberwar" by Thomas Rid.  While there are obviously differing views about what each perspective entails, I couldn't help but be struck by a few comments made by Rid in his piece.
    "Indeed, there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it's not an act of war. Separating war from physical violence makes it a metaphorical notion; it would mean that there is no way to distinguish between World War II, say, and the "wars" on obesity and cancer. Yet those ailments, unlike past examples of cyber "war," actually do kill people."
    No matter how many times I read that paragraph I still can't figure out what he's trying to say.  I find the idea that only physical violence represents an act of war to be a somewhat naive notion.  While one can certainly argue about the plausibility of any given scenario, it would be difficult to believe that disruption of a nation's financial systems wouldn't be considered an "act of war".  If a power grid were crashed or disabled, I'm quite confident that most people [and governments] would view this as an "act of war" if a foreign government instigated it.

    So, I'm not sure what Rid's point is in creating these artificial boundaries using violence and death as a criteria.

    It seems unnecessarily nit-picking and serves no purpose unless he really means that there is no threat on the "cyber-frontier".  Of course, for that to be true, he'd need a bit more evidence that simply a kind of "it hasn't happened yet" rationalization.
    "A closer examination of the record, however, reveals three factors that put the offense at a disadvantage. First is the high cost of developing a cyberweapon, in terms of time, talent, and target intelligence needed. Stuxnet, experts speculate, took a superb team and a lot of time. Second, the potential for generic offensive weapons may be far smaller than assumed for the same reasons, and significant investments in highly specific attack programs may be deployable only against a very limited target set. Third, once developed, an offensive tool is likely to have a far shorter half-life than the defensive measures put in place against it. Even worse, a weapon may only be able to strike a single time; once the exploits of a specialized piece of malware are discovered, the most critical systems will likely be patched and fixed quickly."
    This statement also sounds quite naive since the costs of cyberware are miniscule compared to the costs of "on-the-ground" warfare.  Like with so many things in the world today, it should be clear that the U.S. military is unparalleled in terms of its prowess in traditional combat.  However, this also makes it exceedingly more attractive for countries to engage in endeavors that avoid such direct confrontations.  This is precisely the mistake made in Iraq, and it appears that such thinking is still be perpetuated into future strategic thinking.  

    This certainly doesn't mean that we need to immediately push the panic button and engage in all manner of questionable activities to protect against an unknown enemy, but it would be foolish in the extreme to not take such threats seriously.

    Near the end of the article, we find part of the rationale Rid employs to downplay the risks.
    "Yes, Russia and China have demonstrated significant skills in cyberespionage, but the fierceness of Eastern cyberwarriors and their coded weaponry is almost certainly overrated. When it comes to military-grade offensive attacks, America and Israel seem to be well ahead of the curve."
    This is reminiscent of the type of short-term thinking and failure to recognize how quickly something can spin out of control.  The truth is that while most systems are secured against traditional types of interference, a truly sophisticated attack is well beyond most businesses to address let alone correct.  So, while it may seem reasonable to focus exclusively on military use of computers, it is also myopic.  After all, if there is no "act of war" in such a non-violent attack, then civilian targets can legitimately be considered with all the downstream ramifications that such an effort would produce.  The unspoken element here is that most systems are safe by ignorance and not intent, in that they rely on the ignorance of the attacker to maintain their secure status.


    Interesting, Gerhard.

    I read the article by Arquilla first; therefore my reactions were colored by that fact. The article by Mr. Rid seemed shallow. Oh sure, he had plenty of specific items to mention, but it still wasn't what I expected to read. Thinking about the Rid article a while led me to think that it may just have been a shadow article, one that the publisher needed to print so that his position was one of 'balance'.

    Following that line of thought, why did Mr. Arquilla, Chairman of the U.S. Naval Postgraduate School defense analysis department, need to publish his article? All sorts of conspiracy possibilities here! No, really, why would he need to have such an article published?

    Mr. Rid effectively shot at his foot with his last paragraph:
    >>So Russia and China are ahead of the United States, but mostly in defining cybersecurity as the fight against subversive behavior. This is the true cyberwar they are fighting. <<
    Mr. Rid stressed the ‘cost’ of a cyberattack, while saying that what was most fundamental was the talent. Sorry, Mr. Rid, those very talented individuals, who are capable of unknown levels of hackery, can be found at any of the ‘hackerCon or blackHat’ gatherings. That is why our government spooks troll the aisles and booths, hoping to recruit the best of them.
    People can be sloppy creatures. It doesn’t matter if the computer systems are of the government defense sort, or at the corner grocery store; lack of an effective security protocol can be deadly to your data and everything which that data depends upon.

    Gerhard Adam
    I agree, since my "concern" [such as it is] is more focused on the unexpected kind of "warfare".  Sure, in a straight confrontation, then money, time, talent will all be factors and that can go in a variety of ways.  However, that strikes me as using the same tactics in cyber-warfare, that they assumed in conventional warfare.

    I think about it like this.  How much harm could you cause to the U.S. infrastructure with $10 million dollars in cash to give away to technical insiders that are disgruntled with their employers.

    In essence its the cheapest way to wage "war" there is.  After all, millions of dollars is chump change compared to the costs of a real shooting war.
    Mundus vult decipi
    A war can obviously be fought with different means. Psychology is an element of traditional warfare, for instance. Of course there is a cyberwar going on. And it is a proper war. It is just a matter of medium...;-)
    Bente Lilja Bye is the author of Lilja - A bouquet of stories about the Earth
    Cyberwar and cybercrime are one and the same to me. These people are anonymous, whether they are terrorists, criminals, or foreign mililitary or their proxies doesn't matter, they are capable of doing enormous harm to civilian and military personnel. The losses can range from an individual's identity to knocking out power grid, destroying economic capacity, the list goes on. The FBI and the US military have to be at the cutting edge of both offensive and defensive efforts against these actors.

    The important question is ...where do you get one of those cool cyber war keyboard grenades?