King's College London scholar Thomas Rid argues in his new book that cyberwar has not happened and never will.

WASHINGTON: Many a mother has warned roughhousing children that “it’s all fun and games until somebody loses an eye.” On Monday, four cybersecurity experts (two Americans and two Brits) agreed that the online attacks we’ve seen so far are all either espionage or sabotage: It doesn’t count as war until somebody dies.

We have not yet seen a real cyberwar, they agreed, and tossing the word around can misguide billion-dollar decisions and warp cybersecurity policy. Where they disagreed, however, was how likely we are to see a lethal cyberwar in the future.

“We’re going to look back at the days when no one had died from this stuff [as] the halcyon days, when all you had to worry about was credit card theft or somebody putting a picture of their butt on your website,” said Jason Healey, a former Air Force officer and White House cybersecurity aide now at the Atlantic Council, speaking yesterday at the Brookings Institution.

“We’re going to have ‘cyberwar’ when there’s dead people,” Healey told me afterward. “Of course we’re not at cyber war [today]. We’ve never had anyone that’s died from this and you can’t go around using terms like ‘war’.” But, he warned, as we rely more and more on networks to remote-control real, physical machines — from power generators to unmanned aircraft to, eventually, our cars and houses — the greater the risk of a cyber attack causing real, physical destruction and death.

The future’s not so dark, retorted the guest of honor at Brookings, Thomas Rid, whose new book is boldly titled Cyber War Will Not Take Place. Not only has no cyber attack to date risen to the level of lethal violence, the King’s College London scholar said, but online conflict seems increasingly to be replacing and displacing physical violence, not increasing it.

“Using cyber capabilities is not producing more violence,” Rid told the audience at Brookings. “In fact, it often takes violence and physical risk out of the question.”

Political movements that once might have resorted to acts of terrorism to get attention for their cause instead can organize a flash mob, use viral video, or deface highly trafficked websites. Spy agencies that once had to infiltrate human agents to insert a physical bug can now hack into enemy data from the safety of Langley or Fort Meade. Militaries that once had to drop bombs or launch missiles can now insert a program to make the target damage itself, as the US-Israeli Stuxnet virus did to Iranian centrifuges.

“We have to respect violence, we have to respect war,” Rid said, or we dishonor its victims. “Exfiltrating data, even crashing an entire company’s network… is different from hurting, killing, and injuring human beings, even a single one.”

“I think the experts agree there has been a fair amount of hype and hysteria in this space,” said Peter Singer, Brookings’ host and moderator at the event, when I asked him to sum up afterward. “If someone steals my jet fighter design or clogs my bank lobby for a few hours, I may not like it, but it doesn’t make it war.”

That said, Singer went on, “where I would disagree with Thomas [Rid] is the notion that it forever ‘will not take place.’” The military, business, and individuals are all becoming increasingly dependent on computers and networks to get through the day. Malware that cuts this electronic lifeline can have severe, even violent consequences. “[Rid] describes Stuxnet as a one-off,” Singer said, “whereas I see it as the first of breed.”

While other observers find Stuxnet deeply disturbing, Rid held it up as an example of just how hard it is for a cyber attack to do physical damage. Stuxnet’s programmers needed a huge amount of intelligence about their target. It then took a great deal of expertise and effort to develop code that could exploit the weaknesses that the intelligence found. Finally, after all that work, the result was malware specifically tailored to damage one part of one Iranian facility, not a general purpose cyber weapon. By contrast, Rid noted, a cruise missile can destroy all sorts of targets and a dirt-cheap AK-47 can kill all sorts of people, whenever you want to.

With cyber attacks, added Healey, “It’s very easy to take a target down; it’s very hard to make it stay down.” Stuxnet was only a temporary, if significant, setback to the Iranian nuclear program. In a future conflict in, say, Syria, the US probably has cyber attack capabilities that can scramble enemy air defenses temporarily, he said, but “I don’t think we’re going to be able to keep the air defenses down, command down, power down, for more than a day or two for the most.” Those 24-48 hours, of course, would be enough to open a window of opportunity for conventional airstrikes.

So the military value of cyber attacks, at least for now, is to enable and supplement physical strikes, not to substitute for them. “You’re unlikely to get a, quote, ‘war’ that happens between two states purely in cyberspace,” said the fourth panelist, former British Ministry of Defense official Ian Wallace, when I called him after the Brookings event. “That doesn’t mean we don’t need to pay attention to cyber capabilities in relation to wars that are fought in cyberspace as well as other domains,” such as the land, air, sea, and space. “Just because cyber capabilities may be best classified as sabotage, subversion, espionage, that doesn’t mean that those instruments aren’t going to be useful in fighting a war.”

Cyber needs to be considered alongside traditional military operations, Healey agreed, but “I’m doubtful it ever gets too fully integrated,” he told me. “It can be used more like special operations,” for clandestine strikes on specific, high-value targets, he said. With large-scale cyber attacks, however, “the effects are far too uncertain.”

It’s hard enough to ensure a physical bomb lands in the right place, even with precision guidance — ask the staff of the Chinese Embassy in Belgrade if you doubt it — and to determine afterwards whether the explosion destroyed, damaged, or just shook up the actual target. But at least commanders, their legal counsels and their political masters have decades of experience to draw on with physical attacks. Not so in cyberspace. Since cyber weapons attack networks, however, and networks are by definition interconnected in complex ways, it’s hard to predict how attacking one element will affect the whole system, especially if the weapon is a computer virus that can self-replicate across the web. “You can’t be sure it’s going to cascade or not,” Healey told me.

Western militaries swore off biological and chemical weapons not only for ethical reasons but because their military effects were so difficult to control. (In one case in the eighties, for example, an Iraqi chemical attack on an Iranian position drifted back downhill onto the Iraqis.) The same concerns may inhibit military use of cyber, at least in the West: “Non-western militaries — Iranians, Russians, Chinese — that don’t necessarily care about that stuff that much, they might make different decisions,” Healey said.

Healey doesn’t think much of some of the ethical and strategic choices the US has made, either. “I’m so against things like Stuxnet [and] how aggressive the NSA has been,” he said at Brookings. “We’ve got glass infrastructure and we shouldn’t be throwing stones.” Indeed, Healey argued that the military has grown too dominant in cybersecurity policy, which has been “militarized” in large part because of over-hyped fears of cyberwar.

Having the military play too large a role isn’t good for the military itself, either, added Wallace: “While we have defense secretaries and organizations like NATO focusing on defending the homeland, they’re arguably not focusing on how they fight.”

For example, Wallace told me, Senate Armed Services Committee hearings with Gen. Keith Alexander, the chief of Cyber Command and the National Security Agency, tend to be dominated by questions about protecting domestic infrastructure and privacy rights, not about the military’s own vulnerabilities. Likewise, NATO meetings about cybersecurity tend to fixate on how the alliance’s militaries can protect civilian networks, he said, “despite the fact that their own networks are not fully protected.”

US defenses on both military and civilian networks, Healey said, are “atrocious and wide-open.” But the military has gotten fixated on protecting US civilian networks and hacking foreign military ones, rather than getting its own house in order first. “When I first got involved in the business in 1998,” he recalled, “defense was the most important.” The Clinton-era thinking was that “we’re probably not going to win the next war with information warfare” — as the term was at the time — “but we could certainly lose it.”

Today, the Defense Department is still vulnerable, but “we’ve lost all that humility, we’ve lost all that focus on defense,” Healey lamented. “We’re a long ways into this debate with very, very little progress.”

Comments

  • JimBobJoe

    To borrow from accounting terminology, liabilities/expenses are realized even before the transaction takes place, and they will accrue up until it’s time to pay the piper. China has accrued hundreds of billions in stolen technology at America’s expense, and America is going to pay dearly because of it when that “transaction” comes.

  • M&S

    Forget Silicon Valley, we buy 90%+ of our most critical chipsets from foreign suppliers. If that chipset comes with firmware or even, a /separate architecture/ (circuit paths not part of the ‘official’ RISC drawings) the data that the Chinese learn about AEGIS defense systems may come back to haunt us, not in terms of conventional operating bands and the like but via special inserts which ‘click on’ when some person of Asian loyalty if not extraction turns on a special discrete waveform transmitter that only the corrupted chipset hears, in the same way that spybugs ‘hear’ conversations through the structural compression of a building’s nature current loads.

    If the USN BMD systems go down fleetwide, and the Standards never launch, as the DF-21Ds come screaming in, I would say that that qualifies as a Hard Kill ‘cyber’ tasking, whether or not it’s electronic.

    Similarly, if the utterly misplaced and totally non-sensical approach to streamlining command and control across natural service compartments leads to a straight-thru BMC4 access vulnerability ‘from the lowest ranks to the highest echelons’, someone is going to request a mission which is so deeply buried in the other ATO fragmentaries that nobody bothers to ask why a UCAV has been tasked to bomb X target until it’s revealed that Y friendly force is headed through there.

    Whether you deny a strike, task a strike or report as accomplished a strike that never went through, this is also a potential hardkill capacity because it affects the ‘kinetics’ of warfare in a manner that wouldn’t happen if the network wasn’t wide open to all service commands way higher (and lower) than it needed to be.

    Having people with specific access to discrete command encryption keyed equipment get the nod from their service counterpart across the compartment before tickling the keys which brings down the lightning may be a key element in ‘human control noding’ as sanity checks.

    And there is no reason for that capability to be networked because if it’s so important that you have to ask for it by face:name it’s also going to be rare enough and powerful enough to be looked at by multiple command levels as it executes, everyone seeking faults of who-what-why at the schwerpunkt tasking level.

    I’m not even going to go into the second and third order discretionary variables (a fuel tankfarm pump that refuses to turn on and so delays flight launch by twenty minutes on a key ISR asset) that can be effected from civilian level SCADA/ICS systems which may be _remote programmed_ with updates to prevent the very vulnerabilities which are being exploited.

    Automation across the board is a dumb idea because it doesn’t look at what happens when you increase access beyond the focus of attention and leave mission critical systems open to lateral tasking beyond their control parameters (Stuxnet did this) or housekeeping masks that hide actions which would be reported as erroneous ‘if only’ the system was not active-online (Stuxnet did this too).

    As a key example: If Stuxnet started cycling the key frequency converters on motors that had a harmonic operating regime in the 1064MHz range _with uranium hexafluoride in the loops_ when a rotor busted loose and a pipe burst, all that plumbing is gonna void out highly toxic, radioactive, CLOUDS of gas which will kill everyone in the main cascade hall in minutes and, if it doesn’t seal, escape to the environment causing massive damage downwind to both arable land and water table and to humans and animals that live in small but ‘statistically significant’ numbers around Natanz.

    And the only difference in how bad it will be will be the time of day that the venting takes place as a function of which way the wind is blowing. Usually it’s N/NE or SW.

    But in certain seasons and TOD, it blows _SE_ or _NW_ which puts the entire area of Natanz city and Kashan in roughly a 20km circle around the processing plant at extreme risk with minimal emergency services capability to deal with the radiation and poison gas casualty that would result.

    Given that Israel likely doesn’t give a flip (and clearly didn’t with Stuxnet) would you like to be the one before Congress trying to explain that we needed to be prepared for another SERIES of Lockerbie massacres as Iran responded in kind to some 37,000 potential deaths for what is _not illegal_?

    We would be held directly accountable because it was the Idaho National Labs which contacted Siemens and had the ICS frequency encoders (MOSFETs which trim very rapidly spinning motors) delivered to ‘test them for security purposes’.

    That data then being passed on to Israel or an Israeli/U.S. collaborative effort which resulted in almost half a megabyte of code (huge for a Trojan), most of it dedicated to bypassing security and not setting off emergency malfunction alerts in the diagnostic software.

    I don’t know who these men at this conflab were but if they are the best in the business then they are either LYING THEIR ASSES OFF or the U.S. is at an utter loss condition when it comes to competent ‘Cyber can be war’ understandings.

    Get this you moronic cretins: The only person who decides whether it’s a war is your enemy and not knowing how far you can push him before an offense becomes lethal is one of the inherent shortcomings of strategic diplomacy by baseball bat.

    Hitler pressed a bad situation over Danzig and got himself a war that cost millions of lives. Do not assume that just because Cyber got to the Natanz cascades that this ‘suddenly detoothed Iran’.

    All’s it likely did was send them back to the drawing board to learn to design and build their own frequency controllers while populating different, unknown, nuclear centers with higher capacity P2/P3 centrifuges that don’t need as many machines per cascade to get the same purity rise. Which in turn means that Iran may get a nuke while you’re giving the hairy eyeball to Natanz. And again _cyber becomes war_ because everyone is so damn afraid of the anarchic electron that they bury and compartmentalize their ugliest secrets past any possible knowing of where/when/how as logistics or key signature tracking.

    I hate morons. Especially gladhanders that try to convince you that the sky isn’t falling on a new class of warfare which _we invented_ and which the Chinese (_Wired For War_) are now dominant enough to steal the entire Internet’s traffic for minutes at a time.

    Why should we even trust you if this is the best you can do?????

    Natanz and hints of Isfahan…
    http://nucleargamble.org/wordpress/wp-content/uploads/2012/03/Case-Study-Natanz.pdf

  • BMS

    As a short note, Thomas Rid is not British.