PREFACE

The threat of cyber war has captured the popular imagination. Hollywood was quick to realize and express these fears for us. Films like Wargames (1983) or, more recently, Die Hard 4.0 (2007) trod the obvious narrative path: dark forces mobilizing arcane and complex computer networks to wreak havoc, holding entire nations hostage and unleashing nuclear war by hacking into the Pentagon’s vast and powerful computer systems. Such fears have always touched a deep nerve. Most of us use computers but don’t really understand how hardware and software interact. A powerful embodiment of the pervasive human angst of losing control to technology itself was HAL, Stanley Kubrick’s terrifying, all-controlling machine aboard a spaceship in 2001: A Space Odyssey (1968). As more and more of us as well as more and more things go online, such fears cut deeper than ever.

Most people, young and old, carry a smart phone in their pocket at all times. And a great many have become addicted to connectivity, incessantly, sometimes furtively, checking their email and social media feeds—at the dinner table, on the beach, under the table at business meetings, and not just dull ones. An entire generation has grown up who believe that their personal and professional well-being depend on digital devices and constant connectivity. If you are fiddling with your touch screen before your morning coffee is ready, the chances are that you intuitively understand that almost everything that enables the rest of your day is controlled by computers: the water that flows from the tap, the electricity plant that powers your kettle, the traffic lights that help you cross the street, the train that takes you to work, the cash machine that gives you money, the lift that you use in the office, the plane that gets you to Berlin or Delhi or New York, the navigation system you will use to find your way around a less familiar city, and much more besides. All these features of life are now commonplace, and unremarkable—as long as they work. Just as commonplace and insidious is the all-pervasive fear that malicious actors lie in wait, at all hours, to assault and crash these computers and the software they run, thereby bringing entire societies to their knees. Water will stop flowing, the lights go out, trains derail, banks lose our financial records, the roads descend into chaos, elevators fail, and planes fall from the sky. Nobody, this adage has it, is safe from the coming cyber war. Our digital demise is only a question of time.

These fears are diverting. They distract from the real significance of cyber security: in several ways, cyber attacks are not creating more vectors of violent interaction; rather they are making previously violent interactions less violent. Only in the twenty-first century has it become possible for armed forces to cripple radar stations and missile launchers without having to bomb an adversary’s air defense system and kill its personnel and possibly civilians in the process. Now this can be achieved through cyber attack. Only in the twenty-first century did it become possible for intelligence agencies to exfiltrate and download vast quantities of secret data through computer breaches, without sending spies into dangerous places to bribe, coerce, and possibly harm informants and sources first. Only in the twenty-first century can rebels and insurgents mobilize dedicated supporters online and get thousands of them to take to the streets, without spreading violence and fear to undermine the government’s grip on power.

The ubiquitous rise of networked computers is changing the business of soldiers, spies, and subversives. Cyberspace is creating new—and often non-violent—opportunities for action. But these new opportunities come with their own sets of limitations and challenges, applicable equally to those trying to defend against new attack vectors as much as those seeking to exploit new technology for offensive purposes. This book explores the opportunities and challenges that cyberspace is creating for those who use violence for political purposes, whether they represent a government or not.

The rise of sophisticated computer incursions poses significant risks and threats, and understanding these risks and threats and developing adequate responses to mitigate them is of critical importance—so a short word on the evolving cyber security debate is appropriate here: the debate on cyber security is flawed, and in many quarters its quality is abysmally low. The larger debate takes place in technology journals, magazines, on specialised web forums, and of course in the mainstream media as well as in academia and on blogs and microblogs. It takes place at countless workshops and conferences that bring together representatives from the private sector, governments, intelligence agencies and the military, as well as hackers and scholars from a variety of academic disciplines. It happens publicly as well as behind closed doors and in classified environments. No doubt: a number of deeply versed experts from various backgrounds regularly produce high-quality research output on cyber security, and this book could not have been written without using their good work. But the wider one moves in political or military circles, in think tanks, parliaments, ministries, and military academies, the lower seems the density of genuine experts and the higher pitched the hyperbole. The policy debate’s lagging quality is neatly illustrated by the emergence of an odd bit of jargon, the increasing use of the word “cyber” as a noun among policy wonks and many a uniformed officer. As in, “I’m interested in cyber,” or, “What’s the definition of cyber?,” as one civil servant once asked me in sincerity after I recommended in a presentation in the Houses of Parliament not to use that empty yet trendy buzzword as a noun. Note that computer scientists, programmers, or software security experts do not tend to use “cyber” as a noun, neither do technology journalists nor serious scholars. I’ve come to be highly distrustful of “nouners,” as all too often they don’t seem to appreciate the necessary technical details—the phenomenon can be observed widely in Washington, but also in London, Paris, Berlin, and elsewhere. Improving the quality of the debate is all the more crucial. The public deserves a far better informed, more nuanced, and more realistic debate than that which has taken place hitherto. The public also deserves better thought-out and executed policies and legislation on cyber security.

Cyber War Will Not Take Place was written with the ambition of offering the reader a solid yet accessible contribution to this debate, an attempt to help consolidate the discussion, attenuate some of the hype, and adequately confront some of the most urgent security challenges. The book is designed to be a resource for students, analysts, and journalists. The expert debate on cyber security, as well as taught courses on cyber security, is spread across various academic disciplines, the most important of which are political science and computer science, with legal studies and sociology not far behind. Readers from either discipline will, I hope, find this book insightful: engineers, geeks, and technology enthusiasts may benefit from the strategic bird’s-eye-view; policy analysts and sociologists may gain something from its accessibly presented technical details; and students from either field may appreciate both. However, no single author can even hope to cover the full spectrum of cyber security, as the long vote of thanks in my acknowledgments makes clear. To make the book more approachable, its nine chapters can be read as stand-alone essays, each of which presents its own questions, argument and set of micro-case studies to illustrate specific points.

As for the sources used in this book, the most stimulating debates on recent cyber security developments are occurring not in scholarly journals but on a significant number of technology blogs and other websites that cannot be described as blogs. Some of the most important longer papers and reports are also not published in journals that can be cited according to established academic conventions, but on websites of companies and sometimes individuals. I generally cite the commonly used details: author name, title, publication forum, and date of publication. Readers will be able to find these sources through a quick Google search. Only items that may be harder to locate come with a URL. But because many URLs are clunky as well as short-lived, I decided to provide a bitly.com-link with statistics instead, for instance, http://bitly.com/OtcuJx+. This link will take the reader to a bitly.com page that shows the full link, the date it was first used, and more usage statistics—even when that link has expired.