In the mid-1930s, inspired by Europe’s political descent into the First World War over the tragic summer of 1914, the French dramatist Jean Giraudoux wrote a famous play, La guerre de Troie n’aura pas lieu (The Trojan War Will Not Take Place). The English playwright Christopher Fry later translated its two acts in 1955 as Tiger at the Gates.1 The plot is set inside the gates of the city of Troy. Hector, a disillusioned Trojan commander, tries to avoid in vain what the seer Cassandra has predicted to be inevitable: war with the Greeks. Giraudoux was a veteran of 1914 and later worked in the Quai d’Orsay, or French Foreign Office. His tragedy is an eloquent critique of Europe’s leaders, diplomats, and intellectuals who were, again, about to unleash the dogs of war. The play premiered in November 1935 in the Théâtre de l’Athénée in Paris, almost exactly four years before the dramatist’s fears would be realized.
Judging from recent pronouncements about cyber war, the world seems to be facing another 1935-moment. “Cyberwar Is Coming!” declared the RAND Corporation’s John Arquilla and David Ronfeldt in 1993.2 It took a while for the establishment to catch on. “Cyberspace is a domain in which the Air Force flies and fights,” announced Michael Wynne, the US secretary of the Air Force, in 2006. Four years later the Pentagon leadership joined in. “Although cyberspace is a man-made domain,” wrote William Lynn, America’s deputy secretary of defense, in a 2010 Foreign Affairs article, it has become “just as critical to military operations as land, sea, air, and space.”3 Richard Clarke, the White House’s former cyber czar, invokes calamities of a magnitude that make 9/11 pale in comparison and urges taking several measures “simultaneously and now to avert a cyber war disaster.”4 In February 2011, the then CIA Director Leon Panetta warned the House Permanent Select Committee on Intelligence: “The next Pearl Harbor could very well be a cyber attack.”5 Panetta later repeated this dire warning as head of the Pentagon. In late 2012, Mike McConnell, George W. Bush’s director of national intelligence until 2009, warned darkly that America could not “wait for the cyber equivalent of the collapse of the World Trade Centers.”6 Yet while US politicians were warning of digital doom, America’s covert operators were busy unleashing a highly sophisticated computer worm, known as Stuxnet, to wreck the Iranian nuclear enrichment program at Natanz. One much-noted investigative article in Vanity Fair concluded that the event foreshadowed the destructive new face of twenty-first-century warfare, “Stuxnet is the Hiroshima of cyber-war.”7
But is it? Are the Cassandras on the right side of history? Has cyber conflict indeed entered the “fifth domain” of warfare? Is cyber war really coming?
This book argues that cyber war will not take place, a statement that is not necessarily accompanied with an ironical Giraudouxian twist. It is meant rather as a comment about the past, the present, and the likely future: cyber war has never happened in the past, it does not occur in the present, and it is highly unlikely that it will disturb our future. Instead, the opposite is taking place: a computer-enabled assault on violence itself. All past and present political cyber attacks—in contrast to computer crime—are sophisticated versions of three activities that are as old as human conflict itself: sabotage, espionage, and subversion. And on closer examination, cyber attacks help to diminish rather than accentuate political violence in three discrete ways. First, at the technical high-end, weaponized code and complex sabotage operations enable highly targeted attacks on the functioning of an adversary’s technical systems without directly physically harming the human operators and managers of such systems. Even more likely are scenarios of code-borne sabotage inflicting significant financial and reputational damage without causing any physical harm to hardware at all. Secondly, espionage is changing: computer attacks make it possible to exfiltrate data without infiltrating humans first in highly risky operations that may imperil them. Yet, paradoxically, the better intelligence agencies become at “cyber,” the less they are likely to engage in cyber espionage narrowly defined. And finally subversion may be becoming less reliant on armed direct action: networked computers and smartphones make it possible to mobilize followers for a political cause peacefully. In certain conditions, undermining the collective trust and the legitimacy of an established order requires less violence than in the past, when the state may have monopolized the means of mass communication. This applies especially in the early phases of unrest.
But offensively minded tech-enthusiasts should hold their breath. For these changes in the nature of political violence come with their own limitations. And these limitations greatly curtail the utility of cyber attacks. Using organized violence and putting trained and specialized personnel at risk also has unique benefits that are difficult or impossible to replicate in cyberspace. And again these limitations apply to all three types of political violence in separate ways. First, for subversives, new forms of online organization and mobilization also mean higher membership mobility, higher dependency on causes, and less of a role for leaders who may impose internal cohesion and discipline, possibly by coercive means. Starting a movement is now easier, but succeeding is more difficult. Second, using pure cyber espionage without human informers creates unprecedented difficulties for those trying to put data into context, interpret the intelligence, assess it, and turn it into political (or commercial) advantage. Getting data is now easier, but not using them. Finally, at the technical high-end, it is a massive challenge to use cyber weapons as instruments in the service of a wider political goal, not just in one-off and impossible-to-repeat sabotage stints that are more relevant to geeks with a tunnel view than to heads of states with a bird’s-eye perspective.
The book’s argument is presented in seven chapters. The first chapter outlines what cyber war is—or rather what it would be, were it to take place. Any attempt to answer this question has to start conceptually. An offensive act has to meet certain criteria in order to qualify as an act of war: it has to be instrumental; it has to be political; and, most crucially, it has to be violent, or at least potentially violent. The second chapter considers the altered meaning of violence in the context of cyber attacks. The third chapter examines an increasingly popular idea, “cyber weapons,” and discusses the potential as well as the limitations of code-borne instruments of harm. The book continues by exploring some frequently cited examples of offensive and violent political acts in cyberspace case by case. The fourth chapter considers sabotage. To date, the world has not experienced a major physically destructive attack against highly vulnerable and badly secured industrial control systems, such as power plants, the electricity grid, or other critical utilities—this chapter offers an explanation for this conspicuous absence (or perhaps delay), and assesses the real risk of potentially crippling future attacks on a developed society’s infrastructure. Chapter five scrutinizes espionage by means of computer network attack. In many ways, cyber espionage represents a paradox: it is almost always a non-violent form of network breach that is also the most fundamental and potentially game-changing threat to developed nations, mostly for economic reasons rather than for reasons of national security, strictly and narrowly defined. Chapter six explores perhaps the most widespread form of activism and political violence in cyberspace, subversion. Technology, it finds, has lowered the entry costs for subversive activity but it has also raised the threshold for sustained success. Chapter seven assesses the attribution problem, an issue that has been at the root of cyber security. If attribution is recognized for what it is, as a political rather than a technical problem, then it becomes possible to see that the problem itself is a function of an attack’s severity. The conclusion offers a summary and hopes to take the debate beyond the tired and wasted metaphor of “cyber war.”8