![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
Abstract
This article examines the implications of the proliferation of cyberwarfare capabilities for the character and frequency of war. Consideration of strategic logic, perceptions, and bargaining dynamics finds that the size of the effect of the proliferation of cyberwarfare capabilities on the frequency of war will probably be relatively small. This effect will not be constant across all situations; in some cases the advent of cyberwarfare capabilities may decrease the likelihood of war. On the other hand, the use of computer network attack as a brute force weapon will probably become increasingly frequent.
Acknowledgments
For valuable comments on earlier drafts of this article, I wish to thank Aaron Friedberg, Jon Lindsay, Jacob Shapiro, participants in the Princeton International Relations Seminar, and an anonymous reviewer.
Notes
1The White House, ‘Remarks by the President on Securing Our Nation's Cyber Infrastructure’, 29 May 2009, <www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/>.
2US Department of Defense, Quadrennial Defense Review (QDR) Report, Feb. 2010, 38.
3Bernard Brodie, ‘War in the Atomic Age,’ in Bernard Brodie (ed.), The Absolute Weapon: Atomic Power and World Order (New York: Ayer 1946), 23.
4In this article, cyberwarfare capabilities are defined as the capability to launch and/or defend against non-kinetic computer network attacks.
5The data that would be necessary for an empirical study either do not exist or are highly classified. Governments, militaries, and private corporations have strong incentives not to reveal information about attacks. Furthermore, as will become clear in the ‘defining cyberwarfare’ section below, there is no example of an event in the real world that can indisputably be cited as an occurrence of cyberwarfare.
6Notable exceptions include Gregory Rattray, Strategic Warfare in Cyberspace (Cambridge, MA: MIT Press 2001); Franklin Kramer et al. (eds), Cyberpower and National Security (Dulles, VA: Potomac Books 2009); and Kristin Lord and Travis Sharp (eds), America's Cyber Future (Washington, DC: CNAS June 2011). Unfortunately, these works seem to have not yet caught the attention of most academic international relations scholars.
7Distinct from coercive acts, which aim to extract concessions from the target, brute force measures are those in which the damage done by the attack serves as an end in itself.
8Mission-critical systems rely on defense contractors and allies whose networks are far less secure than the US military and intelligence community's classified networks. More than 90 per cent of the US military's energy is generated and distributed by private companies, while more than 80 per cent of its logistics are transported by the private sector. An ‘air-gapped network’ is a network that is not connected to non-proprietary networks such as the world-wide web.
9My analysis does not consider electronic warfare or any form of kinetic (physical) attack, even those that may aim to affect command and control networks or systems, such as an anti-satellite weapon.
10‘CNA’ and ‘cyberattack’ will be used interchangeably in this article. CNA: Actions taken through the use of computer networks to alter, disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. CND: Actions taken to protect, monitor, analyze, detect and respond to unauthorized activity within information systems and computer networks. CNE: Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Adapted from: ‘JP 1-02, DOD Dictionary of Military and Associated Terms.’
11For more on war as part of a bargaining process, see James Fearon, ‘Rationalist Explanations for War’, International Organization 49/3 (Summer 1995), 400. Any definition of cyberwarfare as a one-sided and/or single act falls short. One example is that found in Richard Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York: Ecco 2010), 6.
12Operation ‘Orchard’ refers to Israel's 2007 airstrike on an alleged Syrian nuclear reactor, which is believed to have involved a successful Israeli cyberattack that rendered Syria's air-defense network ineffective. See David A. Fulghum et al., ‘Israel shows electronic prowess’, Aviation Week & Space Technology, 25 Nov. 2007.
13Clausewitz defines war as ‘an act of violence intended to compel our opponent to fulfill our will;’ i.e., war is political and coercive in nature. Carl von Clausewitz, On War (Harmondsworth, UK: Penguin 1982), 101. For another recent article that also adopts a Clausewitzian interpretation of cyberwar, see Thomas Rid, ‘Cyber War Will Not Take Place’, Journal of Strategic Studies 35/1 (Feb. 2012), 5–32, <www.tandf online.com/doi/abs/10.1080/01402390.2011.608939>.
14These conclusions differ from those of a recent article in this journal (published after this article was accepted for publication), which concludes categorically that ‘cyber war will not take place’. See Rid, ‘Cyber War Will Not Take Place’.
15The former commander of Air Force Cyberspace Command argues that a novel aspect of cyberwarfare is its inherently asymmetric nature, saying, ‘the price of admission is inexpensive. It's a laptop computer and a connection to the Internet.’ Glenn Derene, ‘The Coming Cyberwar: Inside the Pentagon's Plan to Fight Back’, Popularmechanics.com, n.d., <www.popularmechanics.com/technology/military/4277463>. Other experts argue that an inferior adversary could turn ‘the United States’ sophisticated arsenal of space-age weapons […] against us to devastating effect’. Clarke and Knake, Cyber War, 93.
16For example, many Chinese military analysts believe that Operations ‘Desert Storm’, ‘Enduring Freedom’, and ‘Iraqi Freedom’, as well as the US military campaign in the Balkans, revealed logistics and force deployment times to be the potential Achilles' heel of US force projection. Northrop Grumman Corporation, Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, Prepared for US–China Economic and Security Review Commission, 16 Oct. 2009, 25.
17A recent global survey commissioned by McAfee found that 29 per cent of operators of critical infrastructure reported having suffered large-scale DDoS attacks multiple times each month: 89 per cent had experienced infection with a virus or malware. Stewart Baker et al., In the Crossfire: Critical Infrastructure in the Age of Cyber War (Santa Clara, CA: McAfee 2010), 5.
18Connections to the Internet or other IP networks may allow unauthorized users access to core systems. Ibid., 19.
19What is of relatively greater importance than the target network's physical distance is its level of security and whether it is air-gapped.
20It is important to note that some advanced forms of CNA, such as Stuxnet, will require large investments of time and financial resources. For insight into the complexity of Stuxnet, see Falliere et al., W32.Stuxnet Dossier.
21As Blainey writes, ‘Recurring optimism is a vital prelude to war. Anything which increases that optimism is a cause of war. Anything which dampens that optimism is a cause of peace.’ Geoffrey Blainey, The Causes of War, 3rd ed. (New York: Simon and Schuster 1988), 53.
22Rattray, Strategic Warfare in Cyberspace, 196.
23Ibid, 163–234.
24At the same time, war could result if bargaining breaks down as a result of inconsistent beliefs about the two side's relative capabilities. In addition to the weaker power having ‘incentives to misrepresent’, the nature of cyber ‘weapons’ (computer code) makes transparency of actual capabilities difficult, if not impossible. In some situations, weaker powers may feel the need to demonstrate their capability in order to obtain a more favorable outcome in the bargain.
25A simple example is a DDoS attack using a botnet based in a third country.
26This concept is roughly analogous to what Libicki terms a ‘false flag.’ Martin Libicki, Cyberdeterrence and Cyberwar (Santa Monica, CA: RAND Corporation 2009), 89.
27Security scholars may note a parallel to concerns about the possibility of nuclear ‘catalytic war’ during the 1960s and 1970s. The concept may be much more applicable to cyberwar than nuclear war, at least as long as the ability to trace cyberattacks does not improve significantly and proliferate to most states in the near future. Some analysts suggest that a state could even use such a cyberattack to draw an ally into a potential or hot conflict between itself and a third state. Clarke and Knake, Cyber War, 213. However, any attempt to do so would require a state to attack an ally; a very risky move. The author is indebted to Aaron Friedberg for suggesting this parallel to ‘catalytic war.’
28In July 2009, government websites in the US and South Korea were struck by DDoS attacks. In response to these attacks the top-ranking Republican on the House Intelligence Committee demanded a ‘show of force or strength’ against North Korea. Fortunately, the Obama administration did not heed his calls – a year later US officials largely ruled out North Korea as the source of the attack. Kim Zetter, ‘Lawmaker wants ‘show of force’ against North Korea for website attacks’, Wired.com, 10 July 2009; Lolita Baldor, ‘US largely ruling out N. Korea in 2009 cyberattacks’, Associated Press, 3 July 2010.
29Alternatively, non-attributable operations could be used ‘for the purpose of conducting network reconnaissance and implanting the means to execute attacks immediately at the onset of hostilities’. Jan Van Tol et al., AirSea Battle: A Point-of-Departure Operational Concept (Center for Strategic and Budgetary Assessments 2010), 56.
30Douhet once said, ‘Viewed in its true light, aerial warfare admits no defense, only offense’. Quoted in Rattray, ‘An Environmental Approach to Understanding Cyberpower’, 260; For an overview of air bombardment theory and its flaws, see Rattray, Strategic Warfare in Cyberspace, 235–308.
31For example: Clarke and Knake, Cyber War, 157–8; Andrew Krepinevich, ‘The Pentagon's Wasting Assets’, Foreign Affairs 88/4 (Aug. 2009), 31; Libicki, Cyberdeterrence and Cyberwar.
32In a seminal article, Van Evera identifies several consequences of an offensive advantage, including: more aggressive foreign policies, an increased risk of preemptive war, more competitive styles of diplomacy, and tighter political and military secrecy. The last consequence may make bargaining failure more likely given its exacerbation of asymmetric information. Stephen Van Evera, ‘The Cult of the Offensive and the Origins of the First World War’, International Security 9/1 (Summer 1984), 58–107; See also Fearon, ‘Rationalist Explanations for War’, 402–4.
33Many of these networks are owned by private corporations that may not want to grant the government or military the level of access necessary effectively to protect them.
34This all presumes, of course, that a tactical CNA against an adversary's military networks would be followed immediately by the use of conventional military force, which would minimize the chances of a retaliatory strike.
35As one cyberwarfare expert notes, ‘it is more difficult to measure the intent of an electron than it is to measure the intent of a tank.’ Timothy Thomas, Testimony Before the US-China Commission (Transcript), 2001, <www.uscc.gov/textonly/transcriptstx/testho.htm.>
36Libicki, Cyberdeterrence and Cyberwar, xv.
37For example, in the context of a dispute between a superpower and near-peer competitor.
38Some analysts call this ‘deterrence in kind’. Libicki, Cyberdeterrence and Cyberwar, 27.
39Deterrence targets the enemy's intentions, while defense aims at reducing his capabilities. Glenn H. Snyder, Deterrence and Defense: Toward a Theory of National Security (Princeton UP 1961).
40For examples of such claims, see Clarke and Knake, Cyber War, 157; Richard Hayes and Gary Wheatley, Information Warfare and Deterrence, NDU Press Book (Washington DC: National Defense University 1996), 11.
41From this point on, ‘defense’ refers specifically to passive defense unless otherwise noted. The aim of passive defenses is to minimize the damage caused by hostile attack without taking the initiative. Examples include fortifications and moats. Active defense refers to area denial, i.e., the use of limited offensive force and counterattacks.
42Robert Jervis, ‘Cooperation Under the Security Dilemma’, World Politics 30/2 (Jan. 1978), 167–214.
43Thomas Schelling, Arms and Influence (New Haven, CT: Yale UP 2008).
44For more on the limited relevance of the attribution problem to cyber deterrence, see Richard Kugler, ‘Deterrence of Cyber Attacks’, in Kramer et al., Cyberpower and National Security, 317–20.
45For example, some experts call for ensuring cyberdeterrence by developing a ‘cyber countervailing’ strategy analogous to the countervailing nuclear strategy adopted by NATO during the Cold War, which ‘[made] known to the adversary that the implication of a nuclear strike would be far greater than the potential gains an adversary could achieve by initiating the first strike’. Amit Sharma, ‘Cyber Wars: A Paradigm Shift from Means to Ends’, Strategic Analysis 34/1 (2010), 69.
46Similarly, a recently proposed law in Russia aims to give Moscow the authority to treat a cyberattack of any kind as an act of war and respond accordingly. Baker et al., In the Crossfire, 30.
47For example, Chinese military doctrine appears to be consistent with this view. China's ‘Science of Military Strategy’ notes that many PLA Information Warfare operators believe CNA to be ‘bloodless;’ thus CNA ‘may become first choice weapons for a limited strike against adversary targets to deter further escalation of a crisis’. Northrop Grumman Corporation, Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, 19.
48James Lewis, ‘Cross-Domain Deterrence and Credible Threats’ (CSIS, July 2010).
49Despite this, the US and Russia recently began talks with a UN arms control committee about limiting the military use of cyberspace. ‘In shift, US talks to Russia on internet security’ New York Times, 13 Dec. 2009. Most analysts are cynical about its prospects.
50Unlike other arms control efforts that destroy weapons, cyber arms control can only forbid certain acts; it cannot eliminate capability. Clarke and Knake, Cyber War, 254.
51Robert Jervis, The Meaning of the Nuclear Revolution: Statecraft and the Prospect of Armageddon (Ithaca, NY: Cornell UP 1990), 60.
52Vice Admiral Bernard McCullough, ‘Positioning the Navy for Cyber Warfare: US Fleet Cyber Command’ (Center for Strategic and International Studies, 5 April 2010), <http://csis.org/event/cyber-warfare>.
53Lewis, ‘Cross-Domain Deterrence.’ For example, more than 40 per cent of the systems infected by the ‘precision’ Stuxnet malware were in 154 countries aside from Iran. Falliere et al., W32.Stuxnet Dossier, 6.
54The argument here differs from that of analysts who argue that deterrent theory does not apply to cyber warfare. E.g., Clarke and Knake, Cyber War, 189–95.
55Kugler, ‘Deterrence of Cyber Attacks’, 317.
56Rattray, Strategic Warfare in Cyberspace, 101.
57Irving Lachow, ‘Cyber Terrorism: Menace or Myth’, in Kramer et al., Cyberpower and National Security, 442–7.
58Critical infrastructure already fails fairly regularly (e.g., blackouts) – often for banal reasons such as human error – without generating widespread panic. Ibid., 447–8.
59I.e., both robust CNA and conventional capabilities.
60In the scenario envisioned here, without CNA the superpower's civilian infrastructure would otherwise be out of range of the strong state's conventional weapons.
61For example, Chinese doctrinal writings on information and cyberwarfare suggest that the scenarios described here may be applicable to a potential conflict between the US and China over Taiwan.
62Libicki, Cyberdeterrence and Cyberwar, 70. In contrast, all states – regardless of development phase – have physical structures that can be threatened by kinetic weapons.
63Rattray, Strategic Warfare in Cyberspace, 83–4.
64Irving Lachow, ‘Cyber Terrorism: Menace or Myth’, in Kramer et al., Cyberpower and National Security, 441.