Earlier this week, the United Kingdom became the first country to admit publicly that it was developing an offensive capability on the Internet, not just protecting against attacks coming across the web but the ability to launch them. With that admission, the ground appears to have shifted even further away from countries hiding their ability to launch strikes online to openly discussing the possibility.
Up until now, much of what has the media has referred to as “cyberwar” or “cyberattacks” has actually being closer to “cyberespionage” — spying and attempting to steal data for an entity’s own use, rather than destruction to achieve a military or political goal. In recent months, the National Security Agency’s reach into the networks of other countries has been brought to light, showcasing just how extensive the collection of intelligence overseas truly is. An article from the Guardian in June published a map that professed to show where the majority of metadata — the information that informs where and when messages were sent — collection was taking place, including places of interest like Pakistan and Iran.
On the flipside, foreign governments like China have long been targeting American industries and government alike in the pursuit of information. That sort of spying, Rep. Mike Rogers (R-MI), chairman of the House intel committee, said on Thursday is “raping the next generation’s possibility for economic prosperity in the greatest innovative economy in the world.” Rogers went on to accuse that China, Russia, and India of consistently probing and stealing economic secrets, calling it “the largest national security threat that we have that we are not prepared to deal with as a nation.”
Different than those hacking attempts or routine spying is when the use of electronic methods to have an impact on actual, physical objects. These real-world consequences are what many experts are referring to when they talk about “cyberwar.” Most of the warnings about this form of attack have leaned towards the maximal, worst-case scenarios that sound more like science fiction than reality, such as opening jail cells or turning off the flow of electricity. Former White House counterterrorism czar Richard Clarke has even warned of states being able to shutdown the U.S. military’s vaunted technological superiority through cyberattacks.
While things like the decrepit nature of the power grid currently prevent such nightmare scenarios, the first such instance of real-world effects of an attack from a computer virus has already occurred. The first that has made its way into the public view is the Stuxnet virus in Iran. Discovered in 2010, the virus caused centrifuges in Iran’s nuclear facilities to spin out of control and eventually break, greatly setting back the program’s development. According to reports, still unconfirmed from the Obama administration, the United States and Israel co-wrote the program, inserting it into German-made centrifuges and only when it was accidentally spread onto the greater Internet was it discovered.
In the event that viruses and actions like Stuxnet become more common, those who take action from behind a computer screen will likely be considered credible targets as seen in NATO’s Talinn Manual. Just this week the suspected Iranian chief of cyber operations was reportedly killed, though the Iranian government has yet to confirm his role.
It now seems that countries are starting to become more open about their armies’ activities online. “But simply building cyber defenses is not enough: as in other domains of warfare, we also have to deter. Britain will build a dedicated capability to counterattack in cyberspace and if necessary to strike in cyberspace,” British Defence Secretary Phillip Hammond said on Sunday.
And while it hasn’t been as transparent, the United States appears to be of the same mind. The U.S. already has the military component in place, running through the U.S. Cyber Command. America is one of only three countries in the world to have such an organization within its military; the other two are India and South Korea. The Guardian in June reported that President Obama has ordered his administration to draw up a list of possible targets in the event a offensive cyberattack was ever deemed necessary.
Gen. Keith Alexander — better known as the director of the NSA — also wears a second hat as the head of CYBERCOM. In speaking before Congress in March, he informed them that the U.S. was standing up 13 teams designed to counterattack should the U.S. first be attacked. “Let me be clear, this defend-the-nation team is not a defensive team, this is an offensive team that the Department of Defense would use to defend the nation if it were attacked in cyberspace,” he said at the time.
It’s Alexander’s dual role that has some in the field concerned and highlights just how far the debate over cyberwar has been brought into the light. “Imagine if the commander of U.S. Pacific Command were the leading source of information on the Chinese military threat, had the ear of Congress on China policy, ran covert military operations against China, and could decide what information on China was classified,” writes Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative.
NSA and Cyber Command need to be split, Healey argues, if for no other reason to prevent the accumulating of power online in the hands of one person. “This will of course create tensions and increased costs,” he writes, “but cyberspace is too important to grant one person have a near-monopoly on threat intelligence while simultaneously conducting active espionage, directing military force, and advising on policy.”
As these activities come further into the light, it makes it easier for an open discussion about about the ways in which cyber-operations will change the way we wage war. In his book ‘Cyberwar Will Not Take Place,’ King’s College’s Thomas Rid argues that the focus on the chance of networks being used to cause mass destruction are diverting from the real utility that these methods have.
“[I]n several ways, cyberattacks are not creating more vectors of violent interaction; rather they are making previously violent interactions less violent,” Rid writes. “Only in the 21st century has it become possible for armed forces to cripple radar stations and missile launchers without having to bomb an adversary’s air defense system and kill its personnel and possibly civilians in the process. Now this can be achieved through cyberattack.”
At present, there’s no sign of the activity of preparing for the possibility of cyberwar is retreating as far back into the shadows as it once was. Former Supreme Allied Commander Europe James Stradvaris actually believes that the U.S. should act now to scale up its cyber capabilities. “It is time we considered the creation of a US Cyber Force for many of the same reasons we needed a US Air Force,” he writes. “None of this means we are militarizing the cyber world. Just as in aviation, we must recognize the reality that there will be some level of military activity in the cyber world.”