Cyber warfare – a new strategic reality

Are cyber attacks the new ‘weapons of mass disruption’? Are we likely to see a ‘cyber Pearl Harbour’ sometime in the 21st Century? This talk examines how cyberspace is affecting the way wars are being fought and examines the claim that the internet is becoming an influential tool in contemporary conflict.

This talk was given at the National Library of New Zealand on Wednesday 1 April, 2015. It is part of a series of talks on the subject of conflict. The series is a joint presentation by the National Library and Victoria University of Wellington, which runs until September 2015.

Joe Burton

Joe Burton is a lecturer in International Relations and International Security at Victoria University. He has a PhD and Master of International Studies degree from the University of Otago and an undergraduate degree in International Relations from the University of Wales, Aberystwyth.

His research is currently focused on US foreign policy, contemporary security issues, such as cyber security and energy security, and how states, non-state actors, international organisations and alliances are adapting to deal with new strategic challenges.

Joe Burton is not an employee of the National Library, and as such his ideas and opinions are his own.

Introduction

I want to examine in my talk today the idea of cyber warfare and I want to question whether this term that we hear about quite often in the media is an accurate term and whether we are actually seeing wars being fought in, through and targeted at cyberspace.

In fact I want to argue today that cyber warfare is something that’s happening – it is a salient, relevant, and increasingly influential part of the contemporary security environment.

More specifically: cyber attacks are increasingly being used as part of ‘information warfare’ operations; cyberspace is increasingly being seen as the ‘fifth domain’ of warfare, along with land sea air and space-based operations; cyberspace itself is becoming increasingly militarized; and there are significant dangers relating to cyber escalation, where cyber attacks could lead to armed conflict.

Some parameters

Before I build on this line of reasoning I want to establish some parameters and caveats.

Firstly cyber attacks are never in and of themselves violent. No one has lost their life as a result of someone sending a malicious computer virus from one computer to another.

In looking at the causes, consequences and impact of warfare, physical violence is still the biggest factor – small arms and IEDs have cost far more lives than computer code likely ever will.

Thomas Rid, perhaps the world’s most prominent cyber security academic, at least in the IR discipline, has argued that “cyber war will not take place”, because cyber attacks cannot constitute an act of war because they neither involve physical acts of violence nor create true harm to individuals.

What I want to do though is move beyond that – I don’t find that satisfactory and I think broader definitions of what might constitute cyber warfare are important.

Second, by talking about cyberspace as a domain of warfare there is danger that the language we use begins to affect and even constitute reality. The term Cyber War could be a self-fulfilling prophecy – if that’s the way we talk about this area of activity, that’s what will eventuate. In IR theory the term ‘securitisation’ is pertinent here – we don’t want cyberspace to be something that becomes too engrained in a discourse of war and conflict.

So how can we talk about cyber warfare, how can we start to conceptualise it so that we can come to some sort of judgement about whether it is becoming a strategic reality, a salient and influential feature of war?

Categorising cyber security

Any conception of cyber warfare must acknowledge that it exists on a spectrum of complex and interrelated cyber activity – I think we need to be clear about the terms we use.

Cyber bullying via social media, cyber crime – things like identity theft and ban fraud, cyber espionage by states, data exfiltration, cyber terrorism – none of these are the same as war.

Too often these things become conflated in the media, by statesmen, policymakers and indeed by academics – Former Nato Secretary General Anders Fogh Rasmussen recently referred to cyber attacks against Nato as being a form of “permanent low level warfare”.

What I think he was referring to was cyber espionage - attempts by foreign states to penetrate Nato’s digital networks in order to monitor them or exfiltrate information from them.

Cyber-attacks as information warfare

The first way I think we can look at cyber warfare as a strategic reality is by seeing cyber war as a natural outgrowth of information warfare. Contemporary cyber warfare operations are, essentially, information warfare operations.

These sorts of operations have been incredibly influential in the history of the last century.

In reference to World War I, for example, the conflict that this series of talks commemorates, historian Jonathan Read Winkler has claimed that: “the leading belligerents in World War I engaged in information warfare throughout the war on a breadth and scale previously not understood”; and that Britain was involved in “systematic destruction of Germany’s information networks and that Germany engaged in a similar campaign against Allied communications systems”. (1)

He goes on to say, “In the late nineteenth and early twentieth centuries, the advent of submarine telegraph cables and then wireless telegraphy fundamentally altered the way in which countries and cultures related politically, commercially, financially, and culturally. It also affected the problems associated with how states could manage homeland and imperial defense. Protection of one’s own external communications networks and the destruction of an opponent’s network became important objectives.”

During World War II, Alan Turing’s work in breaking the German Enigma codes was crucial to Allied success in the war. (Turing is widely considered to be the father of modern computing, and his mathematical equations were the basis of modern computer systems).

In the modern era, cyber operations are part of states’ information warfare operations and control of the information environment is crucial in contemporary conflict, particularly in the areas of intelligence and situational awareness – awareness of what’s happening in the strategic environment.

Cyber-attacks can be used to degrade an adversary’s ability to communicate, and ever more sophisticated encryption and authentication measures are being used to protect militaries’ own communications.

In this sense the internet and advanced information and communications technology has given states new mechanisms for defense and new points of attack.

In the contemporary environment the impact of the internet on the control and supply of information in warfare has been increasingly important:

As senior US commander in Afghanistan recently revealed, in reference to the Taliban, “I was able to use my cyber operations against my adversary with great impact. I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”

So, even in Afghanistan, one of the most underdeveloped countries in the world, information warfare through cyberspace has been important.

Even more recently, in Ukraine, we have seen Russia mount hybrid warfare operations that revolve heavily around information warfare concepts. As one commentator has recently noted, “It is pretty clear that Russian involvement in Crimea last year showed the integrated use of capabilities including rapid deployment, electronic warfare, information operations, special-forces capabilities and cyberspace communications, targeted at both domestic and foreign audiences.” (2) The internet is being used by states in contemporary conflicts to control the information environment.

Cyber warfare is a new term for information warfare operations carried out through cyberspace.

Cyber space as the 5th domain

The second major way that I think cyber warfare is becoming an increasingly influential and important feature in the contemporary security environment is that cyberspace is coming to be seen as the new 5th domain of warfare – that is to say, it now joins land, sea, air, and space operation as a theatre of conflict.

When states talk about maintaining an ability to conduct ‘full spectrum’ operations they are talking now about cyberspace as well as the four other domains.

In one respect cyberspace has the potential to be theatre of conflict in and of itself.

Imagine a scenario in which US hackers, on instruction from the US government, hack into Chinese computer systems, and implant malicious software that, under a specified electronic command, will render Chinese internet and telecommunications networks inoperable. What if the Chinese retaliate by doing the same? This might sound fanciful, the realm of imagination, but it is possible.

In fact, these kinds of fears have been driving policy in some countries. When the US and Australian governments blocked Chinese company Huawei from supplying broadband infrastructure, this is the sort of thing they were concerned about.

Concerns that US hardware and software sold and installed in foreign countries might give the US ability to do the same have been mentioned in the Edward Snowden revelations. Such pre-emptive acts of cyber subversion against foreign networks could well be perceived and interpreted as acts of cyber warfare if not warfare more generally.

What I think though is more likely, and in fact what I think is actually happening, is that cyber warfare operations are taking place in conjunction with operations in the other four domains and are integrally linked to them.

In other words, cyber operations are influencing and interacting with land sea, air and space operations.

What evidence do we have for this claim? To what extent is cyber having an impact on these other domains?

Former US Deputy Defense Secretary William Lynn has claimed cyber warfare is ‘just as critical to military operations as land, sea, air, and space’. Senior military officers are very much buying into this idea.

In October 2011 the New York Times reported that in advance of the air campaign against Colonel Gadhafi’s Libya the US Department of Defense considered a barrage of cyber attacks against Libya’s surface to air missile capabilities and sites, that would have protected allied aircraft. (This was not implemented because of concerns over congressional approval and, perhaps more importantly, over fears that the US would be setting a dangerous cyber warfare precedent.(3)

Perhaps the most often-cited example of cyber operations being used in conjunction with more conventional military methods is the Russia-Georgia war in 2008. In that case, the Russian land and air campaign was preceded by cyber attacks against the digital networks of Georgian government ministries and military units, sowing confusion, and degrading their ability to communicate, and, arguably, this gave the advancing Russian offensive a significant military advantage.

This is a good example I think of how cyber attacks can amplify or multiply the effects of military operations. Again, the cyber attacks themselves weren’t violent, but they considerably increased the capacity and ability of advancing Russian forces to undertake a violent military offensive.

If we look at recent developments in advanced military capabilities we are seeing this idea of cyberspace as a 5th domain of warfare emerging quite prominently.

It was reported in the media just last month that the new US F35 fighter aircraft, which is probably the most advanced and capable fighter aircraft on the planet, would have a ‘cyber pod’ attached to it.

It is unclear what exactly the pod will do, but it unlikely to be just a purely defensive capability. In other words, it will protect the aircraft from cyber attacks and electronic jamming, but it will also be able to conduct cyber attacks against hostile targets by sending electronic signals. This could be what’s been referred to as a “Next Generation Jammer” that fools hostile radar systems by receiving those signals and sending back false ones directly to the source.

The magazine ‘Popular Science’ has referred to this capability as the world’s deadliest podcast.

Another example is in the area of drone warfare, and we have seen various attempts, some successful, to hack into drones, unmanned aerial vehicles.

A picture released by the office of Iran's Supreme Leader Ayatollah Ali Khamenei on May 11, 2014 shows him sitting next to a captured US RQ-170 sentinel high-altitude reconnaissance drone that crashed in Iran.

According to Russia Today, “The Iranians have claimed they used a cyber attack to bring down this drone – a technique called “spoofing” where they sent the drone the wrong coordinates and tricked it into believing it was landing at its home base in Afghanistan when in fact it was landing on Iranian territory.” (4)

So these are examples of how cyber can interact with air operations.

What about the other domains?

The US navy has recently announced a tactical shift to what it calls ‘distributed lethality’ – part of that strategy is about bypassing Chinese cyber attacks against naval battle groups in the Pacific. The Chinese A2/AD (anti-area, access denial) strategies are also well-known for relying on cyber capabilities to do just that.

Space is increasingly interesting. Can cyber attacks influence space based communications?

Again, there have been reports that the Chinese military are putting a lot of effort into developing the capability to conduct offensive cyber attacks against the US Global Positioning Satellite System.

At the moment the US have a distinct advantage over China in that they have their own GPS system and, in the event of a conflict with the latter could shut China out of that system, making it more difficult for the Chinese armed forces to conduct operations. (5)

China are developing their own rival satellite system in order to keep up with this potential domain of warfare.

According to a recent article in the foreign affairs magazine, “Chinese hackers recently hacked into the U.S. National Oceanic and Atmospheric Administration (NOAA) network in an attempt to disrupt data related to disaster planning, aviation, and much more coming from U.S. satellites”.

When we think about the wide range of systems that rely on satellites, including military operations but also phones, the Internet, banking systems, to monitor land, air, and maritime traffic; facilitate global communications, this is a worrying trend.

Militarisation of cyberspace

So I’ve talked about cyber warfare as an outgrowth if you will of information warfare, including electronic warfare and I’ve talked about cyber as a 5th domain.

I want to turn now to talk about a third conception of cyber warfare which is to do with militarisation.

Militarisation is generally understood as a process whereby a state prepares for war.

So the question becomes, is this what is happening in cyberspace? Is the internet being used in preparation for wars, and, crucially, what are national militaries doing in this area? Are they preparing to fight wars in cyberspace, or to use cyberspace for war fighting?

I think some of the evidence I’ve already provided suggests this is happening, but let’s look at this in a bit more detail.

At a rhetorical level, cyber attacks are often framed in strategic military terms. (6)

Leon Panetta, former CIA director and US Defence Secretary, has referred to the possibility of a “cyber Pearl Harbor”, and we often hear terms like “weapons of mass disruption” being used in this area. Regardless of whether we think cyber attacks can cause mass disruption, or whether cyber attacks could start a war, which I think they could, referring to them in this way gives the process of militarisation momentum.

In addition, some of the world leading powers are investing heavily in developing not just defensive but offensive cyber security capabilities.

The Stuxnet virus, which is fairly widely acknowledged to have been developed by the US and Israel as part of an operation code-named ‘Olympic games’, and which was deployed against Iranian nuclear centrifuges, is a prominent example.

The consequences of the deployment of this kind of capability, shouldn’t be underestimated. Arguably this has led Iran to accelerate its own cyber security capabilities, and there are real fears that these types of computer viruses can be reverse engineered.

In this respect the militarisation of cyberspace may lead to cyber arms races – the pursuit of increasingly sophisticated cyber weapons, and cyber security dilemmas.

It’s worth remembering at this point that the development of the internet itself was heavily influenced by the US military.

The Advanced Research Projects Agency Network was an early data packet switching system – ARPANET as it’s referred to. ARPA later became DARPA and is an agency of the US Department of Defence.

The other US agency which is much better known and which has taken a very prominent and controversial role in cyberspace is of course the NSA – again an intelligence agency that is housed within the US Department of Defence.

The internet has a phenomenal range of roles and influences, but we mustn’t forget that intelligence agencies and national security establishments have a massive stake in its operation, and particularly in the post 9/11 environment, these very powerful organizations have taken a much more intrusive role in cyberspace.

This has been one of the most contentious political issues that I’ve seen emerge in New Zealand in the 12 years I’ve been here.

More generally, we are seeing the militaries of many countries taking an active role in cyber defense and offense. According to a 2011 report by the US Centre for Strategic and International Studies, 33 states include cyber warfare in their military planning and organization. I think that this figure is likely to have grown in the last few years.

The US Army has officially acknowledged cyber warfare as an element of strategic doctrine and has a dedicated cyber command USCYBERCOMM, which is tasked with coordinating defensive and offensive cyber security operations for the various branches of the US military – the navy, air force, army and marines.

The Chinese military also appear to be involved in developing offensive cyber capabilities. Close links between the People’s Liberation Army and cyber attacks have been identified and the US justice department recently indicted 5 members of the PLA on charges of cyber espionage.

Miriam Dunne Cavelty, another prominent cyber security scholar, highlights that “Chinese authorities have stated repeatedly that they consider cyber space to be a strategic domain and by mastering it they may be able to equalize the existing military imbalance between China and the US more quickly”. (7)

Russia, as I’ve already mentioned, has already used cyber attacks in military operations. In Ukraine and Crimea we are seeing large scale use of cyber capabilities.

It seems to me that there is significant evidence of cyber security being militarised.

The dangers of cyber escalation

The final issue that I want to address before concluding is that of cyber escalation.

Could cyber attacks in and of themselves ever cause a war? Are we likely to have an attack which could cause as much damage and destruction as Pearl Harbor and propel one of the world’s great powers into a full scale military conflict.

There are two recent incidents of cyber attacks that are illustrative here:

The first is the 2007 cyber attacks that were conducted by Russian based hackers against Estonia, which took down the networks of Estonian government ministries, banks, and media outlets. There was significant concern at the time that the cyber attacks could escalate into a much more serious crisis between Estonia, NATO (of which Estonia had been a member since 2004), and Russia.

Estonian politicians claimed this was an attack against Estonian sovereignty. Estonian Prime Minister Andrus Ansip, for example, asked, “What's the difference between a blockade of harbours or airports of sovereign states and the blockade of government institutions and newspaper websites?”

Linnar Viik, a consultant to the Estonian government, said “...this is not some virtual world. This is part of our independence. And these attacks were an attempt to take one country back to the cave, back to the Stone Age.”

In 2007, however, NATO was some way from establishing whether cyber attacks constituted an ‘armed attack’ as stipulated in Article 5, and implementing a collective response to the attacks was problematic given the difficulty of attribution.

One of the concerns about this is whether this kind of cyber security posture could lead to escalation. If we think back to WW1 – the assassination of Arch Duke Ferdinand escalated into a world war because of alliance pacts.

One of the concerns about escalation is how do you respond? With a cyber retaliation, with sanctions, with a kinetic attack (neither the US or NATO have ruled this out).

I was in Japan recently and there is a lot of focus there on cyber security and Japan’s international partnerships, and I think there is a lot of concern in Japan that they don’t want to be part of collective defence agreement in the cyber security area because it might drag them into conflicts.

The second more recent example is the recent cyber attacks, allegedly by North Korean hackers, against Sony Pictures in the US, which were in response to the release of the film The Interview, which was about a fictitious plot to assassinate Kim Jong Un.

What struck me most about these attacks was how quickly they escalated into a serious diplomatic and economic crisis. Cinema goers were threatened, the film’s release was canceled, leading to a serious debate about free speech in America, President Obama personally intervened, the US imposed sanctions on North Korea, and it is possible that there was a cyber retaliation by the US against North Korean digital networks that rendered them inoperable for a time in the aftermath of the crisis.

Obama’s quote here is interesting in the context of this talk, because he says this didn't amount to an act of war – so he himself is categorizing malicious cyber activity, but more importantly, what he is trying to do is put a lid on the situation, to stop tensions boiling over – to de-escalate tension.

I think what both of the two examples that I’ve mentioned demonstrate is that cyber attacks can cause significant pressures to escalate conflict, and we need to put in place measures to stop this happening.

Interestingly in that context, Russia and the US took steps which include setting up direct communications between the Department of Homeland Security's US Computer Emergency Readiness Team (US-CERT) and the Russian equivalent organization.

Conclusion

Let me conclude by restating my basic argument.

I believe cyber warfare is a present, salient, strategic reality, and that we need to take these issues seriously. Claiming cyber warfare doesn't exist because cyber attacks aren’t violent does not allow us to focus on and analyze the extent of this kind of activity in the contemporary security environment.

If we come to that conclusion, where do we go from here, what implications are there for New Zealand if we accept this line of reasoning?

Well, in New Zealand, we need to take this issue seriously from a military perspective – we are sending another major deployment of our armed forces overseas and information security is a really important part of that operation – so that our troops can communicate safely and securely, that we can communicate with our allies securely, and that we are secure from cyber intrusions. Interoperability in cyber security in operations is really important for New Zealand as we go forward.

It’s interesting to note that there is now a Federated Intelligence Sharing network within NATO – an outgrowth of ISAF which is now being maintained and broadened. The FIN is basically a faster, better and more secure way of sharing information among allies and allies and global partners on a specific set of topics of interest.

As a small state with little in the way of resources I think we would be foolish to follow the lead of others in developing offensive cyber security capabilities and doctrine – we just can't compete in this area – a defensive cyber security posture is the right one for NZ at this time.

New Zealand has an opportunity as chair of the UNSC to push these issues internationally – I don't think we are going to see a big UN level agreement on cyber security, but we can have a role in the emergence of norms of behavior through international institutions through sustained engagement on the issues.

Many countries in our region are also looking at increasing cooperation on these issues – I was at the Asean Australia New Zealand dialogue in Kuala Lumpur last year and there was a lot of interest within the Asean countries on developing cooperation in this area.

So while there are some worrying trends in the area of cyber conflict, there is also a lot of potential for cyber cooperation with countries who share our interests and values.

James Der Derian, in his influential book Virtuous War says, ‘When war becomes the first, rather than the last, means to achieve security in the new global disorder, what one technologically can do begins to dominate what one legally, ethically and pragmatically should do.’

This sums up where we are on emerging cyber issues quite well. Just because we can conduct war through cyberspace, doesn’t mean we should.

Citations

1. 'Information Warfare in World War 1', The Journal of Military History, Volume 73, Number 3, July 2009, pp. 845-867. ^

1. 'Are We Prepared for 'Hybrid Warfare'?', The Diplomat, February 13, 2015. Also see The Military Balance. ^
2. 'U.S. Debated Cyberwarfare in Attack Plan on Libya', New York Times, October 17, 2011. ^

1. 'Watching the watchmen: US shield to protect drones from 'spoofing' cyber-attacks', RT, December 6, 2014. ^

1. 'Space Wars: Why Our Space Systems Need an Upgrade', Foreign Affairs, January 7, 2015. ^

1. 'The Militarisation of Cyberspace: Why Less May Be Better', Proceedings of the 2014 International Conference on Cyber Conflict, 2012. (pdf, 463KB) ^

1. 'The Militarisation of Cyberspace'. ^