Cyber “War”: A Misnomer?

In recent years, there has been much talk among government officials about the threat of cyber war. But what is cyber war? And is it really war? There are differing opinions on the matter. Generally defined, cyber war is “Internet-based conflict involving politically motivated attacks on information and information systems” (SearchSecurity.com). According to Dr. Thomas Rid, however, “what would constitute cyber war [is] a potentially lethal, instrumental, and political act of force conducted through malicious code” (Rid). By this definition, Rid and others argue, a true act of cyber war has yet to occur. Rather, Rid says, all politically motivated cyber attacks are simply versions of sabotage, espionage, and subversion – not out-and-out war.

In order to decide whether or not an act constitutes cyber warfare, one must first decide what constitutes war. According to the Stanford Encyclopedia of Philosophy, war “should be understood as an actual, intentional and widespread armed conflict between political communities [and] is a phenomenon which occurs only between political communities, defined as those entities which either are states or intend to become states” (Orend). Though a cyber attack isn’t “armed conflict” in any traditional sense, a computer virus is a weapon when used against any computer infrastructure upon which a country depends. However, even taking this into account, cyber war would have to be actual, intentional, and widespread conflict – occurring in cyberspace rather than physically.

A further complication in terming cyber attacks as acts of war arises when the origin of the attack cannot be traced. According to the previous definition, war is something that occurs between political communities. The problem with cyber attacks is that, oftentimes, they cannot be traced; it can be impossible to know whether they were perpetuated by a foreign government, or by an independent hacker or shadowy private group (Oltsik). And if no political entity claims responsibility for the attack, can it be considered an act of war? Can one be at war with a nameless, faceless enemy? If one equates cyber attacks to guerilla warfare, then the answer might be yes. Guerilla warfare is a type of warfare in which enemy forces operate among – and are often hidden or protected by – civilian populations. In guerilla warfare, it can be difficult to identify the enemy; the same is true of cyber attacks. Those who perpetuate cyber attacks are therefore like guerilla fighters in cyberspace; they can strike and then disappear into the anonymity that is cyberspace. The difference is that, in traditional guerilla warfare, an army typically knows who it is facing, even if it cannot easily find them. The same is not true of cyber attacks; it can be impossible to trace their origin, and if no one claims responsibility, then the one who was attacked can only hypothesize as to who the enemy is.

There is no doubt that cyber attacks occur; the question is as to whether or not cyber attacks equate to cyber warfare. If cyber warfare truly exists, then, as the most sophisticated cyber attack to date, the Stuxnet worm would surely be an act of it. However, depending upon the definition one uses to define cyber warfare, even Stuxnet might not count.

The Stuxnet worm is a self-replicating computer virus that spread through thousands of computers around the world via USB drives, searching for programmable logic controllers (PLCs). PLCs control basic mechanical actions in pieces of machinery, such as opening and closing valves and controlling the speed of spinning centrifuges. The Stuxnet virus sought out PLCs made by the German company Siemens; when it found them, it checked to see if they were operating under certain conditions and, if they were, it introduced its own rogue code into the controller, thus changing the way the machinery works. The Siemens PLCs that Stuxnet was designed to sabotage were those used in the Natanz nuclear facilities in Iran. The worm managed to sabotage the uranium enrichment centrifuges, thus disrupting Iran’s nuclear program – if only temporarily (Gross).

Going by the general definition of cyber warfare, Stuxnet is surely such an act; it was a computer-based attack on a system – in this case, the Iranian nuclear facility – and political motivation was clearly at play. The two biggest suspects in the creation of Stuxnet are the US and Israel, both of whom would like to see an end to Iran’s nuclear program because an Iran in possession of nuclear weapons poses a threat. One US security conference attendee was quoted as having said about Stuxnet, “Well, it saved the Iranians a good old-fashioned bombing” (Ranum). Stuxnet was able to accomplish the same thing as a bombing, without the loss of life, or extensive damage. Stuxnet, too, was not as clearly an act of war; though the US and Israel are suspected to be the perpetrators, releasing a computer worm to sabotage a system is not as blatantly aggressive as dropping a bomb, nor can it be as easily pinned on one country. Furthermore, by a legal definition of an act of war, “an action by one country against another with an intention to provoke a war or an action that occurs during a declared war or armed conflict between military forces,” it could be argued that Stuxnet counts (US Legal). Though Stuxnet may not have been intended to provoke war, it certainly could have had that result; even if Iran couldn’t definitively prove the worm was created by the US or Israel, it could have reacted with a declaration of war based on suspicion alone.

However, if one applies Rid’s more narrow definition of cyber warfare to Stuxnet, the worm no longer constitutes an act of war. According to Rid, “The worm was an act of cyber-enabled stand-alone sabotage not connected to a conventional military operation” (Rid). He draws a distinction between cyber sabotage and cyber warfare in that sabotage does not aim to be lethal; the prime targets are things, not people. His definition of cyber war, on the other hand, requires that the act be potentially lethal – something which Stuxnet was not, as the worm aimed to sabotage machinery, not harm people in any way. It could be argued that a cyber attack such as Stuxnet could cause collateral damage in the process of fulfilling its primary goal (had a nuclear meltdown occurred, for example); however, lethality was not the worm’s intended purpose and, because it was designed to sabotage, Rid claims that it is better classified as an act of cyber sabotage than of war. Furthermore, the actual effect of Stuxnet was far different from a bombing of the nuclear facility; such a blatant attack would have been an overt act of war, while the Stuxnet virus achieved similar results while maintaining a degree of anonymity. It could be argued that, because the Stuxnet virus did not result in war, it was not an act of war.

Clearly, Stuxnet represents a cyber attack. However, does it constitute cyber warfare? And, in reality, does the distinction really matter? It seems to me as though cyber attacks such as Stuxnet would be better classified as acts of terrorism than as acts of war. Terrorism can be defined as “the use of violence and threats to intimidate or coerce, especially for political purposes” (Dictionary.com), but, as was discussed in class, it is still a rather ambiguous term with no single, cut-and-dry definition. Since this is the case, cyber attacks could easily be classified as acts of terrorism.

Whether or not cyber attacks are acts of war does not change the fact that they can be devastating in their consequences. Countries should have means of defending their critical infrastructure and information, regardless of whether or not cyber attacks are technically war. The real reason cyber war needs to be defined might simply be for policy purposes; in order to draw up protocols for dealing with cyber threats, the government must first decide what they consider an act of cyber war, so that they can decide how best to respond. In this sense, then, the broader definition of cyber war – internet-based conflict involving attacks on information and information systems – might prove the more useful. Getting into the technicalities of the term “war” could very well prove pointless and counterproductive.

Works Cited

“Act of War Law and Legal Definition.” US Legal Definitions. USLegal, 2011. Web. 22 Oct. 2011.

Beaumont, Peter. “Stuxnet worm heralds new era of global cyberwar.” The Guardian. Guardian News and Media, 30 Sept. 2010. Web. 22 Oct. 2011.

“Cyber War Might Never Happen.” ScienceDaily. ScienceDaily LLC, 18 Oct. 2011. Web. 22 Oct. 2011.

“Cyberwarfare.” SearchSecurity.com. TechTarget, March 2010. Web. 22 Oct. 2011.

Dudding, Sasha. “Experts discuss cyber options.” The Dartmouth. The Dartmouth, 21 Oct. 2011. Web. 22 Oct. 2011.

Gross, Michael Joseph. “A Declaration of Cyber-War.” Vanity Fair. Condé Nast Digital, Apr. 2011. Web. 22 Oct. 2011.

Jackson, William. “DOD struggles to define cyber war.” Government Computer News. 1105 Media, 12 May 2010. Web. 22 Oct. 2011.

Oltsik, Jon. “The Stuxnet Worm and Cyberwar: What Happens Next?” Network World. Network World, 28 Sept. 2010. Web. 22 Oct. 2011.

Orend, Brian. “War.” Stanford Encyclopedia of Philosophy. Metaphysics Research Lab, CSLI, Stanford University, 28 Jul 2005. Web. 22 Oct. 2011.

Ranum, Marcus J. “Cyberwar: About Stuxnet, the next generation of warfare?” Fabius Maximus. WordPress.com, 29 Sept. 2011. Web. 22 Oct. 2011.

Richardson, John. “Stuxnet as Cyberwar: The Law of War and the Virtual Battlefield.” Global Investment Watch. WordPress, 14 July 2011. Web. 22 Oct. 2011.

Rid, Thomas. “Cyber War Will Not Take Place.” Journal of Strategic Studies (05 Oct. 2011). Taylor Francis Online. Web. 22 Oct. 2011.

Shachtman, Noah. “Spooks in the Machine: How the Pentagon Should Fight Cyber Spies.” Progressive Policy Institute. Progressive Policy Institute, 6 Jan. 2010. Web. 22 Oct. 2011.

“Terrorism.” Dictionary.com. Dictionary.com, 2011. Web. 26 Oct. 2011.

Watkins, Tate. “Cyber War: Still Not a Thing.” Hit & Run: Reason Magazine. Reason Magazine, 21 Oct. 2011. Web. 22 Oct. 2011.