ON WAR - Pentestify Labs

21/12/2022

The modern world is rapidly becoming a more complex system, from new economic models being continuously implemented to new technologies that might affect a country’s critical infrastructure, such as electricity, water, or defence. As a consequence of such capabilities and their inherent complexity, together with globalisation, a rise in technological dependencies, and hence central points of failure, can be observed across different countries, including, but not limited to, the global supply chain, manufacturing, and chip design, which inevitably leads to abuse, attack, and potentially, to war.

This formal, educational article analyses and discusses different concepts of cyber war in the first part, namely around Thomas Rid’s perspective. Secondly, the past, current, and future state of cyber warfare, together with the role of cyber deterrence, will be covered. 

THOMAS RID ON CYBERWAR NOT TAKING PLACE

First, to best explain Rid’s work and argue it accordingly, the definition of cyber war must be expounded. Although there has been no single valid answer over the last thirty years as to what cyber war really is [1], it is appropriate to start from the concept of war itself.

Regarding the definition of war, Carl von Clausewitz’s magnum opus, On War, which extends his dictum stating that “war is not merely a political act but a real political instrument, a continuation of political intercourse, a carrying out of the same by other means” [2], holds that war must be political, instrumental, and violent, using violence to compel the enemy to submit to a certain political will.

As for cyber war, definitional ambiguity, or even contradictory information, has not discouraged governments, academics, and the military from attempting to define it precisely. Since as early as 1993 there have been provocative and controversial papers, like the one titled Cyber war is coming, by Arquilla and Ronfeldt [3], which claimed that cyber war was an immediate threat, causing nation-wide alarm in the USA. On the other hand, Thomas Rid’s 2013 book, titled Cyber war will not take place [4], argues that, so far, no cyber-attack has caused a cyber war, given that, for a cyber-attack to be considered a cyber weapon, it must possess a high-enough instrumental, political and violent value, which in turn leads to many more fatalities than previously recorded.

However, it is the former White House counter-terrorism advisor, Richard Clarke, whose definition of cyber war has proven to be the most influential on Google Scholar, through his bestselling book named Cyber War: The Next Threat to National Security And What To Do About It [5]. Here, the author argues that cyber war is “actions by a nation-state to penetrate another nation’s computers or networks for the purpose of causing damage or disruption”, which does not necessarily have to lead to human deaths or extreme levels of violence.

Rid’s arguments

Thomas Rid argues that, to better understand why cyber war will not take place, there are three main misconceptions that must be clarified:

Firstly, he mentions that it is wrong to think that there is such a thing as cyber war or cyber peace, with both not making any sense. 

Secondly, he argues that it is flawed to think that the government (e.g., seemingly the Air Force in the USA) is in charge of global security against cyber war and has control over it. Instead, he expresses that the security of technical systems is up to the individual or the company in question, not the government itself.

Thirdly, an important distinction must be made to correctly differentiate the original meaning of war from a common metaphor attached to the word, as in the war against drugs or cancer, which does not refer to the physical event of war and will not be discussed in this article.

More specifically, Rid’s arguments seem to use Clausewitz’s as a three-point foundation to delimit what differentiates a cyber-attack from an act of war, given that it must be violent, political, and instrumental [6].

Political

Attached to political significance comes attribution, which refers to the identity of the offender that conducted the attack. Without it, Rid argues, an act of war cannot take place, because it is impossible to compel someone to submit to their offender’s will if the offender’s identity is unknown. This in turn makes it impossible for war to be an isolated event without any adversarial entity imposing its power.

Instrumental

For a cyber war to take place, Rid supports the idea that the act of war must be instrumental, whereby the enemy is forced to change. This, as stated by Clausewitz, might be achieved by employing force as an extension or alternative to other political means. It could be argued that, without the instrument of policy, the war itself would lose meaning, by lacking its element of subordination and control.

Violent

Rid states that, to comprehend correctly and fully the underlying violence in cyber war and that caused by cyber weapons, the nature of violence in traditional war must first be understood, and the line between a violent and a non-violent act must be drawn. To do so, Rid argues that if an attack does not have the potential of force, it is only violent indirectly, since its code does not justify a direct use of force. However, he then outlines that there has only been one major cyber-attack which caused relative physical harm, back in 2005, codenamed Stuxnet, and explained below in further detail. Equally, he theorises over the possibility of truly weaponizing a cyber weapon, such as a fully automated complex weapon system becoming the subject of a breach, whereby the offender gains complete flexibility and potential for chaos and damage. An example of the latter could be, in theory, hijacking a remotely controlled aircraft, like the Predator or Reaper drone. In practice, there have been a couple of examples that have come close to that, such as the hacking of a secret and stealthy CIA drone by the Iranians, back in 2011 [7].

Rather than past and current attacks being considered cyber-weapons or acts of war, he explains that they can be considered instruments of war, with a high level of sophistication in the following areas: sabotage, espionage, and subversion.

Sabotage

According to Rid, sabotage is rather technical in nature, with the objective of weakening and causing physical harm to an economic or military system, not always leading to physical destruction and overt violence. To better describe sabotage, Thomas Rid uses the Sabotage Field Manual released in 1944 by the US OSS (the precursor of the CIA), to further strengthen his view that sabotage “is carried out in such a way as to involve a minimum level of danger of injury, detection or reprisal”, hence its limited use of violence [8].

Espionage 

As opposed to the more visible effects of sabotage, Thomas Rid indicates that it is very difficult to know the current state of the art of espionage, because of its stealthy nature. This attribute further contributes to the lack of attribution, which makes it an instrument of war, instead of an act of war, as discussed above. It is only through publicly criticized and reprimanded figures like Snowden that its real extent can sometimes be known through leaks, where, in this case, the PDD-20 US document was uploaded to the public domain, sharing confidential information about nation-wide espionage by the NSA in 2013.

Subversion 

Having already briefly discussed sabotage and espionage, the third remaining offensive activity is subversion, which, according to Thomas Rid, despite its extremely advanced and avant-garde political techniques, has lacked considerable media and academic focus. From al-Qaeda’s attack on New York’s World Trade Centre, to the Occupy Wall Street movement ten years later, to the alter-globalization movements in more recent times, Rid outlines that these techniques have two constant attributes: the will to undermine the governing authority’s order, and the use of new telecommunication technologies, such as encryption and mobile communications. In fact, it is technology that has mainly lowered the barrier to entry, but at the same time raised the threshold for success. This, in turn, means that subversion is becoming less violent, as per Rid’s conclusions, and thus an instrument of war at best.

Given Rid’s above-mentioned attributes regarding common traits of acts of war, he declares that no past or current cyber-attack fulfils any or all of these definitions at the same time, which instead further reinforces the idea of them being instruments of war. These very sophisticated cyber-attacks, as opposed to cyber-weapons, do not need to be instrumental and intentional, and, taken together, the lack of intentionality might lead to a third problem: the problem of learning agents. This problem refers back to the payload, regardless of its state of the art, not being able to actively learn by itself, as seen during Stuxnet’s attack. For this, however, Rid points out that recent advances in stealthy machine learning and artificial intelligence might solve this issue in upcoming attacks.

Thomas Rid’s opposing arguments

Following Thomas Rid’s publication, several scholars reacted and investigated the phenomenon of cyber war itself, including respected names such as Richard Clarke and John Stone.

First, Richard Clarke, in his book Cyber War, explains how, even though the USA has not yet suffered a cyber war, smaller countries like Estonia or Georgia have.

Secondly, John Stone’s article Cyber War Will Take Place differs from Thomas Rid’s Clausewitzian view of war on two accounts: the level of violence required for an instrument of war to be an act of war, and the disproportionality between the force required to conduct an attack and the violence it creates once executed. Taken together with his loose requirement for attribution for a war to be considered one, limited force, combined with instrumentality and being politically driven, can indeed fall within the category of cyber war [10].

Furthermore, Sun Tzu’s ideas become particularly relevant when it comes to fighting a war without the use of extensive physical force, as he states that “to seize the enemy without fighting is the most skillful” [11]. Regarding the level of force to be used in a war, even Carl von Clausewitz maintains that the use of force might be a necessary tool for the adversary, but he never states how much force must lead to violence, or fatalities. This makes Thomas Rid’s arguments overly restrictive [2].

However, it is worth mentioning that Thomas Rid’s main objective in the book, whose title is a pun on the French quote “La guerre de Troie n’aura pas lieu” (the Trojan war will not take place), is to clarify some common misconceptions about the meaning of war, and consequently, cyber war, in order to better categorise and distinguish future acts of cyber war and the instrumentality of future cyber weapons, rather than to make predictions about the future.

Why Thomas Rid is not correct 

Firstly, although it might not be wise to state that the answer to whether cyber war has already happened or will happen is easy to develop, Thomas Rid’s perspective and analysis of cyber war seem to be overly narrow and antiquated. Rid further develops his definition of cyber war by restricting Clausewitz’s view on force and violence, arguing that the force used should lead to an approximately matching level of violence during a war. This, beyond going against other scholars’ views, like John Stone’s, further reinforces the fact that he does not take into consideration the low-force, yet catastrophic, attributes of cyber-weapons used as an act of war. Hence, Rid fails to differentiate the terms violence and force, and their potentially disproportional relationship. As a reflection of this, he is not able to see Stuxnet’s attack as anything beyond a mere sophisticated sabotage.

Moreover, he shows a rather pessimistic and limited trust in the ability of people in the private sector to learn and overcome technical difficulties when engineering a state-of-the-art attack through the use of cyber-weapons. However, it is clear that every year, not only are there eight times more cyber-attacks, according to the FBI [12], but also the tools and software used to design, build and execute cyber-attacks through the use of cyber-weapons are becoming increasingly accessible and advanced. One of the main culprits might be modern artificial intelligence models, with easier access to powerful hardware and resources.

Thirdly, Thomas Rid’s thoughts on attribution might apply to the physical world, where it is very difficult to ignore an opponent’s ‘kinetic effect’. However, he does not accommodate the digital world’s stealthy nature, and its ability to minimize, delay or even completely bypass attribution. Regardless of what deterrents there are in place against attribution, the act of war is not made any less valid, quite the opposite. In fact, under the Law of Armed Conflict and Article 51, the exact level of identification required to respond accordingly to an act of cyber war is not yet clear, further underlining how obsolete Rid’s perspective on cyber war and its current capabilities is.

PAST, CURRENT AND FUTURE GLOBAL STATE OF CYBERWARFARE AND DETERRENCE

To analyze the extent of past and current cyber-attacks clearly and correctly, it is important to employ the paradoxical trinity that conceptualizes Clausewitz’s chaos of war and the tension between the three main elements of war: the government, the people and the army [13]. Over the previous decade, the world has suffered many cyber-attacks which led, in one way or another, to the weakening or destruction of one or more of those three elements. It is therefore worth analyzing how past cyber-attacks and cyber weapons have debilitated those elements, in order to make objective predictions about the future.

Estonian cyber-attacks (2007-2008)

These attacks were carried out in three phases against the Estonian government, following the Estonian government’s decision to move a Soviet World War II memorial, the Bronze Soldier, to a military cemetery.

In the first phase, the Russian government’s attacks consisted of some rather basic pings against Estonia’s digital governmental institutions, through Denial-of-Service cyber-attacks, website defacement, attacks on DNS servers and mass email spam.

In the second phase, many of these attacks were reinforced by the use of distributed botnets and proxy servers in other countries. Although it lasted a day, it coincided with Victory Day, which symbolizes the defeat of Nazi Germany.

Finally, in the third phase, other governmental institutions or institutions of vital importance were hacked, like banks or informational government websites. These services were attacked from more than 180 countries at the same time. 

Stuxnet (2010)

Stuxnet is one of the first cyber-attacks that had a clear kinetic effect in the physical world, back in 2010, with a similar effect to a “cruise missile or commando raid” [14]. 

This attack, targeted at the centrifuges of Iran’s nuclear enrichment plant, required specific understanding and development of four zero-day exploits, including some very technical and advanced knowledge of how the machinery operated. To achieve this, the offender (now attributed to the US and Israel) had to investigate and study SIEMENS’ PLC hardware, to find and exploit the frequencies at which the centrifuge motor would have to rotate to cause significant and irreparable physical damage, whilst simultaneously displaying false system diagnostic reports.

This set the nuclear plant back 2-3 years, advancing the offender’s political and governmental intent.

NotPetya (2017)

In 2017, ransomware appeared on many computers worldwide, which seemed to be targeted at Ukraine, during its Independence Day. It is now believed to be the result of a politically motivated attack by the Russian government to weaken and destabilise the Ukrainian government.

It was built upon the Petya malware and adapted to newer systems that were vulnerable to the EternalBlue exploit, developed by the NSA. 

After encrypting all files on the computer, it asked for a ransom to be paid in Bitcoin. This cryptographic address made it impossible to attribute the attack to one single entity, hence the belief that this attack was meant to create chaos. Unfortunately, many of those who paid the ransom did not get any decryption keys at all, which was the case for Maersk’s computers, making them lose billions of USD.

Viasat (2022)

In early 2022, during Russia’s war in Ukraine, the Russian government took down the KA-SAT satellite network, which offered one of the last remaining lines of communication for the people stuck in Ukraine during the war. According to Thomas Rid and many other scholars, experts and even governments, this attack was deeply undervalued, given the potential negative repercussions that it had during the war and its technical complexity. It consisted of exploiting some software vulnerabilities in the satellites, as well as some firmware/hardware vulnerabilities in the models used to connect to the satellites, in order to stop all communications between devices that were using it. These software attacks were most likely the result of Russia’s AcidRain and FancyBear zero-day exploits. This allowed Russia to weaken Ukraine’s military communications. However, around six thousand wind turbines in Germany were also affected.

The current state of cyberwarfare on norms

As previously discussed, because of the multiplicity of definitions around cyber war, cyber weapons, cybercrime and whether certain attacks are an act of war or simply an instrument of war or crime, it comes down to the definition each country has. In particular, the UK has developed a National Cyber Strategy, which, according to the UK government, is a “plan to ensure that the UK remains confident, capable and resilient in this fast-moving digital world; and that we continue to adapt, innovate and invest in order to protect and promote our interests in cyberspace” [15]. Moreover, other entities like NATO have equally developed a framework to better focus on defence, given that they believe that the best offense is a good defence. Nevertheless, given the lack of a common framework to correctly classify, categorise and defend against cyber-attacks, the Tallinn Manual acts as a guidebook developed by a group of international experts to define the outline of what constitutes cyber war and how best to respond to it.

How will it continue to evolve in the future?

As shown in the examples of cyber-attacks above, there seems to be a general tendency to abuse telecommunications channels and further develop exploits harnessing the power of AI. An example of such advancements is Deep Fakes, with which an individual may be able to impersonate an influential figure for political or economic gain. Equally, there will be a great shift in economic models, and hence in security policies and vulnerabilities, following the advancement and popularisation of decentralised governance entities.

What role will cyber deterrence play in the future? 

As mentioned previously, one of the elements of cyber war that will most likely change in the future is deterrence, given that, as opposed to attacks with physical weapons and humans on the battleground, the next evolution of cyber-attacks and cyber weapons will be stealthy by nature. Fortunately, thanks to advancements in AI and mathematical models in the statistics and probability space, attribution, the ever-growing problem of correctly identifying the offender, will be made relatively easier.

Overall, here at Pentestify Labs, we are committed to educating our clients, partners, or simply the next generation of Web3 users about the real benefits of Web3, together with making sure that certain concepts are not abused or ignored, such as the government taking extreme surveillance measures under false or unnecessary pretences, as has previously been seen with COVID-19.

References:

[1] C. Ashraf, “Defining cyberwar: towards a definitional framework,” Def. Secur. Anal., vol. 37, no. 3, pp. 274–294, 2021, doi: 10.1080/14751798.2021.1959141.

[2] “Carl von Clausewitz: ON WAR. Table of Contents.” https://www.clausewitz.com/readings/OnWar1873/TOC.htm (accessed Nov. 23, 2022).

[3] J. Arquilla and D. Ronfeldt, “Cyberwar is coming!,” Comp. Strateg., vol. 12, no. 2, pp. 141–165, 1993, doi: 10.1080/01495939308402915.

[4] “NATO: ’’Cyber War Will Not Take Place’’: Dr Thomas Rid presents his book at NATO Headquarters, 07-May.-2013.” https://www.nato.int/cps/en/natolive/news_100906.htm (accessed Nov. 23, 2022).

[5] C. K. Borah, “Cyber war: the next threat to national security and what to do about it? by Richard A. Clarke and Robert K. Knake,” http://dx.doi.org/10.1080/09700161.2015.1047221, vol. 39, no. 4, pp. 458–460, Jul. 2015, doi: 10.1080/09700161.2015.1047221.

[6] T. Rid, Cyber war will not take place. 2013.

[7] “Iranians Claim Hack Brought Down US Drone Spy Plane | Silicon UK Tech News.” https://www.silicon.co.uk/workspace/iranians-claim-hack-brought-us-drone-spy-plane-down-51005 (accessed Nov. 23, 2022).

[8] “Simple Sabotage Field Manual by United States. Office of Strategic Services – Free Ebook.” https://www.gutenberg.org/ebooks/26184 (accessed Nov. 23, 2022).

[9] “‘Prepare for all-out cyber war’ | The Independent | The Independent.” https://www.independent.co.uk/news/media/online/prepare-for-allout-cyber-war-2159567.html (accessed Nov. 23, 2022).

[10] J. Stone, “Cyber War Will Take Place!,” https://doi.org/10.1080/01402390.2012.730485, vol. 36, no. 1, pp. 101–108, Feb. 2013, doi: 10.1080/01402390.2012.730485.

[11] Sun Tzu, “The Art of War .” http://classics.mit.edu/Tzu/artwar.html (accessed Nov. 23, 2022).

[12] “FBI sees a 400% increase in reports of cyberattacks since the start of the pandemic | Insurance Business America.” https://www.insurancebusinessmag.com/us/news/cyber/fbi-sees-a-400-increase-in-reports-of-cyberattacks-since-the-start-of-the-pandemic-231939.aspx (accessed Nov. 23, 2022).

[13] “The Trinity and the Law of War.” https://thestrategybridge.org/the-bridge/2017/11/12/the-trinity-and-the-law-of-war (accessed Nov. 23, 2022).

[14] L. J. Wedermyer, “The Changing Face of War: The Stuxnet Virus and the Need for International Regulation of Cyber Conflict.”

[15] “National Cyber Strategy 2022 (HTML) – GOV.UK.” https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022 (accessed Nov. 23, 2022).
