For some time now we’ve been told that the Next Big Threat, when it finally arrives, would not come in the form of nuclear tipped missiles flying over the poles or suitcase sized dirty bombs detonating in a subway. It would be a silent string of ones and zeros sneaking in over the internet and destroying our infrastructure, crippling our military and making your invisible dog fence kill you. In short… cyberwar. As recently as this summer we were warned that both Syria and Iran could launch such an attack on us and that maybe our best approach to Assad would be to do the same to him first. Washington spends more than $4B a year on it and the costs in the private sector dwarf that by a vast margin.
But there is now a movement among one set of thinkers saying that the reality doesn’t live up to the hype and there really isn’t any cyberwar.
Why a cyberwar won’t happen
EXACTLY two decades ago, the RAND Corporation, an influential think tank, proclaimed that “cyberwar is coming!” In 2005, the US Air Force declared it would now “fly, fight, and win in cyberspace”. The future of war would surely play out in that fifth domain, on top of land, sea, air and space. Dark warnings of “Cyber Pearl Harbor” soon became a staple of Washington discourse…
What would an act of cyberwar look like? History suggests three features. To count as an armed attack, a computer breach would need to be violent. If it can’t hurt or kill, it can’t be war. An act of cyberwar would also need to be instrumental. In a military confrontation, one party generally uses force to compel the other party to do something they would otherwise not do. Finally, it would need to be political, in the sense that one opponent says, “If you don’t do X, we’ll strike you.” That’s the gist of two centuries of strategic thought.
No past cyberattack meets these criteria. Very few meet even a single one. Never has a human been injured or hurt as an immediate consequence of a cyberattack. Never did a state coerce another state by cyberattack. Very rarely did state-sponsored offenders take credit for an attack. So if we’re talking about war – the real thing, not a metaphor, as in the “war on drugs” – then cyberwar has never happened in the past, is not taking place at present, and seems unlikely in the future.
This is a complicated subject, and as much as I’ve read about it, I still feel like there’s a world of information out there which we should probably know. But even given that admission, this type of partial dismissal of the danger – and several others just like it – seem more like quibbling over definitions than any sort of revelation. The resounding phrase which defines these arguments is, essentially, it ain’t war until somebody dies. The other argument is that it’s not cyberwar… it’s cyber sabotage, espionage or subversion.
I’m sorry, but that sounds a bit too much to me like saying, “It’s not war war.” Sabotage, espionage and subversion are, by definition, things that happen in war war. They just aren’t the parts that take place on open battlefields with body armor, tanks and fighter jets. But how much damage could cyber terrorists really inflict? The Economist published an excellent piece last year which is worth a read if you’re interested in the subject. In it they argue that the real threats come in the form of purely criminal activity, stealing vast swaths of commercial and financial data or forms of industrial espionage. The ability to enact serious, widespread attacks on military or infrastructure targets is far less clear.
This seems to match what I found out when I had the chance to speak with a software engineer this summer who has been working on Smart Grid technology in both New Jersey and Ohio. She told me that while there are definite concerns to watch out for, hackers looking to wreak such havoc have a much tougher task than simply finding some deeply hidden password from a secret decoder ring in the right box of cereal and shutting down America’s electricity for months or years on end as in NBC’s series, Revolution.
The problem for the hackers, as she explained, is twofold. First, Smart Grids rely largely on what’s described as “hard triggers” rather than software control. Before an event takes place – such as isolating a particular grid by cutting the lines to prevent a rolling brownout – there has to be an actual failure of the power on the other side of the grid line. In other words, to produce a given physical result, you need to trigger another actual physical condition first, rather than sending some remote computer command to make it happen. Its apparently much harder than it sounds.
Second, the ironic thing that could potentially save us from that sort of infrastructure attack is that so much of our grid is still “dumb” rather than smart. The vast majority of America’s power transmission system is really still nothing more than “wires hanging on sticks,” as some Smart Grid supporters like to say. There simply is no computer interface capable of shutting it off, so there’s nothing to hack into. Yes, individual power generating stations might be briefly shut down through a computer attack, but those tend to be isolated quickly and manually restored to operational status in short order.
So what do you think? Are we overthinking this and spending too much time and resources worrying about something which is more hype than horror? Or is cyberwar really lurking out there and waiting to shut down our way of life?