Looking to History to Understand Cyber-Conflict

“Understanding Cyber Conflict: 14 Analogies”

A book edited by George Perkovich and Ariel Levite

Cyberwar is going nuclear. That’s according to the Pentagon’s 2018 Nuclear Posture Review, a document updating the U.S. military’s guidelines for launching nuclear weapons. The revised strategy calls for responding to non-nuclear attacks on critical infrastructure with nuclear weapons. The implications of the military’s thinking are clear enough: Nuclear weapons are a necessary deterrent to nation-states and terrorist groups that might consider using cyber-weapons to destroy critical infrastructure in America. If a cyberattack cripples anything from a small chemical facility to a wastewater treatment plant, it could spark a nuclear war.

The threat of nuclear retaliation is directed squarely at Russia. Whatever Vladimir Putin’s vision for Russia might be, he has learned to use cyberspace effectively to advance his goals by pairing cyber-strikes with disinformation campaigns. Over the last decade, Russia has mounted cyberattacks against critical infrastructure in Estonia, Georgia, and Ukraine. Discounting the smaller-scale, more targeted cyber-operations mounted by other countries, Putin has displayed a unique capacity and willingness to attack critical infrastructure in foreign nations. For now, when we talk about cyberwarfare, we’re talking largely about a Russian problem. And Putin’s tactics have, so far, confounded Western democracies.

Cyber-conflict is still a novel concept. Experts are grasping for the right language to discuss the digital front. A new book, “Understanding Cyber Conflict: 14 Analogies,” looks to history for analogies that can describe cyber-weapons and cyberwarfare. It brings together essays by journalists, academics and former government officials to answer three essential questions: “What are cyber weapons like?”; “What might cyberwars be like?”; and “What are preventing and managing cyber conflict like?” In spite of the clumsy headings, the sections structure the book effectively.

Click here to read long excerpts from “Understanding Cyber Conflict” at Google Books.

The editors, George Perkovich and Ariel Levite, respectively a vice president and a senior fellow at the Carnegie Endowment for International Peace, explain in their introduction how exploits—simple mistakes or deliberate plants hidden within software code—can give hackers a foothold to mount and execute cyberattacks, which destroy or corrupt devices. It’s to the book’s detriment that they mostly ignore the “larger-scale capabilities and scenarios” that might be imagined for cyberwars, in favor of analyzing how cyber-weapons are “germane to the operations in the gray zone between declared war and peace.”

Even so, the book offers a worthy, if uneven, primer on the concept of cyber-conflict. Some of the analogies are inventive and illuminating, such as ETH Zurich senior researcher Florian Egloff’s analysis of maritime law and the challenges of regulating cyberspace. Other analogies discussed here are tired and worn, such as the specter of a “cyber Pearl Harbor” that is covered at length in two separate chapters.

The book’s highlights include American Foreign Policy Council senior fellow Stephen Blank’s chapter on Russia’s use of offensive cyber-weapons to augment its longstanding practice of information and political warfare. His article is particularly arresting, given Russia’s uniquely aggressive stance in cyberspace. Blank’s chapter offers the most comprehensive look at societally disruptive forms of cyberwarfare.

Another chapter, by David Sanger, senior reporter at The New York Times, compares cyberattacks to drone strikes and concisely lays out the purely practical advantages and disadvantages of using cyber-weapons for a democratically elected government. His discussion of civilians killed in drone strikes is a painful reminder of the humanitarian costs of war, which can recede from view when weapons are operated remotely. His call for an open debate regarding cyber-weapons, however, rings hollow, both because of the secretive nature of the agencies that create and manage cyber-weapons for the U.S. and because the level of public discourse in the U.S. seems to sink to a new low every day. In an era of fake news, a referendum on cyber-weapons seems like a foolish exercise.

Sanger’s optimism is countered by Francis J. Gavin, professor of global affairs at Johns Hopkins University, who makes an important if seemingly obvious contribution to the book. Analyzing the 1914 network of European railroads and the factors that led to World War I, he argues that cyberspace has the capacity to “be especially destabilizing during a political crisis.” He suggests that digital technology “compresses the time available during a crisis to make decisions.” Cyberwarfare, in his view, has the power to move and escalate even faster than the wars of the past, in part because cyber-weapons can be deployed so much faster than traditional weapons.

Nicholas Lambert, a military historian and fellow at the Royal United Services Institute in London, provides the book’s most fruitful analogy in looking at the kind of pressure that might prevent international cyber conflicts from escalating. He compares cyberwarfare to economic warfare, examining Britain’s attempt to wage economic warfare against Germany at the opening of World War I. The strategy, in development for years, was abandoned after just two months because of, in Lambert’s view, resistance and noncompliance from British businesses. Globalization made it too painful for these companies to cooperate with the strategy imposed upon them by their own governments.

Like the economy, cyberspace is composed of stakeholders around the globe. For Lambert, an all-out cyberwar is almost unthinkable in part because the governments involved would face strong pressure from within to maintain some semblance of peace so that businesses could continue to function unimpeded. Capitalism is so tied up in cyberspace and vice versa that it’s hard to imagine governments letting a true cyberwar occur if it meant doing serious damage to their national economies.

Referencing maritime law and international waters, Lambert asks, “Does the United States or any other government have an international legal or moral right to defend, regulate, or control access to cyberspace in ways that will very likely impinge on others’ interests?” Lambert doesn’t say it, but given how contested cyberspace has already become, it seems possible that the U.S. or another nation will ultimately attempt to unilaterally gain control over some portion of cyberspace, beyond limiting access or creating local firewalls, the way states now assert competing claims of sovereignty over certain parts of the ocean. The most interesting part of that scenario is, what happens next?

The editors’ conclusion falls short in that it includes a lackluster set of technical and political policy prescriptions, such as penalizing nation-states that sponsor cyberattacks and gradually developing “norms to restrain the most potentially destabilizing sorts of cyber activities.” While that certainly sounds good, international norms of conduct take time to develop. In the short term, their most useful suggestion is for governments to increase defensive measures for critical infrastructure and to “enhance the capacity to detect and attribute cyber exploitations and attacks and to distinguish their purpose.”

“Understanding Cyber Conflict: 14 Analogies” provides excellent fuel for future conversations. There is real value in seeing how each metaphor sheds light on what makes cyber-conflict different from older forms of conflict. In focusing on the low-intensity conflicts that are currently prevalent in cyberspace, the book avoids sensationalism but loses a sense of urgency. Still, it’s worthwhile to learn how nation-states are using cyberspace to surreptitiously advance their interests, while stopping short of the attacks Russia has executed.

Winston Churchill famously said, “Russia is a riddle, wrapped in a mystery, inside of an enigma.” To that piercing analysis, he added that the “key” to solving the riddle lay in discerning Russia’s national interest. Based on the essays in “Understanding Cyber Conflict,” it appears that the key to solving cyber-conflict lies first in thinking more critically about the interests of Russia and other nations that might wage cyberwarfare against critical infrastructure and civilian populations.

Finding ways to prevent cyberwars on a technical level is vital, but so too is analyzing ongoing cyber-conflicts from a political viewpoint. By focusing on the “gray zone” between war and peace, where international conflict is already rife, this book does some of that analytical work and invites further discussion. In that sense, it succeeds brilliantly. Cyberspace provides new ways for old geopolitical tensions to flare up and find outlets. Considering cyber-conflicts in that context is the first step toward understanding and managing them. It’s an urgent problem, given the nuclear brinksmanship now in play.