H-Diplo Discussion Logs, October 2013
Edwin Moise writes:

>I was struck by something I did not see in Brandon Valeriano's review
>of Thomas Rid's book _Cyber War Will Not Take Place_. The center of
>Rid's argument, as Valeriano summarizes it, is that, "Since cyber war
>does not include violence or force in its conduct, it is tough to
>argue that cyber war will take place because the tactic rarely can
>breach the gap between violations of information and data, on one
>hand, and physical harm, on the other." But the review says very
>little about why it is that Rid believes there will not be, in the
>future, cyber attacks doing significant physical harm.
>The review is written as if both Rid and Valeriano regard actual
>physical damage from a cyber attack as a purely hypothetical
>possibility.

I will state as the writer of the review that I do believe that a serious cyber attack that commits large scale damage is purely a hypothetical. Worse than that, it is almost an implausible hypothetical and we should not build defense policy based on worst case scenarios that have little connection to the real world.

Rid's point is the term "violence" cannot be applied to Cyber War so far, therefore it is not Cyber War. Cyber War has not happened and it is unlikely to, because, for him, cyber sabotage is so difficult. He does not spend much time going over the mechanisms for this restriction on violence in his book, but I have in my own work, which is why I was so interested in his ideas.

I have a forthcoming article in the Journal of Peace Research (early version here: http://www.foreignaffairs.com/articles/138443/brandon-valeriano-and-ryan-maness/the-fog-of-cyberwar) that quantifies cyber attacks and evaluates their severity. Very few have had any sort of impact, with Stuxnet being the most severe so far, that we might term dangerous.
I maintain the policies of restraint in combat, fear of collateral damage, the uncontrollable nature of cyber weapons, and the fact that using a cyber weapon releases it into the wild, making deterrence and secrecy of capabilities both paradoxically impossible, will ensure a likely peaceful cyber future. In fact, fear of cyber attacks is distracting and makes for bad policy. Trumpeting cyber fears only ensures that we will continue to build offensive cyber weapons cutting off the natural connections inherent in the cyber world.

>Nowhere does Valeriano mention that there has actually
>been a cyber attack that inflicted significant physical harm: the
>Stuxnet worm, which damaged centrifuges in Iran's nuclear program.

Stuxnet is often branded about as the harbinger of the future. But it is not even a moment for the present. Most research now shows that even if there was physical damage, there was not enough damage to inhibit Iranian production of uranium, and they actually were able to enrich more uranium during the time there was an attack than before, suggesting Stuxnet was not very effective (this is an important new RUSI Journal. 158(2): 48-56). But it was effective in changing our perceptions of cyber attacks. This is a shame because we are using one example to colour the future of a technology based on pure and abject speculation. Stuxnet was a "success" because of a series of discrete events (years of development through two administrations, capture of Libya's centrifuges, having an asset to place the worm inside the plant, Iran not noticing Stuxnet 1.0, etc) that worked out for the attacker. It is unlikely to be repeated and it was not even very successful in hindsight.

>There are also two other ways a cyber attack could inflict physical
>harm, which need to be discussed, even though there are not yet
>examples of their successful execution.

Statements such as this only build cyber fear and cyber hype, both unproductive sentiments.
Fear of a weapon only activates the security dilemma. So far there has been very little evidence of cyber war and cyber conflict. If there are not yet examples of their successful execution then why is this such a pressing issue? Should we not focus on issues such as terrorism, state stability, force migration movements, and unsettled territorial disputes in Asia and Africa rather than the mythical cyber threat?

Turning to these comments

>Ed Moise writes:
>Why are we treating this as so interesting and different simply because
>a computer was used? Is it really *that* novel? Or novel enough that we
>need a whole new terminology and body of thought around it?

Very true, in fact it was impossible to commit Stuxnet without an asset inside the Iranian plant. It does seem that most of what we consider "Cyber War" is truly espionage. But terms are what they are, the military and others have decided that this is war in the fifth dimension (after land, air, sea, and space).

More importantly, the language of the past has little leverage on the language used in cyber tactics. Deterrence is inaccurate to describe the process of cyber operations (I spend pages on this issue in my forthcoming book). Resilience is a new term that typically has not been covered in military strategy. I don't think past theories have much to say about how the cyber international relations world works and thus we do need new theories, ideas, experiments, and data examinations of this process.

In any case, this is a developing field that deserves attention (I wrote this a few months ago: http://www.whiteoliphaunt.com/duckofminerva/2013/08/what-should-you-read-on-cyber-security.html). I approach it from the cynical point of view since I do not see much evidence of cyber tactics put into operation. Others will have different perspectives. The goal should be to return the debate to some form of intellectual engagement beyond fear, hype, and unproven assumptions.
______________________________________
Brandon Valeriano, Ph.D.
Senior Lecturer in Politics and Global Security
University of Glasgow
www.brandonvaleriano.com