The Current State of Cyber Warfare

The defence apparatus has an indispensable role in national cybersecurity but it should be under close democratic control.

By Lior Tabansky
 
Setting the Stage
Cyberspace, a domain created not by nature but by human beings, has emerged to provide tremendous benefits, but also to present new risks. Recently, cyber security has become a national policy issue. Driven predominantly by national security concerns, democracies have formulated national cyber strategies.
 
Consistent definitions are essential. Cyberspace refers to inter-connected information technology infrastructures comprising computers, computer-embedded systems, telecommunication networks, the world wide web and the Internet, including the information transmitted and processed within these systems. 
 
The public Internet is only one part of cyberspace. Other parts include mission-specific systems that vary widely in size and complexity and control the function of various obscure processes; these control functions gradually become computerised. The term “cyber,” derived from the Greek, refers to the control element.
 
For over two decades we have been hearing: “Cyberwar is coming!” To the surprise of scholars familiar with the Realist theory of International Relations, the idea of Cyber War emerged alongside cyberspace conceptualisation and then realisation. 
History and philosophy show that scientific developments do not alter human nature enough to eradicate violent conflict. While the potential for using cyberspace in a conflict is obvious, the currently prevailing properties of cyberspace make fundamental concepts of attack, defence, and ultimately war inadequate.
 
However, even experienced defence and IT professionals all too often confuse acts of cyber-crime and espionage with cyber-attacks. Failing to conceptualise what cyber warfare is and, more importantly, what it is not, skews perception and results in faulty policymaking. 
 
Let us now turn to a critical examination of the major issues in the cyber war debate. This article will discuss the significance of threats, the adequacy of the cyber war metaphor, the promise and problems of emergent responses and the securitisation critique. Finally, the article will outline a future approach. 
 
Risks and Materialisation
Technologically identical methods are used to gain unauthorised access to computer resources for most cyber operations, regardless of the intended purpose: crime, terrorism, industrial espionage, military espionage, or warfare. Indeed, novel cyber-attacks on critical national infrastructure are likely to severely disrupt social activities if successful. 
It has become theoretically possible to exploit the properties of today’s cyberspace to attack strategic targets remotely. Furthermore, the attacker risks significantly less in cyberspace due to the widespread use of vulnerable commercial off-the-shelf technologies, the difficulty of distinguishing a glitch from malicious action, and the challenges of identifying the attackers.
The discovery of “Stuxnet” was the major driver for national cyber security. The threshold leading from cyber exploitation (espionage and criminal data theft) to physically destructive, politically motivated cyber-attack was crossed in a spectacular manner. 
 
It remains the only known manifestation of a novel phenomenon: successful exploitation of cyberspace to target the control layer of a complex industrial process in order to achieve a destructive goal, all while avoiding military confrontation.
 
Cyberwar
The unique properties of information and cyberspace make some of the familiar concepts inadequate. This paradoxical state of affairs testifies to the fundamental novelty of cyberspace that renders even millennia-old concepts unsatisfactory. 
Stuxnet demonstrated just how sophisticated and precise cyber weapons could be, but to evaluate all cyber weapons’ strategic effectiveness according to this specific case assumes too narrow a perspective. Website defacement, distributed denial-of-service (DDoS), massive cyber espionage, all are labelled “attacks”; some espionage operations are often upgraded to the “advanced persistent threat” moniker, and the whole scene is called “cyberwar.” 
 
War is a central experience of mankind that always had gruesome properties. “War is an act of force to compel the enemy to do our will”; it consists of several universal elements, famously formulated by Clausewitz. Centrally, war is a violent act, where the threat of force and violence is instrumental to achieving a political goal. 
 
Neither denial-of-service, web hacking, nor espionage is even potentially violent. Even when Stuxnet is considered, no cyber incident has yet been violent or caused loss of human life.
 
Since none of the cyber events have yet met the requirements to constitute a war, the “cyberwar” metaphor could be relinquished, at least for the time being. 
 
National Intervention in Cyber-Space
The proponents of the Internet as a self-organising global commons met national security strategies, along with the accompanying regulations and surveillance, with disapproval. Perhaps unsurprisingly, reliable evidence shows that the global commons ideal shunning state-led interventions is very remote from reality. 
 
Even liberal democracies employ domestic measures, such as content filtering and persistent surveillance for national policy ends, while confronting some opposition on legal, civil liberty and privacy grounds. The recent official national cyber strategies in developed democracies demonstrate a retreat from the long-term libertarian ideology that originally had shaped internet policy. The idea of the Internet delimited into national sovereign networks was disdained in the West, with pundits labelling this scenario with the unambiguously negative term “balkanisation.” However, the trend of national intervention in cyber is inevitable: once the crucial importance of cyberspace is acknowledged, no State can stay away from trying to assert cyber power.
 
A constructive debate should focus on the decision-making process and the character of actions selected by national governments, instead of decrying the loss of an ideal. 
 
Militarisation of Cyber-Space
Developed States have recognised the inadequacy of a laissez-faire approach toward cyber, but only after repeated cyber breaches had increased perceived insecurity did national cyber security policies become politically feasible.
Analysing the national responses to cyber security challenges reveals a pronounced trend towards the concentration of capacity in defence and intelligence circles. The accompanying over-classification of the decision-making process regarding the means, goals, strategies and activities severely stifles the public voice, increasing the conflict with the citizens’ civil liberties.
 
The severe suppression of public participation in the unfolding policy debate is anti-democratic. In practice, over-classification will be counter-productive. Cyber security is one of the pronounced cases of multi-stakeholder governance where a subordination of all its facets to the national security establishment’s perspective cannot provide a net-benefit outcome.
Acknowledging this problem does not necessarily lead to the securitisation interpretation to which the critical security studies scholars adhere. For the “Copenhagen School,” securitisation is an extreme version of politicisation that enables the use of extraordinary means in the name of security.
 
But what if the strategic environment has undergone such a technology-driven change that methods previously considered extraordinary become vital? The vulnerabilities of cyberspace can be attributed to a protracted market failure of the IT industry. 
 
The business sector is justly recognised as essential for many facets of cyber security, but cannot go it alone. It also should not: just as we do not expect citizens or companies to defend themselves against air-to-surface missiles, we cannot reasonably expect cyber security without a national security effort.
 
The defence apparatus has an indispensable role to play in national cybersecurity and resilience, but it should be more closely controlled by democratic mechanisms. 
 
Cyber Security from a Technical Approach
We cannot afford blissful ignorance regarding our changing environment. This essay started with a brief conceptualisation of the central phenomena and then critically assessed three major issues in the cyber debate. The following points are stressed.
The new risks and threats are real, making cyber security necessary. We, as individuals as well as societies, cannot go on unprotected. “Cyberwar,” however, appears to be an inappropriate analogy. The idea of cyberspace as global commons has been mostly forsaken. A significant national intervention in cyberspace, including the Web, is inevitable. Yet this in itself is not a negative phenomenon.
 
The concentration of power in the defence establishment is detrimental to cyber power because of the accompanying damage to civil liberties, the democratic process and long-term effectiveness. The national cyber strategies, as well as the practice of liberal democracies, have indeed come into conflict with civil liberties. This does not necessarily have to be the case. However, adopting the securitisation perspective is not an appropriate way towards balancing the values for societal resilience.
 
Cybersecurity is not simply a clear-cut technical issue. It is a strategic, political, and social phenomenon with all the accompanying messy nuances. 
 
Cyber reality must be examined with scientific rigour by all disciplines, enabling an informed public debate. It is both morally essential and rationally effective for the responses to be formulated through a democratic process.
 
Cybersecurity Review
 
Lior Tabansky is a Cyber Security Policy Expert at Tel Aviv University 