A Reality-Based Model for Cyber Conflict

Commentary | June 08, 2012

Cybersecurity incidents don't add up to war, argues EWI's Franz-Stefan Gady in New Europe. Rather, they are creating something new entirely.

"Cyberwar is coming!" announced two RAND Corporations analysts in 1993, yet to date, there is a wide controversy surrounding the existence of cyberwar. Opinions among policy makers, IT experts and the military differ widely with some referring to the threat as a looming "Cyber Pearl Harbor," while others simplystate that "cyberwar will not take place." The United States military views cyberspace as crucial to military operations as air, land, sea, and space.

This current ambiguity is impending policy development and leads to confusion among governments about the true cyber threat. As a report by the EastWest Institute on "Rendering the Geneva and Hague Conventions for Cyberspace" states, "It is possible that the binary peace versus war paradigm is too simple for the complexities of the Internet Age." The report recommends the development of "a third, 'other than-war' mode" to clarify how to use existing policy instruments and more importantly, the applicability of international law.

Scattering the metaphor of war regarding cyberspace dilutes and extenuates the true nature of warfare. As an inscription in the Swedish Army Museum in Stockholm reads, "This is -- after all -- what this museum is about: killing and maiming, or at least threatening to do so." Among the many definitions of war, cyberwar often (not always) fails to meet two of the most basic aspects of how we understand war; war must be lethal and political.

To gain clarity in this discussion, I propose a system of categorizing cyber attacks based on two simple criteria: impact and intent. Any act in cyberspace can be assessed through the prisms of this II Model. Assessing various high profile actions in cyberspace such as the infamous Stuxnet attacks, it becomes fairly clear that the war metaphor fails to apply to these occurrences. While the intent of Stuxnet may have had a political component (e.g., forcing the Iranian regime to return to the negotiation table), the lethal component was missing. Even if lives were lost in these attacks, the principle aim was sabotage, an "accepted" act in the international arena and a form of political warfare, not war and death in itself.

If the II Model is applied rigorously, it becomes clear that most cyber attacks in the political sphere (the core criteria for any discussion of organized violence towards a clear political objective) should be categorized as sabotage, espionage, and subversion -- all actions short of war and generally not constituting a "casus belli" in international law.

As such, cyberwar, is merely an extension of already existing forms of political warfare -- a metaphor that may have led to the nascent "cyberwar" metaphor. Political warfare's ultimate goal, however, is to alter an opponent's actions without using military power.

Many pundits argue that cyberwar is different because of the strategic impact and the immense power an individual can yield with just a few keystrokes. Above all, they lament the omnipresent power of cyber weaponry to strike anywhere and at any time; however, this is historically nothing new.

During the Seven Years War, the Austrian Army introduced irregular forces, the famous "Grenzer"(borderers), recruited from the Austrian provinces adjacent to the Ottoman Empire, where for centuries the Ottomans and Croatians fought small skirmishes, raided each other's lands and destroyed crops while the Austrian Empire was officially at peace with the Ottomans. When Austria introduced this concept into the rigid understanding of Western European Warfare, the outcry by orthodox commanders, such as Frederick II, was immense and led to confusion: Was this warfare or was it not?

The Grenzers unintentionally had a strategic impact on the war since the Prussians simply lacked a military doctrine on how to deal with these acts of sabotage and plundering. The Grenzers principle aim was not lethal but like some cyber attacks today, could have indirect lethal consequences (e.g., a starving population). Also, like today's cyber attacks, once unleashed, the Grenzers were hard to contain. Last, the aims of the Grenzers were not political but only to plunder. Again we are confronted with the dilemma of failing to properly categorize actions in cyberspace because of our own rigid understanding of war.

It is finally time to jettison the concept of war in the context of cyberspace, and the II Model may be a good starting point. When the model is applied, cyberwar fails to meet the most basic criteria of war, but then again, metaphors have their own life. Lest we end up with Bertold Brecht's old, mocking phrase, "imagine there is a (cyber)war, but nobody shows up for it!" we must establish new criteria now.