Has the Cyber-War Begun?

A battle rages over the definition of war -- war in cyberspace, that is.

A definition matters because the stakes are already enormous in this "new geography of warfare."

Everyone agrees The First Great Cyber-War (a decisive struggle over the Internet and within the Internet) has not been fought -- yet. Cyber-skirmishing, however, is frequent and fierce, a second-by-second form of digital probing and parrying that is cyberspace's combat equivalent.

Computers store and share vast quantities of data -- economic, military, intelligence, communications and politically sensitive information are obvious targets for spies, thieves, vandals, competitors and enemies. Digital systems control key infrastructure, like electrical grids. Zap a central computer with digital viruses, and the grid is damaged until the viruses are identified and removed. Repairing generators and power lines after an aerial bomb attack is an analog. The viruses, however, don't leave high-explosive craters.

And there's the rub. Is a cyber-intrusion that disrupts and destroys an "armed attack," which under international law would permit armed retaliation? Technology and techniques have once again outpaced political adaptation, rendered military doctrine obsolete, and are decades ahead of formal law.

Strategists, lawyers and warriors are struggling with these complex, multidimensional issues. James Andrew Lewis, in an essay titled "The Cyber War Has Not Begun" (published in March by the Center for Strategic and International Studies), believes focusing on cyber-security (protecting digital systems) "is a good thing." However, Lewis argues, "We are not in a 'cyber war.' War is the use of military force to attack another nation and damage or destroy its capability and will to resist. Cyber war would involve an effort by another nation or a politically motivated group to use cyber attacks to attain political ends. No nation has launched a cyber attack or cyber war against the United States."

Lewis provides a reasonable definition of an act of war and its goals. Cyber-like attacks have been used in warfare. Militaries are familiar with "cyber war in support of a conventional war" (acronym CWSC). In the guise of "electronic warfare," this type of "cyber support operation" has been going on since World War II. However, with the Internet now a major part of the planet's commercial infrastructure, "electronic warfare" has moved to another level. CWSC can now attack strategic targets (e.g., international lending and trading systems), not just the electronic weapons and communications of the combat forces.

Lewis recognizes a non-state actor ("politically motivated group") can wage cyber-war. He also asserts no nation (i.e., a nation-state) has launched a cyber-attack on the U.S., allowing the possibility of attempts to wage cyber-war by terrorists. Lewis argues that no nation-state has waged cyber-war or even launched a cyber-attack "to attain political ends" because the U.S. can trace these attacks to their source.

Guaranteed exposure is a deterrent because the attacker would risk retaliation of some sort -- political, economic, military or, presumably, cyber. I hope he is right, though even the most informed speculations in this field are haunted by the "unknown unknowns" that time and actual warfare inevitably reveal at high cost.

Lewis discusses four types of cyber-threats and warns against conflating them: 1) economic espionage (theft of proprietary business and economic data, and intellectual property); 2) political and military espionage (traditional spying carried into cyberspace); 3) cyber crime (e.g., theft of money from bank accounts); and 4) cyber war. In Lewis' view, cyber-attacks in cyber-war are "just another weapons system" for hitting targets.

The categories suggest structural responses. Police, trade and legal institutions, linked to international agreements, become the mechanisms for addressing economic espionage and cyber-crime. Defense and diplomatic organizations address cyber-espionage and cyber-warfare. Lewis advocates creating international "norms" and understandings for what constitutes an attack, and "an international framework" to establish "potential consequences for differing levels of hostile action."

However, determining levels of hostility as a crisis emerges and escalates is a very stiff requirement. History is riddled with surprise attacks whose devastating effects took time to assess. The categories are really not so discrete.

In "real space" crime and terror, and crime and rebellion all too easily mesh. Separating criminal from rebel is often a tough judgment call. In my own view, skirmishing is warfare. In cyber-space we are witnessing the potshots by light cavalry prior to a larger clash, where opponents, at a calculated pace, probe for vulnerabilities and seek decisive advantage.