By Thomas Rid
Hurst & Co | $29.95
THE explosion was catastrophic. When the gas pipeline ruptured that day in Siberia in 1982, the detonation was so large that the North American Aerospace Defense Command headquarters, NORAD, initially thought it might have been a missile launch. Equivalent to three kilotonnes of TNT (or a small nuclear device), it was the largest non-nuclear explosion so far seen from space. Over twenty years later, a US National Security Council staffer reported in his memoirs that the explosion was the result of a US sabotage operation. A Trojan Horse computer virus had been embedded in the software that controlled the pressure and flow in the Siberian pipeline; in disrupting and manipulating the pressure, the virus placed stress on the pipes, ultimately leading to the massive explosion. It was, the staffer declared, the first-ever act of cyber warfare.
Except that it wasn’t.
When that NSC staffer – Thomas Reed – published his memoirs, journalists and experts set about testing his claims; what they found was that Reed’s allegations were unverifiable. There were no media accounts that could confirm the explosion – even though accidents and explosions in the former Soviet Union were frequently reported in Western media at the time. Declassified internal Soviet accounts of computer sabotage during the height of the cold war also failed to report any such activities. Even the former head of the KGB refuted Reed’s report, suggesting that he might have mistaken an explosion that had happened earlier that year in the same region of Siberia. (In that incident, the thawing tundra had caused pipes to shift and fracture in the ground.) Even if such a lack of coverage could be chalked up to Soviet-era subterfuge and dissembling, technology experts claimed that such a “logic bomb” would have been almost impossible to hide in the basic software of 1982. All told, the preponderance of evidence combines to suggest that the so-called “first cyber-war attack” was a non-event.
This story of the Siberian pipeline “attack that wasn’t” is among the examples Thomas Rid uses in Cyber War Will Not Take Place to demonstrate that cyber war, at least as it has come to be publicly discussed, has not, and will not, happen. Rid, a reader in war studies at King’s College London, has emerged in the last few years as a sceptic in the increasingly hyperbolic public debate about cyber warfare and cyber security. And there has been plenty of hyperbole: a number of top US officials, including Richard Clarke, the former “cyber czar” of the White House, Leon Panetta, former CIA director, and Mike McConnell, director of national intelligence for the Bush administration, have spoken of impending cyber-war disasters, with Panetta warning of a “cyber Pearl Harbour” and McConnell prophesying a “cyber equivalent of the World Trade Center attack.” Calls for a “cyber Geneva Convention” have abounded, and mass media outlets have labelled computer viruses like Stuxnet the “Hiroshima of cyber war.”
In the midst of this commentary, Rid seeks to question the prevailing doomsday analogies and comes to the firm conclusion that “cyber war has never happened in the past, it does not occur in the present, and it is highly unlikely that it will disturb our future.” He locates his assessment of the threat within an analysis of the nature of violence and warfare. Conflict, according to Rid, must fulfil certain criteria in order to be classified as war. Drawing on Carl von Clausewitz’s oft-quoted characterisation of war as “an act of force to compel the enemy to do your will,” he argues that any war must involve violence of a political nature in order to compel another party to comply with a set of demands. Hostile acts in cyberspace, he argues, frequently fall short of von Clausewitz’s three-part test – there is no violence, no political nexus, or no clear ends being sought. And so, he writes, “the ‘war’ in ‘cyber war’ ultimately has more in common with the ‘war’ on obesity than the second world war – it has more metaphorical than descriptive value.”
Labelling cyber attacks as cyber warfare is appealing – it’s politically galvanising and emotive, and gives rhetorical force to what otherwise might be dismissed as troublemaking, a nuisance or “mere” criminality. Cyber warfare is a growth industry – most major military powers have dedicated cyber-security agencies reportedly developing offensive and defensive cyber-capabilities, preparing to fight in what’s been termed the “fifth domain of warfare,” alongside land, sea, air and space. NATO has its own Cooperative Cyber Defence Centre of Excellence in Estonia, which is tasked with developing cyber-defence capabilities for NATO governments and was integral to the creation of the recently released Tallinn Manual on the International Law Applicable to Cyber Warfare. The United States has CYBERCOM – the United States Cyber Command – covering cyber operations in the army, navy, air force and marines; the creation of CYBERCOM is reported to have spurred the creation of similar military agencies in Britain, China and South Korea. Indeed, even Australia has its own inter-agency Cyber Security Operations Centre, which includes personnel from the armed forces, ASIO and the Federal Police, and has recently announced the creation of a new Cyber Security Centre.
As Rid argues throughout Cyber War Will Not Take Place, the rhetoric of warfare potentially distracts policy-makers from the real and genuine threats in cyberspace – subversion, espionage and sabotage – which are closer to criminality than to warfare on the “warfare spectrum.” Why this “marriage” of cyberspace and warfare is problematic is that the law of armed conflict does not, for the most part, concern itself with acts of espionage and sabotage. Provided such acts are carried out in compliance with the existing laws of armed conflict, espionage and sabotage are not considered violations of the laws of war. This is made explicit in the Tallinn Manual’s Rule 66, which states that “cyber espionage and other forms of information gathering directed at an adversary during an armed conflict do not violate the law of armed conflict.” In other words, continuing to view hostile acts in cyberspace through the prism of warfare opens up the potential for either ignoring the vast swaths of cyber hostilities that don’t reach the requisite threshold for warfare or classifying all acts of cyber hostilities as warfare – neither of which is an ideal solution.
Cyber War Will Not Take Place was published before the Tallinn Manual; as such, some of Rid’s comments are already out of date. In discussing the policy debate surrounding cyber warfare, for instance, Rid comments that “the debate and those trying to turn it into policy are getting ahead of themselves. Some fundamental questions on the use of force in cyberspace are still unanswered; worse, they are still unexplored.” As of July 2013, this is no longer true; the Tallinn Manual provides a detailed analysis of the law on the use of force and the law of armed conflict, and examines whether hostile cyber activities are regulated by that law and whether it needs to adapt to better regulate this kind of hostility. Oddly, the Tallinn Manual – the result of three years of research and consultations with twenty experts drawn from government, the armed forces, academia and industry, already in train when Rid was writing his own work – is not mentioned in Cyber War.
This is not to say that Cyber War has limited value. Rid provides a measured and well-researched analysis of cyber hostilities to date, and identifies where the real threat comes from – espionage, sabotage and subterfuge. Indeed, recent experience tends to support his contentions. The victims of the massive data theft from the Australian government, linked to Chinese hackers in May this year, were not only, or even primarily, military; rather, they were agencies such as ASIO, the Department of Foreign Affairs and Trade, the Department of the Prime Minister and Cabinet, the Reserve Bank and the Bureau of Statistics.
Rid stands as a useful voice among the Cassandras and Chicken Littles who warn of the impending cyber apocalypse. He bridges the divide between law and technology, and serves as the standard bearer for those hoping to lead the cyber-war debate out of what he calls the “realm of myth and fairytale” into rational, empirical discussion. •