Pages

31 August 2021

Defining cyberwar: towards a definitional framework

Cameran Ashraf

Introduction
Despite emerging into public consciousness in the 1980s,1 no generally accepted definition of cyberwar exists.2 There are many different and often contradictory definitions, ranging from cyberwar’s non-existence to cyberwar as an existential threat. A clear definition for cyberwar is vital for academic scholarship, security planning, and public policy. Definitional ambiguity makes coherent discussions of cyberwar challenging, limiting theoretical insights, and frustrating efforts at policy development.3 Indeed, Hughes and Colarik discovered that out of 159 cyberwar articles, 103 (65%) failed to offer an explicit definition of cyberwar.4

Awareness of this definitional ambiguity is vital for non-experts in the field for reaching definitional consensus and clarity in research and policy work. To that end, the purpose of this paper is to offer officials, analysts, scholars, and others without expertise in the field an overview of cyberwar’s definitional ambiguity, identify themes in the literature, offer a framework for defining cyberwar, and demonstrate how that framework can be used. While the field is evolving and growing, it is hoped that this paper can provide a conceptual grounding in the ongoing definitional debate over cyberwar.

In examining this interdisciplinary body of literature, three themes were identified: alarmist, skeptic, and realist. Broadly speaking, alarmists see cyberwar as an imminent threat, skeptics believe cyberwar is a contested idea and is not “war”, and realists believe that cyberwar should be understood through existing law and norms. These three themes are not mutually exclusive and weave their way through cyberwar scholarship. A single project may contain all three themes in equal measure, be more alarmist than skeptical, or any other configuration. For example, Sanger is alarmist in framing cyberwar as an imminent threat and realist in recognising the role of the state in working with international norms.5

Much of the debate on defining cyberwar focuses on the applicability of existing international law and state practice to cyberspace.6 This perspective believes that attacks in cyberspace can constitute a use of force, allowing a state to act in self-defense.7 These attacks fall under the legal concept of jus ad bellum, how a state justifies self-defence. In following this logic, once cyberwar has begun, then cyberattacks fall under jus in bello, or the rules governing the process of warfare. How jus ad bellum and jus in bello apply to cyberwar is constrained within the existing United Nations charter (Articles 2(4), 39, 41, 51), relevant international legal regimes, and norms of state behaviour.8

However, existing legal frameworks are only partially relevant to actions which do not fall under jus ad bellum and jus in bello. These actions can be governed by different sets of laws, such as: a) international agreements on cyberspace; b) location-based agreements through which the means of cyberwar are governed, such as the law of the sea, and those governing outer space, transnational communications, and aviation; and, c) international law of counter-measures, which regulate how states respond to violations which do not justify the use of force.

Applying legal regimes, territorial law, and jurisdiction to cyberwar situates it within the legal-territorial framework of the international system of states.9 However, a significant number of territorially ambiguous actions occur outside this framework. These attacks occur in a legal frontier and from a “liberal-utopian” position where cyberwar operates openly across international boundaries.10 The paradox of realist structure and liberal-utopian action is central to the efforts of states to apply a legal-territorial framework to cyberwar. These actions operate across a “spatiality of power” not confined to the limitations of geographical territory.11

Attempts to define cyberwar

The definitional ambiguity of cyberwar has not deterred academia, military, or governments in attempting a definition. Early definitions and popular media, such as the influential 1983 movie WarGames, and the seminal and provocatively titled 1993 paper Cyberwar is Coming! by Arquilla and Ronfeldt,12 established a class of “alarmist” definitions which argued that cyberwar was an imminent threat. The United States and its allies were framed as under threat, necessitating a strong defence and view of cyberspace as a domain where the United States could achieve dominance.13

Alarmist definitions are a recurrent theme in cyberwar thought and policy.14 One of the most influential recent thinkers, former White House counter-terrorism advisor Richard Clarke, argued in his 2010 bestselling book Cyber War: The Next Threat to National Security and What to Do About It that cyberwar was “actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption”.15 Clarke's definition proved to be highly influential in cyberwar research, and is the most highly cited (in Google Scholar) work on cyberwar, followed by 1990s alarmist work by Arquilla and Ronfeldt.16

Mehan17 extends the alarmist model into different classes of cyberwar. Class I cyberwar deals with personal informational security; Class II emphasises espionage; Class III includes (distributed denial of service) DDoS and other disruptive actions; and Class IV incorporates classes I-III in addition to cyber operations in support of military offensive actions. Mehan18 does not specify the nature of the actions or the actors involved, leaving cyberwar open to individual hackers, collectives, social movements, terrorists, corporations, and states.

Strategic doctrines have shifted from skepticism about cyberwar to including cyber as a key component of national defense. Alarmist thinking has also shifted from the perspectives offered by Arquilla and Ronfeldt19 and Clarke20 to more nuanced positions which perceive vulnerabilities not just in the United States, but for global leadership on setting cyberwar norms. This has manifested in nuanced alarmist perspectives from Sanger, Healey, Nye, and others.21 These scholars balance emphasis on imminent threats and the need for urgent cybersecurity reforms with an embrace of multipolarity.22

These definitions assert that cyberwar is an urgent threat while maintaining broad definitions of what constitutes cyberwar. For instance, Healey argues that states should focus less on determining attribution for attacks and instead on who should bear responsibility for attacks, stating that “‘Who is to blame?’ can be more important than ‘who did it?’”23 Alarmists are supported by military and defence policies which warn against an imminent “digital Pearl Harbor”24 with statements like “A cyber attack could stop our society in its tracks”25 by General Martin E. Dempsey, former-Chairman of the Joint Chiefs of Staff. Alarmism is used in popular rhetoric to support aggressive budgeting in the United States of over $17.4 billion in pursuit of strategic advantage and “defending forward” in cyberspace.26 These definitions see cyberwar as everything to anybody at any time and a world in which the West is under imminent threat.27

Another theme used by scholars argues that cyberwar is blown out of proportion and resembles Cold War fearmongering.28 In this skeptical theme, “cyberwar” is actually espionage or sabotage with few events, if any, able to be classified as “war” – in fact, cyberwar itself may not even exist.29 More theoretical approaches argue that cyberwar is a concept rather than a fact, with Joque stating “it will be fruitful to understand cyberwar as a war against systems: computer systems, state systems, systems of organization, and even systems of meaning”.30 Lindsay likewise emphasises that “cyberattack is a form of cheating”31 in a cyberspace which is an “assemblage of overlapping regulatory mechanisms and negotiated contracts implemented by both people and machines”.32

To some skeptical scholars, cyberwar has been glorified to benefit defence budgets and a cyber-industrial complex.33 Some skeptics, like Rid and others34 prefer definitions of cyberwar grounded in state-centric understandings of war. Valeriano and Maness35 argue that the actual threat of cyberwar fails to live up to the myth of existential threat, and that “Cyberwarfare poses a threat only if it is grossly overused or mismanaged, or if it diverts resources toward a mythical fear and away from real threats”. For Liff36 the realities of cyberwar limit its effectiveness at change into something which emphasises pre-existing political power.

Many of these approaches emphasise nineteenth century theorists, such as Clausewitz. Rid sees Clausewitz as a foundation for defining what cyberwar must be: violent by using force; instrumental in seeking to force an enemy to change; and with political aims.37 For many cyberwar skeptics, there has yet to be any action in cyberspace which could satisfy Clausewitz’s definition of war. The actions which have occurred and will likely occur are espionage, sabotage, or subterfuge but nothing resembling “war”.38

Rid’s approach is ends-based and focuses on war when it emerges rather than what contributes to causing war.39 From this perspective, the StuxNet attacks against Iran’s nuclear programme would not be cyberwar because they lacked the critical element of lethal force. Further, the plausible deniability associated with cyberattcks makes determining the political, or instrumental, reasoning behind these acts difficult, reinforcing the Clausewitzian position.

The realist theme grounds cyberwar within existing legal regimes and structures. Rather than arguing cyberwar is imminent or does not exist, these scholars believe it can be understood using existing international law and norms of state behaviour. This perspective includes publications from NATO which determine how international law applies to cyberwarfare.40 Manjikian41 argues that this theme is a realist interpretation of cyberspace within existing power structures and geographies which can be adapted to law with minor modifications. Whetham addresses skeptics directly by demonstrating that “war” as an easily definable event is a modern invention. He shows that medieval warfare was practiced on a scale ranging from conventional large-scale pitched battles to ongoing small-scale raids, and that the entirety of this spectrum was considered war:

Real war takes place on a spectrum, framed by the unattainable concept of absolute war at one end and the absence of war at the other. That spectrum should, rightly, include cyberattacks that do no obvious physical harm.42

Beyond this, Hathaway,43 Clarke,44 and the Tallinn Manual45 situate cyberwar as occurring between states grounded within the United Nations charter and international legal agreements and practice. Non-state actors are treated as aberrations, regardless of whether these actors are assisting states in upholding or violating international law. Crowdsourced attacks, such as those which occurred against Iran in 2009,46 against various Arab states in 2011,47 or against financial firms which declined to process payments for WikiLeaks,48 are examples of when this approach encounters problems. Nonetheless, Eun and Aßmann believe that it is not cyberwar that must conform to our definitions of war, but rather that war must conform to new realities of conflict.49

From a norms perspective, Clarke50 argues that states which sanction cyberattacks would be disconnected from the Internet until the attacks stop, an idea with precedence in international finance.51 Conceptually this is echoed in Healey, whose work is both alarmist and realist, and argues that technical focus on attribution detracts from the ability to address cyberattacks required by the policy world.52 He states:

To rein in attacks raging across the Internet, the international security community must focus on the needs of policy makers, which is best served by looking to the responsibility of nations. Too much time has been wasted obsessing over which particular villain pressed the ENTER key.53

According to some of these definitions, the state is the only geographical unit of analysis because of its unmatched financial and technical resources. Indeed, Lindsay54 and Betz55 argue that only states have the resources to conduct cyberwar or develop complex cyberweapons such as StuxNet. They are skeptical of the resources of non-state actors to engage in complex attacks and scale to rise to the level of “war”. However, these definitions ignore that states outsource cyberwar to hackers, quasi-government organisations, private citizens, terrorist organisations, and criminal groups.56 To that end, the realist theme does not confine the actors to states, but also includes non-state actors.57 Here Lucas states that “international law is inherently state-centric, while the cyberdomain is without discernible or meaningful state boundaries or jurisdictions.58

Three themes: a framework for defining cyberwar

Each theme in the literature emphasises certain actions, actors, effects, geography, and targets of cyberwar. A framework for defining cyberwar must include these variables while incorporating the broad historical themes in the literature. First, however, the following historical themes have been identified:

Alarmist: Cyberwar is an immediate present danger to the United States and its allies.

Skeptic: Cyberwar as both concept and reality is contested and ambiguous, and its existence depends on how we define cyberwar.

Realist: Some form of conflict in cyberspace exists, and it can be understood through existing international legal structures and state behavior norms.

Key variables

The key variables of each theme are actions, actors, effects, geography, and targets and are explained below:

Actions: Defining cyberwar requires defining which actions are part of cyberwar. There has been much debate on defining cyberattacks and their relationship to violence.59 For example, during the 1990s, DDoS attacks and defacement were considered hostile acts which could cripple vital communications. During Russia's 2008 invasion of Georgia and 2007 cyberwar with Estonia, these tactics were used to great success in order to create “information dominance”.60 However, recent research argues that these acts have diminished in importance as robust defences are common. Instead, these are now acts of disobedience or mild disruption.61 The changing nature of defining actions is a function of cost and complication of attacks. Stuxnet, for example, was exceptionally complex and could only have been developed with the resources of a nation-state.62 In this variable, actions are either cheap and widespread, as with DDoS, or expensive and complicated, as with Stuxnet, reflecting the split between alarmist and skeptic.

Actors: Actors are the legitimate entities that can both engage in and be responsible for cyberwar.63 Defining actors represents a way in which legitimacy is conferred, allowing certain responses in line with how the actors are classified. For example, the 1999 attacks against NATO computers had their origin in Chinese-sponsored groups portrayed as “patriotic citizens”. Rather than attempting to engage with the individual citizens or their actions, NATO chose to recognise China as the entity which had ultimate control over the attacks – legitimising the state as the actor in cyberwar. Generally, cyberwar literature focuses states, non-state actors, or everyone as legitimate actors in cyberwar.

Effects: Actions and actors seek outcomes and effects, and each of the themes defines cyberwar by the effects of cyberattacks. Clarke argues that the effects of cyberwar are large-scale destruction with societal collapse or severe disruption.64 On the other hand, Rid65 argues that the effects are small-scale: localised intelligence-gathering, or mild disruption in information flows within closed organisational structures. Sanger takes a broader view, eschewing scalar limitations and emphasising that future cyberwars will be long-term and low-intensity with a mix of both large and small-scale actions.66

Geography: How actors relate to cyberspace conditions how cyberwar is perceived. The skeptical theme generally sees cyberspace as a separate and proxy-domain which is self-contained with little spillover into the “offline” world.67 For these scholars it follows that cyberwar’s effects would be small-scale. Conversely, the alarmist theme sees cyberspace as a warfighting domain68 conceived of in terms of national territory, making incursion an act of cyberwar. Each theme constructs a different vision of cyberspace which reflects the actions, actors, and effects of cyberwar.

Targets: Ultimately, actions, actors, effects, and geography are also structured around the types of targets for cyberattacks. For example, alarmist definitions view critical infrastructure, such as electrical power plants, as prime targets for cyberwar.69 On the other hand, skeptics argue that these targets are already well-protected, meaning that smaller and less consequential or purely conceptual targets remain.70 Targets serve to reinforce and ground the geographical visions of each theme.

Each of these five core variables of cyberwar will be examined through the lenses of the three themes (alarmist, skeptic, and realist) below:

Alarmist

The alarmist theme argues that cyberwar is an imminent threat. Within the literature these scholars advocate for immediate action, leveraging Cold War or “clash of civilizations”71 geopolitical frameworks alongside focus on opponents such as China and Russia. These scholars share a Hobbesian worldview of cyberspace as a digital “all against all”, in contrast with others who see collaborative potential in cyberspace.72

Actions: Alarmism believes that the technical knowledge and cyberattacks are cheap, easy to duplicate, and widespread.73 This framing situates the United States and its allies under immediate threat of cyberwar from hackers who could easily challenge the state. Defences, however, are costly and require concerted national effort to secure critical infrastructure.74 The United States and its allies are believed to be highly vulnerable to attacks of varying destructive capability, with an emphasis on destructive rather than disruptive actions.

Actors: The belief that actions in cyberspace are cheap and widespread lends itself to the belief that actors are also widespread. These include individual hackers, terrorists, states, social movements, and corporations. Compromised computers or Internet of Things devices can also be actors, programmed to automate attacks or discover exploits.75 The multiplicity of actors does not imply that all actors are equal, or legitimate. The emphasis is on states as hostile actors who employ non-state actors for plausible deniability. For alarmists, ultimate responsibility resides with the state for financing attacks, allowing use of their national cyberspace, or refusing to cooperate with investigations into attack responsibility.76

Effects: Alarmist scholars emphasise the destructive aspects of cyberwar.77 Technical and infrastructural destruction will have unforeseen consequences for society, necessitating an emphasis on defending forward or responding to cyberwar with physical force.78 Alarmists believe that vulnerability of technical systems could cause power outages, water-processing malfunctions, air-traffic control shutdowns, and railroad collisions, among other disasters.79 In addition, alarmist scholars believe that cyberwar can be used to decapitate military command and control, resulting in battlefield chaos.80

Geography: For alarmists, the geography of cyberwar is bifurcated between cyberspace and physical space, both existing within national territory. While cyberwar can spillover into physical space, it remains a separate domain in terms of defensive and offensive actions, articulated here by the United States Department of Defense:

A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.81

This domain requires human-made technologies to enter and exists apart from other domains.82 However, it has consequences for other domains (land, air, sea, space) and requires unique rules of engagement, codified in the world's militaries since the 1980s.83

Targets: The targets of cyberwar are critical national infrastructure. This includes physical infrastructure, such as electricity and transportation, financial systems, information and media, intellectual property, consumer data, and communications.84 Because infrastructure is diverse and varies in cybersecurity preparedness, it is both vulnerable and vital - an attractive target during cyberwar. There is a firm sense of the state as spatial container of cybersecurity and any violation of that space represents a physical threat to the state itself.85

Summary: The alarmist theme articulates defined national boundaries which are a container for vulnerability and cybersecurity. The domain of cyberspace is separate from physical and political geography, but conflict in this domain has serious effects offline. National territory exists online and offline and is under threat from external attackers armed with cheap and widely-available cyberattacks. At stake is critical infrastructure with the potential for destruction, resulting in serious disruption in the functioning of society.

Alarmists use a range of historical vulnerabilities in cybersecurity to support their perspective. One of the prominent examples is operation Moonlight Maze.86 This operation targeted the U.S. Air Force, NASA, the Departments of Energy and Defense, and major universities and research laboratories across the country.87 Highly sensitive data was exfiltrated, including maps of military installations, and military hardware schematics.88 Other similar attacks used by alarmists to demonstrate vulnerability of the state and the widespread nature of cyberwar include the Gh0stNet cyberespionage ring89 and Titan Rain.90

Skeptic

The alarmist position has been influential since cyberspace was recognised as a threat domain after the Morris Worm attack in 1988.91 These entrenched attitudes have been challenged by skeptics who contest the existence, scope, and severity of alarmist definitions. Skeptics argue for critical engagement with the idea of cyberwar, deconstructing the word and its actions to understand the concept.92 This engagement ranges from denial that cyberwar exists to reconceptualising digital violence.93 These scholars share skepticism towards the alarmist claims and a desire to shift the debate from “cyberwar is inevitable” towards critically interrogating cyberwar itself.

Actions: The skeptic theme argues that actions of cyberwar are not widespread and inexpensive, but costly and expensive. They cite the significant investment in a technology like StuxNet, the availability of resources for attribution, or the extensive insider knowledge needed to hack into critical infrastructure as examples of high barriers to entry.94 These barriers prohibit actors other than states from engaging in serious cyberattacks.95 Even then, these are not acts of war, but disruptive acts of sabotage, espionage, and subversion.96

Actors: Due to expense and complexity, cyberwar is restricted to states. States may outsource actions to non-state actors, but only states have the financial resources to support projects like StuxNet.97 Shorter term events, such as activist group Anonymous hacking websites of U.S. financial firms, are limited due to lack of state funding. If other actors, such as motivated citizens, universities, private corporations, and other elements of state collective cyberpower can have any impact, it is only because of explicit or implicit state support.98

Effects: Skeptic scholars contest claims that cyberwar is an existential threat.99 Concerns over lax security and vulnerabilities in national infrastructure are tempered by claims that exploiting those vulnerabilities requires expert knowledge.100 Critical infrastructure, they argue, has security measures for malfunctions or catastrophic failures and is well-prepared to address cyberwar vulnerabilities.101 The effects, if any, of cyberwar are limited and localised rather than significant and widely destructive, or geographically contextualised as a regional issue between rivals.102 Instead, cyberwar asks us to reconsider how we think about war and violence.103

Geography: There is nothing unique or special about cyberspace – it is simply another political structure through which states engage in subversion, sabotage, and espionage with plausible deniability, and a lack of attribution.104 Cyberspace as a separate warfighting domain reflects the interests of lobbyists and elites rather than any inherent attribute of cyberspace.105

Targets: In-line with their belief that cyberwar is of limited scope, its targets are also limited. StuxNet, although its ultimate target was nuclear centrifuges, had as an intermediary target a human being who could transport the malware into the Natanz network, or who could be targeted via phishing.106 Other forms of cyberwar (espionage, subversion, sabotage, or disruption) require human failings or specific expertise to succeed, and only then can any secondary effects be manifested. Thus, the skeptical theme articulates targets both in terms of humans as well as critical infrastructure and information.107

Summary: Skeptical scholars question the saliency of claims that cyberwar is an existential threat. Cyberwar exists on a spectrum or is discrete components – espionage, sabotage, or subversion –and causes disruption rather than destruction.108 These actions are expensive and require specialised knowledge, limiting them to being supported by states. Because of high barriers to entry and precautions already in place in most critical infrastructure, the effects of cyberwar are limited and local. Cyberspace is an extension of the physical domain and political actions which occur in it. The existence of a separate warfighting domain reflects lobbying efforts by cyber-security firms, military, and policy elites.109

Skeptical claims centre on research which demonstrates that the cost of attack, such as StuxNet, could only be borne by a state, or the lack of explicit physical violence and harm from cyberattacks. For instance, Rid110 claims that Moonlight Maze does not represent a case of cyberwar, but is an example of cyber-espionage. Likewise, the 2007–08 DDoS attacks on Georgia and Estonia by Russia were a nuisance not a threat.111

The skeptical position has found resonance in popular media and in critical studies scholarship.112 The lack of any significant cyberwar, despite hype by alarmists, has contributed to skepticism that cyberwar will occur. National security experts continue to argue for a more alarmist-based position, but now temper warnings with skeptical considerations, emphasising the idea of cyberwar as disruptive, not destructive.113

Realist

The third theme involves scholars and practitioners who emphasise that cyberwar exists within a modified realist framework.114 These scholars do not dispute that cyberwar is a contentious topic. Rather, they see cyberwar as a conceptual, practical, political, and legal frontier which can be understood in historical or current state behaviour and international law.115

Actions: For the realist theme, there is little distinction between expensive, or complicated actions and cheap or widely available ones. Actions are precipitating an understanding of the legal contexts in which they should be situated – only then can they be understood.116 To an extent, this is an argument which echoes skeptical contentions about the nature of cyberwar, but realists situate the debate around definitional ambiguity.117

Actors: The realist conception of actions lends itself to a broad conception of cyberwar – individuals, non-state actors, states, social movements, corporations, and others can all freely engage in cyberwar.118 This emphasises individual actors, groups, and networks in cyberspace rather than restricting or limiting actors. Thus, a highly motivated individual could engage in cyberwar, as well as a state, or social movement.119 What matters is how actors relate within the context of the international system and how norms and law include those actors.120

Effects: The realist position is concerned about the implications of cyberwar for international law and politics.121 These may be disruption, destruction, subversion, espionage, or sabotage, but the impact will be on future interactions between individuals, groups, political and financial structures, intellectual property, and trade regimes.122 The effects of actions in cyberspace are on the broader systems and the worlds which actions enable.123 Thus, understanding where a state begins in cyberspace, what constitutes a hostile act, or how to interpret the StuxNet attack in international law, are the effects of cyberwar.124

Geography: The realist position sees cyberspace as a domain where unique actions take place, but those actions are grounded in pre-existing physical, political, and legal geographies.125 It is indistinguishable from the existing international system and must be seen, evaluated, and acted upon as an ordinary feature of that world. This perspective would contest the U.S. Department of Defense’s vision of cyberspace as a separate warfighting domain or the skeptical position that cyberspace is a proxy or metaphor for physical space.126

Targets: The focus of cyberattacks are any assets which exist within sovereign territories and legal jurisdictions.127 This includes civilians, corporations, military networks, and government computers, anything situated within existing international legal structure.128 What is relevant is the legal and conceptual geography of those targets.

Summary: The theme of realism is concerned with the implications of cyberwar on international law and practice. The precedents established by actions can have unforeseen consequences for international stability and careful analysis must be undertaken to properly understand them.129 Realism is not concerned with the cost or complexity of actions, but with the “who, what, and where” of cyberwar. Here, states are relevant because they underpin the international system and their actions have bearing on legal precedent and norms.

The realist position is largely composed of legal scholars and academics who see the debate between alarmists and skeptics as focused on language, rather than on events. Whether or not cyberwar exists is an issue about how cyberwar is defined rather than what is occurring in cyberspace. For example, StuxNet may or may not be an act of cyberwar or sabotage. Rather, it is the development and deployment of software, which destroys centrifuges without attribution or accountability and is a threat to international stability.130 In this example, realists are interested in interpreting events within international law rather than arguing whether cyberwar exists.

Example: using the framework for a definitional compromise

The framework of five variables and three themes can be used by scholars to develop definitions of cyberwar, or understand how themes relate to each variable. Considering the development of critical cyberwar scholarship, recent research has moved away from strict thematic boundaries, bringing together all three themes to paint a more nuanced picture of cyberwar. For instance, attack types previously considered to be cyberwar, such as DDoS attacks against Estonia131 are now seen by the Council of Europe and many scholars as civil disobedience.132 The proposed framework reflects emergent patterns of scholarship and the need to move beyond strict themes and towards a more fluid framework for defining cyberwar.

To demonstrate usage of the framework, this paper provides an example fourth theme: a definitional compromise amongst the three other themes. Given the interplay between alarmist, skeptic, and realist themes across literature, this theme sees cyberwar as actions undertaken by states to alter information, disrupt computer systems, networks, or Internet-connected devices belonging, or deemed critical to, another target state. This theme demonstrates how cyberwar can be defined using the framework by supporting each variable with case studies and selecting variable definitions from each theme.

Defining the variables

Actions: In line with skeptics, cyberwar actions are expensive and complicated. While cyberattacks range from simple DDoS to the highly complex Stuxnet malware, for an action to be considered part of cyberwar it must be complex enough to require state resources. This distinction matters because greater resources allow for more sophisticated attacks, including expensive zero-day exploits which the RAND Corporation estimates costs nearly $30,000 on average.133 This does not preclude simple attacks like DDoS, because state resources can be leveraged to execute large-scale attacks, such as Iran’s Operation Ababil DDoS attacks, which temporarily disrupted the U.S. banking sector.134

Beyond cost, critical state infrastructure has well-established protocols and procedures for dealing with emergency situations, necessitating a greater investment in resources by the attacker to infiltrate target networks.135 To disrupt in a serious fashion state infrastructure requires specialised knowledge and access to advanced plans or technical specifications, precluding all but the most well-funded and sophisticated actors.

Actors: The legitimate actors are states, who bear responsibility for what occurs within their cyberspace. As Healey argues, “national policy makers often need to know the responsibility for an attack, not the technical attribution, to drive their decisions and responses.”136 It is not that non-state actors cannot conduct cyberwar actions, but that they often do so on the behalf of states for plausible deniability.137 Noteworthy examples of this include the 2016 Russian “Fancy Bear” hacks of the U.S. Democratic National Committee and the Iranian “Shamoon” hacker group responsible for a significant attack on Saudi Aramco, wiping the hard drives of over 30,000 computers in 2012.138 However, final responsibility rests with states.

Effects: The effects of cyberwar have included not only the destruction of centrifuges, but also the Syrian Electronic Army hacking the Associated Press’ Twitter account and the resulting $130 billion in losses on the S&P 500 index.139 It has included long-term disinformation campaigns by Russia, hacks of Sony emails by North Korean mercenaries, and website defacements by Iranians.140 The effects of cyberwar are the accumulation of both large and small-scale attacks between adversaries. As Harknett and Smeets argue, “cyberspace introduces new ways and means of degrading national power by attaining strategic impact through continuous campaigns comprised of often-covert, less violent cyber operations.”141

Geography: Cyberspace is a distinct and separate domain with protocol-based limitations which limit state actions.142 That domain is inclusive and constitutive of political geography, meaning that cyberspace is part of a national territorial sovereignty while re-configuring that sovereignty online. This is illustrated in the 2018 U.S. Department of Defense Cyber Strategy:

The Department will prioritize securing sensitive DoD information and deterring malicious cyber activities that constitute a use of force against the United States, our allies, or our partners. Should deterrence fail, the Joint Force stands ready to employ the full range of military capabilities in response.143This theme echoes the U.S. position by saying there are limitations to warfighting actions in cyberspace, but responses to those actions are not limited by cyberspace. Cyberspace is both part of national sovereignties and a separate domain.

Targets: The targets of cyberwar are elements of national cyberpower. Cyberpower is the sum of critical cyber elements of a state and its society, including private corporations, military networks, talented individuals, universities, security organisations, symbols, and social, or political movements.144 The concept can be understood offensively and defensively, and adversaries may target smaller elements of cyberpower for the purpose of training or gaining access to complex systems.145 Thus, it may become necessary for states to intervene in non-critical areas which may impact cyberpower. This is demonstrated in the hack of Sony Pictures by North Korean-affiliated hackers. After the hacks, the U.S. government did not respond, believing it an affair for Sony Pictures. Although Sony Pictures was not “critical infrastructure”, eventually the U.S. worried that non-intervention would set a dangerous precedent for national security. Further, the idea of an authoritarian state limiting domestic freedom of expression made intervention symbolically important, with the secretary of the Department of Homeland Security stating “It was also an attack on our freedom of expression and way of life.146” Soon, the U.S. government accused North Korea of responsibility for the hacks.147

Addressing definitional shift

Definitional shift contributes to the lack of any single broadly accepted definition of cyberwar, and efforts to define cyberwar must address this shift.148 This paper has conducted a broad survey of interdisciplinary literature to provide an overview of the debates in scholarship, and identified three themes and five variables to provide a framework for defining cyberwar. The definition in this paper is one example of how the conceptual framework can be configured and reconfigured to create new and relevant definitions of cyberwar. Given cyberwar’s definitional fluidity, new definitions may make interdisciplinary communication and policy difficult. Thus, having a base framework for development, understanding, and evaluating definitions creates a common foundation for discussing cyberwar.

Definitions of cyberwar will undergo changes over time, but a modular framework of realist, alarmist, and skeptic provides a flexible baseline for examining future actions in cyberspace and how they relate to the actors, actions, geography, effects, and targets of any future cyberwar. As new technologies and state/non-state behaviours emerge, the framework provides a broad structure for incorporating, evaluating, and understanding change.

Conclusion

For nearly thirty years scholars have offered changing definitions of cyberwar, and the continued lack of clarity demonstrates that efforts at establishing a singular definition have not been successful. This paper takes the position that a broadly agreed upon scholarly definition of cyberwar is unlikely to emerge. Demonstrating the breadth of definitional ambiguity, Hughes and Colarik identified 56 explicit and 103 implicit definitions of cyberwar currently in use.149

The lack of definitional clarity makes interdisciplinary research and policy work challenging. For example, international legal scholars advising policymakers might examine research in security studies or geopolitics to understand attribution. Each of these three fields could have a different definition of cyberwar, leading to policy outcomes which do not speak to current or future realities. As such, it is vital for scholars and policymakers to have a baseline of definitional clarity from which to work.

To address this issue, rather than offering a new definition, this paper offered a framework for understanding the scholarly definitions of cyberwar, focused on three themes identified in a broad interdisciplinary survey of the literature: alarmist, skeptic, and realist. It subdivided these themes by five identified variables: actors, actions, geography, targets, and effects. Subsequent work can interrogate and engage with each aspect of this matrix, demonstrated by the paper’s definitional compromise theme. This framework provides a baseline for developing, understanding, and evaluating definitions of cyberwar across the literature while creating a foundation for future work in this fluid and dynamic field.

No comments:

Post a Comment