“The next Pearl Harbor we confront could very well be a cyberattack.” That’s what Leon Panetta, then head of the CIA, warned two years ago. A former U.S. director of national intelligence, Michael McConnell, warned in December of “the cyber equivalent of the collapse of the World Trade Centers.” Military organizations such as NATO want to devote considerable resources to cyberwarfare, and warn governments that they should spend far more on weapons of online war.
We tend to believe them. To those of us who grew up in the early decades of the Internet, reading William Gibson and watching Tron, the idea of a distinct and tangible “cyberspace,” as Mr. Gibson coined it, seems believable. If war is hell in meatspace, then imagine what it will be like when it moves into the online world, where all our communications and private data are stored, where the machines that control our entire lives can be hacked. If the Internet is everywhere, wouldn’t a cyberwar be a total war?
Once we started believing this, the whole world seemed to confirm it. An online virus was used by Israel and the United States to disable a uranium-enrichment facility in Iran. China uses a facility to steal data from the West. France, Britain and the United States, as we’ve recently learned, are mass-harvesting the online communications and phone calls of foreigners (and possibly their own citizens), and the man who revealed this, Edward Snowden, is in the midst of a globe-trotting flight across the settings of vintage James Bond movies. If this is what cyber cold war looks like, how horrid would real cyberwars be?
We can imagine them, and make movies about them, but the reality is far more mundane and less threatening.
That’s the conclusion made by Thomas Rid, an expert on cybersecurity and intelligence at the department of war studies at London’s King’s College. His forthcoming book’s straight-up title, Cyber War Will Not Take Place, is a call for sanity: There is no distinct “online world,” and the many forms of online crime and mischief are not a threat to our existence or our civilization.
“Cyber war has never happened in the past, it does not occur in the present, and it is highly unlikely that it will disturb our future,” Mr. Rid writes.
Instead, he says, “the opposite is taking place: a computer-enabled assault on violence itself. All past and present political cyberattacks – in contrast to computer crime – are sophisticated versions of three activities that are as old as human conflict itself: sabotage, espionage and subversion … In several ways, cyberattacks are not creating more vectors of violent interaction; rather, they are making previously violent interactions less violent.”
People who understand distributed systems and networks realize this: It may be possible, if hundreds of people work on the problem for years, to damage a single centrifuge facility using a virus – but still only if there’s also a human sabotage agent placed on site. To destroy or disable an entire country’s or region’s infrastructure using lines of code or electromagnetic pulses would be impossible – or, at least, given the need for human agents at each target, it would be the same as using bombs to do so (and bombs would be quicker and easier).
This is Dr. Rid’s crucial message: There is no distinct “online” world; it is simply part of the world, as much as the telephone or the highway. Defence of vital assets remains important, but there is no distinct “cyberspace” to be defended – it is all of a piece.
The danger, Dr. Rid tells me from his office in London, is that the myth of “cyberwar” will lead us to believe that online security is a matter for the military – a notion that the military, eager for funding, is all too willing to promote.
“Hyping a cyberwar doesn’t necessarily create Chinese hackers coming in and harming citizens,” he says. “What’s more realistic is that if we couch the problem in a martial language – war and peace, offence and defence in a military context – then we think that the agencies that are traditionally in charge of that are best placed to deal with the problem, because it’s war. But if you put intelligence agencies in charge of cybersecurity, they’re more likely to apply an offensive mindset to the problem than ministries of interior.”
It is worth spending money to make our computers, and the devices that control our machinery, secure from spying and vandalism. But that’s not war, and it shouldn’t be a job for the warriors.