While a full-scale cyberwar is always possible, many experts argue that it seems unlikely
So far, no act of cyber incursion/aggression has yet filled all of Carl von Clausewitz’s classic criteria for war as “violent, instrumental, and political.” While a full-scale cyberwar matching this definition is always possible, many experts argue that it seems unlikely–for reasons I’ll explore at the end of this blog post.
- Scenario 1: Coordinated cyberattacks shut down important websites of an enemy nation as part of a series of Denial of Service and other, coordinated incursions.This has already happened, as described in Parts I and II of this blog series. In fact, the first incident of this kind was a Russian cyberattack on Estonia during a three-week period in 2007 following Estonian removal of the statue of a WW II Soviet soldier. Government, political, bank, and major newspaper websites were all shut down.
- Scenario 2: Hackers access and degrade an enemy’s military systems, crippling its conventional combat and offensive cyber system capabilities. Military systems, including GPS, for example, are inevitable targets in this scenario. Such attacks, in most cases, would be precursors to full-scale conventional war, and most probably coordinated with the following–
- Scenario 3: Most concerning to policy makers is the possibility of a series of concerted attacks in which hackers destroy or degrade a nation’s critical infrastructure, including its power grid, financial systems, and/or transportation networks (e.g., triggering trail derailments), knocking systems offline for weeks, perhaps many months.Such an attack would result in the deaths of thousands, perhaps millions, of civilians.
Factors making major cyberwar less likely
While the last two of these scenarios are ‘scary-apocalyptic,’ a number of experts argue that full scale Cyberwar is less likely than many of us have feared–
- First, outcomes of such major cyberattacks are highly uncertain–with potential devastating blowback to the perpetrator(s)/aggressor(s), even for advanced, sophisticated hypothetical aggressors like the U.S. and China. Bottom line: any nation state, large or small, has precise agendas and vital interests—that would be seriously jeopardized after launching such attacks. This dynamic is loosely parallel to the ‘balance of terror’ that has helped prevent nuclear war since the late 1940s.
- Second, political cyberattacks will most likely continue to be ‘Cyber Cold War’ activities like subversion, sabotage (e.g., Stuxnet) and espionage (e.g., the theft of intellectual property).”
- Third, though cyberwarfare seems asymmetrical (with weaker nations able to inflict serious damage on stronger nations), advanced cyberweapons are, in fact, costly to develop and hard to obtain from third parties. To date, weak actors do NOT seem capable of mounting the kind of protracted cyberattacks that could cripple the infrastructure of well-defended systems.
- Fourth, offensive cyberattacks by weaker states make sense only in the unlikely event that their digital capabilities are backed by significant conventional and/or nuclear weapons. Otherwise, they could easily be decimated by the conventional military response of the stronger state. North Korea is a possible exception. Bottom line: cyberwarfare is unlikely to provide any significant advantages to nations that are unwilling or unable to engage in a coordinated conventional war.
- Fifth, even the most hostile, strident actors (e.g., North Korea) have too much at stake to engage in a costly cyberwar if they can find other, cheaper ways to resolve conflicts.
- Sixth, wars are primarily about achieving concrete objectives—and it’s impossible to do that without claiming responsibility for the damage caused to an enemy’s property. At the same time, any government claiming responsibility for such attacks would then be highly vulnerable to devastating counterattack (if not already identified as the perpetrator).
- Finally, no terrorist group has yet had success disrupting target civilian or military infrastructures. Why? For a group like al-Qaida, or even the state-like entity of ISIS, such capabilities are not only costly, but difficult to implement, making newsworthy damage unlikely. In addition, cyberattacks lack the necessary spectacle of public theater terror, such as detonating a bomb in a busy public square. —That said, I, for one, believe that this is a long-term threat that needs to be monitored carefully.