"Cyberwar": Past and Present of a Contested Term

Despite all the technological capabilities, a global, catastrophic cyberwar has not happened yet and is not likely to happen in the foreseeable future. Yet, at the same time, cyberwar is in our midst, since internet-based attacks have become virtually an everyday occurrence. How do these two observations fit together, and how does this paradoxical discovery impact on our notions of war and peace? Finally, is "cyberwar" really the appropriate term to use in this situation? And, furthermore, is the military really suited to guaranteeing cyber security in the situation we find ourselves in?

To determine whether "cyberwar" is an accurate term, it would seem advisable first of all to review the history of the term and the respective threat scenarios. This gives us a better understanding of the fragile strategic situation where, despite the omnipresence of cyber attacks, there is no realistic prospect of major cyberwars. What is it that ensures cyberwar is largely limited to everyday cyber attacks? In the current literature, this limitation is being discussed with regard to the emergence of norms - a broad term that can encompass such different aspects as diplomacy, strategic deterrence, ethical limitations and liability issues.

Two extreme positions

The term "cyberwar" was coined in 1993 by security experts John Arquilla and David Ronfeldt. It described the "future of warfare" in the context of an IT-driven transformation of military systems, and the resulting reorganization of warfare.¹ Arquilla and Ronfeldt were thinking mainly of terror attacks by non-state actors, although they also sought to describe the increasing integration of cyber components into military defense systems. The cyber terrorism scenario is typical of an initial phase of awareness that extended into the early 2000s. It yielded to a second phase where the focus shifted mainly onto states. Public awareness reached a peak in 2009/10, when the first state or state-sponsored cyber attacks had demonstrated the dangers and capabilities of the new technology on a large scale for the first time. For a moment, in the collective imagination of Western populations, "cyberwars" appeared to be the next great threat to mankind. This entailed a revival of Cold War era fears of an impending nuclear annihilation of mankind.

Even though the problem has changed in many respects since then, plenty of ideas and terms from the 1990s are still circulating in the debate on cyberwars. But the fact that failed ­ideas live on - such as the cyber terrorism scenario, where ideologically motivated hackers cause a real-world disaster from their PCs - is merely a sign of a more fundamental strategic uncertainty. The ideological field broadly divides into two camps. The most extreme elements set the tone in each camp, while the many moderate voices are caught up in the polemic against the extreme positions. According to these positions, either there is a threat of major cyber catastrophes of hitherto unimagined proportions, or the cyberwar threat is just a pretext, and the real threat is a militarization of the internet.

The prospect of global "cyberwars" has opened up new threat scenarios that take the place of earlier scenarios of nuclear annihilation. According to such descriptions, civilization threatens to be wiped out by the destruction of critical infrastructures. Cyberwars have therefore reactivated latent fears of an impending nuclear war - the real possibility that mankind will be annihilated - and occupied the position left vacant in the collective imagination. The corresponding keywords are "cyber 9/11", "cyber Pearl Harbor", "cyber armageddon" (or "cybergeddon"), occasionally also "cyber Holocaust."

In this scenario, terror groups, hacker groups, script kiddies and other states fight against Western states. They do so primarily by crippling critical infrastructures on a large scale.

Critical infrastructures are everything that keeps modern civilization running, particularly energy and water supplies, transportation, health, banking and agriculture. Usually these areas are not under state control, but nevertheless they are of vital interest to the state, and their potential loss represents a threat to sovereignty. Power stations, hospitals and transport routes (including ports and airports), but also communication networks, must be protected, for any destruction or disruption of theseinfrastructures would paralyze civilian life and potentially produce many victims. Increasing digitalization has made these facilities vulnerable to cyber attacks. Some fear that hackers could open dams and cause a wave of flooding; or they could make trains derail (preferably goods trains carrying toxic chemicals); or take control of self-driving cars and repurpose them as weapons. By attacking power stations, they could cause power outages in urban centers (or even across whole countries). These attacks would be accompanied by a temporary disruption of communication networks. Perhaps the most extreme - and still futuristic-sounding - idea is that the "smart city" of the near future could be taken over by hackers, making life hell on earth for its inhabitants.

Despite the possibility in principle, so far no such large-scale cyber attacks on critical infrastructures have occurred. Known ransomware attacks on hospitals (such as the attack on the Lukas-Krankenhaus in Neuss and two other hospitals in North Rhine-Westphalia in February 2016) and municipal authorities did not achieve anything like the imagined extent of civilian damage or level of strategic threat. Great dystopias envisioning the destruction of critical infrastructures by hackers have remained the stuff of cyberwar folklore. The key point here is that such large-scale attacks on critical infrastructures have no strategic benefit for state actors, whereas non-state actors - who could be tempted into such a course of action even without a strategic reason - are not capable of carrying them out. The operational requirements have become too high, and such attacks lack strategic value.² They would only become strategically plausible in the context of a greater war strategy, but this would also limit their scope. Temporarily disabling infrastructures in war - e.g. to cut off the enemy's electricity supply - would probably rather result in a decrease in physical destruction. Indeed this has been one of the cyberwar scenarios from the beginning.

The media reaction to these catastrophic scenarios also tested many of the arguments that are still put forward today, in ever new combinations, against the term "cyberwar." Critics not only take exception to sensationalist word combinations like cyber 9/11, cyber armageddon, or cyber Pearl Harbor, they also essentially dispute that such a thing as cyberwar exists. They believe that the term "cyberwar" is merely an ideological construct, employed by states to gain new enemies and new powers. China and Russia - the two big state players in the fight against the Western order - only commit cyber espionage or cyber crime, they argue, but are not interested in a cyberwar. In 2012, the political scientist Thomas Rid summed up this point of view by stating that instead of a cyberwar, there were only different versions of subversion, espionage and sabotage.³

One key figure in this debate was the journalist Seymour Hersh. In an influential 2010 article, he described "cyberwar" as a struggle between civilian and military/intelligence use and control of the internet, in which the military and state security services would increasingly attempt to take over the internet. According to Hersh, the great fears are due to a confusion between cyberwar and cyber espionage. This only benefits the defense industry, whereas it is demoralizing for data protectionists. In his view, talk of cyberwar only creates a justification for government agencies to spy on their citizens. Instead, like many before and after him, Hersh calls for a greater use of encryption technologies, including state-mandated encryption: "The government would compel both corporations and individuals to install the most up-to-date protection tools."⁴ Only the military and security services would prevent such a solution, as it would limit their ability to intercept signals.

U.S. cyber security expert Amit Yoran adopts a confusing position. On the one hand, he asserts "serious implications [...] in calling the cybersecurity crisis a cyberwar. A warfare connotation or cyberwar label provides for a natural inclination to place greater emphasis on the role of the military and intelligence community." On the other hand, he too believes that: "Ultimately, it doesn't matter how you define cyberwar or whether you believe we are currently at a state of cyberwar or not."⁵ There is no need to point out that the two positions ("serious implications"/"it doesn't matter") are completely incompatible. But the contradiction reflects a widespread uncertainty about the relationship between language and things. Yoran regards the expression firstly as a "label" and thus seems to suggest that the linguistic designation alone could be capable of constituting an act of war - as though war were brought into being only in the act of naming, instead of the naming being a response to a war-like situation. In the second quotation, on the other hand, common sense returns: what matters in reality is not so much the precise term, but primarily the "action." At last, Yoran attempts to bring together the two contrasting aspects with an utterly trivial rhetorical formula: "While definitions matter, the time for action is now."⁶

At core, the apodictic rejection of the cyberwar concept serves to stating that cyber attacks should not serve as a casus belli. There are fears that the United States (or other Western countries) could use a cyber attack as justification for entering into a "real" war. It is highly characteristic of the quality of this debate that the mere fear appears to prohibit from the outset any in-depth investigation of the question of whether cyberwar exists, and what form possible cyberwars of the future could take. Yet the concern is far less justified than it first appears. Western military doctrines certainly allow for a response to a cyber attack using conventional military means. But this forms part of the strategic deterrent, particularly against states that are barely vulnerable to cyber counter-attacks. (The North Korean internet comprises just 28 websites.) Yet no state would go to war over espionage or ransomware attacks.

War and peace

At this point, it is useful to make a few conceptual distinctions. Typically, the term "cyberwar" is used to describe three very different things:

1. According to one concept, it is a war between two sovereign states, conducted mainly using cyber means, i.e. it is largely non-kinetic. In contrast to cyber crime and cyber espionage, cyberwar in this sense has not happened to date, nor is there any sign that it will happen in the near future. One commonly accepted exception is Stuxnet, the presumed American-Israeli attack on nuclear facilities in Natanz (Iran). It is disputed, however, whether this attack can reasonably be called an act of war.

2. The term cyberwar is also used when limited cyber attacks are carried out in preparation for a so-called kinetic war. Cyber technology is now deeply integrated into many weapons systems. Wars of the future will therefore to a large extent also contain cyber elements. But it seems that such an integration of cyber elements into war will ultimately make the notion of cyberwar obsolete. In the meantime, this application of cyber technology has tended to reduce kinetic destruction and hence to contain war - a factor that formed part of cyberwar scenarios from the beginning and remains a decisive argument against the great cyber dystopias.⁷

3. Another view sees the omnipresence of cyber crime and cyber espionage (which can develop into a full-scale war at any time, but is not actually developing into such a war) as a new kind of war, in which the permanent state of exception becomes the new normal state. This is not war in the sense codified in international law, but rather a kind of pre-legal state of war akin to Hobbes' state of nature, the fight of all against all.⁸ It is particularly in this sense that cyberwar challenges our notions of war and peace.

This cyber natural state forms a gray area between cyber crime, cyber espionage and cyberwar in the narrower sense. For now, we will have to live with the lack of conceptual clarity, and accept that "cyberwar" can refer both to something different than cyber crime and cyber espionage, and to the sum of all three. Broadly speaking, cyber crime forms the technological avant garde, while cyber espionage is the area where states and state-sponsored organizations are developing their cyber capacities. Cyber attacks in the narrow sense are characterized in that they bring the capacities of cyber crime and cyber espionage to a new level of precision and effectiveness. Such attacks are exceptionally rare (Stuxnet is perhaps the only example that meets all criteria), extremely expensive to prepare, limited in their scope, and unreproducible. At the same time, they are possible in principle and constitute an ongoing strategic threat.

In the vast majority of cases, cyberwar takes place in that gray area between cyber crime and cyber espionage. To a large extent, this appears to be the new kind of war in the 21st century. The real point here is that it then becomes almost impossible to distinguish between war and peace. George Lucas describes this kind of war as "ongoing, unrestricted warfare - warfare without rules, 'war of all against all' [...]. The danger is that such warfare not only blurs the lines between war and 'mere' criminal activities, but that such a state of war also becomes increasingly difficult to distinguish from peace."⁹

If it is true that this kind of cyberwar is the new kind of war in the 21st century, then the definition of cyberwar moves away from its dependence on Clausewitz's concept of war: "War is [...] an act of force to compel the enemy to do our will."¹⁰ In the cyberwar debate, this concept is preferred particularly by those who base their arguments on the "just war" and the criteria of the casus belli. What is actually new about cyberwar, however, is the general uncertainty as to whether and to what extent it is a war at all - the uncertain state between war and peace. The strategic threat posed by cyberwars creates a permanent state of war in peacetime.

Accordingly, we should not so much follow Clausewitz, and instead return to Hobbes and the idea of a war of all against all, a state in which man, "in the care of future time, hath his heart all day long, gnawed on by feare of death, poverty, or other calamity; and has no repose, no pause of his anxiety, but in sleep."¹¹ This state, which for Hobbes was characterized by the absence of a strong king, has its modern-day equivalent in the absence of a unipolar world power, and struggles for hegemony in a multipolar world. Cyberwar is the means of choice for aspiring great powers. It is a way to challenge the still strong United States within this system of coordinates, and gain technological, informational, economic or ideological advantages.

Norms for cyber warfare

For Hobbes, the idea of the war of all against all was supposed to motivate the renunciation of the natural state and the establishment of civilization. There are many indications that the 21st century is facing a similar process with regard to the cyberwar of all against all. But how can this cyber natural state be contained? Is it a matter for international law, in which the classical norms of (analog) war can be applied to cyberspace? The original enthusiasm for international law, as was still apparent in the so-called Tallinn Manual (2013/17), is increasingly giving way to a more complex understanding of the processes in which norms for cyberwar are only just forming.

Individual potential "strong" norms - such as restricting attacks to narrow military targets, banning cyber first strikes, or the obligation to prevent non-state attacks from within one's own territory - have not yet found much acceptance, especially among the big players. But these big players also have little interest in a major cyberwar. In part, and paradoxically, this is rooted in the principle of mutually assured destruction, comparable to the prospect of mutual nuclear annihilation during the Cold War. In particular, deterrence explains why there has been no cyberwar to date between the U.S. and China - two of the three biggest players - and why any such cyberwar has little strategic value. China could at any time cross the line from cyber espionage to cyber warfare against the United States, or at least that is what a number of major hacks suggest. And the United States, for its part, could attack China, especially where it could exploit security vulnerabilities created by Chinese product piracy. Both stand to gain little, but lose a lot, in a cyberwar.

Hence there is a common interest in not allowing a major cyberwar to happen despite all the various different goals. It would seem that this interest has also driven the recent rise of cyber diplomacy. Looking at the relevant initiatives, especially by the European Union, for the time being the main concern is with dialog and confidence building between the cyber powers. Ideally, diplomatic dialog leads to agreements below the threshold of law, which then acquire the force of law over time.

Moreover, norms for cyberwar are also formed in interaction with the private sector, for example in the fast-growing market for cyber insurance. In the near future, landmark court decisions on liability issues will give a new impetus to the emergence of norms. The scope will extend considerably beyond the topic of self-driving cars, which has achieved such high media visibility. For the time being, then, law will primarily emerge from court rulings on liability issues associated with damage caused by cyber attacks. For example, the insurance issues around Not Petya - a suspected Russian cyber attack against the Ukraine, in which a ransomware attack (Petya) was used as cover - revolve around the question of whether this was an attack by the Russian state, and therefore an act of war. The Mondelez group filed a complaint against the Zurich Insurance Group, which had refused to pay out on the basis of a war exclusion clause. Now the issue will be decided by an American court. This case is highly significant for the emergence of norms for cyber warfare and will undoubtedly also have an impact on the formation of norms for cyber attacks between states. But the way to deal with threats will also greatly change due to the establishment of good practices and industry standards. Cyber ethics should primarily reflect on and critically engage in these processes, instead of seeking to provide cyber practice with a normative concept that plays no role in the actual norming processes.

The multipolar world of cyber security

If we look at such examples of norming processes and the authorities involved in them, then it also becomes apparent that the feared "militarization" of cyberspace has not taken place. The military is one of many players in the national cyber defense field, but it has not brought cyberspace "under control". Particularly in Germany, with its federal structures, the German armed forces (Bundeswehr) share their tasks with a State Office of Criminal Investigation (Landeskriminalamt) in each of the Länder, the German Federal Intelligence Service (Bundesnachrichtendienst, BND), the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and various ministries. Internationally, national cyber defense is integrated into NATO and the EU. Moreover, limited but highly effective alliances emerge time and again, including Five Eyes (Australia, Canada, New Zealand, United Kingdom, United States) together with their various extensions, some of which include ­Germany (Eight Eyes, Nine Eyes, Fourteen Eyes). At the same time, the business sector, private IT security firms and cyber insurance companies have an increasingly large stake in cyber security.

In this multipolar world of competences and responsibilities, the military component is an important element. It will be most significant if an attack is of a military nature - meaning not only the objectives, but also the type of attack, i.e. the degree of complexity and strategic depth. In the realms of everyday cyber crime, state bodies perform defense tasks only to a limited extent. They largely play a coordinating role, and may also exert an influence on the cyber security of businesses, infrastructures and private users by formulating minimum technical standards - for example in the context of public contracting - or setting legal frameworks.

Thus we should not place too high expectations on military cyber defense. In the normal case the military's actual cyber defense tasks are in an area that cannot be served by other players. In the case of emergency, since the armed forces have greater capabilities and powers, they can adopt a stronger coordinating role. Discussions about the necessary capacities and powers of the Bundeswehr cyber command have largely focused on the question of whether, in the event of an attack, it can remain true to its defensive mandate, or whether it may also be allowed to "hack back", e.g. to switch off an attacker's server. It could also disconnect parts of Germany's infrastructure, to temporarily prevent access by military attackers. While blanket military control of the internet would hardly be desirable, there is little reason to forego the relative protection of military cyber commands.