Of Cyber, War, and Cyberwar

Prologue: cyber odyssey 2007 

Let's begin with a war story; certainly there are war stories also in cyberwar; this one is Eneken's: 

"I am a survivor of the First Cyberwar. I may even be a veteran. Of the latter I am not entirely sure.

Cyber bombs fell on Estonia in the end of April 2007. Nobody saw the bombers or heard the bombs falling, but everybody learned of their arrival when the defence minister, speaker of the parliament, minister of justice, and the prime minister all assured us they were there. Suddenly, the riots on the streets seemed secondary to this war. Weapons of mass destruction had hit us. We were under a blockade. Russia, the gargantuan eastern neighbour had (finally) made its move.

The tiny Tallinn airport was operational the next morning. I had no choice but to leave - there was a working meeting on personal data protection in Brussels and my orders to participate had not been withdrawn. Well, nobody had called me to postpone the trip, and had there been any 'normal' orders, I would not have known as there was no access to the governmental information system. 

I took off with a heavy heart. What should you pack when departing from a war zone? My grandparents had buried the family valuables in the garden when they left their home during the Second World War. That seemed a little unhelpful as I had nothing of that kind. Valuables, I mean.

In Brussels, the technocratic work was hardly on my mind. I kept checking the Estonian news, with no success: no online media site would open, and government websites were also down. However, everyone at the EU Commission and our colleagues from NATO were reporting the war.  

After a day filled with a constant flow of breaking news, I took a taxi to the airport. After checking in, I felt a little more at ease. There still was a country to go back to. I felt grateful and relieved - whatever was going to happen the next day, I would face it with my family and friends.

The next day at the office - I had two jobs - I learned what it means to be part of the public administration of a country at war. Not that anything directly threatened my so far comfortable life, but it was still a chaotic situation: an immediate legal assessment of the situation was required; hourly technical updates were requested; talking points kept pouring in; phones were ringing constantly.

Preparing my legal assessment of the situation, I felt how unprepared I was to deal with the notion of war. Not only was I unable to apply any rules of international law to the situation, but I kept circling back to municipal, national law; the penal code, data protection requirements, even the public information act that had made it easy to simply copy and paste hundreds of email addresses from the ministries' websites straight into the "weaponized code." When I spotted an international lawyer saying that international law is not fully equipped to deal with the type of war Estonia was in the middle of, it made some sense. However, this memo also suggested that international law was to be developed to deal with such attacks. I was not entirely sure of this - but then again, I had no educated opinion.

I also noticed our chief of defence saying in the corridors that nothing that was going on had any military significance. He must have been wrong. I was not sure how or why, but it was clear that the situation was nothing short of conflict as the Ministry of Defence was deeply involved. The NATO Centre of Excellence was to remain involved. I was to remain involved. So, clearly, the chief of defence must just have been confused: we now had a very different type of war to wage that did not exist when he was taught what for and how to fight.

The next day, the war was over. Naturally, the cyberattacks became a keen object of research at the Centre. We, the scientists and researchers, suddenly got to attend countless meetings - Brussels, Mons, Redmond, prominent UK and US universities, and think tanks - to tell our story, the story of a new kind of war.

At one of those many panels, somebody mentioned Estonia having invoked the right of collective self-defence under Article 5 of the North Atlantic Treaty. This was news to me, so I decided to check it out. Indeed, NATO had received a letter from Estonia warning against cyberattacks that, in our expertise and best assessment, were likely going to be a threat to all NATO countries.

"We did NOT invoke Article 5," I wrote in my notes. To fortify my talking points, I added: "No country can invoke collective self-defence if there is no armed attack. Some states regard this threshold to coincide with that of use of force, but the Estonian incident was nowhere near to any such threshold."

Apparently, I was slightly misguided again. Months later, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) was fully operational with not three members as per the minimum requirement, but seven! Estonia was the go-to country for cyber defence advice and cyberwar stories. The UN First Committee took up the issue of international cybersecurity and Estonia occupied one seat in the group of initially 15, then 20 and then 25 experts to attend to this issue.

Years later, when I analysed national positions on international law on this matter, I discovered that until 2006, as is obvious from the UN First Committee archives, Russia was the only country to sponsor the narrative of information and communications technology (ICT) as a theatre of war in the UN. Now, cyberwar is all around us. Much of it is very reminiscent of what fell on Estonia in 2007. It still does not make a lot of sense to try to apply laws of war to it. We should (much) rather ask ourselves if a solid resilience plan and better cyber hygiene, also on behalf of government institutions, could be more useful in this situation: cybersecurity starts at home.

Oddly, I feel like a veteran. I feel like a veteran of the war that never happened but that created a narrative of war that suddenly is becoming normalcy." 

*

Never let a good crisis go to waste - the saga of 2007 has been helpful to the control-freak East, the operations-savvy West, the insecure South, the unsure North, the eager industry, and the well-meaning peace lovers. We have heard many loud statements and seen many capitalized attributes witnessing cyberwar being waged. We do not believe in these testimonies. 

Of war

It's true that bad, harmful, and malicious things take place in cyberspace. Children are being bullied, exposed, and exploited, online fraud and theft appears to be easy and profitable, videos of violence are roaming free, and states, the civilized members of the international community, are conducting mass surveillance and targeted intelligence (espionage) and some destructive operations. But war? Let's get real.

It's true that we can detect a lot of 'wars' going on. While we have, hopefully, got rid of the notorious notion of the 'Global War on Terrorism,' another nonsense notion, 'hybrid war' has entered the theatre scene. Some time ago we waged protocol and browser wars, cola wars and coke wars; the war on obesity that humankind is constantly waging but is sure to lose. Agreed, the notion of war, perhaps similarly to jihad, is being used in a colloquial and expressive way to enrich the argument: something crucial and important is going on. But, if everything is war, the horrors of real war are being diminished and mainstreamed. If war is being waged everywhere, human and societal life is reduced to constant state of conflict. Most importantly, if we believe in the ongoing or looming war in cyberspace, we had better get ready to wage it. That is what many governments are proposing. 

We strongly advise that the expression of war only be used when speaking about organized state violence - the use of it against another state or politically organized entity. The wording is less important than the idea behind it. War is organized, that is, the conduct of war, warfare, waging of war, is organized and purposeful, politically motivated, systemic and systematic. War is violent, that is, it causes death and destruction. War belongs to the property of states; individuals resorting to violence are criminals. War also can also be seen as a phenomenon which takes place in an armed battle between states; yet, both the structural and phenomenological approximations follow the same logic.

We can also justifiably talk of civil wars (Sic!), intifada and insurgencies, wars of liberation, where one of the fighting parties is a state and the other, not necessarily having the formal status of a state, an organized group operating as a political entity. The political character of fronts, armies, and organizations of liberation, even tribes, is obvious: the political character does not require a parliament or parties but rather desires, set objectives, and thought-out means and measures to achieve the ambitions. Harold Lasswell's 1936 book titled Politics. Who Gets What, When, How made this clear straightaway. If a politically organized and motivated entity is conducting systematic and organized death and destruction-causing violence against another similar entity, let's face it: it is a war. Legally, this may not be the case, but then, legally, very few wars have been waged since the Korean War (which, by the way, has not yet formally ended). 

Our approximation of war is Clausewitzian. Despite the changes in its colours and structures - the famous chameleon argument - the nature of war as violent, uncertain, and purposeful remains. The current and anticipated state of cyber activities and operations, even by states, does not fit these criteria. 

Of cyber

Cyber operations have not caused large-scale destructive effects. Communications have been blocked, web pages have been smudged, electricity has been shut off, information has been destroyed, industrial systems have been halted, and financial and identity losses have been suffered. Yet there is very little smoke and rubble, and, most importantly, no human casualties. In fact, almost any other human activity is more lethal than cyber operations. 

Most importantly, cyber effects, ranging from manipulation to denial of access and services to degradation and destruction of information and systems are not likely to cause such second- and third-level effects that would make states resort to war. Cyber operations do not threaten the existence of states or shackle the balances of power, they do not create wider, long-term, and decisive effects that military campaigns and war proper aim for and can achieve. In the brutal reality of political decision-making, the question is not one of the conceptual possibility of death and destruction, but the scope of violent, devastating, and painful effects. 

Why then are many nations nevertheless developing cyber military capabilities, establishing cyber-specific units and commands, training and educating personnel to conduct cyber operations, and waging war in cyberspace? For example, since 2012, the USA has been systematically reviewing its national strategies, joint military doctrines, and field manuals to incorporate cyber capabilities as an elementary part of all military operations and functions. This would also include deploying cyber units and teams to tactical land forces formations, perhaps "down" to manoeuvre brigades, integrating cyber capabilities into the full range of military operations. Russia and China are trying to incorporate tools of information warfare into their military forces. The tree-hugging Nordics are building up capacities of cyberwarfare, and Estonia, et tu, a nation of barely over one million inhabitants, established a cyber command in November 2018. What's that, militarization?

Armed forces have always been at the forefront of employing the latest information and communication technologies. Computers were originally used to, well, compute. What was established next, as early as the 1950s, was connectivity between surveillance stations, command posts, and fire and manoeuvre units. In the aftermath of the Cuban missile crisis, the USA established (an ill-functioning) "Worldwide Military Command and Control System." Digitization has improved the accuracy of targeting. Currently, the majority of armed forces are modernizing their command and control and weapons systems. Looking for better effects and better ways to achieve effects, the most advanced are integrating their systems and networks. Smart and connected technologies are being deployed and employed to all military functions, administrative and lethal. Everyone is trying to protect their data and networks. 

Cyber capabilities are certainly being used in all contemporary conflicts. Governments employ cyber means in political and economic espionage, too. Some are also said to conduct criminal activities online. A conceptually correct and factually accurate notion to explain and entertain the development, deployment, and employment of ICT and cyber military capabilities is cyberwarfare, a combination of ways and means, methods, and capabilities, tools and their use. 

Precisely their falling short of war makes cyber operations lucrative and dangerous. They have been proposed as the default form of power projection. Some countries are openly proud of their cyber capabilities and operations, perhaps thinking them to be risk-free. The opposite is true.

Conflicts and contestation are nevertheless not virtual per se but political and real. Even the purest form, the most romantic image of cyber operations - exchanges of virtual salvos and hasty coding - does not take place in isolation or at the speed of light. 

The logic of war and politics and the reality of cyber operations thus leave us in a paradoxical situation: as long as cyber operations are only capable of causing relatively minimal, temporary, and secondary effects, they are not elevated to the level of war. Cyber operations causing serious existential or destructive effects (which is unlikely), would escalate the situation to traditional political and military conflict and war.  

Statistically, the vast majority of known or suspected state-sponsored cyber incidents constitute acts of espionage. The rest few dozens of recorded incidents result in relatively minor effects, such as defacement of websites, denial of services, manipulation of data, and in very limited instances, data destruction, sabotage, and physical consequences. The situation as such is far from anything war-like. 

The problem

The obsession with cyberwar makes us miss the point of what is going on. The cyber militarization surge does not involve only known and established powers - between them, cybernetics may become a way to avoid unnecessary casualties and destruction. We see whole new operational identities emerging in all continents; within the EU especially in Estonia, the Netherlands, and Poland. 

The entrance of the cyber newbies to the global conflict theatre is alarming and potentially destabilizing. Their presence testifies to an appetite for becoming relevant by power projection. Despite acknowledging that development and use of these capabilities positions them in the danger zone of their adversaries, new cyber powers let their operational ambitions take over their commitment to the rule of law. Just a little, it seems - a nip on sovereignty and a tuck on due diligence. These cuts, however, are serious wounds to the public international rule-based order. A self-proclaimed right to deny sovereignty of one nation denies the right to sovereignty of all. 

Development of new operational capabilities feeds the perpetuum mobile of political tensions and easily leads to an unwanted or unanticipated escalation. In any case, there is no way to predict how these newly found powers will develop or how resistant the new cyber powers are to political manipulation and provocation. Accordingly, while we are admiring the cyberwar that isn't, we miss developments that might lead to an actual conflict. 

The habit of conducting cyber operations is a risky business. The climate of cyber conflict and the (mis)perception of cyberwar further destabilizes the delicate balance between normalcy and crisis. During a cyber situation, political decision-making is easily inflicted by sense of urgency, the primacy of hard security, and the fallacy of appearing powerful. Yet decisions are made amidst a fog caused by misinformation, miscalculation, uncertainty, and fear. National and organizational exercises celebrate escalatory language and measures. De-escalation seems to be too difficult even to think about, but that is precisely what is needed.

We all hope this time will not come. We all know it likely will. We don't know how many cuts it takes for the international order to fatally bleed. Human rights, the rule of law, and the leitmotiv of peace are all neglected in the cyber power game. Voluntarism brings out the lack of the sense of accountability in the community of states. It underlines that states, unlike social communities, are not bound by any shared identity or common values. Instead, it reminds that the only common denominator between states is their political self, and that the prospect of any global governance is a mere utopia.  

This brings us to another kind of nonsense - voluntary and non-binding norms of responsible state behaviour, the placebo offered to the international community as a substitute to international law. Because there is no prospect of war between them, the United States and the Russian Federation can afford to dance a slow waltz with each other in the ballroom of no restraint. In their heavy hug, they are too self-confident and comfortable to deal with the overwhelming lack of resilience, awareness, and accountability looming all over the world. Tallies of new cyber powers are considered allies to one and excuses for the other - until the carriage turns back into a pumpkin.

The world has been just peaceful enough for states to drop their guard. There is, however, a real prospect of conflict in ICT if its development and use are not taken seriously. This prospect is not cyberwar. It is the prospect of real war. The type of war that international humanitarian law was made for.