Global cyber security (aka cyber warfare) is a new battlefield where battles are waged and lives lost. Only in this instance, it is gigabytes of data, not litres of blood, and the greatest casualty of all is privacy. According to the many documentaries about cyber warfare, all it takes is a lone hacker, fuelled by energy drinks, and chaos will reign. This is not the case. The “lone gunman” type could do damage in the same way an assassin is able to snipe their target from a distance, but a credible cyber warfare operation requires a bit more than caffeine and displeasure.
There is no internationally recognised definition of cyber warfare. I would define it as an act of aggression whereby one party uses computers to cause deliberate disruption of an opponent’s computer or network. Cyber warfare is different from cyber crime (the topic of my next column) in that it is aimed at a long-term agenda, whereas cyber crime is short-term, with limited and immediate satisfaction.
Dr Kenneth Geers, speaking at DEFCON 20 (a computer security conference), noted that cyber warfare has advantages over traditional warfare. These include the unpredictability of attacks, the flexibility in where attacks can be carried out (and by whom), the difficulty in attributing certain cyber attacks to one entity, as well as the lack of (obvious) dead bodies and noise of traditional warfare. Bombs make a noise when dropped; the screams of the wounded cry out into the still. But when a computer dies, nobody cares but those who need it.
One of the most recent and prominent examples of cyber warfare is not cyber warfare per se. 'Stuxnet' was a worm launched against the Iranian nuclear program in early 2010. Specifically designed to attack certain machines, the worm infected an engineer’s computer, which was later connected to the internet. The objective was to destroy the centrifuges used to enrich uranium. While no one is confirming who was involved, reporter Josh Halliday cites multiple sources, saying the virus itself took months, if not years, of planning, and probably involved many academics and strategists, and in the end came down to a USB drive being delivered into the facility and inserted into the air-gapped computer. The weapon might have been modern, but the tradecraft was old-school.
The most productive application of cyber warfare is intelligence gathering. Edward Snowden’s revelations to the world about the breadth and depth of the United States' electronic intelligence gathering capabilities led to most of the world reacting in horror. Sadly, my reaction was more one of “yeah, obviously”. Any government with the skill and money to create the internet would find a way to store the information for later retrieval. While addressing an audience at TechCrunch, former NSA and CIA director Michael Hayden noted that from as early as 1952 any incidental information obtained by the government did not have to be destroyed; it just was not included in the report.
Australian ethics professor Peter Singer spoke at Google, saying major cyber warfare is a zero-sum operation. He notes that it is in everyone’s best interests to maintain the status quo. Just think: if China shut down the US power grid, as many believe they will do, then the US would not buy goods from China (and probably not pay back their debt), which will have flow-on effects in the global economy. If that is true, no nation can afford to change the current balance of power, given the fiscal repercussions (both seen and unseen) post-recession. I am sure that there are small cyber skirmishes ongoing now, just like the multitude of SF operations being conducted globally. But if you know about it, someone screwed up.
Large scale cyber warfare is incredibly redundant. Stuxnet was an effective tool to hinder Iran’s nuclear program, but the operation was more James Bond than Die Hard 4.0. The threat of terror attacks led to the mass intelligence gathering, though that measure will always be questioned against the results it yields.