If a country is hit with a computer program and there is destruction/death involved, there is usually retaliation, a counter attack and an appropriate response. An opposing side is given a chance to respond to the enemy by means it deems necessary, especially if there is a lot of damage involved. In terms of conventional weapons it is clear who attacked the target, yet cyberspace is another niche with its own challenges.
Attribution in cyberspace has been a question for a long time. Although attribution of terrorist attacks is somewhat difficult, cyberspace introduces a more complicated process. Anonymity is a challenge as perpetrators may easily hide their identities. Moreover, an attack can be launched from a number of computers, operated by different people and placed in different places across the world. According to Clark and Landau, the challenge lies in several dimensions: 1) identify the computer from which the attack was launched; 2) identify the person who had been operating the computer at the time of the attack; 3) identify the main actor who gave the order and/or the actor behind the attack (2010).
According to the technology consultant at the security company Sophos, perpetrators in cyberspace may use compromised computers that belong to unsuspecting innocent people to break into someone’s computer. A hack may be coming from China, but it may be under the control of someone who is situated in another country. This was the case with the DDoS cyberattacks that happened in Estonia in 2007 (they involved more than 80,000 hijacked computers from around 178 countries). Moreover, even if an attacker is supposedly found, it is easy to blame it on a third party, saying that a computer has been hacked. This, consequently, gives rise to plausible deniability.
Although technology is being developed in order to analyze and solve the problem of attribution, it is still a challenge because of the basic design of the Internet. In theory, nonetheless, it is possible to solve the problem. According to Feaver, in the future the language of computer networks will be replaced by the Internet Protocol version 6 (IPv6), which will raise the amount of computer addresses from four billion to an infinite number. That means that everything and everyone could be associated with a unique number. IPv6 may additionally support Internet Protocol Security for authentication of the Internet traffic (Ibid.).
However, at this point of time technological analysis should always be accompanied by intelligence and information analysis. This helps to identify attackers, understand more about capabilities and intentions, and whether the attack was sanctioned by the government. Strategic and political considerations will be essential too.
A damaging cyberattack may easily lead to escalation of the situation, which is another implication for the balance in international relations. In the case of Stuxnet, a malware that affected a nuclear facility in Iran, if it had achieved its believed goal of disrupting nuclear infrastructure, it could have brought a high level of destruction with many people dead. In this case, Iran would have probably retaliated with kinetic means, rather than relying on unreliable cyberattacks (unless they had the technology). However, as attribution was still lacking, it is not clear whether they would opt for this option.
Thus, attribution poses certain problems when it comes to the question of retaliation. When it is not clear who attacked, it is hard to prosecute or retaliate in response. Attribution also creates additional challenges in decision-making, considering the speed of a cyberattack. Even if attribution is positive, it is still hard to understand what procedures are to be followed. If there are no casualties and no physical destruction, it is easier to opt for sanctions rather than a military retaliation. Moreover, if attribution is later established to be incorrect, there may be serious consequences.
On another note, the use of cyberattacks may have further complications, if the countries involved are nuclear. In case of major destructive consequences after a cyberattack, a country would be left with a choice whether to retaliate in kind or to employ conventional weapons, especially if they do not have a cyber capability.
What happens when an attacker is not identified but consequences are drastic? More importantly, if it is “believed” to be identified (yet without certainty), will a country retaliate? These questions are still yet to be answered, as there has been no precedent on such a scale. What is clear, cyberattacks present additional challenges in global security that should be undoubtedly addressed.
 Cluley, G. (2011). China denies hacking high-tech weapon maker. Naked security by Sophos, [online] Available at: https://nakedsecurity.sophos.com/2011/09/20/china-denies-hacking-high-tech-weapon-make/ [Accessed on 3.02.2018].
Wars: From Weapons to Cyberattacks
Historically, war focused on public contests which involve arms, e.g. Gentili’s concept of war. The main goal of such contests is to inflict damage on soldiers of an opposing side. Through this lens, cyberwar may be seen as a contest which perhaps involves certain arms. But it should be noted that these contests are very seldom public, mostly due to the attribution problem. Even more, cyberattacks do not kill or wound soldiers; instead they aim to disrupt property. It is, however, somewhat debatable, because such disruption of a system (like meddling with the nuclear facilities of Iran) may have an effect on both civilians and combatants in the longer run. However, these secondary consequences are not the primary goal of a cyberattack; thus, there should be a difference between a cyberwar and a war.
The element of war being public is very important, as war is always openly declared. Additionally, an opposing side is given a chance to respond to the enemy by whatever means it deems necessary. In the context of cyberwar, this is more complicated. In the case of cyberattacks, it is very difficult to determine the source and the initial attacker (more precisely, an attribution problem which is to be addressed further). Moreover, many attackers prefer to remain silent. This argument is further exacerbated by the lack of evidence. To date the best example of cyber warfare going somewhat public is Stuxnet, which has been neither officially attributed nor officially admitted.
In the end, the attack became public but it was hidden for a year before its discovery. The specialists did notice the Iranian centrifuges malfunctioning but they failed to identify the source of the problems. This cyberattack was new because it did not hijack a computer or extort money; it was specifically designed to sabotage an industrial facility, the uranium enrichment plant in Natanz.
However, attribution still falls behind. The U.S. and Israel are believed to have launched Stuxnet; however, they denied their involvement. Moreover, no other country has officially admitted to it. Based on the previous argument, for war to happen it has to be public. The case of Stuxnet or similar computer programs does not therefore prove the case of cyberwar.
Moreover, if war is seen as a repeated series of contests and battles, pursued for a common cause and reason (for example, to change the behavior of the adversary), then there should be more attacks than just one. Nothing seems to preclude that one state may attempt launching a series of cyberattacks against an enemy in the future, which could consequently be named a war. However, the adversary should be able to respond to the attacks.
Another view argues that the just war tradition can accommodate cyberwar; however, there are also some questions to take into consideration. In cyberwar, a cyber tool is just a means which is used by the military or the government to achieve a certain goal. This fits the just war tradition very well, because the just war tradition does not say much about the means used in war. It is more focused on effects and intentions (See Stanford Encyclopedia of Philosophy Online).
The example of cyberweapons and the debate around them prove that they are discussed in the same way as any other evolving technology. If agents, effects, and intentions are identified, cyberwar should supposedly apply to the just war tradition similarly to any other types of war. However, cyber means have unique characteristics: ubiquity, uncontrollability of cyberspace and its growing importance in everyday life. These characteristics make cyberwar more dangerous, and therefore they increase the threat in relation to cyberwar.
Another useful concept of war to which cyber is being applied is the concept of war by the Prussian general Carl von Clausewitz. It presents the trinity of war: violence, instrumental role, and political nature (Clausewitz, 1832). Any offensive action which is considered as an act of war has to meet all three elements.
Firstly, any war is violent where the use of force compels the opponent to do the will of the attacker (Ibid., 1). It is lethal and has casualties. Secondly, an act of war has a goal which may be achieved in the end of the war (or failed to achieve in case the attacker is defeated). The end of war, in this sense, happens when the opponent surrenders or cannot sustain any more damage. The third element represents political character. As Clausewitz puts it, “war is a mere continuation of politics by other means” (Ibid., p. 29). A state has a will that it wants to enforce on another (or other) states through the use of force. When applying this model to cyber, there are some complications.
Cyber activities may be effective without violence and do not need to be instrumental to work. According to Rid, even if they have any political motivation, they are likely to be interested in avoiding attribution for some period of time. That is why, he highlights, cybercrime has been thriving and was more successful than acts of war (Rid, 2012, p.16). However, in all three aspects, the use of force is essential.
In the case of war, the damage is inflicted through the use of force. It may be a bomb, dropped on the city; or a drone-strike that destroys its target. In any case, the use of force is followed by casualties: buildings destroyed, or people killed. However, in cyberspace the situation is different. The actual use of force in cyberspace is a more complicated notion.
 International Atomic Energy Agency (2010). IAEA statement on Iranian Enrichment Announcement. [online] Available at: https://www.iaea.org/newscenter/pressreleases/iaea-statement-iranian-enrichment-announcement [Accessed on 28.12.2017].
 Jus bellum iustum (Lat.) – sometimes referred both as “just war tradition” and “just war theory”. Just war theory explains justifications for how and why wars are fought. The historical approach is concerned with historical rules or agreements applied to different wars (e.g. Hague convention). The theory deals with the military ethics and describes the forms that a war may take. Ethics is divided into two groups: jus ad bellum (the right to go to war) and jus in bello (right conduct of war). (See Stanford Encyclopedia of Philosophy Online). In the text Cook applies cyberwar to the just war tradition, rather than theory. In his belief, “tradition” describes something which evolves as the product of culture (In Ohlin, Govern and Finkelstein, 2015, p. 16).
Stuxnet: a New Era in Global Security
Stuxnet was a malware which affected an Iranian nuclear facility (along with a couple of other industrial sites across the world). It was found in 2010 but it took quite a while to actually discover it. What is particular about it is the fact that it crossed the line between the cyber and physical domains, showing that it was possible to use code to damage critical infrastructure. Before it, the general debate in national / global security on how critical infrastructure can be targeted and damaged through an information system had only been theoretical. After Stuxnet it was evident that cyberspace could be exploited and used to launch cyberattacks in order to cause physical damage. So what actually happened?
On June 17, 2010 Sergey Ulasen from a small security company in Belarus received a help-request for technical support from a customer in Iran. Arbitrary BSODs (a stop error after a system crash) and computer reboots were reported. After careful examination and a regular check for system malfunction, it was discovered that a malware infection was probably involved (The Man Who Found Stuxnet – Sergey Ulasen in the Spotlight). Having a stealthy nature and strange payload, it was later named Stuxnet, according to the file-name found in the code. The computer worm infected at least 14 industrial sites in Iran along with the uranium-enrichment plant in Natanz.
It carried genuine digital certificates (they guarantee that you can trust a file) from recognized companies, and it was well-developed and direct. The malware was able to determine the target it was looking for. If a system was not that target, it did nothing and moved on to another system. This “fingerprinting of the control systems” proved that it was not just an average malicious program, but a targeted malware that was meant to destroy.
Although Stuxnet relied on a physical person to install it (via USB flash drive), the worm spreads on its own between computers with the Windows operating system. It affects other machines through a local computer network, regardless of their connection to the Internet. It could also infect other USB flash drives and jump onto other computers through them. Moreover, it proliferates very quickly.
Once the worm infects a system, it waits, checking if necessary parameters are met. As soon as they are, it activates a sequence that causes industrial process to self-destruct. Symantec, a software company that provides cyber security software and services, conducted a thorough analysis of Stuxnet and found that Iran, Indonesia and India were the most affected countries in the early days of infection. The nuclear facility at Natanz was one of the most affected.
Furthermore, the principle is that this malware identifies a target, then records the data and finally decides what normal operations are. After this, it plays pre-recorded data on the computers of the personnel so that they think that the centrifuges are running normally, when in fact they are not. In the end, it erases itself from the system so that it cannot be traced and/or found.
The International Atomic Energy Agency inspected the Natanz facility and confirmed (International Atomic Energy Agency (2010)) that the centrifuges were malfunctioning and producing less than 20% of enriched uranium. However, at that time, the reason for that was unknown. The most detailed damage assessment came later from the Institute for Science and International Security in Washington. It claimed that Stuxnet destroyed 984 centrifuges. However, Iran has not provided such a number, and the IAEA failed to give precise information on the damage.
Stuxnet crossed the line beyond which code merely infects software or digital programs: what it actually did was affect physical equipment. This has brought a new technological revolution. Before, viruses were used by cyber pranksters and minor rowdies to cause a system to crash on computers of innocent victims. But state-to-state attacks and a cyberwar were not discussed and were not thought of, as it was something out of science fiction scenarios. Stuxnet has changed this perception, and opened a new era in global security.
A former chief of industrial control systems cyber security research said that Stuxnet was “the first view of something … that doesn’t need outside guidance by a human – but can still take control of your infrastructure. This is the first direct example of weaponized software, highly customized and designed to find a particular target.” It is not hard to imagine that similar malicious programs can be developed in the future and used to achieve a military and/or political goal.
Many believe that the cyberattacks on Iran’s nuclear facility were meant to slow down Iran’s nuclear program. However, enrichment recovered within a year, and the attacks did not permanently damage the nuclear program. Some experts also say that it had no effect on the nuclear program whatsoever and the whole situation around Stuxnet was over-hyped by the media. Others are also saying that evidence on the malware has been inconclusive and Stuxnet may have, in fact, helped in speeding up the Iranian nuclear program. The media reaction towards cyberattacks may have been exaggerated because of the secrecy around cyber issues, but in the end Stuxnet has made a good story.
As to the parties involved, the attack was not tied to a specific name and/or a country. Yet, it is widely believed to have been launched by the U.S. and Israel. The sophistication of the program required a considerable amount of resources, including extensive financial support and skilled specialists. This is why many security companies and experts agree on attributing the complex malware to one or more states. Among them is Kaspersky Lab, a multinational cyber security company, which says that the attack was launched with a specific motivation in mind. The attackers wanted to access industrial control systems which monitor and control infrastructure and processes of the facility. (Similar systems are used in power plants, communication systems, airports, and even military sites). Moreover, such an attack required a significant amount of intelligence data, so Kaspersky Lab is convinced that it was likely supported by a nation state.
Although the identity of the attacker is still unknown, many experts in international politics believe that the attack was clearly politically-motivated and aimed to slow down the development of Iran’s nuclear program. The United States and Israel both deny their involvement in Stuxnet; however, some leaked information (WikiLeaks, CBC interview with a former CIA director Michael Hayden etc.) suggests that the claims might have some credibility. Regardless of the claims made, it is important to highlight that no country officially declared that it launched an offensive cyberattack.
All in all, Stuxnet has revolutionized the way we look at malicious digital programs and boosted a debate about cyber tools used for political purposes. After all, we are living in a highly digitalized world where we are dependent on technology. The military is no exception. Digital technologies are widely being incorporated into military planning and operations. Modern nuclear and conventional weapons systems rely and depend on information systems for launching, targeting, command and control, including technologies that govern safety and security. It is clear that future military conflicts will all include a digital aspect and cyber technologies. Stuxnet was just an early version of software that could potentially destroy an industrial site, specifically a nuclear facility. If the malware had actually achieved its goals, the consequences would have been disastrous and could have caused an international crisis.
After all, as experts once have said, “Major concern is no longer weapons of mass destruction, but weapons of mass disruption” (Cetron and Davies, 2009).
A new cyber arms race
Not long ago cyber threats were not even on the agenda in security, let alone in the national security landscape. Now, the situation is different. Now, everyone recognizes the risks of a hyper-connected world: from an individual in front of the computer to a high-level officer operating a nuclear facility. As new tools are being developed, cyber-security occupies an important niche in decision-making and planning. As more and more people are securing their laptops, tablets and phones, the military has started doing that too.
Just six years ago the US Defence Secretary warned about a possible Cyber Pearl Harbour. Cyber Pearl Harbour is a strategic surprise attack which could potentially incapacitate computational and communication capabilities, leading to a devastating impact on the country (Goldman and Arquilla, 2014, p. 13). This notion is usually fuelled by ongoing media reports that countries are in active pursuit of offensive cyber capabilities which could jeopardize any sector, penetrate any system and cause major disruptions. Regardless of the accuracy of these reports, every country understands that these cyber insecurities can be and, probably, will be exploited by an enemy. That is why many states are now allocating enormous amounts of resources to develop defensive cyber means along with the offensive capabilities.
The number of cyberattacks is increasing. One can argue about their future potential targets, but it is clear that we should assume that cyberattacks will only become more sophisticated and, possibly, more deadly in the future. That is why vulnerabilities should be addressed, and nations should be prepared for the cyber challenge.
Among the most well-known cyberattacks are those that happened in Estonia (2007), Syria (impacted air defence systems 2007), Georgia (2008), Iran (Stuxnet 2009-10), Saudi Arabia (Aramco 2012), Ukraine (2014), and the U.S. (electoral campaign 2016). Additionally, the world was quite agitated about the WannaCry and Petya attacks in 2017. All in all, most of the recent attacks targeted commercial sectors, showing that there might be a constraining norm in regards to the military sector and critical infrastructures.
This consequently might indicate that states might be pursuing more sophisticated technologies in order to target more sophisticated systems. It might as well suggest a possibility of on-going cyber arms races between the countries. However, there are clear limitations of cyber warfare, as no physical damage occurred and no people were killed. Even the damage inflicted on critical infrastructures was limited and failed to cause major consequences. However, financial losses as a result of cyberattacks can be rather substantial and might have a great impact on economically weaker states.
Based on the scale of current attacks, we can only assume that the technology will spread and get more sophisticated with the time. As Mazanec has outlined, cyber warfare capabilities will play a role in future military conflicts, as they are being integrated into military and state doctrines (2015, pp. 80-83). However, despite cyber challenges to national security, it does not necessarily reflect that deterrence methods and tactics will be applicable to cyberspace.
This technology is quite cheap, requires fewer resources and personnel, and therefore allows less economically advanced countries to develop cyber capabilities. As a result, there is a clear asymmetry with weaker states competing with the world powers. Consequently, the threat is multiplied internationally. So the states are now in an unprecedented situation, because of the high level of uncertainty that cyberspace poses. This compels the states to adapt to the fast changing environment in international relations.
According to the report of McAfee, a global security technology company, 57% believe that a cyber arms race is taking place now. The top officials in the West are convinced too. For example, NATO secretary general Stoltenberg said that cyber would become integral to any military conflict. Following this, NATO Defence Ministers have agreed that cyber will be a part of military planning and operations. It is clear that the West is fully aware of cyber developments and eager to use them in its actions.
Similarly, the Chinese Military Strategy of 2015 has also admitted that cyberspace will take a place in strategic competition among all parties. The Indian Army is also not falling behind and is strengthening its cyber arsenal. General Rawat has recently said that India is now more concerned about developing these cyber capabilities than fighting on the border. The chain-reaction follows as in the case of the Cold War in pursuing the technologies and keeping up-to-date with the other states.
In this situation a leader faces similar challenges as in proliferation of any other military technology. There are four possible scenarios that make it difficult to calculate probabilities (According to Goldman and Arquilla, 2014):
1) We develop a cyber capability – They develop a cyber capability;
This is a frequent scenario and occurs when both countries have technological capability to develop cyber means.
2) We develop a cyber capability – They don’t develop a cyber capability;
There are certain problems in verifying if a country really lacks a capability to pursue cyber weapons. However, this case gives obvious advantage and leverage to a state that develops cyber capability.
3) We don’t develop a cyber capability – They develop a cyber capability;
From a political and strategic point of view, it puts a state into a disadvantageous position, therefore, making it undesired.
4) We don’t develop a cyber capability – They don’t develop a cyber capability;
It is more desirable; however, no direct experience exists. Usually if there is a possibility that a technology can be developed, it will be developed at least by some state.
Interestingly enough, there is not much concrete information available in regards to these developments, whether it is amount of arsenal, types of cyber capability, or just simple information on the notions. Information which is accessible is usually written by the Western authors (it is particularly covered by US officials/military and academia) or can be found in government’s documents. NATO common strategy, perhaps, contributes towards it. On a broader scale, cyber is treated as a state secret and specific information is classified. There is much information which is not available (for example, development of cyber weapons, its employment, reasons for its employment, legality of the use of cyber weapons etc.). In some countries, there is nothing to find at all.
A good example is the cyber capabilities of Russia. There is no available information: no official statements, no official policy, no academic articles published; it goes to the extent that even the media is not engaged in these issues. Alexei Arbatov (2018), an internationally recognized scholar on global security, has recently confirmed that even academic debate in Russia does not officially exist, only at the university level or informally. Notwithstanding, the Military Doctrine of the Russian Federation recognizes the fact that military threats and dangers are now shifting towards cyberspace (“informatsionnoe prostranstvo”).
Similarly to Russia, China also maintains secrecy concerning its developments in the military. According to the report of the Institute for Security Technology Studies (2004), available sources insist that Beijing is pursuing cyber warfare programs, but the classified nature of the specifics complicates assessments.
This secrecy around cyber resembles the secrecy surrounding nuclear developments. All of this information was classified too, yet the principles of nuclear governance have managed to emerge even in the tight environment of the Cold War. A similar situation arose in regards to the use of drones. All the initial drone strikes were classified, and only with time did the debate start to evolve. At the moment it is quite vigorous.
As for cyber, it will certainly take time to talk freely about cyber capabilities and warfare. It will be different in different countries, but in the end the debate will open up, just as new technologies will come and cyber will have become history.
Arbatov, A. (2018). Stability in a state of flux. Opinion presented at the 31st ISODARCO Winter Course – The Evolving Nuclear Order: New Technology and Nuclear Risk, 7-14 January 2018, Andalo.
Billo, Ch. and Chang, W. (2004). Cyber Warfare, an Analysis of the Means and Motivations of selected Nation States. Institute for Security Technology Studies, [online] Available at http://www.ists.dartmouth.edu/docs/cyberwarfare.pdf [Accessed on 27.12.2017].
Goldman, E. and Arquilla, J., ed. (2014). Cyber Analogies. Monterey: Progressive Management.
Mazanec, B. (2015). Why International Order is not Inevitable. Strategic Studies Quarterly, 9 (2), pp. 78-98. [online] Available at: http://www.airuniversity.af.mil/Portals/10/SSQ/documents/Volume-09_Issue-2/mazanec.pdf [Accessed on 28.01.2018].
 U.S. Department of Defense (2012). Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security, New York City, [online] Available at: http://archive.defense.gov/transcripts/transcript.aspx?transcriptid=5136 [Accessed on 22.01.2018].
 McAfee (2012). Cyber Defense Report. [online] Available at: https://www.mcafee.com/uk/about/news/2012/q1/20120130-02.aspx [Accessed on 22.01.2018].
 Hawser, A. (2017). NATO to Use Cyber Effects in Defensive Operations. Defense Procurement International, [online] Available at: https://www.defenceprocurementinternational.com/features/air/nato-and-cyber-weapons [Accessed on 22.01.2018].
 NATO (2017). NATO Defense Ministers agree to adopt command structure, boost Afghanistan troops levels. [online] Available at: https://www.nato.int/cps/ic/natohq/news_148722.htm?selectedLocale=en [Accessed on 22.01.2018].
 Gurung, Sh. (2018). Army stepping up cyber security. The Economic Times, [online] Available at: https://economictimes.indiatimes.com/news/defence/army-stepping-up-cyber-security/articleshow/62482582.cms [Accessed on 23.01.2018].
 Here it means both offensive and defensive capabilities (Author’s note).
 The Military Doctrine of the Russian Federation (edited in 2014). Moscow: p. 4. [online] Available at: http://www.mid.ru/documents/10180/822714/41d527556bec8deb3530.pdf/d899528d-4f07-4145-b565-1f9ac290906c [Accessed on 23.01.2018].