Excerpt:
“Assorted “cyber attacks” have attracted much attention in the past few months. One headline in this genre recently proclaimed “Anonymous Declares War on Orlando.” This is wrong on so many levels that it almost defies analysis. A more precise accounting would show that there have been no cyber wars and perhaps two or three cyber attacks since the Internet first appeared.
The most ironic example of hyperbole catching itself involves the new Department of Defense Cyber Strategy, which says that the United States reserves the right to use military force in response to a cyber attack. Since many reports call everything—pranks, embarrassing leaks, fraud, bank robbery, and espionage—a cyber attack, the strategy led to expressions of concern that the United States would be shooting missiles at annoying teenage hackers or starting wars over Wikileaks. In fact, the strategy sets a very high threshold that is derived from the laws of armed conflict for defining a cyber attack. Nothing we have seen this year would qualify as an attack using this threshold.
Only by adopting an exceptionally elastic definition of cyber attack can we say they are frequent. There have been many annoyances, much crime, and rampant spying, but the only incidents that have caused physical damage or disruption to critical services are the alleged Israeli use of cyber attack to disrupt Syrian air defenses and the Stuxnet attacks against Iran’s nuclear facilities. An extortion attempt in Brazil against a public utility may have backfired and temporarily disrupted electrical service. A better way to identify an attack is to rely on “equivalence,” where we judge whether a cyber exploit is an attack by asking if it led to physical damage or casualties. No damage, no casualties, means no attack.
Many militaries are developing attack capabilities, but this is not some revolutionary and immensely destructive new form of warfare that any random citizen or hacker can engage in at will. Nations are afraid of cyber war and are careful to stay below the threshold of what could be considered under international law the use of force or an act of war. Crime, even if state sponsored, does not justify a military response. Countries do not go to war over espionage. There is intense hostile activity in cyberspace, but it stays below the threshold of attack.
The denial-of-service efforts against Estonian and Georgian websites in 2007 and 2008 were not attacks. The Estonian incident had a clear coercive purpose, and it is worth considering whether the denial-of-service exploit against Estonia could have become the equivalent of an attack if it had been extended in scope and duration. The exploits against Georgia, while undertaken with coercive intent and closely coordinated with Russian military activities (and a useful indicator of how Russia will use cyber warfare), did no damage other than to deface government websites…”