Moving Beyond the Cyberwar Debate

Harry Oppenheimer is a research associate for national security at the Council on Foreign Relations.

The most high profile debate in cybersecurity is also the most academic--will “cyberwar” occur between two nations. The lack of a definition for “cyberwar” is part of what makes the debate so unproductive. I was reminded of this while reading the most recent piece by Brandon Valeriano and Ryan C. Maness in Foreign Affairs titled “The Normative Arguments Against Cyberwarfare.” Their argument goes something like this: the United States has effective cyber defenses and the norms against war are strong enough that a cyberwar will be very unlikely to occur between it and another country. The authors conclude that while the mass of cyber operations is increasing what we are seeing is the proliferation of small scale operations that have few U.S. national security implications, and the defense implications of cyber operations by U.S. rivals have been overhyped.

This argument reflects a fundamental misunderstanding about the nature of cyber threats. The problem with the cyberwar debate is that it is trying to understand the impact of 21^st century technology using a 19^th century understanding of warfare. The debate on offensive cyber operations seems to be predicated on a view of conventional warfare—two sides, well defined, targeting the other’s military, operating within the accepted rules of warfare. In cyberspace this means two nations with banks of computers duking it out online, attempting to take down the other’s power grid or communications. As the authors describe the status quo, “probes and pokes do not destabilize states or change trends within international politics.” The problem is that threats probably won’t materialize within this idealized version of conflict. By looking at a narrow subset of cyberwar and they are missing the big picture.

The security dimensions of cyberspace become far more apparent when examining it through the prism of modern conflict proxy wars on poorly defined battlefields using asymmetric tactics. Irregular warfare and military cyber operations are actually quite analogous—lines of code or operations can lay dormant, the battlefield is undefined, tactics are sabotage, political, or informational, and the rules of warfare don’t typically apply (except in the case of a few of our allies). The Internet isn’t a one dimensional landscape. True, cyber conflicts present less of an “existential” threat than those from conventional foes, but since they are the most common threats countries have been forced to adapt.

The United States faces asymmetric warfare tactics because no one wants to fight a hegemon in a conventional fight, and if the United States could choose its adversary’s tactics they would undoubtedly be conventional. This is why irregular warfare was the strategy of choice for the Viet-Cong, al-Qaeda, and the Iraqi insurgency, and also why it was so effective. As James Adams said fifteen years ago, cyber operations are an attractive way to pose an asymmetric threat  when conventional military advantages are so overwhelming. This is because, compared to other methods, cyber operations pose few risks and the barriers to entry are low. An actor that could never go to war with the United States can wage a guerrilla campaign online. Cyber operations can be used to instill fear and cause disruption even if they don’t cause physical damage.

How can we apply the lessons of irregular warfare to cyberspace? First, the irregular groups that are threatening aren’t constrained by what Valeriano and Maness characterize as the, “international consensus [that] has stabilized around a number of limited acceptable uses of cyber technology—one that prohibits any dangerous use of force.” Irregular warfare, by definition, makes use of tactics and strategies that are against norms. There are international norms against terrorism and targeting civilians, but this doesn’t prevent al-Qaeda or self-declared Islamic State from employing those tactics. Second, just because a conventional cyberwar is unlikely doesn’t mean that cyber operations won’t be used by irregular forces, and it will be challenging to get the U.S. national security apparatus to adapt. The debate shouldn’t focus on the type of cyberwar that the United States should want to fight, but should look for other lines of conflict that are more likely to occur.

Cyber operations as espionage, crime, terrorism, or disruption have already become part of warfare strategy in irregular conflicts across the globe. Conventional foes such as China have used cyber operations precisely because they stay below the threshold of war. The nature of these threats means that examining cyber operations through the prism of conventional warfare is a pretty futile exercise. Let’s stop debating the future of cyberwar and start trying to come up with models that understand how these operations will become a part of national security strategy.