{"id":27555,"date":"2016-07-06T13:44:08","date_gmt":"2016-07-06T03:44:08","guid":{"rendered":"http:\/\/www.aspistrategist.ru\/?p=27555"},"modified":"2016-07-06T14:00:15","modified_gmt":"2016-07-06T04:00:15","slug":"cyberwar-wrap","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/cyberwar-wrap\/","title":{"rendered":"Cyber(war) wrap"},"content":{"rendered":"
<\/p>\n
With ASPI\u2019s cyber team flat out like lizards drinking this week, here\u2019s a special edition of the cyber wrap, based on a lecture on cyberwarfare I gave at the ANU earlier this year.<\/span><\/p>\n As all good undergraduates know, the first thing you do is to look for definitions.<\/span> NATO had a crack<\/span><\/a> at a summit in 2014, but didn\u2019t manage to define what constituted a cyberattack for the purposes of an alliance military response. But their<\/span> official statement<\/span><\/a> was clear in its assessment of the impact of cyberattacks:<\/span><\/p>\n \u2018Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack.\u2019<\/span><\/p><\/blockquote>\n NATO has good reasons to think about cyberwar after the three weeks of<\/span> extensive attacks on Estonia in 2007<\/span><\/a>, which saw the Baltic state\u2019s internet connectivity essentially disabled, including the banking system.<\/span> Russia was widely seen as the culprit<\/span><\/a>, and the attacks corresponded with heightened tensions between the countries. Today the<\/span> NATO Cooperative Cyber Defence Centre of Excellence<\/span><\/a> is located in Estonia, and NATO\u2019s cyber doctrine<\/span> has evolved<\/span><\/a> in the wake of that incident.<\/span><\/p>\n One the reasons that NATO is working through its thinking on the subject is the vexed questions of appropriate and proportionate response to cyberattack. If hostile action is confined entirely to cyberspace, is a physical response justified and, if so, what level of violence is appropriate? NATO\u2019s<\/span> 2014 statement<\/span><\/a> that a cyberattack could be treated as the equivalent of an attack with conventional weapons (a point<\/span> reiterated last year<\/span><\/a>) means that:<\/span><\/p>\n \u2018\u2026 a digital attack on a member state is covered by Article 5, the collective defence clause. That states that an attack against one member of NATO “<\/span>shall be considered an attack against them all<\/span><\/a>” and opens the way for members to take action against the aggressor \u2014 including the use of armed force \u2014 to restore security.\u2019<\/span><\/p><\/blockquote>\n The AUSMIN talks of 2011 reached a similar conclusion for the ANZUS alliance. Stephen Smith, then Australia\u2019s Defence Minister,<\/span> observed that<\/span><\/a> \u2018a ”substantial cyber attack” on either country would trigger the treaty in a response similar to that following the 2001 terror attacks on the US\u2019. His hawkishness was matched by his American counterpart, Secretary for Defense Leon Panetta, who<\/span> warned in 2012<\/span><\/a> that \u2018the United States was facing the possibility of a \u201ccyber-Pearl Harbor\u201d and was increasingly vulnerable to foreign computer hackers who could dismantle the nation\u2019s power grid, transportation system, financial networks and government\u2019. The Pentagon was similarly belligerent; the<\/span> Wall Street Journal<\/em> was told<\/span><\/a> that a cyber attack on domestic infrastructure could generate a kinetic response: \u2018if you shut down our power grid, maybe we will put a missile down one of your smokestacks\u2019.<\/span><\/p>\n That\u2019s problematic for a number of reasons. First, there\u2019s the question of<\/span> proportionality<\/span><\/a>. An attack on a military system is one thing\u2014and it might presage a physical attack as well\u2014but if a civilian target such as a power grid or bank is taken down, does that justify a military response such as a bomb on a physical facility, with likely lethal consequences? Perhaps a case exists if there are fatalities due to a cyberattack, such as deaths due to extreme heat or freezing temperatures. But we have to keep this in perspective\u2014power grids fail for all sorts of reasons, and so far<\/span> squirrels constitute a greater danger<\/span><\/a> to the US power grid than cyberattacks.<\/span><\/p>\n Second, cyberattacks aren\u2019t always overt, and are often disavowable. Even if the location from which an attack is launched can be reliably discerned, there\u2019s still the issue of who was responsible; was it state-backed, a \u2018citizen\u2019s militia\u2019 or just an individual? It\u2019s not surprising that there\u2019s a live debate about attribution in<\/span> IT professional<\/span><\/a> and<\/span> academic<\/span><\/a> circles.<\/span><\/p>\n I think there\u2019s still quite a bit of confusion in thinking about cyberwarfare. It\u2019s certainly a new facet of conflict, and there has been a lot of work going on trying to understand what might be a<\/span> new \u2018domain\u2019 in warfighting<\/span><\/a> [PDF]. That\u2019s not just an academic argument about definitions. In a recent evolution in its thinking, NATO<\/span> declared cyberspace to be a military domain<\/span><\/a> (in addition to land, air and sea), further lowering the bar for a collective defence response to cyberattacks.<\/span><\/p>\n Despite all that, I\u2019d argue that cyberwarfare hasn\u2019t yet been fully integrated into strategic thinking. Despite the \u2018Pearl Harbor\u2019 type hyperbole that still pops up from time to time, there are more measured voices that<\/span> argue for a more nuanced approach<\/span><\/a>, and<\/span> caution against invoking defence treaties<\/span><\/a> in response to cyberattacks.<\/span><\/p>\n Some analysts<\/span> doubt that cyberwarfare will ever take place<\/span><\/a>, at least as a stand-alone activity. That\u2019s a view I tend to agree with. The 2007 attacks on Estonia were undoubtedly hostile, but ultimately no territory or lives were lost. On the other hand, the Russian military assault on Georgia in 2008, which was<\/span> accompanied by extensive cyberattacks<\/span><\/a>, was unambiguously an act of war. For now at least, I think we\u2019re best off thinking about cyberwarfare as an adjunct to other forms of war.<\/span><\/p>\n Further reading<\/b><\/p>\n In 2012, ASPI produced an<\/span> anthology of papers<\/span><\/a> on the consequences of cyberattacks for the ANZUS alliance. More recently, our International Cyber Policy Centre Fellow Jim Lewis provided some thoughts on<\/span> the role offensive cyber capabilities<\/span><\/a> in cyberwarfare. <\/span><\/p>\n","protected":false},"excerpt":{"rendered":" With ASPI\u2019s cyber team flat out like lizards drinking this week, here\u2019s a special edition of the cyber wrap, based on a lecture on cyberwarfare I gave at the ANU earlier this year. As all …<\/p>\n","protected":false},"author":6,"featured_media":27556,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[391,95,261,1738],"class_list":["post-27555","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-cyber","tag-cyber-security","tag-nato","tag-squirrels"],"acf":[],"yoast_head":"\n